2012/6/30 <fha...@apache.org>:
> Author: fhanik
> Date: Sat Jun 30 01:04:59 2012
> New Revision: 1355615
>
> URL: http://svn.apache.org/viewvc?rev=1355615&view=rev
> Log:
> With more and more use of RFC 2307 http://tools.ietf.org/html/rfc2307
> There is a new way to search for roles using the memberUid that can contain
> the value of another attribute within the users directory entry.
> This may not be very specific to 2307, but that is where I see this
> combination of role searches occur the most.
>
> Example: http://www.openldap.org/lists/openldap-technical/200904/msg00024.html
>
>
>
>
> Modified:
> tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
> tomcat/trunk/webapps/docs/config/realm.xml
>
> Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1355615&r1=1355614&r2=1355615&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Sat Jun 30
> 01:04:59 2012
> @@ -126,8 +126,9 @@ import org.ietf.jgss.GSSCredential;
> * property.</li>
> * <li>The <code>roleSearch</code> pattern optionally includes pattern
> * replacements "{0}" for the distinguished name, and/or "{1}" for
> - * the username, of the authenticated user for which roles will be
> - * retrieved.</li>
> + * the username, and/or "{2}" the value of the userRoleAttribute
> + * attribute from the users entry, of the authenticated user
> + * for which roles will be retrieved.</li>
> * <li>The <code>roleBase</code> property can be set to the element that
> * is the base of the search for matching roles. If not specified,
> * the entire context will be searched.</li>
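Review bot: The three added Javadoc lines are hard to parse (`"{2}" the value of the userRoleAttribute attribute from the users entry`) and use `users` where the possessive is meant; I would write them as `* the username, and/or "{2}" for the value of the attribute named by` / `* <code>userRoleAttribute</code> in the user's entry, of the authenticated` / `* user for which roles will be retrieved.</li>`. It is also worth stating in the same `<li>` that `{2}` is only populated when `userRoleAttribute` is configured, since this class comment is what an administrator reads when writing a `roleSearch` pattern. The class-level comment this hunk sits in continues outside the hunk.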
> @@ -292,6 +293,14 @@ public class JNDIRealm extends RealmBase
> */
> protected String userPassword = null;
>
> + /**
> + * The name of the attribute inside the users
> + * directory entry where the value will be
> + * taken to search for roles
> + * This attribute is not used during a nested search
> + */
> + protected String userRoleAttribute = null;
> +
>
> /**
> * A string of LDAP user patterns or paths, ":"-separated
> @@ -829,6 +838,14 @@ public class JNDIRealm extends RealmBase
> }
>
>
> + public String getUserRoleAttribute() {
> + return userRoleAttribute;
> + }
> +
> + public void setUserRoleAttribute(String userRoleAttribute) {
> + this.userRoleAttribute = userRoleAttribute;
> + }
> +
> /**
> * Return the message format pattern for selecting users in this Realm.
> */
> @@ -839,6 +856,8 @@ public class JNDIRealm extends RealmBase
> }
>
>
> +
> +
> /**
> * Set the message format pattern for selecting users in this Realm.
> * This may be one simple pattern, or multiple patterns to be tried,
> @@ -1230,6 +1249,9 @@ public class JNDIRealm extends RealmBase
> list.add(userPassword);
> if (userRoleName != null)
> list.add(userRoleName);
> + if (userRoleAttribute != null) {
> + list.add(userRoleAttribute);
> + }
> String[] attrIds = new String[list.size()];
> list.toArray(attrIds);
>
> @@ -1265,7 +1287,7 @@ public class JNDIRealm extends RealmBase
>
> // If no attributes are requested, no need to look for them
> if (attrIds == null || attrIds.length == 0) {
> - return new User(username, dn, null, null);
> + return new User(username, dn, null, null,null);
> }
>
> // Get required attributes from user entry
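Review bot: The new field Javadoc states `This attribute is not used during a nested search`, but the nested-search change later in this commit still expands `{2}`, substituting `group.getValue()` for it, so the placeholder is used there with a different value; the comment should describe what actually happens rather than claim the placeholder is unused. It also lacks a sentence terminator and should read `user's`; I would write `* The name of the attribute in the user's directory entry whose value` / `* is substituted for {2} in roleSearch. During a nested group search {2}` / `* is set to the group value instead.` The last clause assumes `group.getValue()` is the group's name, which this commit does not show.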
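Review bot: `getUserRoleAttribute` and `setUserRoleAttribute` are the only accessors in this stretch without Javadoc; the neighbouring `Return the message format pattern for selecting users in this Realm.` shows the file's convention. A one-liner each would do, e.g. `/** Return the name of the user-entry attribute whose value replaces {2} in roleSearch. */` and `/** Set the name of the user-entry attribute whose value replaces {2} in roleSearch. */`. The following `@@ -839` hunk only adds two blank lines and looks like leftover whitespace that should be dropped before this lands.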
> @@ -1283,12 +1305,17 @@ public class JNDIRealm extends RealmBase
> if (userPassword != null)
> password = getAttributeValue(userPassword, attrs);
>
> + String userRoleAttrValue = null;
> + if (userRoleAttribute != null) {
> + userRoleAttrValue = getAttributeValue(userRoleAttribute, attrs);
> + }
> +
> // Retrieve values of userRoleName attribute
> ArrayList<String> roles = null;
> if (userRoleName != null)
> roles = addAttributeValues(userRoleName, attrs, roles);
>
> - return new User(username, dn, password, roles);
> + return new User(username, dn, password, roles, userRoleAttrValue);
> }
>
>
> @@ -1427,12 +1454,17 @@ public class JNDIRealm extends RealmBase
> if (userPassword != null)
> password = getAttributeValue(userPassword, attrs);
>
> + String userRoleAttrValue = null;
> + if (userRoleAttribute != null) {
> + userRoleAttrValue = getAttributeValue(userRoleAttribute, attrs);
> + }
> +
> // Retrieve values of userRoleName attribute
> ArrayList<String> roles = null;
> if (userRoleName != null)
> roles = addAttributeValues(userRoleName, attrs, roles);
>
> - return new User(username, dn, password, roles);
> + return new User(username, dn, password, roles, password);
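Review bot: The four added lines that read `userRoleAttribute` into `userRoleAttrValue` are duplicated verbatim in the next hunk, which invites the two user-lookup paths to drift apart. I would replace both copies with `String userRoleAttrValue = getUserRoleAttrValue(attrs);` and move the `userRoleAttribute != null` check and the `getAttributeValue` call into one private method declared with the same `throws` clause as `getAttributeValue`. If the configured attribute is multi-valued, `getAttributeValue` presumably yields a single value and the others are silently ignored; that deserves a comment on the new block since the attribute name is administrator-chosen. The enclosing lookup method starts before and ends after this hunk.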
The above line is likely wrong. The last argument should not be "password".
> }
>
>
> @@ -1675,6 +1707,7 @@ public class JNDIRealm extends RealmBase
>
> String dn = user.getDN();
> String username = user.getUserName();
> + String userRoleId = user.getUserRoleId();
>
> if (dn == null || username == null)
> return (null);
> @@ -1702,7 +1735,7 @@ public class JNDIRealm extends RealmBase
> return (list);
>
> // Set up parameters for an appropriate search
> - String filter = roleFormat.format(new String[] {
> doRFC2254Encoding(dn), username });
> + String filter = roleFormat.format(new String[] {
> doRFC2254Encoding(dn), username, userRoleId });
> SearchControls controls = new SearchControls();
> if (roleSubtree)
> controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
> @@ -1775,7 +1808,7 @@ public class JNDIRealm extends RealmBase
> Map<String, String> newThisRound = new HashMap<String,
> String>(); // Stores the groups we find in this iteration
>
> for (Entry<String, String> group : newGroups.entrySet()) {
> - filter = roleFormat.format(new String[] {
> group.getKey(), group.getValue() });
> + filter = roleFormat.format(new String[] {
> group.getKey(), group.getValue(), group.getValue() });
>
> if (containerLog.isTraceEnabled()) {
> containerLog.trace("Perform a nested group search
> with base "+ roleBase + " and filter " + filter);
> @@ -2359,9 +2392,11 @@ public class JNDIRealm extends RealmBase
> private final String dn;
> private final String password;
> private final List<String> roles;
> + private final String userRoleId;
> +
>
> public User(String username, String dn, String password,
> - List<String> roles) {
> + List<String> roles, String userRoleId) {
> this.username = username;
> this.dn = dn;
> this.password = password;
> @@ -2370,6 +2405,7 @@ public class JNDIRealm extends RealmBase
> } else {
> this.roles = Collections.unmodifiableList(roles);
> }
> + this.userRoleId = userRoleId;
> }
>
> public String getUserName() {
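Review bot: The new `userRoleId` argument on the changed `roleFormat.format` line is inserted into the LDAP search filter verbatim, while `{0}` goes through `doRFC2254Encoding`; `userRoleId` is an attribute value read back from the directory, so a value containing `*`, `(`, `)` or `\` changes the meaning of the role filter (with a `(memberUid={2})` pattern a `*` would match every group). Encode it like the DN: `doRFC2254Encoding(dn), username, userRoleId == null ? null : doRFC2254Encoding(userRoleId) });`, the null guard assuming `doRFC2254Encoding` is not null-safe, which is not visible here. Separately, when `userRoleAttribute` is configured but the entry lacks that attribute, `userRoleId` is null and, if `roleFormat` is a `java.text.MessageFormat` as the `format(Object[])` call suggests, the literal text `null` ends up in the filter; an explicit check beside the existing `dn == null || username == null` guard, skipping the role search in that case, would make the behaviour deliberate. getRoles' body starts before and continues after this hunk.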
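Review bot: On the changed line inside the nested-search loop `group.getValue()` is passed for both `{1}` and `{2}`, so `{2}` receives the group value rather than anything taken from `userRoleAttribute`, and nothing at the call site says this is deliberate. Add a comment on that line, e.g. `// no per-user value at this level; reuse the group value for {2} so roleSearch patterns written for {2} still match nested groups`, or, if the reuse is not intended, document on `userRoleAttribute` what `{2}` means beyond the first level. Like the new `{2}` argument in the top-level search, this third value is placed into the filter without `doRFC2254Encoding`; it originates from the directory, so the same escaping concern applies. The loop this line belongs to starts before and continues after the hunk.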
> @@ -2387,6 +2423,12 @@ public class JNDIRealm extends RealmBase
> public List<String> getRoles() {
> return roles;
> }
> +
> + public String getUserRoleId() {
> + return userRoleId;
> + }
> +
> +
> }
> }
>
>(...)
Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org