Author: markt
Date: Sun Dec 14 13:08:57 2014
New Revision: 1645456
URL: http://svn.apache.org/r1645456
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57209
Add new JNDIRealm configuration userSearchAsUser
Modified:
tomcat/tc8.0.x/trunk/ (props changed)
tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java
tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/mbeans-descriptors.xml
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc8.0.x/trunk/webapps/docs/config/realm.xml
Propchange: tomcat/tc8.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun Dec 14 13:08:57 2014
@@ -1 +1 @@
-/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357
+/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357,1645455
Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1645456&r1=1645455&r2=1645456&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java Sun Dec
14 13:08:57 2014
@@ -269,6 +269,15 @@ public class JNDIRealm extends RealmBase
/**
+ * When searching for users, should the search be performed as the user
+ * currently being authenticated? If false, {@link #connectionName} and
+ * {@link #connectionPassword} will be used if specified, else an anonymous
+ * connection will be used.
+ */
+ private boolean userSearchAsUser = false;
+
+
+ /**
* The MessageFormat object associated with the current
* <code>userSearch</code>.
*/
@@ -658,6 +667,16 @@ public class JNDIRealm extends RealmBase
}
+ public boolean isUserSearchAsUser() {
+ return userSearchAsUser;
+ }
+
+
+ public void setUserSearchAsUser(boolean userSearchAsUser) {
+ this.userSearchAsUser = userSearchAsUser;
+ }
+
+
/**
* Return the "search subtree for users" flag.
*/
@@ -779,10 +798,12 @@ public class JNDIRealm extends RealmBase
return roleSearchAsUser;
}
+
public void setRoleSearchAsUser(boolean roleSearchAsUser) {
this.roleSearchAsUser = roleSearchAsUser;
}
+
/**
* Return the "search subtree for roles" flag.
*/
@@ -1280,7 +1301,17 @@ public class JNDIRealm extends RealmBase
containerLog.debug("Found user by pattern [" + user + "]");
}
} else {
- user = getUserBySearch(context, username, attrIds);
+ boolean thisUserSearchAsUser = isUserSearchAsUser();
+ try {
+ if (thisUserSearchAsUser) {
+ userCredentialsAdd(context, username, credentials);
+ }
+ user = getUserBySearch(context, username, attrIds);
+ } finally {
+ if (thisUserSearchAsUser) {
+ userCredentialsRemove(context);
+ }
+ }
if (containerLog.isDebugEnabled()) {
containerLog.debug("Found user by search [" + user + "]");
}
@@ -1727,13 +1758,14 @@ public class JNDIRealm extends RealmBase
// Perform the configured search and process the results
NamingEnumeration<SearchResult> results = null;
+ boolean thisRoleSearchAsUser = isRoleSearchAsUser();
try {
- if (roleSearchAsUser) {
+ if (thisRoleSearchAsUser) {
userCredentialsAdd(context, dn, user.getPassword());
}
results = context.search(base, filter, controls);
} finally {
- if (roleSearchAsUser) {
+ if (thisRoleSearchAsUser) {
userCredentialsRemove(context);
}
}
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/mbeans-descriptors.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/mbeans-descriptors.xml?rev=1645456&r1=1645455&r2=1645456&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/mbeans-descriptors.xml
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/mbeans-descriptors.xml
Sun Dec 14 13:08:57 2014
@@ -317,6 +317,11 @@
description="The message format used to select roles for a user"
type="java.lang.String"/>
+ <attribute name="roleSearchAsUser"
+ description="Should the search for user roles be performed as the
authenticating user?"
+ is="true"
+ type="boolean"/>
+
<attribute name="roleSubtree"
description="Should we search the entire subtree for matching
memberships?"
type="boolean"/>
@@ -338,13 +343,18 @@
description="The message format used to select a user"
type="java.lang.String"/>
- <attribute name="userRoleName"
+ <attribute name="userRoleName"
description="The name of the attribute in the user's entry
containing roles for that user"
type="java.lang.String"/>
- <attribute name="userSearch"
- description="The message format used to search for a user"
- type="java.lang.String"/>
+ <attribute name="userSearch"
+ description="The message format used to search for a user"
+ type="java.lang.String"/>
+
+ <attribute name="userSearchAsUser"
+ description="Should the search for the user's DN be performed as the
authenticating user?"
+ is="true"
+ type="boolean"/>
<attribute name="userSubtree"
description="Should we search the entire subtree for matching users?"
Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1645456&r1=1645455&r2=1645456&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Sun Dec 14 13:08:57 2014
@@ -70,6 +70,10 @@
in a directory context for a user with specified user name. Based on
a patch provided by Jason McIntosh. (violetagg)
</fix>
+ <add>
+ <bug>57209</bug>: Add a new attribute, userSearchAsUser to the JNDI
+ Realm. (markt)
+ </add>
<fix>
<bug>57215</bug>: Ensure that the result of calling
<code>HttpServletRequest.getContextPath()</code> is neither decoded nor
Modified: tomcat/tc8.0.x/trunk/webapps/docs/config/realm.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/config/realm.xml?rev=1645456&r1=1645455&r2=1645456&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/config/realm.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/config/realm.xml Sun Dec 14 13:08:57 2014
@@ -663,6 +663,16 @@
user's entry.</p>
</attribute>
+ <attribute name="userSearchAsUser" required="false">
+ <p> When searching for a user's entry, should the search be performed
as
+ the user currently being authenticated? If false,
+ <code>connectionName</code> and <code>connectionPassword</code> will be
+ used if specified, else an anonymous. If not specified, the default
+ value of <code>false</code> is used. Note that when accessing the
+ directory using delegated credentials, this attribute is always ignored
+ and the search is performed using the delegated credentials.</p>
+ </attribute>
+
<attribute name="userSubtree" required="false">
<p>Set to <code>true</code> if you want to search the entire
subtree of the element specified by the <code>userBase</code>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
