File Doc Category Size Date Package
JNDIRealm.java API Doc Apache Tomcat 6.0.14 58161 Fri Jul 20 04:20:32 BST 2007 org.apache.catalina.realm

JNDIRealm

java.lang.Object
- RealmBase

public class JNDIRealm extends RealmBase

Implementation of Realm that works with a directory server accessed via the Java Naming and Directory Interface (JNDI) APIs. The following constraints are imposed on the data structure in the underlying directory server:

Each user that can be authenticated is represented by an individual element in the top level DirContext that is accessed via the connectionURL property.
If a socket connection can not be made to the connectURL an attempt will be made to use the alternateURL if it exists.
Each user element has a distinguished name that can be formed by substituting the presented username into a pattern configured by the userPattern property.
Alternatively, if the userPattern property is not specified, a unique element can be located by searching the directory context. In this case:
- The userSearch pattern specifies the search filter after substitution of the username.
- The userBase property can be set to the element that is the base of the subtree containing users. If not specified, the search base is the top-level context.
- The userSubtree property can be set to true if you wish to search the entire subtree of the directory context. The default value of false requests a search of only the current level.
The user may be authenticated by binding to the directory with the username and password presented. This method is used when the userPassword property is not specified.
The user may be authenticated by retrieving the value of an attribute from the directory and comparing it explicitly with the value presented by the user. This method is used when the userPassword property is specified, in which case:
- The element for this user must contain an attribute named by the userPassword property.
- The value of the user password attribute is either a cleartext String, or the result of passing a cleartext String through the RealmBase.digest() method (using the standard digest support included in RealmBase).
- The user is considered to be authenticated if the presented credentials (after being passed through RealmBase.digest()) are equal to the retrieved value for the user password attribute.
Each group of users that has been assigned a particular role may be represented by an individual element in the top level DirContext that is accessed via the connectionURL property. This element has the following characteristics:
- The set of all possible groups of interest can be selected by a search pattern configured by the roleSearch property.
- The roleSearch pattern optionally includes pattern replacements "{0}" for the distinguished name, and/or "{1}" for the username, of the authenticated user for which roles will be retrieved.
- The roleBase property can be set to the element that is the base of the search for matching roles. If not specified, the entire context will be searched.
- The roleSubtree property can be set to true if you wish to search the entire subtree of the directory context. The default value of false requests a search of only the current level.
- The element includes an attribute (whose name is configured by the roleName property) containing the name of the role represented by this element.
In addition, roles may be represented by the values of an attribute in the user's element whose name is configured by the userRoleName property.
Note that the standard <security-role-ref> element in the web application deployment descriptor allows applications to refer to roles programmatically by names other than those used in the directory server itself.

TODO - Support connection pooling (including message format objects) so that authenticate() does not have to be synchronized.

WARNING - There is a reported bug against the Netscape provider code (com.netscape.jndi.ldap.LdapContextFactory) with respect to successfully authenticated a non-existing user. The report is here: http://issues.apache.org/bugzilla/show_bug.cgi?id=11210 . With luck, Netscape has updated their provider code and this is not an issue.

author: John Holman
author: Craig R. McClanahan
version: $Revision: 543693 $ $Date: 2007-06-02 03:42:17 +0200 (sam., 02 juin 2007) $

Fields Summary
protected String
authentication
The type of authentication to use
protected String
connectionName
The connection username for the server we will contact.
protected String
connectionPassword
The connection password for the server we will contact.
protected String
connectionURL
The connection URL for the server we will contact.
protected DirContext
context
The directory context linking us to our directory server.
protected String
contextFactory
The JNDI context factory used to acquire our InitialContext. By default, assumes use of an LDAP server using the standard JNDI LDAP provider.
protected String
derefAliases
How aliases should be dereferenced during search operations.
public static final String
DEREF_ALIASES
Constant that holds the name of the environment property for specifying the manner in which aliases should be dereferenced.
protected static final String
info
Descriptive information about this Realm implementation.
protected static final String
name
Descriptive information about this Realm implementation.
protected String
protocol
The protocol that will be used in the communication with the directory server.
protected String
referrals
How should we handle referrals? Microsoft Active Directory can't handle the default case, so an application authenticating against AD must set referrals to "follow".
protected String
userBase
The base element for user searches.
protected String
userSearch
The message format used to search for a user, with "{0}" marking the spot where the username goes.
protected MessageFormat
userSearchFormat
The MessageFormat object associated with the current userSearch.
protected boolean
userSubtree
Should we search the entire subtree for matching users?
protected String
userPassword
The attribute name used to retrieve the user password.
protected String[]
userPatternArray
A string of LDAP user patterns or paths, ":"-separated These will be used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes. This is similar to userPattern, but allows for multiple searches for a user.
protected String
userPattern
The message format used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.
protected MessageFormat[]
userPatternFormatArray
An array of MessageFormat objects associated with the current userPatternArray.
protected String
roleBase
The base element for role searches.
protected MessageFormat
roleFormat
The MessageFormat object associated with the current roleSearch.
protected String
userRoleName
The name of an attribute in the user's entry containing roles for that user
protected String
roleName
The name of the attribute containing roles held elsewhere
protected String
roleSearch
The message format used to select roles for a user, with "{0}" marking the spot where the distinguished name of the user goes.
protected boolean
roleSubtree
Should we search the entire subtree for matching memberships?
protected String
alternateURL
An alternate URL, to which, we should connect if connectionURL fails.
protected int
connectionAttempt
The number of connection attempts. If greater than zero we use the alternate url.
protected int
curUserPattern
The current user pattern to be used for lookup and binding of a user.
Constructors Summary
Methods Summary
private java.util.ArrayList addAttributeValues(java.lang.String attrId, javax.naming.directory.Attributes attrs, java.util.ArrayList values)
Add values of a specified attribute to a list
param
attrId Attribute name
param
attrs Attributes containing the new values
param
values ArrayList containing values found so far
exception
NamingException if a directory server error occurs
if (containerLog.isTraceEnabled()) containerLog.trace(" retrieving values for attribute " + attrId); if (attrId == null || attrs == null) return values; if (values == null) values = new ArrayList<String>(); Attribute attr = attrs.get(attrId); if (attr == null) return (values); NamingEnumeration e = attr.getAll(); while(e.hasMore()) { String value = (String)e.next(); values.add(value); } return values;
public java.security.Principal authenticate(java.lang.String username, java.lang.String credentials)
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null. If there are any errors with the JDBC connection, executing the query or anything we return null (don't authenticate). This event is also logged, and the connection will be closed so that a subsequent request will automatically re-open it.
param
username Username of the Principal to look up
param
credentials Password or other credentials to use in authenticating this username
DirContext context = null; Principal principal = null; try { // Ensure that we have a directory context available context = open(); // Occassionally the directory context will timeout. Try one more // time before giving up. try { // Authenticate the specified username if possible principal = authenticate(context, username, credentials); } catch (NullPointerException e) { /* BZ 42449 - Kludge Sun's LDAP provider with broken SSL */ // log the exception so we know it's there. containerLog.warn(sm.getString("jndiRealm.exception"), e); // close the connection so we know it will be reopened. if (context != null) close(context); // open a new directory context. context = open(); // Try the authentication again. principal = authenticate(context, username, credentials); } catch (CommunicationException e) { // log the exception so we know it's there. containerLog.warn(sm.getString("jndiRealm.exception"), e); // close the connection so we know it will be reopened. if (context != null) close(context); // open a new directory context. context = open(); // Try the authentication again. principal = authenticate(context, username, credentials); } catch (ServiceUnavailableException e) { // log the exception so we know it's there. containerLog.warn(sm.getString("jndiRealm.exception"), e); // close the connection so we know it will be reopened. if (context != null) close(context); // open a new directory context. context = open(); // Try the authentication again. principal = authenticate(context, username, credentials); } // Release this context release(context); // Return the authenticated Principal (if any) return (principal); } catch (NamingException e) { // Log the problem for posterity containerLog.error(sm.getString("jndiRealm.exception"), e); // Close the connection so that it gets reopened next time if (context != null) close(context); // Return "not authenticated" for this request return (null); }
public synchronized java.security.Principal authenticate(javax.naming.directory.DirContext context, java.lang.String username, java.lang.String credentials)
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.
param
context The directory context
param
username Username of the Principal to look up
param
credentials Password or other credentials to use in authenticating this username
exception
NamingException if a directory server error occurs
if (username == null || username.equals("") || credentials == null || credentials.equals("")) return (null); if (userPatternArray != null) { for (curUserPattern = 0; curUserPattern < userPatternFormatArray.length; curUserPattern++) { // Retrieve user information User user = getUser(context, username); if (user != null) { try { // Check the user's credentials if (checkCredentials(context, user, credentials)) { // Search for additional roles List<String> roles = getRoles(context, user); return (new GenericPrincipal(this, username, credentials, roles)); } } catch (InvalidNameException ine) { // Log the problem for posterity containerLog.warn(sm.getString("jndiRealm.exception"), ine); // ignore; this is probably due to a name not fitting // the search path format exactly, as in a fully- // qualified name being munged into a search path // that already contains cn= or vice-versa } } } return null; } else { // Retrieve user information User user = getUser(context, username); if (user == null) return (null); // Check the user's credentials if (!checkCredentials(context, user, credentials)) return (null); // Search for additional roles List<String> roles = getRoles(context, user); // Create and return a suitable Principal for this user return (new GenericPrincipal(this, username, credentials, roles)); }
protected boolean bindAsUser(javax.naming.directory.DirContext context, org.apache.catalina.realm.User user, java.lang.String credentials)
Check credentials by binding to the directory as the user
param
context The directory context
param
user The User to be authenticated
param
credentials Authentication credentials
exception
NamingException if a directory server error occurs
if (credentials == null || user == null) return (false); String dn = user.dn; if (dn == null) return (false); // Validate the credentials specified by the user if (containerLog.isTraceEnabled()) { containerLog.trace(" validating credentials by binding as the user"); } // Set up security environment to bind as the user context.addToEnvironment(Context.SECURITY_PRINCIPAL, dn); context.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials); // Elicit an LDAP bind operation boolean validated = false; try { if (containerLog.isTraceEnabled()) { containerLog.trace(" binding as " + dn); } context.getAttributes("", null); validated = true; } catch (AuthenticationException e) { if (containerLog.isTraceEnabled()) { containerLog.trace(" bind attempt failed"); } } // Restore the original security environment if (connectionName != null) { context.addToEnvironment(Context.SECURITY_PRINCIPAL, connectionName); } else { context.removeFromEnvironment(Context.SECURITY_PRINCIPAL); } if (connectionPassword != null) { context.addToEnvironment(Context.SECURITY_CREDENTIALS, connectionPassword); } else { context.removeFromEnvironment(Context.SECURITY_CREDENTIALS); } return (validated);
protected boolean checkCredentials(javax.naming.directory.DirContext context, org.apache.catalina.realm.User user, java.lang.String credentials)
Check whether the given User can be authenticated with the given credentials. If the userPassword configuration attribute is specified, the credentials previously retrieved from the directory are compared explicitly with those presented by the user. Otherwise the presented credentials are checked by binding to the directory as the user.
param
context The directory context
param
user The User to be authenticated
param
credentials The credentials presented by the user
exception
NamingException if a directory server error occurs
boolean validated = false; if (userPassword == null) { validated = bindAsUser(context, user, credentials); } else { validated = compareCredentials(context, user, credentials); } if (containerLog.isTraceEnabled()) { if (validated) { containerLog.trace(sm.getString("jndiRealm.authenticateSuccess", user.username)); } else { containerLog.trace(sm.getString("jndiRealm.authenticateFailure", user.username)); } } return (validated);
protected void close(javax.naming.directory.DirContext context)
Close any open connection to the directory server for this Realm.
param
context The directory context to be closed
// Do nothing if there is no opened connection if (context == null) return; // Close our opened connection try { if (containerLog.isDebugEnabled()) containerLog.debug("Closing directory context"); context.close(); } catch (NamingException e) { containerLog.error(sm.getString("jndiRealm.close"), e); } this.context = null;
protected boolean compareCredentials(javax.naming.directory.DirContext context, org.apache.catalina.realm.User info, java.lang.String credentials)
Check whether the credentials presented by the user match those retrieved from the directory.
param
context The directory context
param
info The User to be authenticated
param
credentials Authentication credentials
exception
NamingException if a directory server error occurs
if (info == null || credentials == null) return (false); String password = info.password; if (password == null) return (false); // Validate the credentials specified by the user if (containerLog.isTraceEnabled()) containerLog.trace(" validating credentials"); boolean validated = false; if (hasMessageDigest()) { // iPlanet support if the values starts with {SHA1} // The string is in a format compatible with Base64.encode not // the Hex encoding of the parent class. if (password.startsWith("{SHA}")) { /* sync since super.digest() does this same thing */ synchronized (this) { password = password.substring(5); md.reset(); md.update(credentials.getBytes()); String digestedPassword = new String(Base64.encode(md.digest())); validated = password.equals(digestedPassword); } } else if (password.startsWith("{SSHA}")) { // Bugzilla 32938 /* sync since super.digest() does this same thing */ synchronized (this) { password = password.substring(6); md.reset(); md.update(credentials.getBytes()); // Decode stored password. ByteChunk pwbc = new ByteChunk(password.length()); try { pwbc.append(password.getBytes(), 0, password.length()); } catch (IOException e) { // Should never happen containerLog.error("Could not append password bytes to chunk: ", e); } CharChunk decoded = new CharChunk(); Base64.decode(pwbc, decoded); char[] pwarray = decoded.getBuffer(); // Split decoded password into hash and salt. final int saltpos = 20; byte[] hash = new byte[saltpos]; for (int i=0; i< hash.length; i++) { hash[i] = (byte) pwarray[i]; } byte[] salt = new byte[pwarray.length - saltpos]; for (int i=0; i< salt.length; i++) salt[i] = (byte)pwarray[i+saltpos]; md.update(salt); byte[] dp = md.digest(); validated = Arrays.equals(dp, hash); } // End synchronized(this) block } else { // Hex hashes should be compared case-insensitive validated = (digest(credentials).equalsIgnoreCase(password)); } } else validated = (digest(credentials).equals(password)); return (validated);
protected java.lang.String doRFC2254Encoding(java.lang.String inString)
Given an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines. The character mapping is as follows: char -> Replacement --------------------------- * -> \2a ( -> \28 ) -> \29 \ -> \5c \0 -> \00
param
inString string to escape according to RFC 2254 guidelines
return
String the escaped/encoded result
StringBuffer buf = new StringBuffer(inString.length()); for (int i = 0; i < inString.length(); i++) { char c = inString.charAt(i); switch (c) { case '\\": buf.append("\\5c"); break; case '*": buf.append("\\2a"); break; case '(": buf.append("\\28"); break; case ')": buf.append("\\29"); break; case '\0": buf.append("\\00"); break; default: buf.append(c); break; } } return buf.toString();
public java.lang.String getAlternateURL()
Getter for property alternateURL.
return
Value of property alternateURL.
return this.alternateURL;
private java.lang.String getAttributeValue(java.lang.String attrId, javax.naming.directory.Attributes attrs)
Return a String representing the value of the specified attribute.
param
attrId Attribute name
param
attrs Attributes containing the required value
exception
NamingException if a directory server error occurs
if (containerLog.isTraceEnabled()) containerLog.trace(" retrieving attribute " + attrId); if (attrId == null || attrs == null) return null; Attribute attr = attrs.get(attrId); if (attr == null) return (null); Object value = attr.get(); if (value == null) return (null); String valueString = null; if (value instanceof byte[]) valueString = new String((byte[]) value); else valueString = value.toString(); return valueString;
public java.lang.String getAuthentication()
Return the type of authentication to use.
// ------------------------------------------------------------- Properties return authentication;
public java.lang.String getConnectionName()
Return the connection username for this Realm.
return (this.connectionName);
public java.lang.String getConnectionPassword()
Return the connection password for this Realm.
return (this.connectionPassword);
public java.lang.String getConnectionURL()
Return the connection URL for this Realm.
return (this.connectionURL);
public java.lang.String getContextFactory()
Return the JNDI context factory for this Realm.
return (this.contextFactory);
public java.lang.String getDerefAliases()
Return the derefAliases setting to be used.
return derefAliases;
protected java.util.Hashtable getDirectoryContextEnvironment()
Create our directory context configuration.
return
java.util.Hashtable the configuration for the directory context.
Hashtable<String,String> env = new Hashtable<String,String>(); // Configure our directory context environment. if (containerLog.isDebugEnabled() && connectionAttempt == 0) containerLog.debug("Connecting to URL " + connectionURL); else if (containerLog.isDebugEnabled() && connectionAttempt > 0) containerLog.debug("Connecting to URL " + alternateURL); env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory); if (connectionName != null) env.put(Context.SECURITY_PRINCIPAL, connectionName); if (connectionPassword != null) env.put(Context.SECURITY_CREDENTIALS, connectionPassword); if (connectionURL != null && connectionAttempt == 0) env.put(Context.PROVIDER_URL, connectionURL); else if (alternateURL != null && connectionAttempt > 0) env.put(Context.PROVIDER_URL, alternateURL); if (authentication != null) env.put(Context.SECURITY_AUTHENTICATION, authentication); if (protocol != null) env.put(Context.SECURITY_PROTOCOL, protocol); if (referrals != null) env.put(Context.REFERRAL, referrals); if (derefAliases != null) env.put(JNDIRealm.DEREF_ALIASES, derefAliases); return env;
protected java.lang.String getName()
Return a short name for this Realm implementation.
return (name);
protected java.lang.String getPassword(java.lang.String username)
Return the password associated with the given principal's user name.
return (null);
protected java.security.Principal getPrincipal(java.lang.String username)
Return the Principal associated with the given user name.
DirContext context = null; Principal principal = null; try { // Ensure that we have a directory context available context = open(); // Occassionally the directory context will timeout. Try one more // time before giving up. try { // Authenticate the specified username if possible principal = getPrincipal(context, username); } catch (CommunicationException e) { // log the exception so we know it's there. containerLog.warn(sm.getString("jndiRealm.exception"), e); // close the connection so we know it will be reopened. if (context != null) close(context); // open a new directory context. context = open(); // Try the authentication again. principal = getPrincipal(context, username); } // Release this context release(context); // Return the authenticated Principal (if any) return (principal); } catch (NamingException e) { // Log the problem for posterity containerLog.error(sm.getString("jndiRealm.exception"), e); // Close the connection so that it gets reopened next time if (context != null) close(context); // Return "not authenticated" for this request return (null); }
protected synchronized java.security.Principal getPrincipal(javax.naming.directory.DirContext context, java.lang.String username)
Return the Principal associated with the given user name.
User user = getUser(context, username); return new GenericPrincipal(this, user.username, user.password , getRoles(context, user));
public java.lang.String getProtocol()
Return the protocol to be used.
return protocol;
public java.lang.String getReferrals()
Returns the current settings for handling JNDI referrals.
return referrals;
public java.lang.String getRoleBase()
Return the base element for role searches.
return (this.roleBase);
public java.lang.String getRoleName()
Return the role name attribute name for this Realm.
return (this.roleName);
public java.lang.String getRoleSearch()
Return the message format pattern for selecting roles in this Realm.
return (this.roleSearch);
public boolean getRoleSubtree()
Return the "search subtree for roles" flag.
return (this.roleSubtree);
protected java.util.List getRoles(javax.naming.directory.DirContext context, org.apache.catalina.realm.User user)
Return a List of roles associated with the given User. Any roles present in the user's directory entry are supplemented by a directory search. If no roles are associated with this user, a zero-length List is returned.
param
context The directory context we are searching
param
user The User to be checked
exception
NamingException if a directory server error occurs
if (user == null) return (null); String dn = user.dn; String username = user.username; if (dn == null || username == null) return (null); if (containerLog.isTraceEnabled()) containerLog.trace(" getRoles(" + dn + ")"); // Start with roles retrieved from the user entry ArrayList<String> list = user.roles; if (list == null) { list = new ArrayList<String>(); } // Are we configured to do role searches? if ((roleFormat == null) || (roleName == null)) return (list); // Set up parameters for an appropriate search String filter = roleFormat.format(new String[] { doRFC2254Encoding(dn), username }); SearchControls controls = new SearchControls(); if (roleSubtree) controls.setSearchScope(SearchControls.SUBTREE_SCOPE); else controls.setSearchScope(SearchControls.ONELEVEL_SCOPE); controls.setReturningAttributes(new String[] {roleName}); // Perform the configured search and process the results NamingEnumeration results = context.search(roleBase, filter, controls); if (results == null) return (list); // Should never happen, but just in case ... while (results.hasMore()) { SearchResult result = (SearchResult) results.next(); Attributes attrs = result.getAttributes(); if (attrs == null) continue; list = addAttributeValues(roleName, attrs, list); } if (containerLog.isTraceEnabled()) { if (list != null) { containerLog.trace(" Returning " + list.size() + " roles"); for (int i=0; i<list.size(); i++) containerLog.trace( " Found role " + list.get(i)); } else { containerLog.trace(" getRoles about to return null "); } } return (list);
protected org.apache.catalina.realm.User getUser(javax.naming.directory.DirContext context, java.lang.String username)
Return a User object containing information about the user with the specified username, if found in the directory; otherwise return null. If the userPassword configuration attribute is specified, the value of that attribute is retrieved from the user's directory entry. If the userRoleName configuration attribute is specified, all values of that attribute are retrieved from the directory entry.
param
context The directory context
param
username Username to be looked up
exception
NamingException if a directory server error occurs
User user = null; // Get attributes to retrieve from user entry ArrayList<String> list = new ArrayList<String>(); if (userPassword != null) list.add(userPassword); if (userRoleName != null) list.add(userRoleName); String[] attrIds = new String[list.size()]; list.toArray(attrIds); // Use pattern or search for user entry if (userPatternFormatArray != null) { user = getUserByPattern(context, username, attrIds); } else { user = getUserBySearch(context, username, attrIds); } return user;
public java.lang.String getUserBase()
Return the base element for user searches.
return (this.userBase);
protected org.apache.catalina.realm.User getUserByPattern(javax.naming.directory.DirContext context, java.lang.String username, java.lang.String[] attrIds)
Use the UserPattern configuration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise return null.
param
context The directory context
param
username The username
param
attrIds String[]containing names of attributes to retrieve.
exception
NamingException if a directory server error occurs
if (username == null || userPatternFormatArray[curUserPattern] == null) return (null); // Form the dn from the user pattern String dn = userPatternFormatArray[curUserPattern].format(new String[] { username }); // Get required attributes from user entry Attributes attrs = null; try { attrs = context.getAttributes(dn, attrIds); } catch (NameNotFoundException e) { return (null); } if (attrs == null) return (null); // Retrieve value of userPassword String password = null; if (userPassword != null) password = getAttributeValue(userPassword, attrs); // Retrieve values of userRoleName attribute ArrayList<String> roles = null; if (userRoleName != null) roles = addAttributeValues(userRoleName, attrs, roles); return new User(username, dn, password, roles);
protected org.apache.catalina.realm.User getUserBySearch(javax.naming.directory.DirContext context, java.lang.String username, java.lang.String[] attrIds)
Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise return null.
param
context The directory context
param
username The username
param
attrIds String[]containing names of attributes to retrieve.
exception
NamingException if a directory server error occurs
if (username == null || userSearchFormat == null) return (null); // Form the search filter String filter = userSearchFormat.format(new String[] { username }); // Set up the search controls SearchControls constraints = new SearchControls(); if (userSubtree) { constraints.setSearchScope(SearchControls.SUBTREE_SCOPE); } else { constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE); } // Specify the attributes to be retrieved if (attrIds == null) attrIds = new String[0]; constraints.setReturningAttributes(attrIds); NamingEnumeration results = context.search(userBase, filter, constraints); // Fail if no entries found if (results == null || !results.hasMore()) { return (null); } // Get result for the first entry found SearchResult result = (SearchResult)results.next(); // Check no further entries were found if (results.hasMore()) { if(containerLog.isInfoEnabled()) containerLog.info("username " + username + " has multiple entries"); return (null); } // Get the entry's distinguished name NameParser parser = context.getNameParser(""); Name contextName = parser.parse(context.getNameInNamespace()); Name baseName = parser.parse(userBase); // Bugzilla 32269 Name entryName = parser.parse(new CompositeName(result.getName()).get(0)); Name name = contextName.addAll(baseName); name = name.addAll(entryName); String dn = name.toString(); if (containerLog.isTraceEnabled()) containerLog.trace(" entry found for " + username + " with dn " + dn); // Get the entry's attributes Attributes attrs = result.getAttributes(); if (attrs == null) return null; // Retrieve value of userPassword String password = null; if (userPassword != null) password = getAttributeValue(userPassword, attrs); // Retrieve values of userRoleName attribute ArrayList<String> roles = null; if (userRoleName != null) roles = addAttributeValues(userRoleName, attrs, roles); return new User(username, dn, password, roles);
public java.lang.String getUserPassword()
Return the password attribute used to retrieve the user password.
return (this.userPassword);
public java.lang.String getUserPattern()
Return the message format pattern for selecting users in this Realm.
return (this.userPattern);
public java.lang.String getUserRoleName()
Return the user role name attribute name for this Realm.
return userRoleName;
public java.lang.String getUserSearch()
Return the message format pattern for selecting users in this Realm.
return (this.userSearch);
public boolean getUserSubtree()
Return the "search subtree for users" flag.
return (this.userSubtree);
protected javax.naming.directory.DirContext open()
Open (if necessary) and return a connection to the configured directory server for this Realm.
exception
NamingException if a directory server error occurs
// Do nothing if there is a directory server connection already open if (context != null) return (context); try { // Ensure that we have a directory context available context = new InitialDirContext(getDirectoryContextEnvironment()); } catch (Exception e) { connectionAttempt = 1; // log the first exception. containerLog.warn(sm.getString("jndiRealm.exception"), e); // Try connecting to the alternate url. context = new InitialDirContext(getDirectoryContextEnvironment()); } finally { // reset it in case the connection times out. // the primary may come back. connectionAttempt = 0; } return (context);
protected java.lang.String[] parseUserPatternString(java.lang.String userPatternString)
Given a string containing LDAP patterns for user locations (separated by parentheses in a pseudo-LDAP search string format - "(location1)(location2)", returns an array of those paths. Real LDAP search strings are supported as well (though only the "|" "OR" type).
param
userPatternString - a string LDAP search paths surrounded by parentheses
if (userPatternString != null) { ArrayList<String> pathList = new ArrayList<String>(); int startParenLoc = userPatternString.indexOf('("); if (startParenLoc == -1) { // no parens here; return whole thing return new String[] {userPatternString}; } int startingPoint = 0; while (startParenLoc > -1) { int endParenLoc = 0; // weed out escaped open parens and parens enclosing the // whole statement (in the case of valid LDAP search // strings: (|(something)(somethingelse)) while ( (userPatternString.charAt(startParenLoc + 1) == '|") || (startParenLoc != 0 && userPatternString.charAt(startParenLoc - 1) == '\\") ) { startParenLoc = userPatternString.indexOf("(", startParenLoc+1); } endParenLoc = userPatternString.indexOf(")", startParenLoc+1); // weed out escaped end-parens while (userPatternString.charAt(endParenLoc - 1) == '\\") { endParenLoc = userPatternString.indexOf(")", endParenLoc+1); } String nextPathPart = userPatternString.substring (startParenLoc+1, endParenLoc); pathList.add(nextPathPart); startingPoint = endParenLoc+1; startParenLoc = userPatternString.indexOf('(", startingPoint); } return (String[])pathList.toArray(new String[] {}); } return null;
protected void release(javax.naming.directory.DirContext context)
Release our use of this connection so that it can be recycled.
param
context The directory context to release
; // NO-OP since we are not pooling anything
public void setAlternateURL(java.lang.String alternateURL)
Setter for property alternateURL.
param
alternateURL New value of property alternateURL.
this.alternateURL = alternateURL;
public void setAuthentication(java.lang.String authentication)
Set the type of authentication to use.
param
authentication The authentication
this.authentication = authentication;
public void setConnectionName(java.lang.String connectionName)
Set the connection username for this Realm.
param
connectionName The new connection username
this.connectionName = connectionName;
public void setConnectionPassword(java.lang.String connectionPassword)
Set the connection password for this Realm.
param
connectionPassword The new connection password
this.connectionPassword = connectionPassword;
public void setConnectionURL(java.lang.String connectionURL)
Set the connection URL for this Realm.
param
connectionURL The new connection URL
this.connectionURL = connectionURL;
public void setContextFactory(java.lang.String contextFactory)
Set the JNDI context factory for this Realm.
param
contextFactory The new context factory
this.contextFactory = contextFactory;
public void setDerefAliases(java.lang.String derefAliases)
Set the value for derefAliases to be used when searching the directory.
param
derefAliases New value of property derefAliases.
this.derefAliases = derefAliases;
public void setProtocol(java.lang.String protocol)
Set the protocol for this Realm.
param
protocol The new protocol.
this.protocol = protocol;
public void setReferrals(java.lang.String referrals)
How do we handle JNDI referrals? ignore, follow, or throw (see javax.naming.Context.REFERRAL for more information).
this.referrals = referrals;
public void setRoleBase(java.lang.String roleBase)
Set the base element for role searches.
param
roleBase The new base element
this.roleBase = roleBase;
public void setRoleName(java.lang.String roleName)
Set the role name attribute name for this Realm.
param
roleName The new role name attribute name
this.roleName = roleName;
public void setRoleSearch(java.lang.String roleSearch)
Set the message format pattern for selecting roles in this Realm.
param
roleSearch The new role search pattern
this.roleSearch = roleSearch; if (roleSearch == null) roleFormat = null; else roleFormat = new MessageFormat(roleSearch);
public void setRoleSubtree(boolean roleSubtree)
Set the "search subtree for roles" flag.
param
roleSubtree The new search flag
this.roleSubtree = roleSubtree;
public void setUserBase(java.lang.String userBase)
Set the base element for user searches.
param
userBase The new base element
this.userBase = userBase;
public void setUserPassword(java.lang.String userPassword)
Set the password attribute used to retrieve the user password.
param
userPassword The new password attribute
this.userPassword = userPassword;
public void setUserPattern(java.lang.String userPattern)
Set the message format pattern for selecting users in this Realm. This may be one simple pattern, or multiple patterns to be tried, separated by parentheses. (for example, either "cn={0}", or "(cn={0})(cn={0},o=myorg)" Full LDAP search strings are also supported, but only the "OR", "|" syntax, so "(|(cn={0})(cn={0},o=myorg))" is also valid. Complex search strings with &, etc are NOT supported.
param
userPattern The new user pattern
this.userPattern = userPattern; if (userPattern == null) userPatternArray = null; else { userPatternArray = parseUserPatternString(userPattern); int len = this.userPatternArray.length; userPatternFormatArray = new MessageFormat[len]; for (int i=0; i < len; i++) { userPatternFormatArray[i] = new MessageFormat(userPatternArray[i]); } }
public void setUserRoleName(java.lang.String userRoleName)
Set the user role name attribute name for this Realm.
param
userRoleName The new userRole name attribute name
this.userRoleName = userRoleName;
public void setUserSearch(java.lang.String userSearch)
Set the message format pattern for selecting users in this Realm.
param
userSearch The new user search pattern
this.userSearch = userSearch; if (userSearch == null) userSearchFormat = null; else userSearchFormat = new MessageFormat(userSearch);
public void setUserSubtree(boolean userSubtree)
Set the "search subtree for users" flag.
param
userSubtree The new search flag
this.userSubtree = userSubtree;
public void start()
Prepare for active use of the public methods of this Component.
exception
LifecycleException if this component detects a fatal error that prevents it from being started
// Perform normal superclass initialization super.start(); // Validate that we can open our connection try { open(); } catch (NamingException e) { throw new LifecycleException(sm.getString("jndiRealm.open"), e); }
public void stop()
Gracefully shut down active use of the public methods of this Component.
exception
LifecycleException if this component detects a fatal error that needs to be reported
// Perform normal superclass finalization super.stop(); // Close any open directory server connection close(this.context);