JNDIRealm.javaAPI DocGlassfish v2 API45716Fri May 04 22:32:18 BST 2007org.apache.catalina.realm


public class JNDIRealm extends RealmBase

Implementation of Realm that works with a directory server accessed via the Java Naming and Directory Interface (JNDI) APIs. The following constraints are imposed on the data structure in the underlying directory server:

  • Each user that can be authenticated is represented by an individual element in the top level DirContext that is accessed via the connectionURL property.
  • If a socket connection can not be made to the connectURL an attempt will be made to use the alternateURL if it exists.
  • Each user element has a distinguished name that can be formed by substituting the presented username into a pattern configured by the userPattern property.
  • Alternatively, if the userPattern property is not specified, a unique element can be located by searching the directory context. In this case:
    • The userSearch pattern specifies the search filter after substitution of the username.
    • The userBase property can be set to the element that is the base of the subtree containing users. If not specified, the search base is the top-level context.
    • The userSubtree property can be set to true if you wish to search the entire subtree of the directory context. The default value of false requests a search of only the current level.
  • The user may be authenticated by binding to the directory with the username and password presented. This method is used when the userPassword property is not specified.
  • The user may be authenticated by retrieving the value of an attribute from the directory and comparing it explicitly with the value presented by the user. This method is used when the userPassword property is specified, in which case:
    • The element for this user must contain an attribute named by the userPassword property.
    • The value of the user password attribute is either a cleartext String, or the result of passing a cleartext String through the RealmBase.digest() method (using the standard digest support included in RealmBase).
    • The user is considered to be authenticated if the presented credentials (after being passed through RealmBase.digest()) are equal to the retrieved value for the user password attribute.
  • Each group of users that has been assigned a particular role may be represented by an individual element in the top level DirContext that is accessed via the connectionURL property. This element has the following characteristics:
    • The set of all possible groups of interest can be selected by a search pattern configured by the roleSearch property.
    • The roleSearch pattern optionally includes pattern replacements "{0}" for the distinguished name, and/or "{1}" for the username, of the authenticated user for which roles will be retrieved.
    • The roleBase property can be set to the element that is the base of the search for matching roles. If not specified, the entire context will be searched.
    • The roleSubtree property can be set to true if you wish to search the entire subtree of the directory context. The default value of false requests a search of only the current level.
    • The element includes an attribute (whose name is configured by the roleName property) containing the name of the role represented by this element.
  • In addition, roles may be represented by the values of an attribute in the user's element whose name is configured by the userRoleName property.
  • Note that the standard <security-role-ref> element in the web application deployment descriptor allows applications to refer to roles programmatically by names other than those used in the directory server itself.

TODO - Support connection pooling (including message format objects) so that authenticate() does not have to be synchronized.

WARNING - There is a reported bug against the Netscape provider code (com.netscape.jndi.ldap.LdapContextFactory) with respect to successfully authenticated a non-existing user. The report is here: . With luck, Netscape has updated their provider code and this is not an issue.

John Holman
Craig R. McClanahan
$Revision: 1.3 $ $Date: 2007/05/05 05:32:17 $

Fields Summary
protected String
The type of authentication to use
protected String
The connection username for the server we will contact.
protected String
The connection password for the server we will contact.
protected String
The connection URL for the server we will contact.
protected DirContext
The directory context linking us to our directory server.
protected String
The JNDI context factory used to acquire our InitialContext. By default, assumes use of an LDAP server using the standard JNDI LDAP provider.
protected static final String
Descriptive information about this Realm implementation.
protected static final String
Descriptive information about this Realm implementation.
protected String
The protocol that will be used in the communication with the directory server.
protected String
How should we handle referrals? Microsoft Active Directory can't handle the default case, so an application authenticating against AD must set referrals to "follow".
protected String
The base element for user searches.
protected String
The message format used to search for a user, with "{0}" marking the spot where the username goes.
protected MessageFormat
The MessageFormat object associated with the current userSearch.
protected boolean
Should we search the entire subtree for matching users?
protected String
The attribute name used to retrieve the user password.
protected String
The message format used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.
protected MessageFormat
The MessageFormat object associated with the current userPattern.
protected String
The base element for role searches.
protected MessageFormat
The MessageFormat object associated with the current roleSearch.
protected String
The name of an attribute in the user's entry containing roles for that user
protected String
The name of the attribute containing roles held elsewhere
protected String
The message format used to select roles for a user, with "{0}" marking the spot where the distinguished name of the user goes.
protected boolean
Should we search the entire subtree for matching memberships?
protected String
An alternate URL, to which, we should connect if connectionURL fails.
protected int
The number of connection attempts. If greater than zero we use the alternate url.
Constructors Summary
Methods Summary
private java.util.ArrayListaddAttributeValues(java.lang.String attrId, attrs, java.util.ArrayList values)
Add values of a specified attribute to a list

attrId Attribute name
attrs Attributes containing the new values
values ArrayList containing values found so far
NamingException if a directory server error occurs

        if (debug >= 3)
            log("  retrieving values for attribute " + attrId);
        if (attrId == null || attrs == null)
            return values;
        if (values == null)
            values = new ArrayList();
        Attribute attr = attrs.get(attrId);
        if (attr == null)
            return (values);
        NamingEnumeration e = attr.getAll();
        while(e.hasMore()) {
            String value = (String);
        return values;
public username, java.lang.String credentials)
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null. If there are any errors with the JDBC connection, executing the query or anything we return null (don't authenticate). This event is also logged, and the connection will be closed so that a subsequent request will automatically re-open it.

username Username of the Principal to look up
credentials Password or other credentials to use in authenticating this username

        DirContext context = null;
        Principal principal = null;

        try {

            // Ensure that we have a directory context available
            context = open();

            // Occassionally the directory context will timeout.  Try one more
            // time before giving up.
            try {

                // Authenticate the specified username if possible
                principal = authenticate(context, username, credentials);

            } catch (CommunicationException e) {

                // If contains the work closed. Then assume socket is closed.
                // If message is null, assume the worst and allow the
                // connection to be closed.
                if (e.getMessage()!=null &&
                    e.getMessage().indexOf("closed") < 0)

                // log the exception so we know it's there.
                log(sm.getString("jndiRealm.exception"), e);

                // close the connection so we know it will be reopened.
                if (context != null)

                // open a new directory context.
                context = open();

                // Try the authentication again.
                principal = authenticate(context, username, credentials);


            // Release this context

            // Return the authenticated Principal (if any)
            return (principal);

        } catch (NamingException e) {

            // Log the problem for posterity
            log(sm.getString("jndiRealm.exception"), e);

            // Close the connection so that it gets reopened next time
            if (context != null)

            // Return "not authenticated" for this request
            return (null);


public synchronized context, java.lang.String username, java.lang.String credentials)
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.

context The directory context
username Username of the Principal to look up
credentials Password or other credentials to use in authenticating this username
NamingException if a directory server error occurs

        if (username == null || username.equals("")
            || credentials == null || credentials.equals(""))
            return (null);

        // Retrieve user information
        User user = getUser(context, username);
        if (user == null)
            return (null);

        // Check the user's credentials
        if (!checkCredentials(context, user, credentials))
            return (null);

        // Search for additional roles
        List roles = getRoles(context, user);

        // Create and return a suitable Principal for this user
        return (new GenericPrincipal(this, username, credentials, roles));

protected booleanbindAsUser( context, org.apache.catalina.realm.User user, java.lang.String credentials)
Check credentials by binding to the directory as the user

context The directory context
user The User to be authenticated
credentials Authentication credentials
NamingException if a directory server error occurs

         Attributes attr;

         if (credentials == null || user == null)
             return (false);

         String dn = user.dn;
         if (dn == null)
             return (false);

         // Validate the credentials specified by the user
         if (debug >= 3) {
             log("  validating credentials by binding as the user");

        // Set up security environment to bind as the user
        context.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
        context.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);

        // Elicit an LDAP bind operation
        boolean validated = false;
        try {
            if (debug > 2) {
                log("  binding as "  + dn);
            attr = context.getAttributes("", null);
            validated = true;
        catch (AuthenticationException e) {
            if (debug > 2) {
                log("  bind attempt failed");

        // Restore the original security environment
        if (connectionName != null) {
        } else {

        if (connectionPassword != null) {
        else {

        return (validated);
protected booleancheckCredentials( context, org.apache.catalina.realm.User user, java.lang.String credentials)
Check whether the given User can be authenticated with the given credentials. If the userPassword configuration attribute is specified, the credentials previously retrieved from the directory are compared explicitly with those presented by the user. Otherwise the presented credentials are checked by binding to the directory as the user.

context The directory context
user The User to be authenticated
credentials The credentials presented by the user
NamingException if a directory server error occurs

         boolean validated = false;

         if (userPassword == null) {
             validated = bindAsUser(context, user, credentials);
         } else {
             validated = compareCredentials(context, user, credentials);

         if (debug >= 2) {
             if (validated) {
             } else {
         return (validated);
protected voidclose( context)
Close any open connection to the directory server for this Realm.

context The directory context to be closed

        // Do nothing if there is no opened connection
        if (context == null)

        // Close our opened connection
        try {
            if (debug >= 1)
                log("Closing directory context");
        } catch (NamingException e) {
            log(sm.getString("jndiRealm.close"), e);
        this.context = null;

protected booleancompareCredentials( context, org.apache.catalina.realm.User info, java.lang.String credentials)
Check whether the credentials presented by the user match those retrieved from the directory.

context The directory context
user The User to be authenticated
credentials Authentication credentials
NamingException if a directory server error occurs

        if (info == null || credentials == null)
            return (false);

        String password = info.password;
        if (password == null)
            return (false);

        // Validate the credentials specified by the user
        if (debug >= 3)
            log("  validating credentials");

        boolean validated = false;
        if (hasMessageDigest()) {
            // iPlanet support if the values starts with {SHA1}
            // The string is in a format compatible with Base64.encode not
            // the Hex encoding of the parent class.
            if (password.startsWith("{SHA}")) {
                /* sync since super.digest() does this same thing */
                synchronized (this) {
                    password = password.substring(5);
                    String digestedPassword = new String(Base64.encode(md.digest()));
                    validated = password.equals(digestedPassword);
            } else {
                // Hex hashes should be compared case-insensitive
                validated = (digest(credentials).equalsIgnoreCase(password));
        } else
            validated = (digest(credentials).equals(password));
        return (validated);

public java.lang.StringgetAlternateURL()
Getter for property alternateURL.

Value of property alternateURL.

        return this.alternateURL;

private java.lang.StringgetAttributeValue(java.lang.String attrId, attrs)
Return a String representing the value of the specified attribute.

attrId Attribute name
attrs Attributes containing the required value
NamingException if a directory server error occurs

        if (debug >= 3)
            log("  retrieving attribute " + attrId);

        if (attrId == null || attrs == null)
            return null;

        Attribute attr = attrs.get(attrId);
        if (attr == null)
            return (null);
        Object value = attr.get();
        if (value == null)
            return (null);
        String valueString = null;
        if (value instanceof byte[])
            valueString = new String((byte[]) value);
            valueString = value.toString();

        return valueString;
public java.lang.StringgetAuthentication()
Return the type of authentication to use.

    // ------------------------------------------------------------- Properties


        return authentication;

public java.lang.StringgetConnectionName()
Return the connection username for this Realm.

        return (this.connectionName);

public java.lang.StringgetConnectionPassword()
Return the connection password for this Realm.

        return (this.connectionPassword);

public java.lang.StringgetConnectionURL()
Return the connection URL for this Realm.

        return (this.connectionURL);

public java.lang.StringgetContextFactory()
Return the JNDI context factory for this Realm.

        return (this.contextFactory);

protected java.util.HashtablegetDirectoryContextEnvironment()
Create our directory context configuration.

java.util.Hashtable the configuration for the directory context.

        Hashtable env = new Hashtable();

        // Configure our directory context environment.
        if (debug >= 1 && connectionAttempt == 0)
            log("Connecting to URL " + connectionURL);
        else if (debug >= 1 && connectionAttempt > 0)
            log("Connecting to URL " + alternateURL);
        env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
        if (connectionName != null)
            env.put(Context.SECURITY_PRINCIPAL, connectionName);
        if (connectionPassword != null)
            env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
        if (connectionURL != null && connectionAttempt == 0)
            env.put(Context.PROVIDER_URL, connectionURL);
        else if (alternateURL != null && connectionAttempt > 0)
            env.put(Context.PROVIDER_URL, alternateURL);
        if (authentication != null)
            env.put(Context.SECURITY_AUTHENTICATION, authentication);
        if (protocol != null)
            env.put(Context.SECURITY_PROTOCOL, protocol);
        if (referrals != null)
            env.put(Context.REFERRAL, referrals);

        return env;

protected java.lang.StringgetName()
Return a short name for this Realm implementation.

        return (;

protected java.lang.StringgetPassword(java.lang.String username)
Return the password associated with the given principal's user name.

        return (null);

protected username)
Return the Principal associated with the given user name.

        return (null);

public java.lang.StringgetProtocol()
Return the protocol to be used.

        return protocol;

public java.lang.StringgetReferrals()
Returns the current settings for handling JNDI referrals.

        return referrals;
public java.lang.StringgetRoleBase()
Return the base element for role searches.

        return (this.roleBase);

public java.lang.StringgetRoleName()
Return the role name attribute name for this Realm.

        return (this.roleName);

public java.lang.StringgetRoleSearch()
Return the message format pattern for selecting roles in this Realm.

        return (this.roleSearch);

public booleangetRoleSubtree()
Return the "search subtree for roles" flag.

        return (this.roleSubtree);

protected java.util.ListgetRoles( context, org.apache.catalina.realm.User user)
Return a List of roles associated with the given User. Any roles present in the user's directory entry are supplemented by a directory search. If no roles are associated with this user, a zero-length List is returned.

context The directory context we are searching
user The User to be checked
NamingException if a directory server error occurs

        if (user == null)
            return (null);

        String dn = user.dn;
        String username = user.username;

        if (dn == null || username == null)
            return (null);

        if (debug >= 2)
            log("  getRoles(" + dn + ")");

        // Start with roles retrieved from the user entry
        ArrayList list = user.roles;
        if (list == null) {
            list = new ArrayList();

        // Are we configured to do role searches?
        if ((roleFormat == null) || (roleName == null))
            return (list);

        // Set up parameters for an appropriate search
        String filter = roleFormat.format(new String[] { dn, username });
        SearchControls controls = new SearchControls();
        if (roleSubtree)
        controls.setReturningAttributes(new String[] {roleName});

        // Perform the configured search and process the results
        if (debug >= 3) {
            log("  Searching role base '" + roleBase + "' for attribute '" +
                roleName + "'");
            log("  With filter expression '" + filter + "'");
        NamingEnumeration results =
  , filter, controls);
        if (results == null)
            return (list);  // Should never happen, but just in case ...
        while (results.hasMore()) {
            SearchResult result = (SearchResult);
            Attributes attrs = result.getAttributes();
            if (attrs == null)
            list = addAttributeValues(roleName, attrs, list);

        if (debug >= 2) {
            if (list != null) {
                log("  Returning " + list.size() + " roles");
                for (int i=0; i<list.size(); i++)
                    log(  "  Found role " + list.get(i));
            } else {
                log("  getRoles about to return null ");

        return (list);
protected org.apache.catalina.realm.UsergetUser( context, java.lang.String username)
Return a User object containing information about the user with the specified username, if found in the directory; otherwise return null. If the userPassword configuration attribute is specified, the value of that attribute is retrieved from the user's directory entry. If the userRoleName configuration attribute is specified, all values of that attribute are retrieved from the directory entry.

context The directory context
username Username to be looked up
NamingException if a directory server error occurs

        User user = null;

        // Get attributes to retrieve from user entry
        ArrayList list = new ArrayList();
        if (userPassword != null)
        if (userRoleName != null)
        String[] attrIds = new String[list.size()];

        // Use pattern or search for user entry
        if (userPatternFormat != null) {
            user = getUserByPattern(context, username, attrIds);
        } else {
            user = getUserBySearch(context, username, attrIds);

        return user;
public java.lang.StringgetUserBase()
Return the base element for user searches.

        return (this.userBase);

protected org.apache.catalina.realm.UsergetUserByPattern( context, java.lang.String username, java.lang.String[] attrIds)
Use the UserPattern configuration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise return null.

context The directory context
username The username
attrIds String[]containing names of attributes to retrieve.
NamingException if a directory server error occurs

        if (debug >= 2)
            log("lookupUser(" + username + ")");

        if (username == null || userPatternFormat == null)
            return (null);

        // Form the dn from the user pattern
        String dn = userPatternFormat.format(new String[] { username });
        if (debug >= 3) {
            log("  dn=" + dn);

        // Return if no attributes to retrieve
        if (attrIds == null || attrIds.length == 0)
            return new User(username, dn, null, null);

        // Get required attributes from user entry
        Attributes attrs = null;
        try {
            attrs = context.getAttributes(dn, attrIds);
        } catch (NameNotFoundException e) {
            return (null);
        if (attrs == null)
            return (null);

        // Retrieve value of userPassword
        String password = null;
        if (userPassword != null)
            password = getAttributeValue(userPassword, attrs);

        // Retrieve values of userRoleName attribute
        ArrayList roles = null;
        if (userRoleName != null)
            roles = addAttributeValues(userRoleName, attrs, roles);

        return new User(username, dn, password, roles);
protected org.apache.catalina.realm.UsergetUserBySearch( context, java.lang.String username, java.lang.String[] attrIds)
Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise return null.

context The directory context
username The username
attrIds String[]containing names of attributes to retrieve.
NamingException if a directory server error occurs

        if (username == null || userSearchFormat == null)
            return (null);

        // Form the search filter
        String filter = userSearchFormat.format(new String[] { username });

        // Set up the search controls
        SearchControls constraints = new SearchControls();

        if (userSubtree) {
        else {

        // Specify the attributes to be retrieved
        if (attrIds == null)
            attrIds = new String[0];

        if (debug > 3) {
            log("  Searching for " + username);
            log("  base: " + userBase + "  filter: " + filter);

        NamingEnumeration results =
  , filter, constraints);

        // Fail if no entries found
        if (results == null || !results.hasMore()) {
            if (debug > 2) {
                log("  username not found");
            return (null);

        // Get result for the first entry found
        SearchResult result = (SearchResult);

        // Check no further entries were found
        if (results.hasMore()) {
            log("username " + username + " has multiple entries");
            return (null);

        // Get the entry's distinguished name
        NameParser parser = context.getNameParser("");
        Name contextName = parser.parse(context.getNameInNamespace());
        Name baseName = parser.parse(userBase);
        Name entryName = parser.parse(result.getName());
        Name name = contextName.addAll(baseName);
        name = name.addAll(entryName);
        String dn = name.toString();

        if (debug > 2)
            log("  entry found for " + username + " with dn " + dn);

        // Get the entry's attributes
        Attributes attrs = result.getAttributes();
        if (attrs == null)
            return null;

        // Retrieve value of userPassword
        String password = null;
        if (userPassword != null)
            password = getAttributeValue(userPassword, attrs);

        // Retrieve values of userRoleName attribute
        ArrayList roles = null;
        if (userRoleName != null)
            roles = addAttributeValues(userRoleName, attrs, roles);

        return new User(username, dn, password, roles);
public java.lang.StringgetUserPassword()
Return the password attribute used to retrieve the user password.

        return (this.userPassword);

public java.lang.StringgetUserPattern()
Return the message format pattern for selecting users in this Realm.

        return (this.userPattern);

public java.lang.StringgetUserRoleName()
Return the user role name attribute name for this Realm.

        return userRoleName;
public java.lang.StringgetUserSearch()
Return the message format pattern for selecting users in this Realm.

        return (this.userSearch);

public booleangetUserSubtree()
Return the "search subtree for users" flag.

        return (this.userSubtree);

Open (if necessary) and return a connection to the configured directory server for this Realm.

NamingException if a directory server error occurs

        // Do nothing if there is a directory server connection already open
        if (context != null)
            return (context);

        try {

            // Ensure that we have a directory context available
            context = new InitialDirContext(getDirectoryContextEnvironment());

        } catch (NamingException e) {

            connectionAttempt = 1;

            // log the first exception.
            log(sm.getString("jndiRealm.exception"), e);

            // Try connecting to the alternate url.
            context = new InitialDirContext(getDirectoryContextEnvironment());

        } finally {

            // reset it in case the connection times out.
            // the primary may come back.
            connectionAttempt = 0;


        return (context);

protected voidrelease( context)
Release our use of this connection so that it can be recycled.

context The directory context to release

        ; // NO-OP since we are not pooling anything

public voidsetAlternateURL(java.lang.String alternateURL)
Setter for property alternateURL.

alternateURL New value of property alternateURL.

        this.alternateURL = alternateURL;

public voidsetAuthentication(java.lang.String authentication)
Set the type of authentication to use.

authentication The authentication

        this.authentication = authentication;

public voidsetConnectionName(java.lang.String connectionName)
Set the connection username for this Realm.

connectionName The new connection username

        this.connectionName = connectionName;

public voidsetConnectionPassword(java.lang.String connectionPassword)
Set the connection password for this Realm.

connectionPassword The new connection password

        this.connectionPassword = connectionPassword;

public voidsetConnectionURL(java.lang.String connectionURL)
Set the connection URL for this Realm.

connectionURL The new connection URL

        this.connectionURL = connectionURL;

public voidsetContextFactory(java.lang.String contextFactory)
Set the JNDI context factory for this Realm.

contextFactory The new context factory

        this.contextFactory = contextFactory;

public voidsetProtocol(java.lang.String protocol)
Set the protocol for this Realm.

protocol The new protocol.

        this.protocol = protocol;

public voidsetReferrals(java.lang.String referrals)
How do we handle JNDI referrals? ignore, follow, or throw (see javax.naming.Context.REFERRAL for more information).

        this.referrals = referrals;
public voidsetRoleBase(java.lang.String roleBase)
Set the base element for role searches.

roleBase The new base element

        this.roleBase = roleBase;

public voidsetRoleName(java.lang.String roleName)
Set the role name attribute name for this Realm.

roleName The new role name attribute name

        this.roleName = roleName;

public voidsetRoleSearch(java.lang.String roleSearch)
Set the message format pattern for selecting roles in this Realm.

roleSearch The new role search pattern

        this.roleSearch = roleSearch;
        if (roleSearch == null)
            roleFormat = null;
            roleFormat = new MessageFormat(roleSearch);

public voidsetRoleSubtree(boolean roleSubtree)
Set the "search subtree for roles" flag.

roleSubtree The new search flag

        this.roleSubtree = roleSubtree;

public voidsetUserBase(java.lang.String userBase)
Set the base element for user searches.

userBase The new base element

        this.userBase = userBase;

public voidsetUserPassword(java.lang.String userPassword)
Set the password attribute used to retrieve the user password.

userPassword The new password attribute

        this.userPassword = userPassword;

public voidsetUserPattern(java.lang.String userPattern)
Set the message format pattern for selecting users in this Realm.

userPattern The new user pattern

        this.userPattern = userPattern;
        if (userPattern == null)
            userPatternFormat = null;
            userPatternFormat = new MessageFormat(userPattern);

public voidsetUserRoleName(java.lang.String userRoleName)
Set the user role name attribute name for this Realm.

userRoleName The new userRole name attribute name

        this.userRoleName = userRoleName;

public voidsetUserSearch(java.lang.String userSearch)
Set the message format pattern for selecting users in this Realm.

userSearch The new user search pattern

        this.userSearch = userSearch;
        if (userSearch == null)
            userSearchFormat = null;
            userSearchFormat = new MessageFormat(userSearch);

public voidsetUserSubtree(boolean userSubtree)
Set the "search subtree for users" flag.

userSubtree The new search flag

        this.userSubtree = userSubtree;

public voidstart()
Prepare for active use of the public methods of this Component.

LifecycleException if this component detects a fatal error that prevents it from being started

        // Validate that we can open our connection
        try {
        } catch (NamingException e) {
            throw new LifecycleException(sm.getString(""), e);

        // Perform normal superclass initialization

public voidstop()
Gracefully shut down active use of the public methods of this Component.

LifecycleException if this component detects a fatal error that needs to be reported

        // Perform normal superclass finalization

        // Close any open directory server connection