Thanks for the review and fix > -----Original Message----- > From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] > Sent: Sunday, July 01, 2012 6:06 AM > To: Tomcat Developers List > Subject: Re: svn commit: r1355615 - in /tomcat/trunk: > java/org/apache/catalina/realm/JNDIRealm.java > webapps/docs/config/realm.xml > > 2012/6/30 <fha...@apache.org>: > > Author: fhanik > > Date: Sat Jun 30 01:04:59 2012 > > New Revision: 1355615 > > > > URL: http://svn.apache.org/viewvc?rev=1355615&view=rev > > Log: > > With more and more use of RFC 2307 http://tools.ietf.org/html/rfc2307 > > There is a new way to search for roles using the memberUid that can > contain the value of another attribute within the users directory entry. > > This may not be very specific to 2307, but that is where I see this > combination of role searches occur the most. > > > > Example: http://www.openldap.org/lists/openldap- > technical/200904/msg00024.html > > > > > > > > > > Modified: > > tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java > > tomcat/trunk/webapps/docs/config/realm.xml > > > > Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java > > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm > /JNDIRealm.java?rev=1355615&r1=1355614&r2=1355615&view=diff > > > ======================================================================== > ====== > > --- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java > (original) > > +++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Sat Jun > 30 01:04:59 2012 
> > @@ -126,8 +126,9 @@ import org.ietf.jgss.GSSCredential; > > * property.</li> > > * <li>The <code>roleSearch</code> pattern optionally includes > pattern > > * replacements "{0}" for the distinguished name, and/or > "{1}" for > > - * the username, of the authenticated user for which roles > will be > > - * retrieved.</li> > > + * the username, and/or "{2}" the value of the > userRoleAttribute > > + * attribute from the users entry, of the authenticated user > > + * for which roles will be retrieved.</li> > > * <li>The <code>roleBase</code> property can be set to the > element that > > * is the base of the search for matching roles. If not > specified, > > * the entire context will be searched.</li> > > @@ -292,6 +293,14 @@ public class JNDIRealm extends RealmBase > > */ > > protected String userPassword = null; > > > > + /** > > + * The name of the attribute inside the users > > + * directory entry where the value will be > > + * taken to search for roles > > + * This attribute is not used during a nested search > > + */ > > + protected String userRoleAttribute = null; > > + > > > > /** > > * A string of LDAP user patterns or paths, ":"-separated > > @@ -829,6 +838,14 @@ public class JNDIRealm extends RealmBase > > } > > > > > > + public String getUserRoleAttribute() { > > + return userRoleAttribute; > > + } > > + > > + public void setUserRoleAttribute(String userRoleAttribute) { > > + this.userRoleAttribute = userRoleAttribute; > > + } > > + > > /** > > * Return the message format pattern for selecting users in this > Realm. > > */ > > @@ -839,6 +856,8 @@ public class JNDIRealm extends RealmBase > > } > > > > > > + > > + > > /** > > * Set the message format pattern for selecting users in this > Realm. > > * This may be one simple pattern, or multiple patterns to be > tried, 
> > @@ -1230,6 +1249,9 @@ public class JNDIRealm extends RealmBase > > list.add(userPassword); > > if (userRoleName != null) > > list.add(userRoleName); > > + if (userRoleAttribute != null) { > > + list.add(userRoleAttribute); > > + } > > String[] attrIds = new String[list.size()]; > > list.toArray(attrIds); > > > > @@ -1265,7 +1287,7 @@ public class JNDIRealm extends RealmBase > > > > // If no attributes are requested, no need to look for them > > if (attrIds == null || attrIds.length == 0) { > > - return new User(username, dn, null, null); > > + return new User(username, dn, null, null,null); > > } > > > > // Get required attributes from user entry > > @@ -1283,12 +1305,17 @@ public class JNDIRealm extends RealmBase > > if (userPassword != null) > > password = getAttributeValue(userPassword, attrs); > > > > + String userRoleAttrValue = null; > > + if (userRoleAttribute != null) { > > + userRoleAttrValue = getAttributeValue(userRoleAttribute, > attrs); > > + } > > + > > // Retrieve values of userRoleName attribute > > ArrayList<String> roles = null; > > if (userRoleName != null) > > roles = addAttributeValues(userRoleName, attrs, roles); > > > > - return new User(username, dn, password, roles); > > + return new User(username, dn, password, roles, > userRoleAttrValue); > > } 
> > > > > > @@ -1427,12 +1454,17 @@ public class JNDIRealm extends RealmBase > > if (userPassword != null) > > password = getAttributeValue(userPassword, attrs); > > > > + String userRoleAttrValue = null; > > + if (userRoleAttribute != null) { > > + userRoleAttrValue = getAttributeValue(userRoleAttribute, > attrs); > > + } > > + > > // Retrieve values of userRoleName attribute > > ArrayList<String> roles = null; > > if (userRoleName != null) > > roles = addAttributeValues(userRoleName, attrs, roles); > > > > - return new User(username, dn, password, roles); > > + return new User(username, dn, password, roles, password); > > The above line is likely wrong. The last argument should not be > "password". > > > } > > > > > > @@ -1675,6 +1707,7 @@ public class JNDIRealm extends RealmBase > > > > String dn = user.getDN(); > > String username = user.getUserName(); > > + String userRoleId = user.getUserRoleId(); > > > > if (dn == null || username == null) > > return (null); > > @@ -1702,7 +1735,7 @@ public class JNDIRealm extends RealmBase > > return (list); > > > > // Set up parameters for an appropriate search > > - String filter = roleFormat.format(new String[] { > doRFC2254Encoding(dn), username }); > > + String filter = roleFormat.format(new String[] { > doRFC2254Encoding(dn), username, userRoleId }); > > SearchControls controls = new SearchControls(); > > if (roleSubtree) > > controls.setSearchScope(SearchControls.SUBTREE_SCOPE); 
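Review bot: In getRoles the new `{2}` argument `userRoleId` is put into the LDAP search filter unescaped — the same line wraps `dn` in `doRFC2254Encoding(...)` but not the value read from the user's directory entry, so a value containing `*`, `(`, `)` or `\` changes the meaning of the roleSearch filter (and if the configured attribute is one users can write themselves, it lets a user widen their own role search). Running it through the existing encoder is a one-token change: `doRFC2254Encoding(dn), username, doRFC2254Encoding(userRoleId)`. When userRoleAttribute is not configured, or the entry lacks that attribute, `userRoleId` is null and MessageFormat renders a null argument as the literal text `null`, so a pattern using `{2}` would search for `memberUid=null`; the method already returns null for a missing dn or username and should probably do the same when `{2}` is needed but unavailable. getRoles starts before and continues after this hunk.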
> > @@ -1775,7 +1808,7 @@ public class JNDIRealm extends RealmBase > > Map<String, String> newThisRound = new > HashMap<String, String>(); // Stores the groups we find in this > iteration > > > > for (Entry<String, String> group : > newGroups.entrySet()) { > > - filter = roleFormat.format(new String[] { > group.getKey(), group.getValue() }); > > + filter = roleFormat.format(new String[] { > group.getKey(), group.getValue(), group.getValue() }); > > > > if (containerLog.isTraceEnabled()) { > > containerLog.trace("Perform a nested group > search with base "+ roleBase + " and filter " + filter); > > @@ -2359,9 +2392,11 @@ public class JNDIRealm extends RealmBase > > private final String dn; > > private final String password; > > private final List<String> roles; > > + private final String userRoleId; > > + > > > > public User(String username, String dn, String password, > > - List<String> roles) { > > + List<String> roles, String userRoleId) { > > this.username = username; > > this.dn = dn; > > this.password = password; > > @@ -2370,6 +2405,7 @@ public class JNDIRealm extends RealmBase > > } else { > > this.roles = Collections.unmodifiableList(roles); > > } > > + this.userRoleId = userRoleId; > > } > > > > public String getUserName() { > > @@ -2387,6 +2423,12 @@ public class JNDIRealm extends RealmBase > > public List<String> getRoles() { > > return roles; > > } > > + > > + public String getUserRoleId() { > > + return userRoleId; > > + } > > + > > + > > } > > } > > > >(...) > > Best regards, > Konstantin Kolinko > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org