Author: markt
Date: Sun Dec 14 13:07:11 2014
New Revision: 1645455
URL: http://svn.apache.org/r1645455
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57209
Add new JNDIRealm configuration userSearchAsUser
Modified:
tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
tomcat/trunk/java/org/apache/catalina/realm/mbeans-descriptors.xml
tomcat/trunk/webapps/docs/config/realm.xml
Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1645455&r1=1645454&r2=1645455&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Sun Dec 14
13:07:11 2014
@@ -269,6 +269,15 @@ public class JNDIRealm extends RealmBase
/**
+ * When searching for users, should the search be performed as the user
+ * currently being authenticated? If false, {@link #connectionName} and
+ * {@link #connectionPassword} will be used if specified, else an anonymous
+ * connection will be used.
+ */
+ private boolean userSearchAsUser = false;
+
+
+ /**
* The MessageFormat object associated with the current
* <code>userSearch</code>.
*/
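Review bot: The new Javadoc on `userSearchAsUser` explains the connectionName/connectionPassword fallback but leaves out the caveat this same commit documents in realm.xml, namely that the flag is ignored when the directory is accessed with delegated credentials. Since the field comment is what a maintainer reads first, suggest appending: `Ignored when the directory is accessed using delegated credentials; the search is then performed with those credentials.` The enclosing class body starts and ends outside the hunk.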
@@ -658,6 +667,16 @@ public class JNDIRealm extends RealmBase
}
+ public boolean isUserSearchAsUser() {
+ return userSearchAsUser;
+ }
+
+
+ public void setUserSearchAsUser(boolean userSearchAsUser) {
+ this.userSearchAsUser = userSearchAsUser;
+ }
+
+
/**
* Return the "search subtree for users" flag.
*/
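Review bot: `isUserSearchAsUser()` and `setUserSearchAsUser(boolean)` are added without Javadoc, while the accessors around them in this class carry one (the trailing context of this hunk shows `Return the "search subtree for users" flag.`), and both are also exposed through the MBean descriptor in this commit. Suggest `/** Return the "search for users as the authenticating user" flag. */` on the getter and `/** Set the "search for users as the authenticating user" flag. @param userSearchAsUser the new value */` on the setter. The enclosing class body continues outside the hunk.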
@@ -779,10 +798,12 @@ public class JNDIRealm extends RealmBase
return roleSearchAsUser;
}
+
public void setRoleSearchAsUser(boolean roleSearchAsUser) {
this.roleSearchAsUser = roleSearchAsUser;
}
+
/**
* Return the "search subtree for roles" flag.
*/
@@ -1280,7 +1301,17 @@ public class JNDIRealm extends RealmBase
containerLog.debug("Found user by pattern [" + user + "]");
}
} else {
- user = getUserBySearch(context, username, attrIds);
+ boolean thisUserSearchAsUser = isUserSearchAsUser();
+ try {
+ if (thisUserSearchAsUser) {
+ userCredentialsAdd(context, username, credentials);
+ }
+ user = getUserBySearch(context, username, attrIds);
+ } finally {
+ if (thisUserSearchAsUser) {
+ userCredentialsRemove(context);
+ }
+ }
if (containerLog.isDebugEnabled()) {
containerLog.debug("Found user by search [" + user + "]");
}
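Review bot: The added bind passes the raw `username` to `userCredentialsAdd(context, username, credentials)`, whereas the role search in the last hunk of this file binds with the resolved `dn`; at this point the DN is not yet known (that is what the search is for), so the bind can only succeed on directories that accept a bare username as the bind principal, and the Javadoc and realm.xml text should say so. `credentials` is also forwarded with no null/empty check — if `authenticate()` does not already reject empty credentials before reaching this code (not visible here), an empty password would reach the bind, which some directories treat as an unauthenticated bind; assuming `credentials` is a `String`, a guard such as `if (thisUserSearchAsUser && (credentials == null || credentials.isEmpty())) { return null; }` before the `try` would make the intended behaviour explicit. The local copy `thisUserSearchAsUser` presumably exists so that the add and the remove in `finally` stay paired even if the setter flips the flag mid-search; that deserves a one-line comment, e.g. `// read the flag once so userCredentialsAdd/Remove stay paired`, and the same applies to `thisRoleSearchAsUser` in the last hunk. The enclosing `getUser` method starts and ends outside the hunk.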
@@ -1727,13 +1758,14 @@ public class JNDIRealm extends RealmBase
// Perform the configured search and process the results
NamingEnumeration<SearchResult> results = null;
+ boolean thisRoleSearchAsUser = isRoleSearchAsUser();
try {
- if (roleSearchAsUser) {
+ if (thisRoleSearchAsUser) {
userCredentialsAdd(context, dn, user.getPassword());
}
results = context.search(base, filter, controls);
} finally {
- if (roleSearchAsUser) {
+ if (thisRoleSearchAsUser) {
userCredentialsRemove(context);
}
}
Modified: tomcat/trunk/java/org/apache/catalina/realm/mbeans-descriptors.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/mbeans-descriptors.xml?rev=1645455&r1=1645454&r2=1645455&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/mbeans-descriptors.xml
(original)
+++ tomcat/trunk/java/org/apache/catalina/realm/mbeans-descriptors.xml Sun Dec
14 13:07:11 2014
@@ -317,6 +317,11 @@
description="The message format used to select roles for a user"
type="java.lang.String"/>
+ <attribute name="roleSearchAsUser"
+ description="Should the search for user roles be performed as the
authenticating user?"
+ is="true"
+ type="boolean"/>
+
<attribute name="roleSubtree"
description="Should we search the entire subtree for matching
memberships?"
type="boolean"/>
@@ -338,13 +343,18 @@
description="The message format used to select a user"
type="java.lang.String"/>
- <attribute name="userRoleName"
+ <attribute name="userRoleName"
description="The name of the attribute in the user's entry
containing roles for that user"
type="java.lang.String"/>
- <attribute name="userSearch"
- description="The message format used to search for a user"
- type="java.lang.String"/>
+ <attribute name="userSearch"
+ description="The message format used to search for a user"
+ type="java.lang.String"/>
+
+ <attribute name="userSearchAsUser"
+ description="Should the search for the user's DN be performed as the
authenticating user?"
+ is="true"
+ type="boolean"/>
<attribute name="userSubtree"
description="Should we search the entire subtree for matching users?"
Modified: tomcat/trunk/webapps/docs/config/realm.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/realm.xml?rev=1645455&r1=1645454&r2=1645455&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/realm.xml (original)
+++ tomcat/trunk/webapps/docs/config/realm.xml Sun Dec 14 13:07:11 2014
@@ -663,6 +663,16 @@
user's entry.</p>
</attribute>
+ <attribute name="userSearchAsUser" required="false">
+ <p> When searching for a user's entry, should the search be performed
as
+ the user currently being authenticated? If false,
+ <code>connectionName</code> and <code>connectionPassword</code> will be
+ used if specified, else an anonymous. If not specified, the default
+ value of <code>false</code> is used. Note that when accessing the
+ directory using delegated credentials, this attribute is always ignored
+ and the search is performed using the delegated credentials.</p>
+ </attribute>
+
<attribute name="userSubtree" required="false">
<p>Set to <code>true</code> if you want to search the entire
subtree of the element specified by the <code>userBase</code>