Re: svn commit: r1355615 - in /tomcat/trunk: java/org/apache/catalina/realm/JNDIRealm.java webapps/docs/config/realm.xml
2012/6/30 fha...@apache.org: Author: fhanik Date: Sat Jun 30 01:04:59 2012 New Revision: 1355615 URL: http://svn.apache.org/viewvc?rev=1355615view=rev Log: With more and more use of RFC 2307 http://tools.ietf.org/html/rfc2307 There is a new way to search for roles using the memberUid that can contain the value of another attribute within the users directory entry. This may not be very specific to 2307, but that is where I see this combination of role searches occur the most. Example: http://www.openldap.org/lists/openldap-technical/200904/msg00024.html Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java tomcat/trunk/webapps/docs/config/realm.xml Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1355615r1=1355614r2=1355615view=diff == --- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original) +++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Sat Jun 30 01:04:59 2012 @@ -126,8 +126,9 @@ import org.ietf.jgss.GSSCredential; * property./li * liThe coderoleSearch/code pattern optionally includes pattern * replacements {0} for the distinguished name, and/or {1} for - * the username, of the authenticated user for which roles will be - * retrieved./li + * the username, and/or {2} the value of the userRoleAttribute + * attribute from the users entry, of the authenticated user + * for which roles will be retrieved./li * liThe coderoleBase/code property can be set to the element that * is the base of the search for matching roles. If not specified, * the entire context will be searched./li 
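Review bot: The new `{2}` bullet in the class Javadoc does not tell the reader that the substituted value comes from the user's directory entry rather than from the login request, nor whether it is escaped for LDAP filter syntax before it lands in the roleSearch filter; the substitution site is outside this hunk, so I cannot confirm which it is. Someone configuring `roleSearch="(memberUid={2})"` needs to know that a value containing filter metacharacters (`*`, `(`, `)`, `\`) can change the shape of the search unless it is encoded per RFC 4515 at substitution time, which matters most when the chosen attribute is user-writable. I would extend the bullet along the lines of `{2} is the value of the userRoleAttribute attribute read from the user's directory entry; prefer an attribute whose values are server-controlled`, and add a sentence on escaping once the behaviour at the substitution site is confirmed. Also "the users entry" should read "the user's entry".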
@@ -292,6 +293,14 @@ public class JNDIRealm extends RealmBase */ protected String userPassword = null; +/** + * The name of the attribute inside the users + * directory entry where the value will be + * taken to search for roles + * This attribute is not used during a nested search + */ +protected String userRoleAttribute = null; + /** * A string of LDAP user patterns or paths, :-separated
@@ -829,6 +838,14 @@ public class JNDIRealm extends RealmBase } +public String getUserRoleAttribute() { +return userRoleAttribute; +} + +public void setUserRoleAttribute(String userRoleAttribute) { +this.userRoleAttribute = userRoleAttribute; +} + /** * Return the message format pattern for selecting users in this Realm. */
@@ -839,6 +856,8 @@ public class JNDIRealm extends RealmBase } + + /** * Set the message format pattern for selecting users in this Realm. * This may be one simple pattern, or multiple patterns to be tried,
@@ -1230,6 +1249,9 @@ public class JNDIRealm extends RealmBase list.add(userPassword); if (userRoleName != null) list.add(userRoleName); +if (userRoleAttribute != null) { +list.add(userRoleAttribute); +} String[] attrIds = new String[list.size()]; list.toArray(attrIds);
@@ -1265,7 +1287,7 @@ public class JNDIRealm extends RealmBase // If no attributes are requested, no need to look for them if (attrIds == null || attrIds.length == 0) { -return new User(username, dn, null, null); +return new User(username, dn, null, null,null); } // Get required attributes from user entry
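Review bot: `getUserRoleAttribute()` and `setUserRoleAttribute(...)` in the hunk at -829 are added without Javadoc, while the accessor immediately after them in the same hunk carries a one-line description ("Return the message format pattern for selecting users in this Realm."); the new pair should follow that convention. Suggested: `/** Return the name of the user attribute whose value is substituted as {2} in the roleSearch pattern. */` on the getter and `/** Set the name of the user attribute whose value is substituted as {2} in the roleSearch pattern. */` on the setter. The enclosing class continues outside this hunk.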
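Review bot: In the hunk at -1265, `new User(username, dn, null, null,null)` drops the space before the last argument, unlike the other `User(...)` calls this commit touches; it should read `return new User(username, dn, null, null, null);`. With five positional arguments, three of them null, the call no longer reads on its own, so a trailing `/* userRoleAttrValue */` marker on the new argument (or a comment stating that no attributes were requested, hence no role attribute value) would help the next maintainer. The enclosing method starts before this hunk.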
@@ -1283,12 +1305,17 @@ public class JNDIRealm extends RealmBase if (userPassword != null) password = getAttributeValue(userPassword, attrs); +String userRoleAttrValue = null; +if (userRoleAttribute != null) { +userRoleAttrValue = getAttributeValue(userRoleAttribute, attrs); +} + // Retrieve values of userRoleName attribute ArrayListString roles = null; if (userRoleName != null) roles = addAttributeValues(userRoleName, attrs, roles); -return new User(username, dn, password, roles); +return new User(username, dn, password, roles, userRoleAttrValue); }
@@ -1427,12 +1454,17 @@ public class JNDIRealm extends RealmBase if (userPassword != null) password = getAttributeValue(userPassword, attrs); +String userRoleAttrValue = null; +if (userRoleAttribute != null) { +userRoleAttrValue = getAttributeValue(userRoleAttribute, attrs); +} + // Retrieve values of userRoleName attribute ArrayListString roles = null; if (userRoleName != null) roles = addAttributeValues(userRoleName, attrs, roles); -return new User(username,
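Review bot: `userRoleAttrValue` is read straight out of the user's directory entry with `getAttributeValue` and, per the class Javadoc in this commit, is later substituted as `{2}` into the roleSearch filter; the substitution site is not in this hunk, so I cannot see whether it goes through the same RFC 4515/2254 escaping the DN gets. If it is inserted raw, an attribute value containing `*`, `(`, `)` or `\` — plausible for a self-service-writable attribute — would alter the role filter, so the value should be encoded at the substitution point, or this hunk should reject values containing filter metacharacters. Two smaller points: when the attribute is absent the value stays null and, if the pattern is formatted with `MessageFormat`, would be rendered as the literal text `null` inside the filter, which deserves a guard or at least a comment; and the identical four-line block is added again in the hunk at -1427, so a small private helper such as `readUserRoleAttribute(Attributes attrs)` would remove the duplication. The enclosing method begins before this hunk.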
RE: svn commit: r1355615 - in /tomcat/trunk: java/org/apache/catalina/realm/JNDIRealm.java webapps/docs/config/realm.xml
Thanks for the review and fix -Original Message- From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] Sent: Sunday, July 01, 2012 6:06 AM To: Tomcat Developers List Subject: Re: svn commit: r1355615 - in /tomcat/trunk: java/org/apache/catalina/realm/JNDIRealm.java webapps/docs/config/realm.xml 2012/6/30 fha...@apache.org: Author: fhanik Date: Sat Jun 30 01:04:59 2012 New Revision: 1355615 URL: http://svn.apache.org/viewvc?rev=1355615view=rev Log: With more and more use of RFC 2307 http://tools.ietf.org/html/rfc2307 There is a new way to search for roles using the memberUid that can contain the value of another attribute within the users directory entry. This may not be very specific to 2307, but that is where I see this combination of role searches occur the most. Example: http://www.openldap.org/lists/openldap- technical/200904/msg00024.html Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java tomcat/trunk/webapps/docs/config/realm.xml Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm /JNDIRealm.java?rev=1355615r1=1355614r2=1355615view=diff == --- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original) +++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Sat Jun 30 01:04:59 2012 @@ -126,8 +126,9 @@ import org.ietf.jgss.GSSCredential; * property./li * liThe coderoleSearch/code pattern optionally includes pattern * replacements {0} for the distinguished name, and/or {1} for - * the username, of the authenticated user for which roles will be - * retrieved./li + * the username, and/or {2} the value of the userRoleAttribute + * attribute from the users entry, of the authenticated user + * for which roles will be retrieved./li * liThe coderoleBase/code property can be set to the element that * is the base of the search for matching roles. If not specified, * the entire context will be searched./li 
@@ -292,6 +293,14 @@ public class JNDIRealm extends RealmBase */ protected String userPassword = null; +/** + * The name of the attribute inside the users + * directory entry where the value will be + * taken to search for roles + * This attribute is not used during a nested search + */ +protected String userRoleAttribute = null; + /** * A string of LDAP user patterns or paths, :-separated
@@ -829,6 +838,14 @@ public class JNDIRealm extends RealmBase } +public String getUserRoleAttribute() { +return userRoleAttribute; +} + +public void setUserRoleAttribute(String userRoleAttribute) { +this.userRoleAttribute = userRoleAttribute; +} + /** * Return the message format pattern for selecting users in this Realm. */
@@ -839,6 +856,8 @@ public class JNDIRealm extends RealmBase } + + /** * Set the message format pattern for selecting users in this Realm. * This may be one simple pattern, or multiple patterns to be tried,
@@ -1230,6 +1249,9 @@ public class JNDIRealm extends RealmBase list.add(userPassword); if (userRoleName != null) list.add(userRoleName); +if (userRoleAttribute != null) { +list.add(userRoleAttribute); +} String[] attrIds = new String[list.size()]; list.toArray(attrIds);
@@ -1265,7 +1287,7 @@ public class JNDIRealm extends RealmBase // If no attributes are requested, no need to look for them if (attrIds == null || attrIds.length == 0) { -return new User(username, dn, null, null); +return new User(username, dn, null, null,null); } // Get required attributes from user entry
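Review bot: The Javadoc on the new `userRoleAttribute` field in the hunk at -292 has no terminal punctuation and does not say how the value is consumed, even though the class-level Javadoc in this same commit describes it as the `{2}` replacement in the roleSearch pattern; the field comment should say the same so the two stay in step. Suggested: `The name of the attribute in the user's directory entry whose value is substituted as {2} in the roleSearch pattern. Not used during a nested search.` The enclosing class continues outside this hunk.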
@@ -1283,12 +1305,17 @@ public class JNDIRealm extends RealmBase if (userPassword != null) password = getAttributeValue(userPassword, attrs); +String userRoleAttrValue = null; +if (userRoleAttribute != null) { +userRoleAttrValue = getAttributeValue(userRoleAttribute, attrs); +} + // Retrieve values of userRoleName attribute ArrayListString roles = null; if (userRoleName != null) roles = addAttributeValues(userRoleName, attrs, roles); -return new User(username, dn, password, roles); +return new User(username, dn, password, roles, userRoleAttrValue); } @@ -1427,12 +1454,17 @@ public class JNDIRealm extends RealmBase if (userPassword != null) password