nl.nn.credentialprovider

Class RoleToGroupMappingJndiRealm

java.lang.Object

org.apache.catalina.util.LifecycleBase

org.apache.catalina.util.LifecycleMBeanBase

org.apache.catalina.realm.RealmBase

org.apache.catalina.realm.JNDIRealm

nl.nn.credentialprovider.RoleToGroupMappingJndiRealm

All Implemented Interfaces:

MBeanRegistration, RoleGroupMapper, org.apache.catalina.Contained, org.apache.catalina.JmxEnabled, org.apache.catalina.Lifecycle, org.apache.catalina.Realm

public class RoleToGroupMappingJndiRealm
extends org.apache.catalina.realm.JNDIRealm
implements RoleGroupMapper

Extension of JNDIRealm where we take care of the role to ldap group mapping Set the pathname parameter to the role-mapping file where the role to ldap group mapping is defined.

Author:

Fabian van Druenen, Gerrit van Brakel

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.catalina.realm.JNDIRealm

org.apache.catalina.realm.JNDIRealm.JNDIConnection, org.apache.catalina.realm.JNDIRealm.User

Nested classes/interfaces inherited from class org.apache.catalina.realm.RealmBase

org.apache.catalina.realm.RealmBase.AllRolesMode

Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle

org.apache.catalina.Lifecycle.SingleUse

Field Summary

Fields inherited from class org.apache.catalina.realm.JNDIRealm

adCompat, alternateURL, authentication, commonRole, connectionAttempt, connectionName, connectionPassword, connectionPool, connectionPoolSize, connectionTimeout, connectionURL, contextFactory, DEREF_ALIASES, derefAliases, protocol, readTimeout, referrals, roleBase, roleName, roleNested, roleSearch, roleSearchAsUser, roleSubtree, singleConnection, singleConnectionLock, sizeLimit, spnegoDelegationQop, timeLimit, useContextClassLoader, useDelegatedCredential, userBase, userPassword, userPattern, userPatternArray, userRoleAttribute, userRoleName, userSearch, userSubtree

Fields inherited from class org.apache.catalina.realm.RealmBase

allRolesMode, container, containerLog, realmPath, sm, stripRealmForGss, support, USER_ATTRIBUTES_DELIMITER, USER_ATTRIBUTES_WILDCARD, userAttributes, userAttributesList, validate, x509UsernameRetriever, x509UsernameRetrieverClassName

Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase

mserver

Fields inherited from interface org.apache.catalina.Lifecycle

AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT

Constructor Summary

Constructors

Constructor and Description
RoleToGroupMappingJndiRealm()

Method Summary

Modifier and Type	Method and Description
void	addRoleGroupMapping(String role, String group) Add the role and it's link(mapping) to the context where the webapp is running in.
protected org.apache.tomcat.util.digester.Digester	getDigester()
String	getPathname()
protected List<String>	getRoles(org.apache.catalina.realm.JNDIRealm.JNDIConnection connection, org.apache.catalina.realm.JNDIRealm.User user) Overrides getRoles to find the nested group memberships of this user, assuming users and groups have a "memberOf" like attribute (specifed by 'userRoleName' and 'roleName') that specifies the groups they are member of.
List<String>	getRoles(org.apache.catalina.realm.JNDIRealm.JNDIConnection connection, String username) Find the LDAP group memberships of this user.
List<String>	getRoles(String username) Find the LDAP group memberships of this user.
protected void	initMappingConfig() Read the mapping configuration and apply the role group mapping to the container
protected void	reportMappingConfig() Report the roles mapping configured on the container
void	setPathname(String pathname)
protected void	startInternal()

Methods inherited from class org.apache.catalina.realm.JNDIRealm

authenticate, authenticate, authenticate, authenticate, authenticate, authenticate, authenticate, bindAsUser, checkCredentials, close, closePooledConnections, compareCredentials, convertToHexEscape, create, doAttributeValueEscaping, doFilterEscaping, doRFC2254Encoding, get, getAdCompat, getAlternateURL, getAuthentication, getCommonRole, getConnectionName, getConnectionPassword, getConnectionPoolSize, getConnectionTimeout, getConnectionURL, getContextFactory, getDerefAliases, getDirectoryContextEnvironment, getDistinguishedName, getForceDnHexEscape, getHostnameVerifier, getHostnameVerifierClassName, getPassword, getPrincipal, getPrincipal, getPrincipal, getPrincipal, getProtocol, getReadTimeout, getReferrals, getRoleBase, getRoleName, getRoleNested, getRoleSearch, getRoleSubtree, getSizeLimit, getSpnegoDelegationQop, getTimeLimit, getUser, getUser, getUser, getUserBase, getUserByPattern, getUserByPattern, getUserBySearch, getUserPassword, getUserPattern, getUserRoleAttribute, getUserRoleName, getUserSearch, getUserSubtree, getUseStartTls, isAvailable, isRoleSearchAsUser, isUseContextClassLoader, isUseDelegatedCredential, isUserSearchAsUser, open, parseUserPatternString, release, setAdCompat, setAlternateURL, setAuthentication, setCipherSuites, setCommonRole, setConnectionName, setConnectionPassword, setConnectionPoolSize, setConnectionTimeout, setConnectionURL, setContextFactory, setDerefAliases, setForceDnHexEscape, setHostnameVerifierClassName, setProtocol, setReadTimeout, setReferrals, setRoleBase, setRoleName, setRoleNested, setRoleSearch, setRoleSearchAsUser, setRoleSubtree, setSizeLimit, setSpnegoDelegationQop, setSslProtocol, setSslSocketFactoryClassName, setTimeLimit, setUseContextClassLoader, setUseDelegatedCredential, setUserBase, setUserPassword, setUserPattern, setUserRoleAttribute, setUserRoleName, setUserSearch, setUserSearchAsUser, setUserSubtree, setUseStartTls, stopInternal

Methods inherited from class org.apache.catalina.realm.RealmBase

addPropertyChangeListener, authenticate, backgroundProcess, findSecurityConstraints, getAllRolesMode, getContainer, getCredentialHandler, getDigest, getDigest, getDomainInternal, getObjectNameKeyProperties, getPrincipal, getRealmPath, getRealmSuffix, getRoles, getServer, getTransportGuaranteeRedirectStatus, getUserAttributes, getValidate, getX509UsernameRetrieverClassName, hasMessageDigest, hasResourcePermission, hasRole, hasRoleInternal, hasUserDataPermission, initInternal, isStripRealmForGss, main, parseUserAttributes, removePropertyChangeListener, setAllRolesMode, setContainer, setCredentialHandler, setRealmPath, setStripRealmForGss, setTransportGuaranteeRedirectStatus, setUserAttributes, setValidate, setX509UsernameRetrieverClassName, toString

Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase

destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister

Methods inherited from class org.apache.catalina.util.LifecycleBase

addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

RoleToGroupMappingJndiRealm

public RoleToGroupMappingJndiRealm()

Method Detail

getRoles

public List<String> getRoles(String username)

Find the LDAP group memberships of this user. Based on JNDIRealm.authenticate(String username, String credentials)

getRoles

public List<String> getRoles(org.apache.catalina.realm.JNDIRealm.JNDIConnection connection,
                             String username)
                      throws NamingException

Find the LDAP group memberships of this user. Based on JNDIRealm.authenticate(JNDIConnection connection, String username, String credentials)

Throws:

NamingException

getRoles

protected List<String> getRoles(org.apache.catalina.realm.JNDIRealm.JNDIConnection connection,
                                org.apache.catalina.realm.JNDIRealm.User user)
                         throws NamingException

Overrides getRoles to find the nested group memberships of this user, assuming users and groups have a "memberOf" like attribute (specifed by 'userRoleName' and 'roleName') that specifies the groups they are member of. The original getRoles assumed groups have a 'member' attribute, specifying their members. That approach is not available in this implementation. Shamik uses the nn-tomcat-extensions JNDIRealmEx, with additional settings: - roleBase="company specific tenant base" - roleSubtree="true" - roleSearch="(&(member={0})(objectcategory=group))" - roleName="cn" - roleNested="true" This is expected to be less performant, because it searches each time over all groups.

Overrides:

getRoles in class org.apache.catalina.realm.JNDIRealm

Throws:

NamingException

startInternal

protected void startInternal()
                      throws org.apache.catalina.LifecycleException

Overrides:

startInternal in class org.apache.catalina.realm.JNDIRealm

Throws:

org.apache.catalina.LifecycleException

getDigester

protected org.apache.tomcat.util.digester.Digester getDigester()

Returns:

a configured Digester to use for processing the XML input file, creating a new one if necessary.

initMappingConfig

protected void initMappingConfig()
                          throws IOException

Read the mapping configuration and apply the role group mapping to the container

Throws:

IOException

reportMappingConfig

protected void reportMappingConfig()

Report the roles mapping configured on the container

addRoleGroupMapping

public void addRoleGroupMapping(String role,
                                String group)

Add the role and it's link(mapping) to the context where the webapp is running in. The tomcat implementation will use this to do the mapping, just like its done with the web.xml "security-role-ref" specification

Specified by:

addRoleGroupMapping in interface RoleGroupMapper

getPathname

public String getPathname()

setPathname

public void setPathname(String pathname)