Package org.frankframework.credentialprovider

Class RoleToGroupMappingJndiRealm

java.lang.Object
org.apache.catalina.util.LifecycleBase
org.apache.catalina.util.LifecycleMBeanBase
org.apache.catalina.realm.RealmBase
org.apache.catalina.realm.JNDIRealm
org.frankframework.credentialprovider.RoleToGroupMappingJndiRealm
All Implemented Interfaces:
MBeanRegistration, org.apache.catalina.Contained, org.apache.catalina.JmxEnabled, org.apache.catalina.Lifecycle, org.apache.catalina.Realm, RoleGroupMapper
public class RoleToGroupMappingJndiRealm extends org.apache.catalina.realm.JNDIRealm implements RoleGroupMapper
Extension of JNDIRealm where we take care of the role to ldap group mapping

Set the pathname parameter to the role-mapping file where the role to ldap group mapping is defined.

Author:
Fabian van Druenen, Gerrit van Brakel

  • Nested Class Summary

    Nested classes/interfaces inherited from class org.apache.catalina.realm.JNDIRealm

    org.apache.catalina.realm.JNDIRealm.JNDIConnection, org.apache.catalina.realm.JNDIRealm.User

    Nested classes/interfaces inherited from class org.apache.catalina.realm.RealmBase

    org.apache.catalina.realm.RealmBase.AllRolesMode

    Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle

    org.apache.catalina.Lifecycle.SingleUse

  • Field Summary

    Fields inherited from class org.apache.catalina.realm.JNDIRealm

    adCompat, alternateURL, authentication, commonRole, connectionAttempt, connectionName, connectionPassword, connectionPool, connectionPoolSize, connectionTimeout, connectionURL, contextFactory, DEREF_ALIASES, derefAliases, protocol, readTimeout, referrals, roleBase, roleName, roleNested, roleSearch, roleSearchAsUser, roleSubtree, singleConnection, singleConnectionLock, sizeLimit, spnegoDelegationQop, timeLimit, useContextClassLoader, useDelegatedCredential, userBase, userPassword, userPattern, userPatternArray, userRoleAttribute, userRoleName, userSearch, userSubtree

    Fields inherited from class org.apache.catalina.realm.RealmBase

    allRolesMode, container, containerLog, realmPath, sm, stripRealmForGss, support, USER_ATTRIBUTES_DELIMITER, USER_ATTRIBUTES_WILDCARD, userAttributes, userAttributesList, validate, x509UsernameRetriever, x509UsernameRetrieverClassName

    Fields inherited from interface org.apache.catalina.Lifecycle

    AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT

  • Constructor Summary

    Constructors
    Constructor
    Description
    RoleToGroupMappingJndiRealm()
     

  • Method Summary

    Modifier and Type
    Method
    Description
    void
    addRoleGroupMapping(String role, String group)
    Add the role, and it's link(mapping) to the context where the webapp is running in.
    protected org.apache.tomcat.util.digester.Digester
    getDigester()
     
    List<String>
    getRoles(String username)
    Find the LDAP group memberships of this user.
    protected List<String>
    getRoles(org.apache.catalina.realm.JNDIRealm.JNDIConnection connection, org.apache.catalina.realm.JNDIRealm.User user)
    Overrides getRoles to find the nested group memberships of this user, assuming users and groups have a "memberOf" like attribute (specified by 'userRoleName' and 'roleName') that specifies the groups they are member of.
    protected void
    initMappingConfig()
    Read the mapping configuration and apply the role group mapping to the container
    protected void
    reportMappingConfig()
    Report the roles mapping configured on the container
    protected void
    startInternal()
     

    Methods inherited from class org.apache.catalina.realm.JNDIRealm

    authenticate, authenticate, authenticate, authenticate, authenticate, authenticate, authenticate, bindAsUser, checkCredentials, close, closePooledConnections, compareCredentials, convertToHexEscape, create, doAttributeValueEscaping, doFilterEscaping, get, getAdCompat, getAlternateURL, getAuthentication, getCommonRole, getConnectionName, getConnectionPassword, getConnectionPoolSize, getConnectionTimeout, getConnectionURL, getContextFactory, getDerefAliases, getDirectoryContextEnvironment, getDistinguishedName, getForceDnHexEscape, getHostnameVerifier, getHostnameVerifierClassName, getPassword, getPrincipal, getPrincipal, getPrincipal, getPrincipal, getProtocol, getReadTimeout, getReferrals, getRoleBase, getRoleName, getRoleNested, getRoleSearch, getRoleSubtree, getSizeLimit, getSpnegoDelegationQop, getTimeLimit, getUser, getUser, getUser, getUserBase, getUserByPattern, getUserByPattern, getUserBySearch, getUserPassword, getUserPattern, getUserRoleAttribute, getUserRoleName, getUserSearch, getUserSubtree, getUseStartTls, isAvailable, isRoleSearchAsUser, isUseContextClassLoader, isUseDelegatedCredential, isUserSearchAsUser, open, parseUserPatternString, release, setAdCompat, setAlternateURL, setAuthentication, setCipherSuites, setCommonRole, setConnectionName, setConnectionPassword, setConnectionPoolSize, setConnectionTimeout, setConnectionURL, setContextFactory, setDerefAliases, setForceDnHexEscape, setHostnameVerifierClassName, setProtocol, setReadTimeout, setReferrals, setRoleBase, setRoleName, setRoleNested, setRoleSearch, setRoleSearchAsUser, setRoleSubtree, setSizeLimit, setSpnegoDelegationQop, setSslProtocol, setSslSocketFactoryClassName, setTimeLimit, setUseContextClassLoader, setUseDelegatedCredential, setUserBase, setUserPassword, setUserPattern, setUserRoleAttribute, setUserRoleName, setUserSearch, setUserSearchAsUser, setUserSubtree, setUseStartTls, stopInternal

    Methods inherited from class org.apache.catalina.realm.RealmBase

    addPropertyChangeListener, authenticate, backgroundProcess, findSecurityConstraints, getAllRolesMode, getContainer, getCredentialHandler, getDigest, getDigest, getDomainInternal, getObjectNameKeyProperties, getPrincipal, getPrincipal, getRealmPath, getRealmSuffix, getServer, getTransportGuaranteeRedirectStatus, getUserAttributes, getValidate, getX509UsernameRetrieverClassName, hasMessageDigest, hasResourcePermission, hasRole, hasRoleInternal, hasUserDataPermission, initInternal, isStripRealmForGss, main, parseUserAttributes, removePropertyChangeListener, setAllRolesMode, setContainer, setCredentialHandler, setRealmPath, setStripRealmForGss, setTransportGuaranteeRedirectStatus, setUserAttributes, setValidate, setX509UsernameRetrieverClassName, toString

    Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase

    destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister

    Methods inherited from class org.apache.catalina.util.LifecycleBase

    addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

  • Constructor Details

    • RoleToGroupMappingJndiRealm

      public RoleToGroupMappingJndiRealm()

  • Method Details

    • getRoles

      public List<String> getRoles(String username)
      Find the LDAP group memberships of this user. Based on JNDIRealm.authenticate(String username, String credentials)

    • getRoles

      protected List<String> getRoles(org.apache.catalina.realm.JNDIRealm.JNDIConnection connection, org.apache.catalina.realm.JNDIRealm.User user) throws NamingException
      Overrides getRoles to find the nested group memberships of this user, assuming users and groups have a "memberOf" like attribute (specified by 'userRoleName' and 'roleName') that specifies the groups they are member of. The original getRoles assumed groups have a 'member' attribute, specifying their members. That approach is not available in this implementation. Shamik uses the nn-tomcat-extensions JNDIRealmEx, with additional settings: - roleBase="company specific tenant base" - roleSubtree="true" - roleSearch="(&(member={0})(objectcategory=group))" - roleName="cn" - roleNested="true" This is expected to be less performant, because it searches each time over all groups.
      Overrides:
      getRoles in class org.apache.catalina.realm.JNDIRealm
      Throws:
      NamingException

    • startInternal

      protected void startInternal() throws org.apache.catalina.LifecycleException
      Overrides:
      startInternal in class org.apache.catalina.realm.JNDIRealm
      Throws:
      org.apache.catalina.LifecycleException

    • getDigester

      protected org.apache.tomcat.util.digester.Digester getDigester()
      Returns:
      a configured Digester to use for processing the XML input file, creating a new one if necessary.

    • initMappingConfig

      protected void initMappingConfig() throws IOException
      Read the mapping configuration and apply the role group mapping to the container
      Throws:
      IOException

    • reportMappingConfig

      protected void reportMappingConfig()
      Report the roles mapping configured on the container

    • addRoleGroupMapping

      public void addRoleGroupMapping(String role, String group)
      Add the role, and it's link(mapping) to the context where the webapp is running in. The tomcat implementation will use this to do the mapping, just like it's done with the web.xml "security-role-ref" specification
      Specified by:
      addRoleGroupMapping in interface RoleGroupMapper