java.lang.Object
  org.apache.catalina.realm.RealmBase
    org.apache.catalina.realm.JNDIRealm

JNDIRealm | public class JNDIRealm extends RealmBase

Implementation of Realm that works with a directory server accessed via the Java Naming and Directory Interface (JNDI) APIs. The following constraints are imposed on the data structure in the underlying directory server:

- Each user that can be authenticated is represented by an individual element in the top level DirContext that is accessed via the connectionURL property.
- Each user element has a distinguished name that can be formed by substituting the presented username into a pattern configured by the userPattern property.
- Alternatively, if the userPattern property is not specified, a unique element can be located by searching the directory context. In this case:
  - The userSearch pattern specifies the search filter after substitution of the username.
  - The userBase property can be set to the element that is the base of the subtree containing users. If not specified, the search base is the top-level context.
  - The userSubtree property can be set to true if you wish to search the entire subtree of the directory context. The default value of false requests a search of only the current level.
- The user may be authenticated by binding to the directory with the username and password presented. This method is used when the userPassword property is not specified.
- The user may be authenticated by retrieving the value of an attribute from the directory and comparing it explicitly with the value presented by the user. This method is used when the userPassword property is specified, in which case:
  - The element for this user must contain an attribute named by the userPassword property.
  - The value of the user password attribute is either a cleartext String, or the result of passing a cleartext String through the RealmBase.digest() method (using the standard digest support included in RealmBase).
  - The user is considered to be authenticated if the presented credentials (after being passed through RealmBase.digest()) are equal to the retrieved value for the user password attribute.
- Each group of users that has been assigned a particular role may be represented by an individual element in the top level DirContext that is accessed via the connectionURL property. This element has the following characteristics:
  - The set of all possible groups of interest can be selected by a search pattern configured by the roleSearch property.
  - The roleSearch pattern optionally includes pattern replacements "{0}" for the distinguished name, and/or "{1}" for the username, of the authenticated user for which roles will be retrieved.
  - The roleBase property can be set to the element that is the base of the search for matching roles. If not specified, the entire context will be searched.
  - The roleSubtree property can be set to true if you wish to search the entire subtree of the directory context. The default value of false requests a search of only the current level.
  - The element includes an attribute (whose name is configured by the roleName property) containing the name of the role represented by this element.
- In addition, roles may be represented by the values of an attribute in the user's element whose name is configured by the userRoleName property.
- Note that the standard <security-role-ref> element in the web application deployment descriptor allows applications to refer to roles programmatically by names other than those used in the directory server itself.

TODO - Support connection pooling (including message format objects) so that authenticate() does not have to be synchronized.

author: John Holman
author: Craig R. McClanahan
version: $Revision: 1.8 $ $Date: 2002/06/11 15:32:28 $
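How the userPattern, userSearch and roleSearch patterns described above expand for a presented username, as an added example that is not Tomcat's own code. It uses java.text.MessageFormat, as the userPatternFormat, userSearchFormat and roleFormat fields indicate; the escaping of the username before substitution (RFC 4515 for filters, javax.naming.ldap.Rdn.escapeValue for the DN) is an assumption of this example, not something this page states about JNDIRealm, and the class name, pattern values and sample usernames are constructed.

```java
import java.text.MessageFormat;
import javax.naming.ldap.Rdn;

// Added example, not Tomcat code. Patterns and usernames below are constructed.
public class RealmPatternDemo {

    // Constructed values for the userPattern, userSearch and roleSearch properties.
    static final String USER_PATTERN = "uid={0},ou=people,dc=example,dc=com";
    static final String USER_SEARCH = "(uid={0})";
    static final String ROLE_SEARCH = "(|(uniqueMember={0})(memberUid={1}))";

    // RFC 4515 escaping for a value that is placed inside a search filter:
    // backslash, asterisk, parentheses and NUL become \XX hex pairs.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // userPattern mode: the distinguished name is formed directly from the
    // username. Assumption of this example: DN-special characters such as
    // ',' '+' '=' are escaped first so they cannot add or alter DN components.
    static String userDn(String username) {
        return MessageFormat.format(USER_PATTERN, Rdn.escapeValue(username));
    }

    // userSearch mode: the username becomes part of a search filter, so it is
    // filter-escaped to keep it a literal value rather than filter syntax.
    static String userFilter(String username) {
        return MessageFormat.format(USER_SEARCH, escapeFilterValue(username));
    }

    // roleSearch: {0} is the user's distinguished name, {1} the username.
    // Both land inside a filter, so both are filter-escaped.
    static String roleFilter(String userDn, String username) {
        return MessageFormat.format(ROLE_SEARCH,
                escapeFilterValue(userDn), escapeFilterValue(username));
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain name, and one containing characters
        // that are special in DNs (',') and in filters ('(', ')', '*').
        String[] samples = { "jsmith", "Smith, John (ops)*" };
        for (String name : samples) {
            String dn = userDn(name);
            System.out.println("username   : " + name);
            System.out.println("userPattern: " + dn);
            System.out.println("userSearch : " + userFilter(name));
            System.out.println("roleSearch : " + roleFilter(dn, name));
            System.out.println();
        }
    }
}
```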
Method Summary

public Principal | authenticate(String username, String credentials) | Return the Principal associated with the specified username and credentials, if there is one; otherwise return null. If there are any errors with the JDBC connection, executing the query or anything we return null (don't authenticate).
public synchronized Principal | authenticate(DirContext context, String username, String credentials) | Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.
protected boolean | bindAsUser(DirContext context, User user, String credentials) |
protected boolean | checkCredentials(DirContext context, User user, String credentials) | Check whether the given User can be authenticated with the given credentials.
protected void | close(DirContext context) | Close any open connection to the directory server for this Realm.
protected boolean | compareCredentials(DirContext context, User info, String credentials) | Check whether the credentials presented by the user match those retrieved from the directory.
public String | getConnectionName() | Return the connection username for this Realm.
public String | getConnectionPassword() | Return the connection password for this Realm.
public String | getConnectionURL() | Return the connection URL for this Realm.
public String | getContextFactory() | Return the JNDI context factory for this Realm.
protected String | getName() | Return a short name for this Realm implementation.
protected String | getPassword(String username) | Return the password associated with the given principal's user name.
protected Principal | getPrincipal(String username) | Return the Principal associated with the given user name.
public String | getRoleBase() | Return the base element for role searches.
public String | getRoleName() | Return the role name attribute name for this Realm.
public String | getRoleSearch() | Return the message format pattern for selecting roles in this Realm.
public boolean | getRoleSubtree() | Return the "search subtree for roles" flag.
protected List | getRoles(DirContext context, User user) | Return a List of roles associated with the given User.
protected User | getUser(DirContext context, String username) | Return a User object containing information about the user with the specified username, if found in the directory; otherwise return null. If the userPassword configuration attribute is specified, the value of that attribute is retrieved from the user's directory entry.
public String | getUserBase() | Return the base element for user searches.
protected User | getUserByPattern(DirContext context, String username, String[] attrIds) | Use the UserPattern configuration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise return null.
protected User | getUserBySearch(DirContext context, String username, String[] attrIds) | Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise return null.
public String | getUserPassword() | Return the password attribute used to retrieve the user password.
public String | getUserPattern() | Return the message format pattern for selecting users in this Realm.
public String | getUserRoleName() | Return the user role name attribute name for this Realm.
public String | getUserSearch() | Return the message format pattern for selecting users in this Realm.
public boolean | getUserSubtree() | Return the "search subtree for users" flag.
protected DirContext | open() | Open (if necessary) and return a connection to the configured directory server for this Realm.
protected void | release(DirContext context) | Release our use of this connection so that it can be recycled.
public void | setConnectionName(String connectionName) | Set the connection username for this Realm.
public void | setConnectionPassword(String connectionPassword) | Set the connection password for this Realm.
public void | setConnectionURL(String connectionURL) | Set the connection URL for this Realm.
public void | setContextFactory(String contextFactory) | Set the JNDI context factory for this Realm.
public void | setRoleBase(String roleBase) | Set the base element for role searches.
public void | setRoleName(String roleName) | Set the role name attribute name for this Realm.
public void | setRoleSearch(String roleSearch) | Set the message format pattern for selecting roles in this Realm.
public void | setRoleSubtree(boolean roleSubtree) | Set the "search subtree for roles" flag.
public void | setUserBase(String userBase) | Set the base element for user searches.
public void | setUserPassword(String userPassword) | Set the password attribute used to retrieve the user password.
public void | setUserPattern(String userPattern) | Set the message format pattern for selecting users in this Realm.
public void | setUserRoleName(String userRoleName) | Set the user role name attribute name for this Realm.
public void | setUserSearch(String userSearch) | Set the message format pattern for selecting users in this Realm.
public void | setUserSubtree(boolean userSubtree) | Set the "search subtree for users" flag.
public void | start() | Prepare for active use of the public methods of this Component.
public void | stop() | Gracefully shut down active use of the public methods of this Component.

connectionName | protected String connectionName | The connection username for the server we will contact.
connectionPassword | protected String connectionPassword | The connection password for the server we will contact.
connectionURL | protected String connectionURL | The connection URL for the server we will contact.
context | protected DirContext context | The directory context linking us to our directory server.
contextFactory | protected String contextFactory | The JNDI context factory used to acquire our InitialContext. By default, assumes use of an LDAP server using the standard JNDI LDAP provider.
info | final protected static String info | Descriptive information about this Realm implementation.
name | final protected static String name | Descriptive information about this Realm implementation.
roleBase | protected String roleBase | The base element for role searches.
roleFormat | protected MessageFormat roleFormat | The MessageFormat object associated with the current roleSearch.
roleName | protected String roleName | The name of the attribute containing roles held elsewhere.
roleSearch | protected String roleSearch | The message format used to select roles for a user, with "{0}" marking the spot where the distinguished name of the user goes.
roleSubtree | protected boolean roleSubtree | Should we search the entire subtree for matching memberships?
userBase | protected String userBase | The base element for user searches.
userPassword | protected String userPassword | The attribute name used to retrieve the user password.
userPattern | protected String userPattern | The message format used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.
userPatternFormat | protected MessageFormat userPatternFormat | The MessageFormat object associated with the current userPattern.
userRoleName | protected String userRoleName | The name of an attribute in the user's entry containing roles for that user.
userSearch | protected String userSearch | The message format used to search for a user, with "{0}" marking the spot where the username goes.
userSearchFormat | protected MessageFormat userSearchFormat | The MessageFormat object associated with the current userSearch.
userSubtree | protected boolean userSubtree | Should we search the entire subtree for matching users?

authenticate | public Principal authenticate(String username, String credentials) | Return the Principal associated with the specified username and credentials, if there is one; otherwise return null. If there are any errors with the JDBC connection, executing the query or anything we return null (don't authenticate). This event is also logged, and the connection will be closed so that a subsequent request will automatically re-open it.
  Parameters: username - Username of the Principal to look up
  Parameters: credentials - Password or other credentials to use in authenticating this username
authenticate | public synchronized Principal authenticate(DirContext context, String username, String credentials) throws NamingException | Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.
  Parameters: context - The directory context
  Parameters: username - Username of the Principal to look up
  Parameters: credentials - Password or other credentials to use in authenticating this username
  exception: NamingException - if a directory server error occurs
bindAsUser | protected boolean bindAsUser(DirContext context, User user, String credentials) throws NamingException | Check credentials by binding to the directory as the user.
  Parameters: context - The directory context
  Parameters: user - The User to be authenticated
  Parameters: credentials - Authentication credentials
  exception: NamingException - if a directory server error occurs
checkCredentials | protected boolean checkCredentials(DirContext context, User user, String credentials) throws NamingException | Check whether the given User can be authenticated with the given credentials. If the userPassword configuration attribute is specified, the credentials previously retrieved from the directory are compared explicitly with those presented by the user. Otherwise the presented credentials are checked by binding to the directory as the user.
  Parameters: context - The directory context
  Parameters: user - The User to be authenticated
  Parameters: credentials - The credentials presented by the user
  exception: NamingException - if a directory server error occurs
close | protected void close(DirContext context) | Close any open connection to the directory server for this Realm.
  Parameters: context - The directory context to be closed
compareCredentials | protected boolean compareCredentials(DirContext context, User info, String credentials) throws NamingException | Check whether the credentials presented by the user match those retrieved from the directory.
  Parameters: context - The directory context
  Parameters: user - The User to be authenticated
  Parameters: credentials - Authentication credentials
  exception: NamingException - if a directory server error occurs
getConnectionName | public String getConnectionName() | Return the connection username for this Realm.
getConnectionPassword | public String getConnectionPassword() | Return the connection password for this Realm.
getConnectionURL | public String getConnectionURL() | Return the connection URL for this Realm.
getContextFactory | public String getContextFactory() | Return the JNDI context factory for this Realm.
getName | protected String getName() | Return a short name for this Realm implementation.
getPassword | protected String getPassword(String username) | Return the password associated with the given principal's user name.
getPrincipal | protected Principal getPrincipal(String username) | Return the Principal associated with the given user name.
getRoleBase | public String getRoleBase() | Return the base element for role searches.
getRoleName | public String getRoleName() | Return the role name attribute name for this Realm.
getRoleSearch | public String getRoleSearch() | Return the message format pattern for selecting roles in this Realm.
getRoleSubtree | public boolean getRoleSubtree() | Return the "search subtree for roles" flag.
getRoles | protected List getRoles(DirContext context, User user) throws NamingException | Return a List of roles associated with the given User. Any roles present in the user's directory entry are supplemented by a directory search. If no roles are associated with this user, a zero-length List is returned.
  Parameters: context - The directory context we are searching
  Parameters: user - The User to be checked
  exception: NamingException - if a directory server error occurs
getUser | protected User getUser(DirContext context, String username) throws NamingException | Return a User object containing information about the user with the specified username, if found in the directory; otherwise return null. If the userPassword configuration attribute is specified, the value of that attribute is retrieved from the user's directory entry. If the userRoleName configuration attribute is specified, all values of that attribute are retrieved from the directory entry.
  Parameters: context - The directory context
  Parameters: username - Username to be looked up
  exception: NamingException - if a directory server error occurs
getUserBase | public String getUserBase() | Return the base element for user searches.
getUserByPattern | protected User getUserByPattern(DirContext context, String username, String[] attrIds) throws NamingException | Use the UserPattern configuration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise return null.
  Parameters: context - The directory context
  Parameters: username - The username
  Parameters: attrIds - String[] containing names of attributes to retrieve.
  exception: NamingException - if a directory server error occurs
getUserBySearch | protected User getUserBySearch(DirContext context, String username, String[] attrIds) throws NamingException | Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise return null.
  Parameters: context - The directory context
  Parameters: username - The username
  Parameters: attrIds - String[] containing names of attributes to retrieve.
  exception: NamingException - if a directory server error occurs
getUserPassword | public String getUserPassword() | Return the password attribute used to retrieve the user password.
getUserPattern | public String getUserPattern() | Return the message format pattern for selecting users in this Realm.
getUserRoleName | public String getUserRoleName() | Return the user role name attribute name for this Realm.
getUserSearch | public String getUserSearch() | Return the message format pattern for selecting users in this Realm.
getUserSubtree | public boolean getUserSubtree() | Return the "search subtree for users" flag.
release | protected void release(DirContext context) | Release our use of this connection so that it can be recycled.
  Parameters: context - The directory context to release
setConnectionName | public void setConnectionName(String connectionName) | Set the connection username for this Realm.
  Parameters: connectionName - The new connection username
setConnectionPassword | public void setConnectionPassword(String connectionPassword) | Set the connection password for this Realm.
  Parameters: connectionPassword - The new connection password
setConnectionURL | public void setConnectionURL(String connectionURL) | Set the connection URL for this Realm.
  Parameters: connectionURL - The new connection URL
setContextFactory | public void setContextFactory(String contextFactory) | Set the JNDI context factory for this Realm.
  Parameters: contextFactory - The new context factory
setRoleBase | public void setRoleBase(String roleBase) | Set the base element for role searches.
  Parameters: roleBase - The new base element
setRoleName | public void setRoleName(String roleName) | Set the role name attribute name for this Realm.
  Parameters: roleName - The new role name attribute name
setRoleSearch | public void setRoleSearch(String roleSearch) | Set the message format pattern for selecting roles in this Realm.
  Parameters: roleSearch - The new role search pattern
setRoleSubtree | public void setRoleSubtree(boolean roleSubtree) | Set the "search subtree for roles" flag.
  Parameters: roleSubtree - The new search flag
setUserBase | public void setUserBase(String userBase) | Set the base element for user searches.
  Parameters: userBase - The new base element
setUserPassword | public void setUserPassword(String userPassword) | Set the password attribute used to retrieve the user password.
  Parameters: userPassword - The new password attribute
setUserPattern | public void setUserPattern(String userPattern) | Set the message format pattern for selecting users in this Realm.
  Parameters: userPattern - The new user pattern
setUserRoleName | public void setUserRoleName(String userRoleName) | Set the user role name attribute name for this Realm.
  Parameters: userRoleName - The new userRole name attribute name
setUserSearch | public void setUserSearch(String userSearch) | Set the message format pattern for selecting users in this Realm.
  Parameters: userSearch - The new user search pattern
setUserSubtree | public void setUserSubtree(boolean userSubtree) | Set the "search subtree for users" flag.
  Parameters: userSubtree - The new search flag
start | public void start() throws LifecycleException | Prepare for active use of the public methods of this Component.
  exception: LifecycleException - if this component detects a fatal error that prevents it from being started
stop | public void stop() throws LifecycleException | Gracefully shut down active use of the public methods of this Component.
  exception: LifecycleException - if this component detects a fatal error that needs to be reported

Methods inherited from org.apache.catalina.realm.RealmBase

- final public static String Digest(String credentials, String algorithm)
- public void addLifecycleListener(LifecycleListener listener)
- public void addPropertyChangeListener(PropertyChangeListener listener)
- public Principal authenticate(String username, String credentials)
- public Principal authenticate(String username, byte[] credentials)
- public Principal authenticate(String username, String clientDigest, String nOnce, String nc, String cnonce, String qop, String realm, String md5a2)
- public Principal authenticate(X509Certificate certs)
- protected String digest(String credentials)
- public LifecycleListener[] findLifecycleListeners()
- public Container getContainer()
- public int getDebug()
- public String getDigest()
- protected String getDigest(String username, String realmName)
- public String getInfo()
- abstract protected String getName()
- abstract protected String getPassword(String username)
- abstract protected Principal getPrincipal(String username)
- public boolean getValidate()
- protected boolean hasMessageDigest()
- public boolean hasRole(Principal principal, String role)
- protected void log(String message)
- protected void log(String message, Throwable throwable)
- public static void main(String args)
- public void removeLifecycleListener(LifecycleListener listener)
- public void removePropertyChangeListener(PropertyChangeListener listener)
- public void setContainer(Container container)
- public void setDebug(int debug)
- public void setDigest(String digest)
- public void setValidate(boolean validate)
- public void start() throws LifecycleException
- public void stop() throws LifecycleException