Apache Tomcat 6.0.53

org.apache.catalina.realm
Class JNDIRealm

java.lang.Object
  extended by org.apache.catalina.realm.RealmBase
      extended by org.apache.catalina.realm.JNDIRealm
All Implemented Interfaces:
javax.management.MBeanRegistration, Lifecycle, Realm

public class JNDIRealm
extends RealmBase

Implementation of Realm that works with a directory server accessed via the Java Naming and Directory Interface (JNDI) APIs. The following constraints are imposed on the data structure in the underlying directory server:

TODO - Support connection pooling (including message format objects) so that authenticate() does not have to be synchronized.

WARNING - There is a reported bug against the Netscape provider code (com.netscape.jndi.ldap.LdapContextFactory) with respect to successfully authenticating a non-existing user. The report is here: http://bz.apache.org/bugzilla/show_bug.cgi?id=11210. With luck, Netscape has updated their provider code and this is not an issue.

Author:
John Holman, Craig R. McClanahan

Nested Class Summary
protected static class JNDIRealm.User
          A protected class representing a User
 
Nested classes/interfaces inherited from class org.apache.catalina.realm.RealmBase
RealmBase.AllRolesMode
 
Field Summary
protected  boolean adCompat
          Should we ignore PartialResultExceptions when iterating over NamingEnumerations?
protected  java.lang.String alternateURL
          An alternate URL to which we should connect if connectionURL fails.
protected  java.lang.String authentication
          The type of authentication to use
protected  java.lang.String commonRole
          Add this role to every authenticated user
protected  int connectionAttempt
          The number of connection attempts.
protected  java.lang.String connectionName
          The connection username for the server we will contact.
protected  java.lang.String connectionPassword
          The connection password for the server we will contact.
protected  java.lang.String connectionTimeout
          The timeout, in milliseconds, to use when trying to create a connection to the directory.
protected  java.lang.String connectionURL
          The connection URL for the server we will contact.
protected  javax.naming.directory.DirContext context
          The directory context linking us to our directory server.
protected  java.lang.String contextFactory
          The JNDI context factory used to acquire our InitialContext.
static java.lang.String DEREF_ALIASES
          Constant that holds the name of the environment property for specifying the manner in which aliases should be dereferenced.
protected  java.lang.String derefAliases
          How aliases should be dereferenced during search operations.
protected static java.lang.String info
          Descriptive information about this Realm implementation.
protected static java.lang.String name
          Descriptive information about this Realm implementation.
protected  java.lang.String protocol
          The protocol that will be used in the communication with the directory server.
protected  java.lang.String referrals
          How should we handle referrals?
protected  java.lang.String roleBase
          The base element for role searches.
protected  java.text.MessageFormat roleFormat
          The MessageFormat object associated with the current roleSearch.
protected  java.lang.String roleName
          The name of the attribute containing roles held elsewhere
protected  boolean roleNested
          Should we look for nested groups in order to determine roles?
protected  java.lang.String roleSearch
          The message format used to select roles for a user, with "{0}" marking the spot where the distinguished name of the user goes.
protected  boolean roleSubtree
          Should we search the entire subtree for matching memberships?
protected  java.lang.String userBase
          The base element for user searches.
protected  java.lang.String userPassword
          The attribute name used to retrieve the user password.
protected  java.lang.String userPattern
          The message format used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.
protected  java.lang.String[] userPatternArray
          A string of LDAP user patterns or paths, ":"-separated. These will be used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.
protected  java.text.MessageFormat[] userPatternFormatArray
          An array of MessageFormat objects associated with the current userPatternArray.
protected  java.lang.String userRoleName
          The name of an attribute in the user's entry containing roles for that user
protected  java.lang.String userSearch
          The message format used to search for a user, with "{0}" marking the spot where the username goes.
protected  java.text.MessageFormat userSearchFormat
          The MessageFormat object associated with the current userSearch.
protected  boolean userSubtree
          Should we search the entire subtree for matching users?
 
Fields inherited from class org.apache.catalina.realm.RealmBase
allRolesMode, container, containerLog, controller, digest, digestEncoding, domain, host, initialized, lifecycle, md, md5Encoder, md5Helper, mserver, oname, path, realmPath, sm, started, support, type, validate, x509UsernameRetriever, x509UsernameRetrieverClassName
 
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, DESTROY_EVENT, INIT_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
 
Constructor Summary
JNDIRealm()
           
 
Method Summary
 java.security.Principal authenticate(javax.naming.directory.DirContext context, java.lang.String username, java.lang.String credentials)
          Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.
 java.security.Principal authenticate(java.lang.String username, java.lang.String credentials)
          Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.
protected  boolean bindAsUser(javax.naming.directory.DirContext context, JNDIRealm.User user, java.lang.String credentials)
          Check credentials by binding to the directory as the user
protected  boolean checkCredentials(javax.naming.directory.DirContext context, JNDIRealm.User user, java.lang.String credentials)
          Check whether the given User can be authenticated with the given credentials.
protected  void close(javax.naming.directory.DirContext context)
          Close any open connection to the directory server for this Realm.
protected  boolean compareCredentials(javax.naming.directory.DirContext context, JNDIRealm.User info, java.lang.String credentials)
          Check whether the credentials presented by the user match those retrieved from the directory.
protected  java.lang.String doRFC2254Encoding(java.lang.String inString)
          Given an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines.
 boolean getAdCompat()
          Returns the current settings for handling PartialResultExceptions
 java.lang.String getAlternateURL()
          Getter for property alternateURL.
 java.lang.String getAuthentication()
          Return the type of authentication to use.
 java.lang.String getCommonRole()
          Return the common role
 java.lang.String getConnectionName()
          Return the connection username for this Realm.
 java.lang.String getConnectionPassword()
          Return the connection password for this Realm.
 java.lang.String getConnectionTimeout()
          Return the connection timeout.
 java.lang.String getConnectionURL()
          Return the connection URL for this Realm.
 java.lang.String getContextFactory()
          Return the JNDI context factory for this Realm.
 java.lang.String getDerefAliases()
          Return the derefAliases setting to be used.
protected  java.util.Hashtable<java.lang.String,java.lang.String> getDirectoryContextEnvironment()
          Create our directory context configuration.
protected  java.lang.String getDistinguishedName(javax.naming.directory.DirContext context, java.lang.String base, javax.naming.directory.SearchResult result)
          Returns the distinguished name of a search result.
 java.lang.String getInfo()
          Return descriptive information about this Realm implementation and the corresponding version number, in the format <description>/<version>.
protected  java.lang.String getName()
          Return a short name for this Realm implementation.
protected  java.lang.String getPassword(java.lang.String username)
          Return the password associated with the given principal's user name.
protected  java.security.Principal getPrincipal(javax.naming.directory.DirContext context, java.lang.String username)
          Return the Principal associated with the given user name.
protected  java.security.Principal getPrincipal(java.lang.String username)
          Return the Principal associated with the given user name.
 java.lang.String getProtocol()
          Return the protocol to be used.
 java.lang.String getReferrals()
          Returns the current settings for handling JNDI referrals.
 java.lang.String getRoleBase()
          Return the base element for role searches.
 java.lang.String getRoleName()
          Return the role name attribute name for this Realm.
 boolean getRoleNested()
          Return the nested group search flag.
protected  java.util.List<java.lang.String> getRoles(javax.naming.directory.DirContext context, JNDIRealm.User user)
          Return a List of roles associated with the given User.
 java.lang.String getRoleSearch()
          Return the message format pattern for selecting roles in this Realm.
 boolean getRoleSubtree()
          Return the "search subtree for roles" flag.
protected  JNDIRealm.User getUser(javax.naming.directory.DirContext context, java.lang.String username)
          Return a User object containing information about the user with the specified username, if found in the directory; otherwise return null.
protected  JNDIRealm.User getUser(javax.naming.directory.DirContext context, java.lang.String username, java.lang.String credentials)
          Return a User object containing information about the user with the specified username, if found in the directory; otherwise return null.
protected  JNDIRealm.User getUser(javax.naming.directory.DirContext context, java.lang.String username, java.lang.String credentials, int curUserPattern)
          Return a User object containing information about the user with the specified username, if found in the directory; otherwise return null.
 java.lang.String getUserBase()
          Return the base element for user searches.
protected  JNDIRealm.User getUserByPattern(javax.naming.directory.DirContext context, java.lang.String username, java.lang.String[] attrIds, java.lang.String dn)
          Use the distinguished name to locate the directory entry for the user with the specified username and return a User object; otherwise return null.
protected  JNDIRealm.User getUserByPattern(javax.naming.directory.DirContext context, java.lang.String username, java.lang.String credentials, java.lang.String[] attrIds, int curUserPattern)
          Use the UserPattern configuration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise return null.
protected  JNDIRealm.User getUserBySearch(javax.naming.directory.DirContext context, java.lang.String username, java.lang.String[] attrIds)
          Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise return null.
 java.lang.String getUserPassword()
          Return the password attribute used to retrieve the user password.
 java.lang.String getUserPattern()
          Return the message format pattern for selecting users in this Realm.
 java.lang.String getUserRoleName()
          Return the user role name attribute name for this Realm.
 java.lang.String getUserSearch()
          Return the message format pattern for selecting users in this Realm.
 boolean getUserSubtree()
          Return the "search subtree for users" flag.
protected  javax.naming.directory.DirContext open()
          Open (if necessary) and return a connection to the configured directory server for this Realm.
protected  java.lang.String[] parseUserPatternString(java.lang.String userPatternString)
          Given a string containing LDAP patterns for user locations (separated by parentheses in a pseudo-LDAP search string format, e.g. "(location1)(location2)"), returns an array of those paths.
protected  void release(javax.naming.directory.DirContext context)
          Release our use of this connection so that it can be recycled.
 void setAdCompat(boolean adCompat)
          How do we handle PartialResultExceptions?
 void setAlternateURL(java.lang.String alternateURL)
          Setter for property alternateURL.
 void setAuthentication(java.lang.String authentication)
          Set the type of authentication to use.
 void setCommonRole(java.lang.String commonRole)
          Set the common role
 void setConnectionName(java.lang.String connectionName)
          Set the connection username for this Realm.
 void setConnectionPassword(java.lang.String connectionPassword)
          Set the connection password for this Realm.
 void setConnectionTimeout(java.lang.String timeout)
          Set the connection timeout.
 void setConnectionURL(java.lang.String connectionURL)
          Set the connection URL for this Realm.
 void setContextFactory(java.lang.String contextFactory)
          Set the JNDI context factory for this Realm.
 void setDerefAliases(java.lang.String derefAliases)
          Set the value for derefAliases to be used when searching the directory.
 void setProtocol(java.lang.String protocol)
          Set the protocol for this Realm.
 void setReferrals(java.lang.String referrals)
          How do we handle JNDI referrals?
 void setRoleBase(java.lang.String roleBase)
          Set the base element for role searches.
 void setRoleName(java.lang.String roleName)
          Set the role name attribute name for this Realm.
 void setRoleNested(boolean roleNested)
          Set the nested group search flag.
 void setRoleSearch(java.lang.String roleSearch)
          Set the message format pattern for selecting roles in this Realm.
 void setRoleSubtree(boolean roleSubtree)
          Set the "search subtree for roles" flag.
 void setUserBase(java.lang.String userBase)
          Set the base element for user searches.
 void setUserPassword(java.lang.String userPassword)
          Set the password attribute used to retrieve the user password.
 void setUserPattern(java.lang.String userPattern)
          Set the message format pattern for selecting users in this Realm.
 void setUserRoleName(java.lang.String userRoleName)
          Set the user role name attribute name for this Realm.
 void setUserSearch(java.lang.String userSearch)
          Set the message format pattern for selecting users in this Realm.
 void setUserSubtree(boolean userSubtree)
          Set the "search subtree for users" flag.
 void start()
          Prepare for active use of the public methods of this Component.
 void stop()
          Gracefully shut down active use of the public methods of this Component.
 
Methods inherited from class org.apache.catalina.realm.RealmBase
addLifecycleListener, addPropertyChangeListener, authenticate, authenticate, authenticate, backgroundProcess, destroy, digest, Digest, findLifecycleListeners, findSecurityConstraints, getAllRolesMode, getContainer, getController, getDigest, getDigest, getDigestEncoding, getDomain, getObjectName, getPrincipal, getRealmPath, getRealmSuffix, getType, getValidate, getX509UsernameRetrieverClassName, hasMessageDigest, hasResourcePermission, hasRole, hasUserDataPermission, init, main, postDeregister, postRegister, preDeregister, preRegister, removeLifecycleListener, removePropertyChangeListener, setAllRolesMode, setContainer, setController, setDigest, setDigestEncoding, setRealmPath, setValidate, setX509UsernameRetrieverClassName
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

authentication

protected java.lang.String authentication
The type of authentication to use


connectionName

protected java.lang.String connectionName
The connection username for the server we will contact.


connectionPassword

protected java.lang.String connectionPassword
The connection password for the server we will contact.


connectionURL

protected java.lang.String connectionURL
The connection URL for the server we will contact.


context

protected javax.naming.directory.DirContext context
The directory context linking us to our directory server.


contextFactory

protected java.lang.String contextFactory
The JNDI context factory used to acquire our InitialContext. By default, assumes use of an LDAP server using the standard JNDI LDAP provider.


derefAliases

protected java.lang.String derefAliases
How aliases should be dereferenced during search operations.


DEREF_ALIASES

public static final java.lang.String DEREF_ALIASES
Constant that holds the name of the environment property for specifying the manner in which aliases should be dereferenced.

See Also:
Constant Field Values

info

protected static final java.lang.String info
Descriptive information about this Realm implementation.

See Also:
Constant Field Values

name

protected static final java.lang.String name
Descriptive information about this Realm implementation.

See Also:
Constant Field Values

protocol

protected java.lang.String protocol
The protocol that will be used in the communication with the directory server.


adCompat

protected boolean adCompat
Should we ignore PartialResultExceptions when iterating over NamingEnumerations? Microsoft Active Directory often returns referrals, which lead to PartialResultExceptions. Unfortunately there is no stable way to detect whether the exceptions really come from an AD referral. Set to true to ignore PartialResultExceptions.


referrals

protected java.lang.String referrals
How should we handle referrals? Microsoft Active Directory often returns referrals. If you need to follow them set referrals to "follow". Caution: if your DNS is not part of AD, the LDAP client lib might try to resolve your domain name in DNS to find another LDAP server.


userBase

protected java.lang.String userBase
The base element for user searches.


userSearch

protected java.lang.String userSearch
The message format used to search for a user, with "{0}" marking the spot where the username goes.


userSearchFormat

protected java.text.MessageFormat userSearchFormat
The MessageFormat object associated with the current userSearch.


userSubtree

protected boolean userSubtree
Should we search the entire subtree for matching users?


userPassword

protected java.lang.String userPassword
The attribute name used to retrieve the user password.


userPatternArray

protected java.lang.String[] userPatternArray
A string of LDAP user patterns or paths, ":"-separated. These will be used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes. This is similar to userPattern, but allows for multiple searches for a user.


userPattern

protected java.lang.String userPattern
The message format used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.


userPatternFormatArray

protected java.text.MessageFormat[] userPatternFormatArray
An array of MessageFormat objects associated with the current userPatternArray.


roleBase

protected java.lang.String roleBase
The base element for role searches.


roleFormat

protected java.text.MessageFormat roleFormat
The MessageFormat object associated with the current roleSearch.


userRoleName

protected java.lang.String userRoleName
The name of an attribute in the user's entry containing roles for that user


roleName

protected java.lang.String roleName
The name of the attribute containing roles held elsewhere


roleSearch

protected java.lang.String roleSearch
The message format used to select roles for a user, with "{0}" marking the spot where the distinguished name of the user goes.


roleSubtree

protected boolean roleSubtree
Should we search the entire subtree for matching memberships?


roleNested

protected boolean roleNested
Should we look for nested groups in order to determine roles?


alternateURL

protected java.lang.String alternateURL
An alternate URL to which we should connect if connectionURL fails.


connectionAttempt

protected int connectionAttempt
The number of connection attempts. If greater than zero, we use the alternate URL.


commonRole

protected java.lang.String commonRole
Add this role to every authenticated user


connectionTimeout

protected java.lang.String connectionTimeout
The timeout, in milliseconds, to use when trying to create a connection to the directory. The default is 5000 (5 seconds).

Constructor Detail

JNDIRealm

public JNDIRealm()
Method Detail

getAuthentication

public java.lang.String getAuthentication()
Return the type of authentication to use.


setAuthentication

public void setAuthentication(java.lang.String authentication)
Set the type of authentication to use.

Parameters:
authentication - The authentication

getConnectionName

public java.lang.String getConnectionName()
Return the connection username for this Realm.


setConnectionName

public void setConnectionName(java.lang.String connectionName)
Set the connection username for this Realm.

Parameters:
connectionName - The new connection username

getConnectionPassword

public java.lang.String getConnectionPassword()
Return the connection password for this Realm.


setConnectionPassword

public void setConnectionPassword(java.lang.String connectionPassword)
Set the connection password for this Realm.

Parameters:
connectionPassword - The new connection password

getConnectionURL

public java.lang.String getConnectionURL()
Return the connection URL for this Realm.


setConnectionURL

public void setConnectionURL(java.lang.String connectionURL)
Set the connection URL for this Realm.

Parameters:
connectionURL - The new connection URL

getContextFactory

public java.lang.String getContextFactory()
Return the JNDI context factory for this Realm.


setContextFactory

public void setContextFactory(java.lang.String contextFactory)
Set the JNDI context factory for this Realm.

Parameters:
contextFactory - The new context factory

getDerefAliases

public java.lang.String getDerefAliases()
Return the derefAliases setting to be used.


setDerefAliases

public void setDerefAliases(java.lang.String derefAliases)
Set the value for derefAliases to be used when searching the directory.

Parameters:
derefAliases - New value of property derefAliases.

getProtocol

public java.lang.String getProtocol()
Return the protocol to be used.


setProtocol

public void setProtocol(java.lang.String protocol)
Set the protocol for this Realm.

Parameters:
protocol - The new protocol.

getAdCompat

public boolean getAdCompat()
Returns the current settings for handling PartialResultExceptions


setAdCompat

public void setAdCompat(boolean adCompat)
How do we handle PartialResultExceptions? True: ignore all PartialResultExceptions.


getReferrals

public java.lang.String getReferrals()
Returns the current settings for handling JNDI referrals.


setReferrals

public void setReferrals(java.lang.String referrals)
How do we handle JNDI referrals? ignore, follow, or throw (see javax.naming.Context.REFERRAL for more information).


getUserBase

public java.lang.String getUserBase()
Return the base element for user searches.


setUserBase

public void setUserBase(java.lang.String userBase)
Set the base element for user searches.

Parameters:
userBase - The new base element

getUserSearch

public java.lang.String getUserSearch()
Return the message format pattern for selecting users in this Realm.


setUserSearch

public void setUserSearch(java.lang.String userSearch)
Set the message format pattern for selecting users in this Realm.

Parameters:
userSearch - The new user search pattern

getUserSubtree

public boolean getUserSubtree()
Return the "search subtree for users" flag.


setUserSubtree

public void setUserSubtree(boolean userSubtree)
Set the "search subtree for users" flag.

Parameters:
userSubtree - The new search flag

getUserRoleName

public java.lang.String getUserRoleName()
Return the user role name attribute name for this Realm.


setUserRoleName

public void setUserRoleName(java.lang.String userRoleName)
Set the user role name attribute name for this Realm.

Parameters:
userRoleName - The new userRole name attribute name

getRoleBase

public java.lang.String getRoleBase()
Return the base element for role searches.


setRoleBase

public void setRoleBase(java.lang.String roleBase)
Set the base element for role searches.

Parameters:
roleBase - The new base element

getRoleName

public java.lang.String getRoleName()
Return the role name attribute name for this Realm.


setRoleName

public void setRoleName(java.lang.String roleName)
Set the role name attribute name for this Realm.

Parameters:
roleName - The new role name attribute name

getRoleSearch

public java.lang.String getRoleSearch()
Return the message format pattern for selecting roles in this Realm.


setRoleSearch

public void setRoleSearch(java.lang.String roleSearch)
Set the message format pattern for selecting roles in this Realm.

Parameters:
roleSearch - The new role search pattern

getRoleSubtree

public boolean getRoleSubtree()
Return the "search subtree for roles" flag.


setRoleSubtree

public void setRoleSubtree(boolean roleSubtree)
Set the "search subtree for roles" flag.

Parameters:
roleSubtree - The new search flag

getRoleNested

public boolean getRoleNested()
Return the nested group search flag.


setRoleNested

public void setRoleNested(boolean roleNested)
Set the nested group search flag.

Parameters:
roleNested - The nested group search flag

getUserPassword

public java.lang.String getUserPassword()
Return the password attribute used to retrieve the user password.


setUserPassword

public void setUserPassword(java.lang.String userPassword)
Set the password attribute used to retrieve the user password.

Parameters:
userPassword - The new password attribute

getUserPattern

public java.lang.String getUserPattern()
Return the message format pattern for selecting users in this Realm.


setUserPattern

public void setUserPattern(java.lang.String userPattern)
Set the message format pattern for selecting users in this Realm. This may be one simple pattern, or multiple patterns to be tried, separated by parentheses (for example, either "cn={0}" or "(cn={0})(cn={0},o=myorg)"). Full LDAP search strings are also supported, but only the "OR" ("|") syntax, so "(|(cn={0})(cn={0},o=myorg))" is also valid. Complex search strings with "&", etc. are NOT supported.

Parameters:
userPattern - The new user pattern
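As an added illustration (not Tomcat's own code) of the userPattern syntax described above and of the RFC 2254 escaping that doRFC2254Encoding applies to a username before it is placed in the userSearch filter: the class and method names (JndiRealmPatternDemo, parseUserPatterns, rfc2254Escape, userSearchFilter, candidateDns) are this example's own, and the pattern and username values are constructed.

```java
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.List;

/**
 * Added illustration (hypothetical code, not Tomcat's JNDIRealm): how a userPattern
 * value is split into candidate DN patterns, and how a username is escaped per
 * RFC 2254 before being substituted into a userSearch filter.
 */
public class JndiRealmPatternDemo {

    /**
     * Splits a userPattern value as described for setUserPattern:
     *   "cn={0}"                       -> one pattern
     *   "(cn={0})(cn={0},o=myorg)"     -> two patterns
     *   "(|(cn={0})(cn={0},o=myorg))"  -> the same two patterns (OR wrapper dropped)
     * A parenthesis preceded by a backslash is treated as part of a pattern.
     */
    static List<String> parseUserPatterns(String userPattern) {
        List<String> patterns = new ArrayList<String>();
        String body = userPattern.trim();
        if (body.indexOf('(') < 0) {
            patterns.add(body);                 // no parentheses: the whole string is the only pattern
            return patterns;
        }
        if (body.startsWith("(|") && body.endsWith(")")) {
            body = body.substring(2, body.length() - 1);    // strip the "(|" ... ")" OR wrapper
        }
        int start = body.indexOf('(');
        while (start >= 0) {
            int end = body.indexOf(')', start + 1);
            while (end > 0 && body.charAt(end - 1) == '\\') {   // skip an escaped ")"
                end = body.indexOf(')', end + 1);
            }
            if (end < 0) {
                throw new IllegalArgumentException("unbalanced parentheses in userPattern: " + userPattern);
            }
            patterns.add(body.substring(start + 1, end));
            start = body.indexOf('(', end + 1);
        }
        return patterns;
    }

    /** RFC 2254 section 4 escaping for a value placed inside an LDAP search filter. */
    static String rfc2254Escape(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Builds the search filter from a userSearch pattern such as "(uid={0})". */
    static String userSearchFilter(String userSearch, String username) {
        // MessageFormat inserts the argument verbatim, so the escaped value is not reinterpreted.
        return new MessageFormat(userSearch).format(new Object[] { rfc2254Escape(username) });
    }

    /** Candidate DNs from the configured patterns: plain substitution, as setUserPattern describes. */
    static List<String> candidateDns(String userPattern, String username) {
        List<String> dns = new ArrayList<String>();
        for (String p : parseUserPatterns(userPattern)) {
            // Filter escaping (RFC 2254) is not the rule for DN components (RFC 4514);
            // this demo only substitutes, which is what the userPattern description specifies.
            dns.add(new MessageFormat(p).format(new Object[] { username }));
        }
        return dns;
    }

    public static void main(String[] args) {
        // Constructed sample configuration and inputs
        String userPattern = "(|(cn={0})(cn={0},o=myorg))";
        for (String dn : candidateDns(userPattern, "jsmith")) {
            System.out.println("candidate DN: " + dn);
        }
        // A username containing filter metacharacters is neutralised before substitution
        System.out.println("filter: " + userSearchFilter("(uid={0})", "j*smith)"));
    }
}
```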

getAlternateURL

public java.lang.String getAlternateURL()
Getter for property alternateURL.

Returns:
Value of property alternateURL.

setAlternateURL

public void setAlternateURL(java.lang.String alternateURL)
Setter for property alternateURL.

Parameters:
alternateURL - New value of property alternateURL.

getCommonRole

public java.lang.String getCommonRole()
Return the common role


setCommonRole

public void setCommonRole(java.lang.String commonRole)
Set the common role

Parameters:
commonRole - The common role

getConnectionTimeout

public java.lang.String getConnectionTimeout()
Return the connection timeout.


setConnectionTimeout

public void setConnectionTimeout(java.lang.String timeout)
Set the connection timeout.

Parameters:
timeout - The new connection timeout

getInfo

public java.lang.String getInfo()
Return descriptive information about this Realm implementation and the corresponding version number, in the format <description>/<version>.

Specified by:
getInfo in interface Realm
Overrides:
getInfo in class RealmBase

authenticate

public java.security.Principal authenticate(java.lang.String username,
                                            java.lang.String credentials)
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null. If there are any errors with the directory connection, executing the query, or anything else, we return null (don't authenticate). This event is also logged, and the connection will be closed so that a subsequent request will automatically re-open it.

Specified by:
authenticate in interface Realm
Overrides:
authenticate in class RealmBase
Parameters:
username - Username of the Principal to look up
credentials - Password or other credentials to use in authenticating this username

authenticate

public java.security.Principal authenticate(javax.naming.directory.DirContext context,
                                            java.lang.String username,
                                            java.lang.String credentials)
                                     throws javax.naming.NamingException
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.

Parameters:
context - The directory context
username - Username of the Principal to look up
credentials - Password or other credentials to use in authenticating this username
Throws:
javax.naming.NamingException - if a directory server error occurs

getUser

protected JNDIRealm.User getUser(javax.naming.directory.DirContext context,
                                 java.lang.String username)
                          throws javax.naming.NamingException
Return a User object containing information about the user with the specified username, if found in the directory; otherwise return null.

Parameters:
context - The directory context
username - Username to be looked up
Throws:
javax.naming.NamingException - if a directory server error occurs
See Also:
getUser(DirContext, String, String, int)

getUser

protected JNDIRealm.User getUser(javax.naming.directory.DirContext context,
                                 java.lang.String username,
                                 java.lang.String credentials)
                          throws javax.naming.NamingException
Return a User object containing information about the user with the specified username, if found in the directory; otherwise return null.

Parameters:
context - The directory context
username - Username to be looked up
credentials - User credentials (optional)
Throws:
javax.naming.NamingException - if a directory server error occurs
See Also:
getUser(DirContext, String, String, int)

getUser

protected JNDIRealm.User getUser(javax.naming.directory.DirContext context,
                                 java.lang.String username,
                                 java.lang.String credentials,
                                 int curUserPattern)
                          throws javax.naming.NamingException
Return a User object containing information about the user with the specified username, if found in the directory; otherwise return null. If the userPassword configuration attribute is specified, the value of that attribute is retrieved from the user's directory entry. If the userRoleName configuration attribute is specified, all values of that attribute are retrieved from the directory entry.

Parameters:
context - The directory context
username - Username to be looked up
credentials - User credentials (optional)
curUserPattern - Index into userPatternFormatArray
Throws:
javax.naming.NamingException - if a directory server error occurs

getUserByPattern

protected JNDIRealm.User getUserByPattern(javax.naming.directory.DirContext context,
                                          java.lang.String username,
                                          java.lang.String[] attrIds,
                                          java.lang.String dn)
                                   throws javax.naming.NamingException
Use the distinguished name to locate the directory entry for the user with the specified username and return a User object; otherwise return null.

Parameters:
context - The directory context
username - The username
attrIds - String[] containing names of attributes to retrieve
dn - Distinguished name of the user
Throws:
javax.naming.NamingException - if a directory server error occurs

getUserByPattern

protected JNDIRealm.User getUserByPattern(javax.naming.directory.DirContext context,
                                          java.lang.String username,
                                          java.lang.String credentials,
                                          java.lang.String[] attrIds,
                                          int curUserPattern)
                                   throws javax.naming.NamingException
Use the UserPattern configuration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise return null.

Parameters:
context - The directory context
username - The username
credentials - User credentials (optional)
attrIds - String[] containing names of attributes to retrieve
curUserPattern - Index into userPatternFormatArray
Throws:
javax.naming.NamingException - if a directory server error occurs
See Also:
getUserByPattern(DirContext, String, String[], String)

getUserBySearch

protected JNDIRealm.User getUserBySearch(javax.naming.directory.DirContext context,
                                         java.lang.String username,
                                         java.lang.String[] attrIds)
                                  throws javax.naming.NamingException
Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise return null.

Parameters:
context - The directory context
username - The username
attrIds - String[] containing names of attributes to retrieve.
Throws:
javax.naming.NamingException - if a directory server error occurs

checkCredentials

protected boolean checkCredentials(javax.naming.directory.DirContext context,
                                   JNDIRealm.User user,
                                   java.lang.String credentials)
                            throws javax.naming.NamingException
Check whether the given User can be authenticated with the given credentials. If the userPassword configuration attribute is specified, the credentials previously retrieved from the directory are compared explicitly with those presented by the user. Otherwise the presented credentials are checked by binding to the directory as the user.

Parameters:
context - The directory context
user - The User to be authenticated
credentials - The credentials presented by the user
Throws:
javax.naming.NamingException - if a directory server error occurs

compareCredentials

protected boolean compareCredentials(javax.naming.directory.DirContext context,
                                     JNDIRealm.User info,
                                     java.lang.String credentials)
                              throws javax.naming.NamingException
Check whether the credentials presented by the user match those retrieved from the directory.

Parameters:
context - The directory context
info - The User to be authenticated
credentials - Authentication credentials
Throws:
javax.naming.NamingException - if a directory server error occurs

bindAsUser

protected boolean bindAsUser(javax.naming.directory.DirContext context,
                             JNDIRealm.User user,
                             java.lang.String credentials)
                      throws javax.naming.NamingException
Check credentials by binding to the directory as the user.

Parameters:
context - The directory context
user - The User to be authenticated
credentials - Authentication credentials
Throws:
javax.naming.NamingException - if a directory server error occurs

getRoles

protected java.util.List<java.lang.String> getRoles(javax.naming.directory.DirContext context,
                                                    JNDIRealm.User user)
                                             throws javax.naming.NamingException
Return a List of roles associated with the given User. Any roles present in the user's directory entry are supplemented by a directory search. If no roles are associated with this user, a zero-length List is returned.

Parameters:
context - The directory context we are searching
user - The User to be checked
Throws:
javax.naming.NamingException - if a directory server error occurs

close

protected void close(javax.naming.directory.DirContext context)
Close any open connection to the directory server for this Realm.

Parameters:
context - The directory context to be closed

getName

protected java.lang.String getName()
Return a short name for this Realm implementation.

Specified by:
getName in class RealmBase

getPassword

protected java.lang.String getPassword(java.lang.String username)
Return the password associated with the given principal's user name.

Specified by:
getPassword in class RealmBase

getPrincipal

protected java.security.Principal getPrincipal(java.lang.String username)
Return the Principal associated with the given user name.

Specified by:
getPrincipal in class RealmBase

getPrincipal

protected java.security.Principal getPrincipal(javax.naming.directory.DirContext context,
                                               java.lang.String username)
                                        throws javax.naming.NamingException
Return the Principal associated with the given user name.

Throws:
javax.naming.NamingException

open

protected javax.naming.directory.DirContext open()
                                          throws javax.naming.NamingException
Open (if necessary) and return a connection to the configured directory server for this Realm.

Throws:
javax.naming.NamingException - if a directory server error occurs

getDirectoryContextEnvironment

protected java.util.Hashtable<java.lang.String,java.lang.String> getDirectoryContextEnvironment()
Create our directory context configuration.

Returns:
java.util.Hashtable the configuration for the directory context.

release

protected void release(javax.naming.directory.DirContext context)
Release our use of this connection so that it can be recycled.

Parameters:
context - The directory context to release

start

public void start()
           throws LifecycleException
Prepare for active use of the public methods of this Component.

Specified by:
start in interface Lifecycle
Overrides:
start in class RealmBase
Throws:
LifecycleException - if this component detects a fatal error that prevents it from being started

stop

public void stop()
          throws LifecycleException
Gracefully shut down active use of the public methods of this Component.

Specified by:
stop in interface Lifecycle
Overrides:
stop in class RealmBase
Throws:
LifecycleException - if this component detects a fatal error that needs to be reported

parseUserPatternString

protected java.lang.String[] parseUserPatternString(java.lang.String userPatternString)
Given a string containing LDAP patterns for user locations, separated by parentheses in a pseudo-LDAP search string format ("(location1)(location2)"), returns an array of those paths. Real LDAP search strings are supported as well (though only the "|" (OR) type).

Parameters:
userPatternString - a string of LDAP search paths, each surrounded by parentheses
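The following is an added example, not Tomcat's own implementation of parseUserPatternString: it splits a userPattern string of either form described above into its individual patterns and then expands one pattern for a username with MessageFormat, which is how JNDIRealm uses userPatternFormatArray. The class and method names are assumptions, as is the escapeDnValue helper: a username substituted into a DN pattern should be escaped under the DN rules of RFC 4514, which differ from the search-filter escaping that doRFC2254Encoding performs.

```java
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not Tomcat code): userPattern parsing and DN expansion.
 */
public class UserPatternExample {

    /**
     * Split "(p1)(p2)" or the OR-filter form "(|(p1)(p2))" into {"p1", "p2"}.
     * Each pattern is the text of an innermost parenthesised group; the "(|"
     * wrapper of a real filter contains patterns but is not one itself.
     */
    public static String[] parseUserPatternString(String userPatternString) {
        if (userPatternString == null) {
            return null;
        }
        if (userPatternString.indexOf('(') < 0) {
            // No parentheses: the whole string is a single pattern.
            return new String[] { userPatternString };
        }
        List<String> patterns = new ArrayList<String>();
        int start = -1; // index just after the most recent unmatched '('
        for (int i = 0; i < userPatternString.length(); i++) {
            char c = userPatternString.charAt(i);
            if (c == '\\') {
                i++; // backslash escapes the next char, so "\(" and "\)" stay inside a pattern
            } else if (c == '(') {
                start = i + 1;
            } else if (c == ')' && start >= 0) {
                patterns.add(userPatternString.substring(start, i));
                // The ')' closing an "(|" wrapper finds start == -1 and adds nothing.
                start = -1;
            }
        }
        return patterns.toArray(new String[patterns.size()]);
    }

    /**
     * Escape a value for use inside a DN (RFC 4514 rules; assumption added here).
     * Mandatory escapes: backslash, '"', '+', ',', ';', '<', '>', NUL, a leading
     * space or '#', and a trailing space.
     */
    public static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\0') {
                sb.append("\\00");
                continue;
            }
            boolean special = c == '\\' || c == '"' || c == '+' || c == ','
                    || c == ';' || c == '<' || c == '>';
            boolean leading = i == 0 && (c == ' ' || c == '#');
            boolean trailing = i == value.length() - 1 && c == ' ';
            if (special || leading || trailing) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Expand one pattern for a username, as userPatternFormatArray[i].format(...) does. */
    public static String expandPattern(String pattern, String username) {
        return new MessageFormat(pattern).format(new Object[] { escapeDnValue(username) });
    }

    public static void main(String[] args) {
        String[] plain = parseUserPatternString(
                "(cn={0},ou=people,dc=example,dc=com)(uid={0},ou=service,dc=example,dc=com)");
        String[] orFilter = parseUserPatternString(
                "(|(cn={0},ou=people,dc=example,dc=com)(uid={0},ou=service,dc=example,dc=com))");
        System.out.println(Arrays.toString(plain));
        System.out.println(Arrays.toString(orFilter));
        // Constructed username containing a DN separator: escaping keeps the comma
        // inside the cn value instead of letting it start a new RDN.
        System.out.println(expandPattern(plain[0], "jdoe,ou=admins"));
    }
}
```

Both input forms parse to the same two patterns, and the comma in the constructed username is emitted as a backslash-escaped character inside the cn value, so the expanded DN keeps the structure of the configured pattern.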

doRFC2254Encoding

protected java.lang.String doRFC2254Encoding(java.lang.String inString)
Given an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines. The character mapping is as follows:

char -> Replacement
---------------------------
*    -> \2a
(    -> \28
)    -> \29
\    -> \5c
\0   -> \00

Parameters:
inString - string to escape according to RFC 2254 guidelines
Returns:
String the escaped/encoded result
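The following is an added example, not Tomcat's own doRFC2254Encoding: an escaper that applies exactly the mapping in the table above, and a helper that substitutes the escaped username into a userSearch-style pattern such as "(uid={0})" with MessageFormat, which is how the search-filter path of JNDIRealm builds its query. The class and method names are assumptions.

```java
import java.text.MessageFormat;

/**
 * Added example (not Tomcat code): RFC 2254 filter-value escaping.
 */
public class FilterEscapingExample {

    /** Escape the five characters RFC 2254 reserves inside filter assertion values. */
    public static String doRFC2254Encoding(String inString) {
        StringBuilder out = new StringBuilder(inString.length() + 8);
        for (int i = 0; i < inString.length(); i++) {
            char c = inString.charAt(i);
            switch (c) {
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\\': out.append("\\5c"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Build the search filter from a userSearch pattern such as "(uid={0})".
     * Because the username is escaped before substitution, it can only ever
     * be an assertion value: it cannot open, close, or combine filter components.
     */
    public static String buildUserSearchFilter(String userSearch, String username) {
        return new MessageFormat(userSearch).format(new Object[] { doRFC2254Encoding(username) });
    }

    /** Count characters equal to c that are not preceded by a backslash. */
    private static int countUnescaped(String s, char c) {
        int n = 0;
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) == c && (i == 0 || s.charAt(i - 1) != '\\')) {
                n++;
            }
        }
        return n;
    }

    /**
     * Defensive check: a correctly built filter has exactly as many unescaped
     * parentheses as the template, so the substituted value changed no structure.
     */
    public static boolean structureUnchanged(String userSearch, String filter) {
        return countUnescaped(userSearch, '(') == countUnescaped(filter, '(')
                && countUnescaped(userSearch, ')') == countUnescaped(filter, ')');
    }

    public static void main(String[] args) {
        // Constructed username containing every reserved character.
        String username = "a*b(c)\\d";
        String filter = buildUserSearchFilter("(uid={0})", username);
        System.out.println(doRFC2254Encoding(username));
        System.out.println(filter);
        System.out.println(structureUnchanged("(uid={0})", filter));
    }
}
```

The escaper works on the filter path only; a username placed into a DN by userPattern needs DN escaping (RFC 4514), which uses a different syntax. Note also that MessageFormat treats a single quote in the pattern as a quoting character, so a userSearch template containing an apostrophe must double it.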

getDistinguishedName

protected java.lang.String getDistinguishedName(javax.naming.directory.DirContext context,
                                                java.lang.String base,
                                                javax.naming.directory.SearchResult result)
                                         throws javax.naming.NamingException
Returns the distinguished name of a search result.

Parameters:
context - Our DirContext
base - The base DN
result - The search result
Returns:
String containing the distinguished name
Throws:
javax.naming.NamingException

Copyright © 2000-2017 Apache Software Foundation. All Rights Reserved.