Class JNDIRealm
- All Implemented Interfaces:
MBeanRegistration
,Contained
,JmxEnabled
,Lifecycle
,Realm
Implementation of Realm that works with a directory server accessed via the Java Naming and Directory Interface (JNDI) APIs. The following constraints are imposed on the data structure in the underlying directory server:
- Each user that can be authenticated is represented by an individual element in the top level
DirContext
that is accessed via theconnectionURL
property. - If a socket connection cannot be made to the
connectURL
an attempt will be made to use thealternateURL
if it exists. - Each user element has a distinguished name that can be formed by substituting the presented username into a
pattern configured by the
userPattern
property. - Alternatively, if the
userPattern
property is not specified, a unique element can be located by searching the directory context. In this case:- The
userSearch
pattern specifies the search filter after substitution of the username. - The
userBase
property can be set to the element that is the base of the subtree containing users. If not specified, the search base is the top-level context. - The
userSubtree
property can be set totrue
if you wish to search the entire subtree of the directory context. The default value offalse
requests a search of only the current level.
- The
- The user may be authenticated by binding to the directory with the username and password presented. This method
is used when the
userPassword
property is not specified. - The user may be authenticated by retrieving the value of an attribute from the directory and comparing it
explicitly with the value presented by the user. This method is used when the
userPassword
property is specified, in which case:- The element for this user must contain an attribute named by the
userPassword
property. - The value of the user password attribute is either a cleartext String, or the result of passing a cleartext
String through the
RealmBase.digest()
method (using the standard digest support included inRealmBase
). - The user is considered to be authenticated if the presented credentials (after being passed through
RealmBase.digest()
) are equal to the retrieved value for the user password attribute.
- The element for this user must contain an attribute named by the
- Each group of users that has been assigned a particular role may be represented by an individual element in the
top level
DirContext
that is accessed via theconnectionURL
property. This element has the following characteristics:- The set of all possible groups of interest can be selected by a search pattern configured by the
roleSearch
property. - The
roleSearch
pattern optionally includes pattern replacements "{0}" for the distinguished name, and/or "{1}" for the username, and/or "{2}" the value of an attribute from the user's directory entry (the attribute is specified by theuserRoleAttribute
property), of the authenticated user for which roles will be retrieved. - The
roleBase
property can be set to the element that is the base of the search for matching roles. If not specified, the entire context will be searched. - The
roleSubtree
property can be set totrue
if you wish to search the entire subtree of the directory context. The default value offalse
requests a search of only the current level. - The element includes an attribute (whose name is configured by the
roleName
property) containing the name of the role represented by this element.
- The set of all possible groups of interest can be selected by a search pattern configured by the
- In addition, roles may be represented by the values of an attribute in the user's element whose name is
configured by the
userRoleName
property. - A default role can be assigned to each user that was successfully authenticated by setting the
commonRole
property to the name of this role. The role doesn't have to exist in the directory. - If the directory server contains nested roles, you can search for them by setting
roleNested
totrue
. The default value isfalse
, so role searches will not find nested roles. - Note that the standard
<security-role-ref>
element in the web application deployment descriptor allows applications to refer to roles programmatically by names other than those used in the directory server itself.
WARNING - There is a reported bug against the Netscape provider code (com.netscape.jndi.ldap.LdapContextFactory) with respect to successfully authenticated a non-existing user. The report is here: https://bz.apache.org/bugzilla/show_bug.cgi?id=11210 . With luck, Netscape has updated their provider code and this is not an issue.
- Author:
- John Holman, Craig R. McClanahan
-
Nested Class Summary
Modifier and TypeClassDescriptionprotected static class
Class holding the connection to the directory plus the associated non thread safe message formats.protected static class
A protected class representing a UserNested classes/interfaces inherited from class org.apache.catalina.realm.RealmBase
RealmBase.AllRolesMode
Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle
Lifecycle.SingleUse
-
Field Summary
Modifier and TypeFieldDescriptionprotected boolean
Should we ignore PartialResultExceptions when iterating over NamingEnumerations?protected String
An alternate URL, to which, we should connect if connectionURL fails.protected String
The type of authentication to useprotected String
Add this role to every authenticated userprotected int
The number of connection attempts.protected String
The connection username for the server we will contact.protected String
The connection password for the server we will contact.protected SynchronizedStack<JNDIRealm.JNDIConnection>
Connection pool.protected int
The pool size limit.protected String
The timeout, in milliseconds, to use when trying to create a connection to the directory.protected String
The connection URL for the server we will contact.protected String
The JNDI context factory used to acquire our InitialContext.static final String
Constant that holds the name of the environment property for specifying the manner in which aliases should be dereferenced.protected String
How aliases should be dereferenced during search operations.protected String
The protocol that will be used in the communication with the directory server.protected String
The timeout, in milliseconds, to use when trying to read from a connection to the directory.protected String
How should we handle referrals?protected String
The base element for role searches.protected String
The name of the attribute containing roles held elsewhereprotected boolean
Should we look for nested group in order to determine roles?protected String
The message format used to select roles for a user, with "{0}" marking the spot where the distinguished name of the user goes.protected boolean
When searching for user roles, should the search be performed as the user currently being authenticated?protected boolean
Should we search the entire subtree for matching memberships?protected JNDIRealm.JNDIConnection
Non pooled connection to our directory server.protected final Lock
The lock to ensure single connection thread safety.protected long
The sizeLimit (also known as the countLimit) to use when the realm is configured withuserSearch
.protected String
The QOP that should be used for the connection to the LDAP server after authentication.protected int
The timeLimit (in milliseconds) to use when the realm is configured withuserSearch
.protected boolean
Whether to use context ClassLoader or default ClassLoader.protected boolean
Should delegated credentials from the SPNEGO authenticator be used if availableprotected String
The base element for user searches.protected String
The attribute name used to retrieve the user password.protected String
The message format used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.protected String[]
A string of LDAP user patterns or paths, ":"-separated These will be used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.protected String
The name of the attribute inside the users directory entry where the value will be taken to search for roles This attribute is not used during a nested searchprotected String
The name of an attribute in the user's entry containing roles for that userprotected String
The message format used to search for a user, with "{0}" marking the spot where the username goes.protected boolean
Should we search the entire subtree for matching users?Fields inherited from class org.apache.catalina.realm.RealmBase
allRolesMode, container, containerLog, realmPath, sm, stripRealmForGss, support, USER_ATTRIBUTES_DELIMITER, USER_ATTRIBUTES_WILDCARD, userAttributes, userAttributesList, validate, x509UsernameRetriever, x509UsernameRetrieverClassName
Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase
mserver
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionauthenticate
(String username) Try to authenticate with the specified username.authenticate
(String username, String credentials) Try to authenticate using the specified username and credentials.authenticate
(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realm, String digestA2, String algorithm) Try to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 7616.authenticate
(X509Certificate[] certs) Try to authenticate using a chain ofX509Certificate
s.authenticate
(JNDIRealm.JNDIConnection connection, String username, String credentials) Return the Principal associated with the specified username and credentials, if there is one; otherwise returnnull
.authenticate
(GSSContext gssContext, boolean storeCred) Try to authenticate using aGSSContext
.authenticate
(GSSName gssName, GSSCredential gssCredential) Try to authenticate using aGSSName
.protected boolean
bindAsUser
(DirContext context, JNDIRealm.User user, String credentials) Check credentials by binding to the directory as the userprotected boolean
checkCredentials
(DirContext context, JNDIRealm.User user, String credentials) Check whether the given User can be authenticated with the given credentials.protected void
close
(JNDIRealm.JNDIConnection connection) Close any open connection to the directory server for this Realm.protected void
Close all pooled connections.protected boolean
compareCredentials
(DirContext context, JNDIRealm.User info, String credentials) Check whether the credentials presented by the user match those retrieved from the directory.protected static String
convertToHexEscape
(String input) protected JNDIRealm.JNDIConnection
create()
Create a new connection wrapper, along with the message formats.protected String
doAttributeValueEscaping
(String input) Implements the necessary escaping to represent an attribute value as a String as per RFC 4514.protected String
doFilterEscaping
(String inString) Given an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines.protected String
doRFC2254Encoding
(String inString) Deprecated.Will be removed in Tomcat 10.1.x onwardsprotected JNDIRealm.JNDIConnection
get()
Open (if necessary) and return a connection to the configured directory server for this Realm.boolean
Getter for property alternateURL.int
Create our directory context configuration.protected String
getDistinguishedName
(DirContext context, String base, SearchResult result) Returns the distinguished name of a search result.boolean
protected String
getPassword
(String username) Get the password for the specified user.protected Principal
getPrincipal
(String username) Get the principal associated with the specified user.protected Principal
getPrincipal
(String username, GSSCredential gssCredential) Get the principal associated with the specified user name.protected Principal
getPrincipal
(JNDIRealm.JNDIConnection connection, String username, GSSCredential gssCredential) Get the principal associated with the specified certificate.protected Principal
getPrincipal
(GSSName gssName, GSSCredential gssCredential) Get the principal associated with the specifiedGSSName
.boolean
getRoles
(JNDIRealm.JNDIConnection connection, JNDIRealm.User user) Return a List of roles associated with the given User.boolean
long
int
protected JNDIRealm.User
getUser
(JNDIRealm.JNDIConnection connection, String username) Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull
.protected JNDIRealm.User
getUser
(JNDIRealm.JNDIConnection connection, String username, String credentials) Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull
.protected JNDIRealm.User
getUser
(JNDIRealm.JNDIConnection connection, String username, String credentials, int curUserPattern) Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull
.protected JNDIRealm.User
getUserByPattern
(DirContext context, String username, String[] attrIds, String dn) Use the distinguished name to locate the directory entry for the user with the specified username and return a User object; otherwise returnnull
.protected JNDIRealm.User
getUserByPattern
(JNDIRealm.JNDIConnection connection, String username, String credentials, String[] attrIds, int curUserPattern) Use theUserPattern
configuration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise returnnull
.protected JNDIRealm.User
getUserBySearch
(JNDIRealm.JNDIConnection connection, String username, String[] attrIds) Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull
.boolean
boolean
boolean
Return the availability of the realm for authentication.boolean
boolean
Returns whether to use the context or default ClassLoader.boolean
boolean
protected void
open
(JNDIRealm.JNDIConnection connection) Create a new connection to the directory server.protected String[]
parseUserPatternString
(String userPatternString) Given a string containing LDAP patterns for user locations (separated by parentheses in a pseudo-LDAP search string format - "(location1)(location2)", returns an array of those paths.protected void
release
(JNDIRealm.JNDIConnection connection) Release our use of this connection so that it can be recycled.void
setAdCompat
(boolean adCompat) How do we handle PartialResultExceptions?void
setAlternateURL
(String alternateURL) Setter for property alternateURL.void
setAuthentication
(String authentication) Set the type of authentication to use.void
setCipherSuites
(String suites) Set the allowed cipher suites when opening a connection using StartTLS.void
setCommonRole
(String commonRole) Set the common rolevoid
setConnectionName
(String connectionName) Set the connection username for this Realm.void
setConnectionPassword
(String connectionPassword) Set the connection password for this Realm.void
setConnectionPoolSize
(int connectionPoolSize) Set the connection pool sizevoid
setConnectionTimeout
(String timeout) Set the connection timeout.void
setConnectionURL
(String connectionURL) Set the connection URL for this Realm.void
setContextFactory
(String contextFactory) Set the JNDI context factory for this Realm.void
setDerefAliases
(String derefAliases) Set the value for derefAliases to be used when searching the directory.void
setForceDnHexEscape
(boolean forceDnHexEscape) void
setHostnameVerifierClassName
(String verifierClassName) Set theHostnameVerifier
to be used when opening connections using StartTLS.void
setProtocol
(String protocol) Set the protocol for this Realm.void
setReadTimeout
(String timeout) Set the read timeout.void
setReferrals
(String referrals) How do we handle JNDI referrals?void
setRoleBase
(String roleBase) Set the base element for role searches.void
setRoleName
(String roleName) Set the role name attribute name for this Realm.void
setRoleNested
(boolean roleNested) Set the "search subtree for roles" flag.void
setRoleSearch
(String roleSearch) Set the message format pattern for selecting roles in this Realm.void
setRoleSearchAsUser
(boolean roleSearchAsUser) void
setRoleSubtree
(boolean roleSubtree) Set the "search subtree for roles" flag.void
setSizeLimit
(long sizeLimit) void
setSpnegoDelegationQop
(String spnegoDelegationQop) void
setSslProtocol
(String protocol) Set the ssl protocol to be used for connections using StartTLS.void
setSslSocketFactoryClassName
(String factoryClassName) Set theSSLSocketFactory
to be used when opening connections using StartTLS.void
setTimeLimit
(int timeLimit) void
setUseContextClassLoader
(boolean useContext) Sets whether to use the context or default ClassLoader.void
setUseDelegatedCredential
(boolean useDelegatedCredential) void
setUserBase
(String userBase) Set the base element for user searches.void
setUserPassword
(String userPassword) Set the password attribute used to retrieve the user password.void
setUserPattern
(String userPattern) Set the message format pattern for selecting users in this Realm.void
setUserRoleAttribute
(String userRoleAttribute) void
setUserRoleName
(String userRoleName) Set the user role name attribute name for this Realm.void
setUserSearch
(String userSearch) Set the message format pattern for selecting users in this Realm.void
setUserSearchAsUser
(boolean userSearchAsUser) void
setUserSubtree
(boolean userSubtree) Set the "search subtree for users" flag.void
setUseStartTls
(boolean useStartTls) Flag whether StartTLS should be used when connecting to the ldap serverprotected void
Prepare for the beginning of active use of the public methods of this component and implement the requirements ofLifecycleBase.startInternal()
.protected void
Gracefully terminate the active use of the public methods of this component and implement the requirements ofLifecycleBase.stopInternal()
.Methods inherited from class org.apache.catalina.realm.RealmBase
addPropertyChangeListener, authenticate, backgroundProcess, findSecurityConstraints, getAllRolesMode, getContainer, getCredentialHandler, getDigest, getDigest, getDomainInternal, getObjectNameKeyProperties, getPrincipal, getPrincipal, getRealmPath, getRealmSuffix, getRoles, getServer, getTransportGuaranteeRedirectStatus, getUserAttributes, getValidate, getX509UsernameRetrieverClassName, hasMessageDigest, hasResourcePermission, hasRole, hasRoleInternal, hasUserDataPermission, initInternal, isStripRealmForGss, main, parseUserAttributes, removePropertyChangeListener, setAllRolesMode, setContainer, setCredentialHandler, setRealmPath, setStripRealmForGss, setTransportGuaranteeRedirectStatus, setUserAttributes, setValidate, setX509UsernameRetrieverClassName, toString
Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister
Methods inherited from class org.apache.catalina.util.LifecycleBase
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
-
Field Details
-
authentication
The type of authentication to use -
connectionName
The connection username for the server we will contact. -
connectionPassword
The connection password for the server we will contact. -
connectionURL
The connection URL for the server we will contact. -
contextFactory
The JNDI context factory used to acquire our InitialContext. By default, assumes use of an LDAP server using the standard JNDI LDAP provider. -
derefAliases
How aliases should be dereferenced during search operations. -
DEREF_ALIASES
Constant that holds the name of the environment property for specifying the manner in which aliases should be dereferenced.- See Also:
-
protocol
The protocol that will be used in the communication with the directory server. -
adCompat
protected boolean adCompatShould we ignore PartialResultExceptions when iterating over NamingEnumerations? Microsoft Active Directory often returns referrals, which lead to PartialResultExceptions. Unfortunately there's no stable way to detect, if the Exceptions really come from an AD referral. Set to true to ignore PartialResultExceptions. -
referrals
How should we handle referrals? Microsoft Active Directory often returns referrals. If you need to follow them set referrals to "follow". Caution: if your DNS is not part of AD, the LDAP client lib might try to resolve your domain name in DNS to find another LDAP server. -
userBase
The base element for user searches. -
userSearch
The message format used to search for a user, with "{0}" marking the spot where the username goes. -
userSubtree
protected boolean userSubtreeShould we search the entire subtree for matching users? -
userPassword
The attribute name used to retrieve the user password. -
userRoleAttribute
The name of the attribute inside the users directory entry where the value will be taken to search for roles This attribute is not used during a nested search -
userPatternArray
A string of LDAP user patterns or paths, ":"-separated These will be used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes. This is similar to userPattern, but allows for multiple searches for a user. -
userPattern
The message format used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes. -
roleBase
The base element for role searches. -
userRoleName
The name of an attribute in the user's entry containing roles for that user -
roleName
The name of the attribute containing roles held elsewhere -
roleSearch
The message format used to select roles for a user, with "{0}" marking the spot where the distinguished name of the user goes. The "{1}" and "{2}" are described in the Configuration Reference. -
roleSubtree
protected boolean roleSubtreeShould we search the entire subtree for matching memberships? -
roleNested
protected boolean roleNestedShould we look for nested group in order to determine roles? -
roleSearchAsUser
protected boolean roleSearchAsUserWhen searching for user roles, should the search be performed as the user currently being authenticated? If false,connectionName
andconnectionPassword
will be used if specified, else an anonymous connection will be used. -
alternateURL
An alternate URL, to which, we should connect if connectionURL fails. -
connectionAttempt
protected int connectionAttemptThe number of connection attempts. If greater than zero we use the alternate url. -
commonRole
Add this role to every authenticated user -
connectionTimeout
The timeout, in milliseconds, to use when trying to create a connection to the directory. The default is 5000 (5 seconds). -
readTimeout
The timeout, in milliseconds, to use when trying to read from a connection to the directory. The default is 5000 (5 seconds). -
sizeLimit
protected long sizeLimitThe sizeLimit (also known as the countLimit) to use when the realm is configured withuserSearch
. Zero for no limit. -
timeLimit
protected int timeLimitThe timeLimit (in milliseconds) to use when the realm is configured withuserSearch
. Zero for no limit. -
useDelegatedCredential
protected boolean useDelegatedCredentialShould delegated credentials from the SPNEGO authenticator be used if available -
spnegoDelegationQop
The QOP that should be used for the connection to the LDAP server after authentication. This value is used to set thejavax.security.sasl.qop
environment property for the LDAP connection. -
singleConnection
Non pooled connection to our directory server. -
singleConnectionLock
The lock to ensure single connection thread safety. -
connectionPool
Connection pool. -
connectionPoolSize
protected int connectionPoolSizeThe pool size limit. If 1, pooling is not used. -
useContextClassLoader
protected boolean useContextClassLoaderWhether to use context ClassLoader or default ClassLoader. True means use context ClassLoader, and True is the default value.
-
-
Constructor Details
-
JNDIRealm
public JNDIRealm()
-
-
Method Details
-
getForceDnHexEscape
public boolean getForceDnHexEscape() -
setForceDnHexEscape
public void setForceDnHexEscape(boolean forceDnHexEscape) -
getAuthentication
- Returns:
- the type of authentication to use.
-
setAuthentication
Set the type of authentication to use.- Parameters:
authentication
- The authentication
-
getConnectionName
- Returns:
- the connection username for this Realm.
-
setConnectionName
Set the connection username for this Realm.- Parameters:
connectionName
- The new connection username
-
getConnectionPassword
- Returns:
- the connection password for this Realm.
-
setConnectionPassword
Set the connection password for this Realm.- Parameters:
connectionPassword
- The new connection password
-
getConnectionURL
- Returns:
- the connection URL for this Realm.
-
setConnectionURL
Set the connection URL for this Realm.- Parameters:
connectionURL
- The new connection URL
-
getContextFactory
- Returns:
- the JNDI context factory for this Realm.
-
setContextFactory
Set the JNDI context factory for this Realm.- Parameters:
contextFactory
- The new context factory
-
getDerefAliases
- Returns:
- the derefAliases setting to be used.
-
setDerefAliases
Set the value for derefAliases to be used when searching the directory.- Parameters:
derefAliases
- New value of property derefAliases.
-
getProtocol
- Returns:
- the protocol to be used.
-
setProtocol
Set the protocol for this Realm.- Parameters:
protocol
- The new protocol.
-
getAdCompat
public boolean getAdCompat()- Returns:
- the current settings for handling PartialResultExceptions
-
setAdCompat
public void setAdCompat(boolean adCompat) How do we handle PartialResultExceptions? True: ignore all PartialResultExceptions.- Parameters:
adCompat
-true
to ignore partial results
-
getReferrals
- Returns:
- the current settings for handling JNDI referrals.
-
setReferrals
How do we handle JNDI referrals? ignore, follow, or throw (see javax.naming.Context.REFERRAL for more information).- Parameters:
referrals
- The referral handling
-
getUserBase
- Returns:
- the base element for user searches.
-
setUserBase
Set the base element for user searches.- Parameters:
userBase
- The new base element
-
getUserSearch
- Returns:
- the message format pattern for selecting users in this Realm.
-
setUserSearch
Set the message format pattern for selecting users in this Realm.- Parameters:
userSearch
- The new user search pattern
-
isUserSearchAsUser
public boolean isUserSearchAsUser() -
setUserSearchAsUser
public void setUserSearchAsUser(boolean userSearchAsUser) -
getUserSubtree
public boolean getUserSubtree()- Returns:
- the "search subtree for users" flag.
-
setUserSubtree
public void setUserSubtree(boolean userSubtree) Set the "search subtree for users" flag.- Parameters:
userSubtree
- The new search flag
-
getUserRoleName
- Returns:
- the user role name attribute name for this Realm.
-
setUserRoleName
Set the user role name attribute name for this Realm.- Parameters:
userRoleName
- The new userRole name attribute name
-
getRoleBase
- Returns:
- the base element for role searches.
-
setRoleBase
Set the base element for role searches.- Parameters:
roleBase
- The new base element
-
getRoleName
- Returns:
- the role name attribute name for this Realm.
-
setRoleName
Set the role name attribute name for this Realm.- Parameters:
roleName
- The new role name attribute name
-
getRoleSearch
- Returns:
- the message format pattern for selecting roles in this Realm.
-
setRoleSearch
Set the message format pattern for selecting roles in this Realm.- Parameters:
roleSearch
- The new role search pattern
-
isRoleSearchAsUser
public boolean isRoleSearchAsUser() -
setRoleSearchAsUser
public void setRoleSearchAsUser(boolean roleSearchAsUser) -
getRoleSubtree
public boolean getRoleSubtree()- Returns:
- the "search subtree for roles" flag.
-
setRoleSubtree
public void setRoleSubtree(boolean roleSubtree) Set the "search subtree for roles" flag.- Parameters:
roleSubtree
- The new search flag
-
getRoleNested
public boolean getRoleNested()- Returns:
- the "The nested group search flag" flag.
-
setRoleNested
public void setRoleNested(boolean roleNested) Set the "search subtree for roles" flag.- Parameters:
roleNested
- The nested group search flag
-
getUserPassword
- Returns:
- the password attribute used to retrieve the user password.
-
setUserPassword
Set the password attribute used to retrieve the user password.- Parameters:
userPassword
- The new password attribute
-
getUserRoleAttribute
-
setUserRoleAttribute
-
getUserPattern
- Returns:
- the message format pattern for selecting users in this Realm.
-
setUserPattern
Set the message format pattern for selecting users in this Realm. This may be one simple pattern, or multiple patterns to be tried, separated by parentheses. (for example, either "cn={0}", or "(cn={0})(cn={0},o=myorg)" Full LDAP search strings are also supported, but only the "OR", "|" syntax, so "(|(cn={0})(cn={0},o=myorg))" is also valid. Complex search strings with &, etc are NOT supported.- Parameters:
userPattern
- The new user pattern
-
getAlternateURL
Getter for property alternateURL.- Returns:
- Value of property alternateURL.
-
setAlternateURL
Setter for property alternateURL.- Parameters:
alternateURL
- New value of property alternateURL.
-
getCommonRole
- Returns:
- the common role
-
setCommonRole
Set the common role- Parameters:
commonRole
- The common role
-
getConnectionTimeout
- Returns:
- the connection timeout.
-
setConnectionTimeout
Set the connection timeout.- Parameters:
timeout
- The new connection timeout
-
getReadTimeout
- Returns:
- the read timeout.
-
setReadTimeout
Set the read timeout.- Parameters:
timeout
- The new read timeout
-
getSizeLimit
public long getSizeLimit() -
setSizeLimit
public void setSizeLimit(long sizeLimit) -
getTimeLimit
public int getTimeLimit() -
setTimeLimit
public void setTimeLimit(int timeLimit) -
isUseDelegatedCredential
public boolean isUseDelegatedCredential() -
setUseDelegatedCredential
public void setUseDelegatedCredential(boolean useDelegatedCredential) -
getSpnegoDelegationQop
-
setSpnegoDelegationQop
-
getUseStartTls
public boolean getUseStartTls()- Returns:
- flag whether to use StartTLS for connections to the ldap server
-
setUseStartTls
public void setUseStartTls(boolean useStartTls) Flag whether StartTLS should be used when connecting to the ldap server- Parameters:
useStartTls
-true
when StartTLS should be used. Default isfalse
.
-
setCipherSuites
Set the allowed cipher suites when opening a connection using StartTLS. The cipher suites are expected as a comma separated list.- Parameters:
suites
- comma separated list of allowed cipher suites
-
getConnectionPoolSize
public int getConnectionPoolSize()- Returns:
- the connection pool size, or the default value 1 if pooling is disabled
-
setConnectionPoolSize
public void setConnectionPoolSize(int connectionPoolSize) Set the connection pool size- Parameters:
connectionPoolSize
- the new pool size
-
getHostnameVerifierClassName
- Returns:
- name of the
HostnameVerifier
class used for connections using StartTLS, or the empty string, if the default verifier should be used.
-
setHostnameVerifierClassName
Set theHostnameVerifier
to be used when opening connections using StartTLS. An instance of the given class name will be constructed using the default constructor.- Parameters:
verifierClassName
- class name of theHostnameVerifier
to be constructed
-
getHostnameVerifier
- Returns:
- the
HostnameVerifier
to use for peer certificate verification when opening connections using StartTLS.
-
setSslSocketFactoryClassName
Set theSSLSocketFactory
to be used when opening connections using StartTLS. An instance of the factory with the given name will be created using the default constructor. The SSLSocketFactory can also be set usingsetSslProtocol(String)
.- Parameters:
factoryClassName
- class name of the factory to be constructed
-
setSslProtocol
Set the ssl protocol to be used for connections using StartTLS.- Parameters:
protocol
- one of the allowed ssl protocol names
-
setUseContextClassLoader
public void setUseContextClassLoader(boolean useContext) Sets whether to use the context or default ClassLoader. True means use context ClassLoader.- Parameters:
useContext
- True means use context ClassLoader
-
isUseContextClassLoader
public boolean isUseContextClassLoader()Returns whether to use the context or default ClassLoader. True means to use the context ClassLoader.- Returns:
- The value of useContextClassLoader
-
authenticate
Try to authenticate using the specified username and credentials.If there are any errors with the JNDI connection, executing the query or anything we return null (don't authenticate). This event is also logged, and the connection will be closed so that a subsequent request will automatically re-open it.
- Specified by:
authenticate
in interfaceRealm
- Overrides:
authenticate
in classRealmBase
- Parameters:
username
- Username of the Principal to look upcredentials
- Password or other credentials to use in authenticating this username- Returns:
- the associated principal, or
null
if there is none
-
authenticate
public Principal authenticate(JNDIRealm.JNDIConnection connection, String username, String credentials) throws NamingException Return the Principal associated with the specified username and credentials, if there is one; otherwise returnnull
.- Parameters:
connection
- The directory contextusername
- Username of the Principal to look upcredentials
- Password or other credentials to use in authenticating this username- Returns:
- the associated principal, or
null
if there is none. - Throws:
NamingException
- if a directory server error occurs
-
authenticate
Description copied from interface:Realm
Try to authenticate with the specified username.- Specified by:
authenticate
in interfaceRealm
- Overrides:
authenticate
in classRealmBase
- Parameters:
username
- Username of the Principal to look up- Returns:
- the associated principal, or
null
if none is associated.
-
authenticate
public Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realm, String digestA2, String algorithm) Description copied from interface:Realm
Try to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 7616.The default implementation calls
Realm.authenticate(String, String, String, String, String, String, String, String)
for backwards compatibility which effectively forces the use of MD5 regardless of the algorithm specified in the call to this method.Implementations are expected to override the default implementation and take account of the algorithm parameter.
- Specified by:
authenticate
in interfaceRealm
- Overrides:
authenticate
in classRealmBase
- Parameters:
username
- Username of the Principal to look upclientDigest
- Digest which has been submitted by the clientnonce
- Unique (or supposedly unique) token which has been used for this requestnc
- the nonce countercnonce
- the client chosen nonceqop
- the "quality of protection" (nc
andcnonce
will only be used, ifqop
is notnull
).realm
- Realm namedigestA2
- Second digest calculated as digest(Method + ":" + uri)algorithm
- The message digest algorithm to use- Returns:
- the associated principal, or
null
if there is none.
-
authenticate
Description copied from interface:Realm
Try to authenticate using a chain ofX509Certificate
s.- Specified by:
authenticate
in interfaceRealm
- Overrides:
authenticate
in classRealmBase
- Parameters:
certs
- Array of client certificates, with the first one in the array being the certificate of the client itself.- Returns:
- the associated principal, or
null
if there is none
-
authenticate
Description copied from interface:Realm
Try to authenticate using aGSSContext
.- Specified by:
authenticate
in interfaceRealm
- Overrides:
authenticate
in classRealmBase
- Parameters:
gssContext
- The gssContext processed by theAuthenticator
.storeCred
- Should the realm attempt to store the delegated credentials in the returned Principal?- Returns:
- the associated principal, or
null
if there is none
-
authenticate
Description copied from interface:Realm
Try to authenticate using aGSSName
. Note that this default method will be turned into an abstract one in Tomcat 10.- Specified by:
authenticate
in interfaceRealm
- Overrides:
authenticate
in classRealmBase
- Parameters:
gssName
- TheGSSName
of the principal to look upgssCredential
- TheGSSCredential
of the principal, may benull
- Returns:
- the associated principal, or
null
if there is none
-
getUser
protected JNDIRealm.User getUser(JNDIRealm.JNDIConnection connection, String username) throws NamingException Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull
.- Parameters:
connection
- The directory contextusername
- Username to be looked up- Returns:
- the User object
- Throws:
NamingException
- if a directory server error occurs- See Also:
-
getUser
protected JNDIRealm.User getUser(JNDIRealm.JNDIConnection connection, String username, String credentials) throws NamingException Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull
.- Parameters:
connection
- The directory contextusername
- Username to be looked upcredentials
- User credentials (optional)- Returns:
- the User object
- Throws:
NamingException
- if a directory server error occurs- See Also:
-
getUser
protected JNDIRealm.User getUser(JNDIRealm.JNDIConnection connection, String username, String credentials, int curUserPattern) throws NamingException Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull
. If theuserPassword
configuration attribute is specified, the value of that attribute is retrieved from the user's directory entry. If theuserRoleName
configuration attribute is specified, all values of that attribute are retrieved from the directory entry.- Parameters:
connection
- The directory contextusername
- Username to be looked upcredentials
- User credentials (optional)curUserPattern
- Index into userPatternFormatArray- Returns:
- the User object
- Throws:
NamingException
- if a directory server error occurs
-
getUserByPattern
protected JNDIRealm.User getUserByPattern(DirContext context, String username, String[] attrIds, String dn) throws NamingException Use the distinguished name to locate the directory entry for the user with the specified username and return a User object; otherwise returnnull
.- Parameters:
context
- The directory contextusername
- The usernameattrIds
- String[]containing names of attributes todn
- Distinguished name of the user retrieve.- Returns:
- the User object
- Throws:
NamingException
- if a directory server error occurs
-
getUserByPattern
protected JNDIRealm.User getUserByPattern(JNDIRealm.JNDIConnection connection, String username, String credentials, String[] attrIds, int curUserPattern) throws NamingException Use theUserPattern
configuration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise returnnull
.- Parameters:
connection
- The directory contextusername
- The usernamecredentials
- User credentials (optional)attrIds
- String[]containing names of attributes tocurUserPattern
- Index into userPatternFormatArray- Returns:
- the User object
- Throws:
NamingException
- if a directory server error occurs- See Also:
-
getUserBySearch
protected JNDIRealm.User getUserBySearch(JNDIRealm.JNDIConnection connection, String username, String[] attrIds) throws NamingException Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull
.- Parameters:
connection
- The directory contextusername
- The usernameattrIds
- String[]containing names of attributes to retrieve.- Returns:
- the User object
- Throws:
NamingException
- if a directory server error occurs
-
checkCredentials
protected boolean checkCredentials(DirContext context, JNDIRealm.User user, String credentials) throws NamingException Check whether the given User can be authenticated with the given credentials. If theuserPassword
configuration attribute is specified, the credentials previously retrieved from the directory are compared explicitly with those presented by the user. Otherwise the presented credentials are checked by binding to the directory as the user.- Parameters:
context
- The directory contextuser
- The User to be authenticatedcredentials
- The credentials presented by the user- Returns:
true
if the credentials are validated- Throws:
NamingException
- if a directory server error occurs
-
compareCredentials
protected boolean compareCredentials(DirContext context, JNDIRealm.User info, String credentials) throws NamingException Check whether the credentials presented by the user match those retrieved from the directory.- Parameters:
context
- The directory contextinfo
- The User to be authenticatedcredentials
- Authentication credentials- Returns:
true
if the credentials are validated- Throws:
NamingException
- if a directory server error occurs
-
bindAsUser
protected boolean bindAsUser(DirContext context, JNDIRealm.User user, String credentials) throws NamingException Check credentials by binding to the directory as the user- Parameters:
context
- The directory contextuser
- The User to be authenticatedcredentials
- Authentication credentials- Returns:
true
if the credentials are validated- Throws:
NamingException
- if a directory server error occurs
-
getRoles
protected List<String> getRoles(JNDIRealm.JNDIConnection connection, JNDIRealm.User user) throws NamingException Return a List of roles associated with the given User. Any roles present in the user's directory entry are supplemented by a directory search. If no roles are associated with this user, a zero-length List is returned.- Parameters:
connection
- The directory context we are searchinguser
- The User to be checked- Returns:
- the list of role names
- Throws:
NamingException
- if a directory server error occurs
-
close
Close any open connection to the directory server for this Realm.- Parameters:
connection
- The directory context to be closed
-
closePooledConnections
protected void closePooledConnections()Close all pooled connections. -
getPassword
Description copied from class:RealmBase
Get the password for the specified user.- Specified by:
getPassword
in classRealmBase
- Parameters:
username
- The user name- Returns:
- the password associated with the given principal's user name.
-
getPrincipal
Description copied from class:RealmBase
Get the principal associated with the specified user.- Specified by:
getPrincipal
in classRealmBase
- Parameters:
username
- The user name- Returns:
- the Principal associated with the given user name.
-
getPrincipal
Description copied from class:RealmBase
Get the principal associated with the specifiedGSSName
.- Overrides:
getPrincipal
in classRealmBase
- Parameters:
gssName
- The GSS namegssCredential
- the GSS credential of the principal- Returns:
- the principal associated with the given user name.
-
getPrincipal
Description copied from class:RealmBase
Get the principal associated with the specified user name.- Overrides:
getPrincipal
in classRealmBase
- Parameters:
username
- The user namegssCredential
- the GSS credential of the principal- Returns:
- the principal associated with the given user name.
-
getPrincipal
protected Principal getPrincipal(JNDIRealm.JNDIConnection connection, String username, GSSCredential gssCredential) throws NamingException Get the principal associated with the specified certificate.- Parameters:
connection
- The directory contextusername
- The user namegssCredential
- The credentials- Returns:
- the Principal associated with the given certificate.
- Throws:
NamingException
- if a directory server error occurs
-
get
Open (if necessary) and return a connection to the configured directory server for this Realm.- Returns:
- the connection
- Throws:
NamingException
- if a directory server error occurs
-
release
Release our use of this connection so that it can be recycled.- Parameters:
connection
- The directory context to release
-
create
Create a new connection wrapper, along with the message formats.- Returns:
- the new connection
-
open
Create a new connection to the directory server.- Parameters:
connection
- The directory server connection wrapper- Throws:
NamingException
- if a directory server error occurs
-
isAvailable
public boolean isAvailable()Description copied from interface:Realm
Return the availability of the realm for authentication.- Returns:
true
if the realm is able to perform authentication
-
getDirectoryContextEnvironment
Create our directory context configuration.- Returns:
- java.util.Hashtable the configuration for the directory context.
-
startInternal
Prepare for the beginning of active use of the public methods of this component and implement the requirements ofLifecycleBase.startInternal()
.- Overrides:
startInternal
in classRealmBase
- Throws:
LifecycleException
- if this component detects a fatal error that prevents this component from being used
-
stopInternal
Gracefully terminate the active use of the public methods of this component and implement the requirements ofLifecycleBase.stopInternal()
.- Overrides:
stopInternal
in classRealmBase
- Throws:
LifecycleException
- if this component detects a fatal error that needs to be reported
-
parseUserPatternString
Given a string containing LDAP patterns for user locations (separated by parentheses in a pseudo-LDAP search string format - "(location1)(location2)", returns an array of those paths. Real LDAP search strings are supported as well (though only the "|" "OR" type).- Parameters:
userPatternString
- - a string LDAP search paths surrounded by parentheses- Returns:
- a parsed string array
-
doRFC2254Encoding
Deprecated.Will be removed in Tomcat 10.1.x onwardsGiven an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines. The character mapping is as follows: char -> Replacement --------------------------- * -> \2a ( -> \28 ) -> \29 \ -> \5c \0 -> \00- Parameters:
inString
- string to escape according to RFC 2254 guidelines- Returns:
- String the escaped/encoded result
-
doFilterEscaping
Given an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines. The character mapping is as follows: char -> Replacement --------------------------- * -> \2a ( -> \28 ) -> \29 \ -> \5c \0 -> \00- Parameters:
inString
- string to escape according to RFC 2254 guidelines- Returns:
- String the escaped/encoded result
-
getDistinguishedName
protected String getDistinguishedName(DirContext context, String base, SearchResult result) throws NamingException Returns the distinguished name of a search result.- Parameters:
context
- Our DirContextbase
- The base DNresult
- The search result- Returns:
- String containing the distinguished name
- Throws:
NamingException
- if a directory server error occurs
-
doAttributeValueEscaping
Implements the necessary escaping to represent an attribute value as a String as per RFC 4514.- Parameters:
input
- The original attribute value- Returns:
- The string representation of the attribute value
-
convertToHexEscape
-