Posted to users@tomcat.apache.org by Philippe Maseres <p....@citb.bull.net> on 2003/03/13 09:48:54 UTC

JNDI realm - recursive group/role matching (Tomcat 4.1.18)

Hello all.
I need to set up Tomcat to use an LDAP directory for authentication and
authorization. I successfully configured my iPlanet directory and a JNDI
realm in Tomcat, and user and role checks work well, but with a
restriction. My directory schema, which is quite classical, provides a
dedicated tree with two sub-trees: one for users and another for groups.
User assignment to groups is made through the common multivalued attribute
'uniqueMember'. According to my JNDI realm setup, Tomcat matches users from
groups using their DN and deduces the right roles. However, I need to
organize users in the directory in a hierarchic classification where persons
don't belong directly to groups that represent application roles. On the
contrary, users are assigned to profiles, themselves forming a compound tree
whose terminal leaves are the actual roles mapped to the applications'
constraints. Unfortunately, Tomcat seems not to process the role matching
recursively, i.e. retrieving first the groups from the user's DN, and then the
groups from each found group. In a past project, the BEA WebLogic LDAP realm was
used to perform such a recursive matching with no particular setting. Is
there any way to use Tomcat the same way, with its JNDI realm implementation?
Is there any alternative JNDI realm that could be used, or should I
implement it myself?
Thanks for answers...

Philippe Maseres


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


RE: JNDI realm - recursive group/role matching (Tomcat 4.1.18)

Posted by Philippe Maseres <p....@citb.bull.net>.
Hello.

I know it's not trivial, but it could be done. Below is a quickly written test
class that overrides the JNDIRealm to retrieve groups from groups. As I
explained in another mail I posted to the developer mailing list, the main
problem is not the code to do it, but how to integrate it within Tomcat: the
JNDIRealm uses 'package scoped' classes, and if you want to change it you
must either create your new class with a few overridden methods in the same
package, which is not very "elegant", or rewrite a full implementation. For
that reason, as this new feature is probably common enough to be integrated into
the Tomcat delivery, I hope one of the Apache members takes it into account in
a future version of the JNDIRealm.

Regards.

<<< NEW getRoles() CODE >>>

package org.apache.catalina.realm;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Must live in org.apache.catalina.realm: JNDIRealm.User is package scoped.
public class SmartJNDIRealm extends JNDIRealm {

    protected List getRoles(final DirContext dirContext, final User user)
            throws NamingException {

        // Groups that list the user's DN directly (standard JNDIRealm behaviour)
        List plainList = super.getRoles(dirContext, user);
        if (plainList == null)
            return plainList;

        // Transitive closure: groups of groups. The set also prevents an
        // endless loop when two groups reference each other.
        HashSet recursiveSet = new HashSet();

        for (Iterator i = plainList.iterator(); i.hasNext();) {
            String groupName = (String) i.next();
            recursiveGroupSearch(dirContext, recursiveSet, groupName);
        }

        if (debug >= 2) {
            log("  * Returning set with " + recursiveSet.size() + " roles");
            for (Iterator i = recursiveSet.iterator(); i.hasNext();)
                log("  * - Recursively found role " + i.next());
        }

        return new ArrayList(recursiveSet);
    }

    protected void recursiveGroupSearch(final DirContext dirContext,
            Set recursiveSet, String groupname) throws NamingException {
        if (debug >= 3)
            log("  *** Recursive search for group '" + groupname + "'");
        // Add the given group to the result set if not already found; a group
        // already in the set has already been expanded, so stop there
        if (!recursiveSet.contains(groupname)) {
            recursiveSet.add(groupname);
            // Build the DN of this group and substitute it for {0} in the
            // roleSearch filter, as JNDIRealm does with the user's DN. Filter
            // metacharacters in the DN are escaped so a group name such as
            // "Admins (EU)" cannot break or widen the filter.
            String groupDn = roleName + "=" + groupname + "," + roleBase;
            String filter = roleFormat.format(
                    new String[] { escapeFilterValue(groupDn) });
            SearchControls controls = new SearchControls();
            controls.setSearchScope(roleSubtree ? SearchControls.SUBTREE_SCOPE
                    : SearchControls.ONELEVEL_SCOPE);
            controls.setReturningAttributes(new String[] { roleName });
            if (debug >= 3) {
                log("  * Searching recursively role base '" + roleBase
                        + "' for attribute '" + roleName + "'");
                log("  * With filter expression '" + filter + "'");
            }
            // Search the groups that list the given group as a member, using
            // the context handed to us rather than the realm's shared field
            NamingEnumeration gne = dirContext.search(roleBase, filter, controls);
            if (gne != null) {
                // Iterate over the resulting groups and expand each in turn
                while (gne.hasMore()) {
                    SearchResult sr = (SearchResult) gne.next();
                    Attributes attributes = sr.getAttributes();
                    if (attributes != null) {
                        Attribute attribute = attributes.get(roleName);
                        if (attribute != null)
                            recursiveGroupSearch(dirContext, recursiveSet,
                                    (String) attribute.get());
                    }
                }
            }
        }
    }

    // Escape the characters that have a special meaning inside an LDAP
    // search filter (RFC 2254): backslash, '*', '(', ')' and NUL
    protected static String escapeFilterValue(String value) {
        StringBuffer sb = new StringBuffer(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
            case '\\': sb.append("\\5c"); break;
            case '*':  sb.append("\\2a"); break;
            case '(':  sb.append("\\28"); break;
            case ')':  sb.append("\\29"); break;
            case '\0': sb.append("\\00"); break;
            default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public String getInfo() {
        return "org.apache.catalina.realm.SmartJNDIRealm/1.0";
    }

    protected String getName() {
        return "SmartJNDIRealm";
    }

}

Philippe Maseres

<<<Philippe>>> -----Original Message-----
<<<Philippe>>> From: Jon Roberts [mailto:jon@mentata.com]
<<<Philippe>>> Sent: Thursday, 13 March 2003 20:21
<<<Philippe>>> To: Tomcat Users List
<<<Philippe>>> Subject: Re: JNDI realm - recursive group/role matching (Tomcat 4.1.18)
<<<Philippe>>>
<<<Philippe>>> I can't speak for tomcat, but I can say that what you are asking is not
<<<Philippe>>> trivial. LDAP was not designed to support multi-join queries. However,
<<<Philippe>>> as I recall the iPlanet/Sun ONE directory server has a feature called
<<<Philippe>>> "dynamic groups" that may help you solve this problem on the directory side.
<<<Philippe>>>
<<<Philippe>>> Jon Roberts
<<<Philippe>>> www.mentata.com
<<<Philippe>>>
<<<Philippe>>> Philippe Maseres wrote:
<<<Philippe>>> > Hello all.
<<<Philippe>>> > I need to set up Tomcat to use an LDAP directory for authentication and
<<<Philippe>>> > authorization. I successfully configured my iPlanet directory and a JNDI
<<<Philippe>>> > realm in Tomcat, and user and role checks work well, but with a
<<<Philippe>>> > restriction. My directory schema, which is quite classical, provides a
<<<Philippe>>> > dedicated tree with two sub-trees: one for users and another for groups.
<<<Philippe>>> > User assignment to groups is made through the common multivalued attribute
<<<Philippe>>> > 'uniqueMember'. According to my JNDI realm setup, Tomcat matches users from
<<<Philippe>>> > groups using their DN and deduces the right roles. However, I need to
<<<Philippe>>> > organize users in the directory in a hierarchic classification where persons
<<<Philippe>>> > don't belong directly to groups that represent application roles. On the
<<<Philippe>>> > contrary, users are assigned to profiles, themselves forming a compound tree
<<<Philippe>>> > whose terminal leaves are the actual roles mapped to the applications'
<<<Philippe>>> > constraints. Unfortunately, Tomcat seems not to process the role matching
<<<Philippe>>> > recursively, i.e. retrieving first the groups from the user's DN, and then the
<<<Philippe>>> > groups from each found group. In a past project, the BEA WebLogic LDAP realm was
<<<Philippe>>> > used to perform such a recursive matching with no particular setting. Is
<<<Philippe>>> > there any way to use Tomcat the same way, with its JNDI realm implementation?
<<<Philippe>>> > Is there any alternative JNDI realm that could be used, or should I
<<<Philippe>>> > implement it myself?
<<<Philippe>>> > Thanks for answers...
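The walk the class above performs, as an added example that is not part of the thread or of Tomcat: a Python model of the same search against a constructed in-memory directory instead of a live LDAP server (the role base, attribute names and entries are assumptions), with a visited set and a depth bound so that two groups that list each other cannot loop forever, plus RFC 4515 escaping of the DN placed in the filter.

```python
from collections import deque

# Constructed sample directory (assumptions: role base, attribute names, entries)
ROLE_BASE = "ou=groups,dc=example,dc=com"
ROLE_NAME = "cn"              # JNDIRealm roleName: attribute holding the role
MEMBER_ATTR = "uniqueMember"  # attribute holding member DNs
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"


def group_dn(name):
    return "%s=%s,%s" % (ROLE_NAME, name, ROLE_BASE)


# app-user and app-admin list each other, so naive recursion would never end
DIRECTORY = {
    group_dn("developers"):  {ROLE_NAME: ["developers"],  MEMBER_ATTR: [ALICE]},
    group_dn("profile-dev"): {ROLE_NAME: ["profile-dev"], MEMBER_ATTR: [group_dn("developers")]},
    group_dn("app-user"):    {ROLE_NAME: ["app-user"],
                              MEMBER_ATTR: [group_dn("profile-dev"), group_dn("app-admin")]},
    group_dn("app-admin"):   {ROLE_NAME: ["app-admin"],   MEMBER_ATTR: [group_dn("app-user")]},
    group_dn("ops"):         {ROLE_NAME: ["ops"],         MEMBER_ATTR: [BOB]},
}


def escape_filter_value(value):
    """Escape a value placed inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def search_groups_with_member(member_dn):
    """Stand-in for context.search(roleBase, "(uniqueMember={0})", controls).
    Returns the filter that would be sent and the matching role names."""
    ldap_filter = "(%s=%s)" % (MEMBER_ATTR, escape_filter_value(member_dn))
    hits = [attrs[ROLE_NAME][0] for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + ROLE_BASE) and member_dn in attrs[MEMBER_ATTR]]
    return ldap_filter, hits


def resolve_roles(user_dn, max_depth=10):
    """Breadth-first transitive closure of group membership.
    'seen' stops cycles; max_depth bounds directory round trips even on
    malformed data. Depth 1 = direct groups, depth 2 = groups of groups."""
    seen = set()
    queue = deque((name, 1) for name in search_groups_with_member(user_dn)[1])
    while queue:
        name, depth = queue.popleft()
        if name in seen:
            continue          # already granted and expanded: cycle or diamond
        seen.add(name)
        if depth >= max_depth:
            continue          # grant the role but do not expand any further
        for parent in search_groups_with_member(group_dn(name))[1]:
            queue.append((parent, depth + 1))
    return sorted(seen)


if __name__ == "__main__":
    print(resolve_roles(ALICE))  # ['app-admin', 'app-user', 'developers', 'profile-dev']
```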


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


RE: Connection to Remote SQL Server and IIS

Posted by George Sexton <gs...@mhsoftware.com>.
Download the Microsoft JDBC driver from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=4f8f2f01-1ed7-4c4d-8f7b-3d47969e66ae&DisplayLang=en

Read the Tomcat docs on IIS integration. Even though the docs are for Tomcat
3.3, they apply equally to Tomcat 4.1:

http://jakarta.apache.org/tomcat/tomcat-3.3-doc/tomcat-iis-howto.html

George Sexton
MH Software, Inc.
Home of Connect Daily Web Calendar Software
http://www.mhsoftware.com/connectdaily.htm
Voice: 303 438 9585

-----Original Message-----
From: Victor Gonzalez [mailto:vgonzalez@cyberworks.com.mx]
Sent: Thursday, March 13, 2003 12:32 PM
To: 'Tomcat Users List'
Subject: Connection to Remote SQL Server and IIS
Importance: High


Hi everybody,

I need to know how to implement Tomcat 4.1.18 with both a
remote SQL Server and IIS 5.0.

Please,

Thanks all,

Regards,

Victor Gonzalez
***************




Connection to Remote SQL Server and IIS

Posted by Victor Gonzalez <vg...@cyberworks.com.mx>.
Hi everybody,

I need to know how to implement Tomcat 4.1.18 with both a
remote SQL Server and IIS 5.0.

Please,

Thanks all,

Regards,

Victor Gonzalez
***************




Re: JNDI realm - recursive group/role matching (Tomcat 4.1.18)

Posted by Jon Roberts <jo...@mentata.com>.
I can't speak for tomcat, but I can say that what you are asking is not 
trivial. LDAP was not designed to support multi-join queries. However, 
as I recall the iPlanet/Sun ONE directory server has a feature called 
"dynamic groups" that may help you solve this problem on the directory side.

Jon Roberts
www.mentata.com

Philippe Maseres wrote:
> Hello all.
> I need to set up Tomcat to use an LDAP directory for authentication and
> authorization. I successfully configured my iPlanet directory and a JNDI
> realm in Tomcat, and user and role checks work well, but with a
> restriction. My directory schema, which is quite classical, provides a
> dedicated tree with two sub-trees: one for users and another for groups.
> User assignment to groups is made through the common multivalued attribute
> 'uniqueMember'. According to my JNDI realm setup, Tomcat matches users from
> groups using their DN and deduces the right roles. However, I need to
> organize users in the directory in a hierarchic classification where persons
> don't belong directly to groups that represent application roles. On the
> contrary, users are assigned to profiles, themselves forming a compound tree
> whose terminal leaves are the actual roles mapped to the applications'
> constraints. Unfortunately, Tomcat seems not to process the role matching
> recursively, i.e. retrieving first the groups from the user's DN, and then the
> groups from each found group. In a past project, the BEA WebLogic LDAP realm was
> used to perform such a recursive matching with no particular setting. Is
> there any way to use Tomcat the same way, with its JNDI realm implementation?
> Is there any alternative JNDI realm that could be used, or should I
> implement it myself?
> Thanks for answers...

