You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomee.apache.org by Marco de Booij <ma...@debooy.eu> on 2014/12/27 17:29:09 UTC
Own LoginModule
I am creating my own LoginModule. I need a UserPrincipal that holds also
the common name and e-mail address of the user. I want to get these
values from the LDAP.
I started with the PropertiesLoginModule so I could read a parameter
file from the Tomee conf directory. For this I created the file
ldap.properties. I changed the server.xml and the login.conf so all
should be configured correct. I put the JAR file with my UserPrincipal,
GroupPrincipal and LoginModule in the Tomee lib directory. When I
restart Tomee and try to access the Tomcat console I enter the userame
and password. My LoginModule is accessed but it cannot read the
properties file. The URL (in the initialize method) is null.
When I put in the values of the ldap.properties in the source and
comment out the reading of the file everything seems to work fine but I
am refused access to the console (Code 403. The group manager-gui is
fetched from the LDAP and put in the subject Principal rolePrincipal list).
Any hint on what I do wrong? Here is the LoginModule class:
package eu.debooy.jaas.ldap;
import static org.apache.openejb.loader.IO.readProperties;
import eu.debooy.jaas.RolePrincipal;
import eu.debooy.jaas.UserPrincipal;
import java.io.IOException;
import java.net.URL;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.openejb.util.ConfUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* @author Marco de Booij
*
* Deze class zorgt ervoor dat de UserPrincipal ook wordt gevuld met
het e-mail
* adres en de volledige naam van de gebruiker.
*
* @see javax.security.auth.spi.LoginModule
*/
public class DoosLoginModule implements LoginModule {
private static final Logger LOGGER =
LoggerFactory.getLogger(DoosLoginModule.class);
private DirContext ctx;
private CallbackHandler handler;
private Properties ldap;
private RolePrincipal rolePrincipal;
private Subject subject;
private List<String> userRoles;
private UserPrincipal userPrincipal;
/**
* Initialiseer de DoosLoginModule.
*/
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map<String, ?> sharedState, Map<String, ?>
options) {
handler = callbackHandler;
this.subject = subject;
if (options.containsKey("ldap")) {
String properties = String.valueOf(options.get("ldap"));
LOGGER.info("ldap : " + properties );
URL propertiesUrl = ConfUtils.getConfResource(properties);
if (null == propertiesUrl) {
LOGGER.info("URL == null");
}
try {
ldap = readProperties(ConfUtils.getConfResource(properties));
LOGGER.debug("host : " + ldap.get("host"));
LOGGER.debug("factories.initctx: " +
ldap.get("factories.initctx"));
LOGGER.debug("factories.control: " +
ldap.get("factories.control"));
LOGGER.debug("user.searchbase : " + ldap.get("user.searchbase"));
LOGGER.debug("role.searchbase : " + ldap.get("role.searchbase"));
} catch (IOException e) {
LOGGER.error(e.getLocalizedMessage());
}
} else {
LOGGER.error("Missing parameter ldap");
}
}
/**
* Controleer de credentials.
*
* @exception LoginException als het authenticatie faalt.
*/
public boolean login() throws LoginException {
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback("login");
callbacks[1] = new PasswordCallback("password", false);
try {
handler.handle(callbacks);
String login = ((NameCallback) callbacks[0]).getName();
String password =
String.valueOf(((PasswordCallback) callbacks[1]).getPassword());
// Aanmelden aan de LDAP server
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(LdapContext.CONTROL_FACTORIES,
ldap.getProperty("factories.control"));
env.put(Context.INITIAL_CONTEXT_FACTORY,
ldap.getProperty("factories.initctx"));
env.put(Context.PROVIDER_URL, ldap.getProperty("host"));
env.put(Context.SECURITY_PRINCIPAL, ldap.getProperty("user"));
env.put(Context.SECURITY_CREDENTIALS, ldap.getProperty("password"));
ctx = new InitialDirContext(env);
// Zoeken naar gebruiker
String zoekUid =
MessageFormat.format(ldap.getProperty("user.search"), login);
String[] attrIDs = new String[]{"cn", "mail"};
SearchControls zoek = new SearchControls();
zoek.setReturningAttributes(attrIDs);
zoek.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration<SearchResult>
antwoord =
ctx.search(ldap.getProperty("user.searchbase"),
zoekUid, zoek);
if (!antwoord.hasMore()) {
throw new LoginException("error.authenticatie.verkeerd");
}
SearchResult sr = (SearchResult) antwoord.next();
if (antwoord.hasMore()) {
throw new LoginException("error.authenticatie.verkeerd");
}
Attributes attrs = sr.getAttributes();
String cn = attrs.get("cn").toString().substring(4);
String email =
attrs.get("mail").toString().substring(6);
antwoord.close();
// Sla de informatie op zodat die bij de commit kunnen worden vrij-
// gegeven.
userPrincipal = new UserPrincipal(login);
userPrincipal.setEmail(email);
userPrincipal.setVolledigeNaam(cn);
LOGGER.debug(userPrincipal.toString());
// Zoeken naar alle rollen.
String principal =
MessageFormat.format(ldap.getProperty("check.password"), cn);
env.put(Context.SECURITY_PRINCIPAL, principal);
env.put(Context.SECURITY_CREDENTIALS, password);
ctx = new InitialDirContext(env);
zoekUid = MessageFormat.format(ldap.getProperty("role.search"),
login);
userRoles = new ArrayList<String>();
attrIDs = new String[]{"cn"};
zoek = new SearchControls();
zoek.setReturningAttributes(attrIDs);
zoek.setSearchScope(SearchControls.SUBTREE_SCOPE);
antwoord = ctx.search(ldap.getProperty("role.searchbase"),
zoekUid, zoek);
while (antwoord.hasMore()) {
sr = (SearchResult) antwoord.next();
attrs = sr.getAttributes();
userRoles.add(attrs.get("cn").toString().substring(4));
}
antwoord.close();
LOGGER.debug(userRoles.toString());
return true;
} catch (IOException e) {
LOGGER.error(e.getLocalizedMessage());
throw new LoginException(e.getMessage());
} catch (UnsupportedCallbackException e) {
LOGGER.error(e.getLocalizedMessage());
throw new LoginException(e.getMessage());
} catch (NamingException e) {
LOGGER.error(e.getLocalizedMessage());
throw new LoginException(e.getMessage());
}
}
/**
* Zet de UserPrincipal en RolePrincipal.
*
* @exception LoginException als de commit faalt.
*/
public boolean commit() throws LoginException {
if (null == userPrincipal) {
return false;
}
subject.getPrincipals().add(userPrincipal);
if (userRoles != null && userRoles.size() > 0) {
for (String roleNaam : userRoles) {
rolePrincipal = new RolePrincipal(roleNaam);
subject.getPrincipals().add(rolePrincipal);
}
}
return true;
}
/**
* Stop het aanmelden.
*
* @exception LoginException als de abort faalt.
*/
public boolean abort() throws LoginException {
if (null == userPrincipal) {
return false;
}
userRoles = null;
userPrincipal = null;
return true;
}
/**
* Doe een logout.
*
* @exception LoginException als de logout faalt.
*/
public boolean logout() throws LoginException {
subject.getPrincipals().remove(userPrincipal);
subject.getPrincipals().remove(rolePrincipal);
return true;
}
}
Regards,
Marco
Re: Own LoginModule
Posted by Romain Manni-Bucau <rm...@gmail.com>.
Cause your file is not in classloaader. I fear you used our internals
without understanding them.
Idea is mainly to use a local file or extract a packaged one in a jar if
noone is set up.
Le 29 déc. 2014 22:21, "Marco de Booij" <ma...@debooy.eu> a écrit :
> It now works when I put the parameters in file that configures the
> 'appName" from the security realm.
>
> I tried again to use the file but I do not get the URL in return. If I use
> the "users.properties" file in the same directory then I get a URL. Do I
> need to add my file to a variable somewhere? I can live without it but I am
> curious why it does not work this way.
>
> Regards,
>
> Marco
> Op 28-12-14 om 13:39 schreef Marco de Booij:
>
>> I did not use a debugger but I added a lot of LOGGER.info statements (I
>> already removed most of them) . As you can see I added 2 LOGGER.info
>> statements in the initialize method. The first one gives "ldap
>> : ldap.properties" and the second one, in the if statement, displays "URL
>> == null" so this means that the ConfUtils.getConfResource cannot create an
>> URL.
>>
>> The content of the login.properties is:
>> LdapLogin {
>> eu.debooy.jaas.ldap.DoosLoginModule required
>> debug=true
>> ldap="ldap.properties";
>> };
>> It cannot be the file atrributes as the groups.properties is used by the
>> PropertiesLoginModule:
>> -rw-r--r-- 1 tomee tomee 114 mei 20 2014 groups.properties
>> -rw-r--r-- 1 tomee tomee 337 dec 27 15:37 ldap.properties
>>
>> Thanks for the link. The problem remains that it does not keep the cn and
>> mail attribute in the UserPrincipal. About my problem with using a file in
>> the conf directory. I will put the parameters in the login.properties
>> instead of reading them from the ldap.properties file.
>>
>> Regards,
>>
>> Marco
>>
>> Op 28-12-14 om 11:50 schreef Romain Manni-Bucau:
>>
>>> Hi
>>>
>>> Did you debug your loginmodule?
>>>
>>> Fyi jvm has a ldap one
>>> https://docs.oracle.com/javase/6/docs/jre/api/
>>> security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html
>>> Le 27 déc. 2014 18:38, "Marco de Booij" <ma...@debooy.eu> a
>>> écrit :
>>>
>>> I am creating my own LoginModule. I need a UserPrincipal that holds also
>>>> the common name and e-mail address of the user. I want to get these
>>>> values
>>>> from the LDAP.
>>>>
>>>> I started with the PropertiesLoginModule so I could read a parameter
>>>> file
>>>> from the Tomee conf directory. For this I created the file
>>>> ldap.properties.
>>>> I changed the server.xml and the login.conf so all should be configured
>>>> correct. I put the JAR file with my UserPrincipal, GroupPrincipal and
>>>> LoginModule in the Tomee lib directory. When I restart Tomee and try to
>>>> access the Tomcat console I enter the userame and password. My
>>>> LoginModule
>>>> is accessed but it cannot read the properties file. The URL (in the
>>>> initialize method) is null.
>>>>
>>>> When I put in the values of the ldap.properties in the source and
>>>> comment
>>>> out the reading of the file everything seems to work fine but I am
>>>> refused
>>>> access to the console (Code 403. The group manager-gui is fetched from
>>>> the
>>>> LDAP and put in the subject Principal rolePrincipal list).
>>>>
>>>
>
Re: Own LoginModule
Posted by Marco de Booij <ma...@debooy.eu>.
It now works when I put the parameters in file that configures the
'appName" from the security realm.
I tried again to use the file but I do not get the URL in return. If I
use the "users.properties" file in the same directory then I get a URL.
Do I need to add my file to a variable somewhere? I can live without it
but I am curious why it does not work this way.
Regards,
Marco
Op 28-12-14 om 13:39 schreef Marco de Booij:
> I did not use a debugger but I added a lot of LOGGER.info statements
> (I already removed most of them) . As you can see I added 2
> LOGGER.info statements in the initialize method. The first one gives
> "ldap : ldap.properties" and the second one, in the if
> statement, displays "URL == null" so this means that the
> ConfUtils.getConfResource cannot create an URL.
>
> The content of the login.properties is:
> LdapLogin {
> eu.debooy.jaas.ldap.DoosLoginModule required
> debug=true
> ldap="ldap.properties";
> };
> It cannot be the file atrributes as the groups.properties is used by
> the PropertiesLoginModule:
> -rw-r--r-- 1 tomee tomee 114 mei 20 2014 groups.properties
> -rw-r--r-- 1 tomee tomee 337 dec 27 15:37 ldap.properties
>
> Thanks for the link. The problem remains that it does not keep the cn
> and mail attribute in the UserPrincipal. About my problem with using a
> file in the conf directory. I will put the parameters in the
> login.properties instead of reading them from the ldap.properties file.
>
> Regards,
>
> Marco
>
> Op 28-12-14 om 11:50 schreef Romain Manni-Bucau:
>> Hi
>>
>> Did you debug your loginmodule?
>>
>> Fyi jvm has a ldap one
>> https://docs.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html
>>
>> Le 27 déc. 2014 18:38, "Marco de Booij" <ma...@debooy.eu> a
>> écrit :
>>
>>> I am creating my own LoginModule. I need a UserPrincipal that holds
>>> also
>>> the common name and e-mail address of the user. I want to get these
>>> values
>>> from the LDAP.
>>>
>>> I started with the PropertiesLoginModule so I could read a parameter
>>> file
>>> from the Tomee conf directory. For this I created the file
>>> ldap.properties.
>>> I changed the server.xml and the login.conf so all should be configured
>>> correct. I put the JAR file with my UserPrincipal, GroupPrincipal and
>>> LoginModule in the Tomee lib directory. When I restart Tomee and try to
>>> access the Tomcat console I enter the userame and password. My
>>> LoginModule
>>> is accessed but it cannot read the properties file. The URL (in the
>>> initialize method) is null.
>>>
>>> When I put in the values of the ldap.properties in the source and
>>> comment
>>> out the reading of the file everything seems to work fine but I am
>>> refused
>>> access to the console (Code 403. The group manager-gui is fetched
>>> from the
>>> LDAP and put in the subject Principal rolePrincipal list).
Re: Own LoginModule
Posted by Marco de Booij <ma...@debooy.eu>.
I did not use a debugger but I added a lot of LOGGER.info statements (I
already removed most of them) . As you can see I added 2 LOGGER.info
statements in the initialize method. The first one gives
"ldap : ldap.properties" and the second one, in the if
statement, displays "URL == null" so this means that the
ConfUtils.getConfResource cannot create an URL.
The content of the login.properties is:
LdapLogin {
eu.debooy.jaas.ldap.DoosLoginModule required
debug=true
ldap="ldap.properties";
};
It cannot be the file atrributes as the groups.properties is used by the
PropertiesLoginModule:
-rw-r--r-- 1 tomee tomee 114 mei 20 2014 groups.properties
-rw-r--r-- 1 tomee tomee 337 dec 27 15:37 ldap.properties
Thanks for the link. The problem remains that it does not keep the cn
and mail attribute in the UserPrincipal. About my problem with using a
file in the conf directory. I will put the parameters in the
login.properties instead of reading them from the ldap.properties file.
Regards,
Marco
Op 28-12-14 om 11:50 schreef Romain Manni-Bucau:
> Hi
>
> Did you debug your loginmodule?
>
> Fyi jvm has a ldap one
> https://docs.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html
> Le 27 déc. 2014 18:38, "Marco de Booij" <ma...@debooy.eu> a écrit :
>
>> I am creating my own LoginModule. I need a UserPrincipal that holds also
>> the common name and e-mail address of the user. I want to get these values
>> from the LDAP.
>>
>> I started with the PropertiesLoginModule so I could read a parameter file
>> from the Tomee conf directory. For this I created the file ldap.properties.
>> I changed the server.xml and the login.conf so all should be configured
>> correct. I put the JAR file with my UserPrincipal, GroupPrincipal and
>> LoginModule in the Tomee lib directory. When I restart Tomee and try to
>> access the Tomcat console I enter the userame and password. My LoginModule
>> is accessed but it cannot read the properties file. The URL (in the
>> initialize method) is null.
>>
>> When I put in the values of the ldap.properties in the source and comment
>> out the reading of the file everything seems to work fine but I am refused
>> access to the console (Code 403. The group manager-gui is fetched from the
>> LDAP and put in the subject Principal rolePrincipal list).
>>
>> Any hint on what I do wrong? Here is the LoginModule class:
>>
>> package eu.debooy.jaas.ldap;
>>
>>
>> /**
>> * @author Marco de Booij
>> *
>> * Deze class zorgt ervoor dat de UserPrincipal ook wordt gevuld met het
>> e-mail
>> * adres en de volledige naam van de gebruiker.
>> *
>> * @see javax.security.auth.spi.LoginModule
>> */
>> public class DoosLoginModule implements LoginModule {
>> private static final Logger LOGGER =
>> LoggerFactory.getLogger(DoosLoginModule.class);
>>
>> private DirContext ctx;
>> private CallbackHandler handler;
>> private Properties ldap;
>> private RolePrincipal rolePrincipal;
>> private Subject subject;
>> private List<String> userRoles;
>> private UserPrincipal userPrincipal;
>>
>> /**
>> * Initialiseer de DoosLoginModule.
>> */
>> public void initialize(Subject subject, CallbackHandler callbackHandler,
>> Map<String, ?> sharedState, Map<String, ?>
>> options) {
>> handler = callbackHandler;
>> this.subject = subject;
>> if (options.containsKey("ldap")) {
>> String properties = String.valueOf(options.get("ldap"));
>> LOGGER.info("ldap : " + properties );
>> URL propertiesUrl = ConfUtils.getConfResource(properties);
>> if (null == propertiesUrl) {
>> LOGGER.info("URL == null");
>> }
>> try {
>> ldap = readProperties(ConfUtils.getConfResource(properties));
>> LOGGER.debug("host : " + ldap.get("host"));
>> LOGGER.debug("factories.initctx: " +
>> ldap.get("factories.initctx"));
>> LOGGER.debug("factories.control: " +
>> ldap.get("factories.control"));
>> LOGGER.debug("user.searchbase : " + ldap.get("user.searchbase"));
>> LOGGER.debug("role.searchbase : " + ldap.get("role.searchbase"));
>> } catch (IOException e) {
>> LOGGER.error(e.getLocalizedMessage());
>> }
>> } else {
>> LOGGER.error("Missing parameter ldap");
>> }
>> }
>>
Re: Own LoginModule
Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi
Did you debug your loginmodule?
Fyi jvm has a ldap one
https://docs.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html
Le 27 déc. 2014 18:38, "Marco de Booij" <ma...@debooy.eu> a écrit :
> I am creating my own LoginModule. I need a UserPrincipal that holds also
> the common name and e-mail address of the user. I want to get these values
> from the LDAP.
>
> I started with the PropertiesLoginModule so I could read a parameter file
> from the Tomee conf directory. For this I created the file ldap.properties.
> I changed the server.xml and the login.conf so all should be configured
> correct. I put the JAR file with my UserPrincipal, GroupPrincipal and
> LoginModule in the Tomee lib directory. When I restart Tomee and try to
> access the Tomcat console I enter the userame and password. My LoginModule
> is accessed but it cannot read the properties file. The URL (in the
> initialize method) is null.
>
> When I put in the values of the ldap.properties in the source and comment
> out the reading of the file everything seems to work fine but I am refused
> access to the console (Code 403. The group manager-gui is fetched from the
> LDAP and put in the subject Principal rolePrincipal list).
>
> Any hint on what I do wrong? Here is the LoginModule class:
>
> package eu.debooy.jaas.ldap;
>
> import static org.apache.openejb.loader.IO.readProperties;
>
> import eu.debooy.jaas.RolePrincipal;
> import eu.debooy.jaas.UserPrincipal;
>
> import java.io.IOException;
> import java.net.URL;
> import java.text.MessageFormat;
> import java.util.ArrayList;
> import java.util.Hashtable;
> import java.util.List;
> import java.util.Map;
> import java.util.Properties;
>
> import javax.naming.Context;
> import javax.naming.NamingEnumeration;
> import javax.naming.NamingException;
> import javax.naming.directory.Attributes;
> import javax.naming.directory.DirContext;
> import javax.naming.directory.InitialDirContext;
> import javax.naming.directory.SearchControls;
> import javax.naming.directory.SearchResult;
> import javax.naming.ldap.LdapContext;
> import javax.security.auth.Subject;
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.callback.NameCallback;
> import javax.security.auth.callback.PasswordCallback;
> import javax.security.auth.callback.UnsupportedCallbackException;
> import javax.security.auth.login.LoginException;
> import javax.security.auth.spi.LoginModule;
>
> import org.apache.openejb.util.ConfUtils;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
>
> /**
> * @author Marco de Booij
> *
> * Deze class zorgt ervoor dat de UserPrincipal ook wordt gevuld met het
> e-mail
> * adres en de volledige naam van de gebruiker.
> *
> * @see javax.security.auth.spi.LoginModule
> */
> public class DoosLoginModule implements LoginModule {
> private static final Logger LOGGER =
> LoggerFactory.getLogger(DoosLoginModule.class);
>
> private DirContext ctx;
> private CallbackHandler handler;
> private Properties ldap;
> private RolePrincipal rolePrincipal;
> private Subject subject;
> private List<String> userRoles;
> private UserPrincipal userPrincipal;
>
> /**
> * Initialiseer de DoosLoginModule.
> */
> public void initialize(Subject subject, CallbackHandler callbackHandler,
> Map<String, ?> sharedState, Map<String, ?>
> options) {
> handler = callbackHandler;
> this.subject = subject;
> if (options.containsKey("ldap")) {
> String properties = String.valueOf(options.get("ldap"));
> LOGGER.info("ldap : " + properties );
> URL propertiesUrl = ConfUtils.getConfResource(properties);
> if (null == propertiesUrl) {
> LOGGER.info("URL == null");
> }
> try {
> ldap = readProperties(ConfUtils.getConfResource(properties));
> LOGGER.debug("host : " + ldap.get("host"));
> LOGGER.debug("factories.initctx: " +
> ldap.get("factories.initctx"));
> LOGGER.debug("factories.control: " +
> ldap.get("factories.control"));
> LOGGER.debug("user.searchbase : " + ldap.get("user.searchbase"));
> LOGGER.debug("role.searchbase : " + ldap.get("role.searchbase"));
> } catch (IOException e) {
> LOGGER.error(e.getLocalizedMessage());
> }
> } else {
> LOGGER.error("Missing parameter ldap");
> }
> }
>
> /**
> * Controleer de credentials.
> *
> * @exception LoginException als het authenticatie faalt.
> */
> public boolean login() throws LoginException {
> Callback[] callbacks = new Callback[2];
> callbacks[0] = new NameCallback("login");
> callbacks[1] = new PasswordCallback("password", false);
>
> try {
> handler.handle(callbacks);
> String login = ((NameCallback) callbacks[0]).getName();
> String password =
> String.valueOf(((PasswordCallback) callbacks[1]).getPassword());
>
> // Aanmelden aan de LDAP server
> Hashtable<String, String> env = new Hashtable<String, String>();
> env.put(LdapContext.CONTROL_FACTORIES,
> ldap.getProperty("factories.control"));
> env.put(Context.INITIAL_CONTEXT_FACTORY,
> ldap.getProperty("factories.initctx"));
> env.put(Context.PROVIDER_URL, ldap.getProperty("host"));
> env.put(Context.SECURITY_PRINCIPAL, ldap.getProperty("user"));
> env.put(Context.SECURITY_CREDENTIALS, ldap.getProperty("password"));
> ctx = new InitialDirContext(env);
>
> // Zoeken naar gebruiker
> String zoekUid =
> MessageFormat.format(ldap.getProperty("user.search"), login);
> String[] attrIDs = new String[]{"cn", "mail"};
> SearchControls zoek = new SearchControls();
> zoek.setReturningAttributes(attrIDs);
> zoek.setSearchScope(SearchControls.SUBTREE_SCOPE);
> NamingEnumeration<SearchResult>
> antwoord =
> ctx.search(ldap.getProperty("user.searchbase"),
> zoekUid, zoek);
> if (!antwoord.hasMore()) {
> throw new LoginException("error.authenticatie.verkeerd");
> }
> SearchResult sr = (SearchResult) antwoord.next();
> if (antwoord.hasMore()) {
> throw new LoginException("error.authenticatie.verkeerd");
> }
> Attributes attrs = sr.getAttributes();
> String cn = attrs.get("cn").toString().substring(4);
> String email = attrs.get("mail").toString().
> substring(6);
> antwoord.close();
> // Sla de informatie op zodat die bij de commit kunnen worden vrij-
> // gegeven.
> userPrincipal = new UserPrincipal(login);
> userPrincipal.setEmail(email);
> userPrincipal.setVolledigeNaam(cn);
> LOGGER.debug(userPrincipal.toString());
> // Zoeken naar alle rollen.
> String principal =
> MessageFormat.format(ldap.getProperty("check.password"), cn);
> env.put(Context.SECURITY_PRINCIPAL, principal);
> env.put(Context.SECURITY_CREDENTIALS, password);
> ctx = new InitialDirContext(env);
> zoekUid = MessageFormat.format(ldap.
> getProperty("role.search"),
> login);
> userRoles = new ArrayList<String>();
> attrIDs = new String[]{"cn"};
> zoek = new SearchControls();
> zoek.setReturningAttributes(attrIDs);
> zoek.setSearchScope(SearchControls.SUBTREE_SCOPE);
> antwoord = ctx.search(ldap.getProperty("role.searchbase"),
> zoekUid, zoek);
> while (antwoord.hasMore()) {
> sr = (SearchResult) antwoord.next();
> attrs = sr.getAttributes();
> userRoles.add(attrs.get("cn").toString().substring(4));
> }
> antwoord.close();
> LOGGER.debug(userRoles.toString());
>
> return true;
> } catch (IOException e) {
> LOGGER.error(e.getLocalizedMessage());
> throw new LoginException(e.getMessage());
> } catch (UnsupportedCallbackException e) {
> LOGGER.error(e.getLocalizedMessage());
> throw new LoginException(e.getMessage());
> } catch (NamingException e) {
> LOGGER.error(e.getLocalizedMessage());
> throw new LoginException(e.getMessage());
> }
> }
>
> /**
> * Zet de UserPrincipal en RolePrincipal.
> *
> * @exception LoginException als de commit faalt.
> */
> public boolean commit() throws LoginException {
> if (null == userPrincipal) {
> return false;
> }
>
> subject.getPrincipals().add(userPrincipal);
>
> if (userRoles != null && userRoles.size() > 0) {
> for (String roleNaam : userRoles) {
> rolePrincipal = new RolePrincipal(roleNaam);
> subject.getPrincipals().add(rolePrincipal);
> }
> }
>
> return true;
> }
>
> /**
> * Stop het aanmelden.
> *
> * @exception LoginException als de abort faalt.
> */
> public boolean abort() throws LoginException {
> if (null == userPrincipal) {
> return false;
> }
>
> userRoles = null;
> userPrincipal = null;
>
> return true;
> }
>
> /**
> * Doe een logout.
> *
> * @exception LoginException als de logout faalt.
> */
> public boolean logout() throws LoginException {
> subject.getPrincipals().remove(userPrincipal);
> subject.getPrincipals().remove(rolePrincipal);
>
> return true;
> }
> }
>
> Regards,
>
> Marco
>