Posted to commits@cxf.apache.org by ow...@apache.org on 2013/05/02 21:57:28 UTC
svn commit: r1478508 - in
/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims:
LdapClaimsHandler.java LdapUtils.java
Author: owulff
Date: Thu May 2 19:57:23 2013
New Revision: 1478508
URL: http://svn.apache.org/r1478508
Log:
[CXF-4993] LdapClaimsHandler can't find attributes if user authenticated against LDAP
Added:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapUtils.java
Modified:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java?rev=1478508&r1=1478507&r2=1478508&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java Thu May 2 19:57:23 2013
@@ -16,7 +16,6 @@
* specific language governing permissions and limitations
* under the License.
*/
-
package org.apache.cxf.sts.claims;
import java.net.URI;
@@ -34,7 +33,6 @@ import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
-import javax.naming.directory.SearchControls;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.x500.X500Principal;
@@ -42,8 +40,6 @@ import org.apache.cxf.common.logging.Log
import org.apache.cxf.helpers.CastUtils;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
-import org.springframework.ldap.filter.AndFilter;
-import org.springframework.ldap.filter.EqualsFilter;
public class LdapClaimsHandler implements ClaimsHandler {
@@ -130,10 +126,10 @@ public class LdapClaimsHandler implement
public ClaimCollection retrieveClaimValues(
RequestClaimCollection claims, ClaimsParameters parameters) {
-
- Principal principal = parameters.getPrincipal();
-
String user = null;
+ boolean useLdapLookup = false;
+
+ Principal principal = parameters.getPrincipal();
if (principal instanceof KerberosPrincipal) {
KerberosPrincipal kp = (KerberosPrincipal)principal;
StringTokenizer st = new StringTokenizer(kp.getName(), "@");
@@ -144,62 +140,69 @@ public class LdapClaimsHandler implement
return new ClaimCollection();
} else if (principal != null) {
user = principal.getName();
+ if (user == null) {
+ LOG.warning("User must not be null");
+ return new ClaimCollection();
+ }
+ useLdapLookup = LdapUtils.isDN(user);
+
} else {
- //[TODO] if onbehalfof -> principal == null
- LOG.info("Principal is null");
+ LOG.warning("Principal is null");
return new ClaimCollection();
}
-
- if (user == null) {
- LOG.warning("User must not be null");
- return new ClaimCollection();
- } else {
- if (LOG.isLoggable(Level.FINEST)) {
- LOG.finest("Retrieve claims for user " + user);
- }
+
+ if (LOG.isLoggable(Level.FINEST)) {
+ LOG.finest("Retrieve claims for user " + user);
}
- AndFilter filter = new AndFilter();
- filter.and(
- new EqualsFilter("objectclass", this.getObjectClass())).and(
- new EqualsFilter(this.getUserNameAttribute(), user));
-
- List<String> searchAttributeList = new ArrayList<String>();
- for (RequestClaim claim : claims) {
- if (getClaimsLdapAttributeMapping().keySet().contains(claim.getClaimType().toString())) {
- searchAttributeList.add(
- getClaimsLdapAttributeMapping().get(claim.getClaimType().toString())
- );
- } else {
- if (LOG.isLoggable(Level.FINER)) {
- LOG.finer("Unsupported claim: " + claim.getClaimType());
- }
- }
- }
+
- String[] searchAttributes = null;
- searchAttributes = searchAttributeList.toArray(new String[searchAttributeList.size()]);
- AttributesMapper mapper =
- new AttributesMapper() {
- public Object mapFromAttributes(Attributes attrs) throws NamingException {
- Map<String, Attribute> map = new HashMap<String, Attribute>();
- NamingEnumeration<? extends Attribute> attrEnum = attrs.getAll();
- while (attrEnum.hasMore()) {
- Attribute att = attrEnum.next();
- map.put(att.getID(), att);
+
+ Map<String, Attribute> ldapAttributes = null;
+ if (useLdapLookup) {
+ AttributesMapper mapper =
+ new AttributesMapper() {
+ public Object mapFromAttributes(Attributes attrs) throws NamingException {
+ Map<String, Attribute> map = new HashMap<String, Attribute>();
+ NamingEnumeration<? extends Attribute> attrEnum = attrs.getAll();
+ while (attrEnum.hasMore()) {
+ Attribute att = attrEnum.next();
+ map.put(att.getID(), att);
+ }
+ return map;
+ }
+ };
+
+ Object result = ldap.lookup(user, mapper);
+ ldapAttributes = CastUtils.cast((Map<?, ?>)result);
+ } else {
+ List<String> searchAttributeList = new ArrayList<String>();
+ for (RequestClaim claim : claims) {
+ if (getClaimsLdapAttributeMapping().keySet().contains(claim.getClaimType().toString())) {
+ searchAttributeList.add(
+ getClaimsLdapAttributeMapping().get(claim.getClaimType().toString())
+ );
+ } else {
+ if (LOG.isLoggable(Level.FINER)) {
+ LOG.finer("Unsupported claim: " + claim.getClaimType());
}
- return map;
}
- };
-
+ }
+
+ String[] searchAttributes = null;
+ searchAttributes = searchAttributeList.toArray(new String[searchAttributeList.size()]);
+
+ ldapAttributes = LdapUtils.getAttributesOfEntry(ldap, this.userBaseDn, this.getObjectClass(),
+ this.getUserNameAttribute(), user, searchAttributes);
+ }
- List<?> result = ldap.search((this.userBaseDn == null) ? "" : this.userBaseDn, filter.toString(),
- SearchControls.SUBTREE_SCOPE, searchAttributes, mapper);
-
- Map<String, Attribute> ldapAttributes = null;
- if (result != null && result.size() > 0) {
- ldapAttributes = CastUtils.cast((Map<?, ?>)result.get(0));
+ if (ldapAttributes == null || ldapAttributes.size() == 0) {
+ //No result
+ if (LOG.isLoggable(Level.INFO)) {
+ LOG.finest("User '" + user + "' not found");
+ }
+ return new ClaimCollection();
}
ClaimCollection claimsColl = new ClaimCollection();
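Review bot: The new `useLdapLookup` branch hands a caller-derived principal name straight to `ldap.lookup(user, mapper)` with none of the scoping the search branch applies — no `userBaseDn` restriction and no objectclass filter — so a principal whose name parses as a DN (a certificate subject, for instance) can resolve the attributes of any entry in the directory, not just user entries below the configured base. I would verify the DN sits under `userBaseDn` before issuing the lookup (sketch below; needs `javax.naming.ldap.LdapName` and `javax.naming.InvalidNameException` imported) and, ideally, compare the returned `objectClass` attribute with `getObjectClass()`. If I remember Spring LDAP correctly, `LdapTemplate.lookup` throws `NameNotFoundException` for a missing entry rather than returning null, so the `ldapAttributes == null` check after the branch does not cover that case for the lookup path. The guard `LOG.isLoggable(Level.INFO)` wraps a `LOG.finest(...)` call, so the "not found" message is never emitted at INFO; the two levels should agree. retrieveClaimValues continues past the end of this hunk.
```java
if (useLdapLookup) {
    // A caller-supplied DN must still resolve below the configured user subtree;
    // otherwise a crafted principal name could read any entry in the directory.
    try {
        if (this.userBaseDn != null
            && !new LdapName(user).startsWith(new LdapName(this.userBaseDn))) {
            LOG.warning("Principal DN is outside the configured user base DN");
            return new ClaimCollection();
        }
    } catch (InvalidNameException ex) {
        LOG.warning("Principal name is not a valid LDAP DN");
        return new ClaimCollection();
    }
    // … unchanged: AttributesMapper and ldap.lookup(user, mapper) …
}
```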
@@ -258,5 +261,8 @@ public class LdapClaimsHandler implement
return claimsColl;
}
+
+
}
+
Added: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapUtils.java?rev=1478508&view=auto
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapUtils.java (added)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapUtils.java Thu May 2 19:57:23 2013
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.sts.claims;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.SearchControls;
+import javax.security.auth.x500.X500Principal;
+
+import org.apache.cxf.helpers.CastUtils;
+
+import org.springframework.ldap.core.AttributesMapper;
+import org.springframework.ldap.core.LdapTemplate;
+import org.springframework.ldap.filter.AndFilter;
+import org.springframework.ldap.filter.EqualsFilter;
+
+public final class LdapUtils {
+
+ private LdapUtils() {
+ }
+
+ public static boolean isDN(String user) {
+ try {
+ new X500Principal(user);
+ return true;
+ //Principal contains a DN -> ldap.lookup
+ } catch (Exception ex) {
+ //Principal does not contain a DN -> ldap.search
+ return false;
+ }
+ }
+
+ public static Map<String, Attribute> getAttributesOfEntry(LdapTemplate ldapTemplate, String baseDN,
+ String objectClass, String filterAttributeName, String filterAttributeValue,
+ String[] searchAttributes) {
+
+ Map<String, Attribute> ldapAttributes = null;
+
+ AttributesMapper mapper =
+ new AttributesMapper() {
+ public Object mapFromAttributes(Attributes attrs) throws NamingException {
+ Map<String, Attribute> map = new HashMap<String, Attribute>();
+ NamingEnumeration<? extends Attribute> attrEnum = attrs.getAll();
+ while (attrEnum.hasMore()) {
+ Attribute att = attrEnum.next();
+ map.put(att.getID(), att);
+ }
+ return map;
+ }
+ };
+
+ List<?> result = null;
+ AndFilter filter = new AndFilter();
+ filter.and(
+ new EqualsFilter("objectclass", objectClass)).and(
+ new EqualsFilter(filterAttributeName, filterAttributeValue));
+
+ result = ldapTemplate.search((baseDN == null) ? "" : baseDN, filter.toString(),
+ SearchControls.SUBTREE_SCOPE, searchAttributes, mapper);
+ if (result != null && result.size() > 0) {
+ //not only the first one....
+ ldapAttributes = CastUtils.cast((Map<?, ?>)result.get(0));
+ }
+
+ return ldapAttributes;
+ }
+}
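Review bot: `getAttributesOfEntry` silently returns the first entry when the subtree search matches more than one (the `//not only the first one....` comment acknowledges this), which means claims could be issued from the wrong entry if the username attribute is not unique below the base; treating an ambiguous match as "not found" is the safer default, e.g. `if (result == null || result.size() != 1) { return null; }` in place of the `size() > 0` check before the cast. In `isDN`, `catch (Exception ex)` swallows everything, including a NullPointerException for a null `user`; `X500Principal(String)` reports a malformed name with `IllegalArgumentException`, so `catch (IllegalArgumentException ex)` is the narrower and clearer form, and a javadoc line such as `/** True if {@code user} is syntactically a DN; says nothing about whether the entry exists or lies under the user base. */` would stop callers reading a true result as an authorization decision. On the positive side, building the filter with `EqualsFilter` (which, as far as I recall, encodes filter metacharacters) keeps the username out of the LDAP-injection path, unlike string concatenation.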