Posted to commits@isis.apache.org by da...@apache.org on 2013/01/14 19:25:08 UTC
[1/2] git commit: ISIS-298: starting on ldap realm impl
ISIS-298: starting on ldap realm impl
Project: http://git-wip-us.apache.org/repos/asf/isis/repo
Commit: http://git-wip-us.apache.org/repos/asf/isis/commit/c5c49a7a
Tree: http://git-wip-us.apache.org/repos/asf/isis/tree/c5c49a7a
Diff: http://git-wip-us.apache.org/repos/asf/isis/diff/c5c49a7a
Branch: refs/heads/master
Commit: c5c49a7ae64e0c0182d382506971593abc29de3b
Parents: 84c5044
Author: Dan Haywood <da...@apache.org>
Authored: Thu Jan 10 18:02:08 2013 +0000
Committer: Dan Haywood <da...@apache.org>
Committed: Mon Jan 14 14:10:58 2013 +0000
----------------------------------------------------------------------
.../shiro/authentication/LdapRealmWithRoles.java | 127 +++++++++++++++
.../src/main/webapp/WEB-INF/shiro.ini | 29 +++-
.../viewer-webapp/src/main/webapp/about/index.html | 4 +-
.../viewer-webapp/src/main/webapp/about/index.html | 4 +-
4 files changed, 155 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/isis/blob/c5c49a7a/component/security/shiro/src/main/java/org/apache/isis/security/shiro/authentication/LdapRealmWithRoles.java
----------------------------------------------------------------------
diff --git a/component/security/shiro/src/main/java/org/apache/isis/security/shiro/authentication/LdapRealmWithRoles.java b/component/security/shiro/src/main/java/org/apache/isis/security/shiro/authentication/LdapRealmWithRoles.java
new file mode 100644
index 0000000..f6c6a76
--- /dev/null
+++ b/component/security/shiro/src/main/java/org/apache/isis/security/shiro/authentication/LdapRealmWithRoles.java
@@ -0,0 +1,127 @@
+package org.apache.isis.security.shiro.authentication;
+
+import java.util.Collections;
+import java.util.Set;
+
+import javax.naming.AuthenticationException;
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+import javax.naming.ldap.LdapContext;
+
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.authz.SimpleAuthorizationInfo;
+import org.apache.shiro.realm.ldap.LdapContextFactory;
+import org.apache.shiro.realm.ldap.LdapUtils;
+import org.apache.shiro.subject.PrincipalCollection;
+
+import com.google.common.collect.Sets;
+
+/**
+ * Implementation of {@link org.apache.shiro.realm.ldap.JndiLdapRealm} that also
+ * returns each user's groups.
+ *
+ * <p>
+ * Sample config for <tt>shiro.ini</tt>:
+ *
+ * <pre>
+ * ldapRealm = org.apache.isis.security.shiro.LdapRealmWithRoles
+ * ldapRealm.userDnTemplate = uid={0},ou=users,o=mojo
+ * ldapRealm.contextFactory.url = ldap://localhost:10389
+ * ldapRealm.contextFactory.authenticationMechanism = simple
+ * ldapRealm.contextFactory.systemUsername = admin
+ * ldapRealm.contextFactory.systemPassword = secret
+ *
+ * ldapRealm.searchBase = ou=groups,o=mojo
+ * ldapRealm.groupNameAttribute = cn
+ * ldapRealm.groupMembersAttribute = uniqueMember
+ * </pre>
+ */
+public class LdapRealmWithRoles extends org.apache.shiro.realm.ldap.JndiLdapRealm {
+
+ private String searchBase;
+ private String groupNameAttribute;
+ private String groupMembersAttribute;
+// private Map<String, String> groupRolesMap;
+
+ private final static SearchControls SUBTREE_SCOPE = new SearchControls();
+ static {
+ SUBTREE_SCOPE.setSearchScope(SearchControls.SUBTREE_SCOPE);
+ }
+
+ /**
+ * Get groups from LDAP.
+ *
+ * @param principals
+ * the principals of the Subject whose AuthenticationInfo should
+ * be queried from the LDAP server.
+ * @param ldapContextFactory
+ * factory used to retrieve LDAP connections.
+ * @return an {@link AuthorizationInfo} instance containing information
+ * retrieved from the LDAP server.
+ * @throws NamingException
+ * if any LDAP errors occur during the search.
+ */
+ @Override
+ protected AuthorizationInfo queryForAuthorizationInfo(final PrincipalCollection principals, final LdapContextFactory ldapContextFactory) throws NamingException {
+ final Set<String> roleNames = getRoles(principals, ldapContextFactory);
+ return new SimpleAuthorizationInfo(roleNames);
+ }
+
+ private Set<String> getRoles(final PrincipalCollection principals, final LdapContextFactory ldapContextFactory) throws NamingException {
+ final String username = (String) getAvailablePrincipal(principals);
+
+ LdapContext systemLdapCtx = null;
+ try {
+ systemLdapCtx = ldapContextFactory.getSystemLdapContext();
+ return rolesFor(username, systemLdapCtx);
+ } catch (AuthenticationException ex) {
+ // principal was not authenticated on LDAP
+ return Collections.emptySet();
+ } finally {
+ LdapUtils.closeContext(systemLdapCtx);
+ }
+ }
+
+ private Set<String> rolesFor(final String groupName, final LdapContext ldapCtx) throws NamingException {
+ final Set<String> roleNames = Sets.newLinkedHashSet();
+ final NamingEnumeration<SearchResult> searchResultEnum = ldapCtx.search(searchBase, groupNameAttribute + "=" + groupName, SUBTREE_SCOPE);
+ while (searchResultEnum.hasMore()) {
+ final SearchResult sr = searchResultEnum.next();
+ final NamingEnumeration<? extends Attribute> attributeEnum = sr.getAttributes().getAll();
+ while (attributeEnum.hasMore()) {
+ final Attribute attr = attributeEnum.next();
+ if (!groupMembersAttribute.equalsIgnoreCase(attr.getID())) {
+ continue;
+ }
+ final NamingEnumeration<?> e = attr.getAll();
+ while (e.hasMore()) {
+ Object next = e.next();
+
+ roleNames.add(next.toString());
+
+// String role = groupRolesMap.get(next);
+// if (role != null) {
+// roleNames.add(role);
+// }
+ }
+ }
+ }
+ return roleNames;
+ }
+
+ public void setSearchBase(String searchBase) {
+ this.searchBase = searchBase;
+ }
+
+ public void setGroupNameAttribute(String groupNameAttribute) {
+ this.groupNameAttribute = groupNameAttribute;
+ }
+
+ public void setGroupMembersAttribute(String groupMembersAttribute) {
+ this.groupMembersAttribute = groupMembersAttribute;
+ }
+
+}
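Review bot: The search issued by `rolesFor` looks inverted relative to the class Javadoc ("returns each user's groups"): `getRoles` passes the authenticated username in as `groupName`, so the filter `groupNameAttribute + "=" + groupName` matches group entries whose `cn` equals the username, and the values of the `uniqueMember` attribute (member DNs) are what end up in `roleNames`, rather than the names of the groups the user belongs to. The filter is also built by concatenating the principal into the filter string; the `DirContext.search(name, filterExpr, filterArgs, controls)` overload with a `{0}` placeholder lets JNDI escape the value, and the `NamingEnumeration`s opened in the loop are never closed. The Javadoc sample configures `ldapRealm = org.apache.isis.security.shiro.LdapRealmWithRoles`, while the package declared on the first hunk line is `org.apache.isis.security.shiro.authentication`, so the sample would not load as written. A sketch of `rolesFor` searching groups by member DN follows; it assumes the `JndiLdapRealm` superclass's `getUserDn(String)` resolves the configured `userDnTemplate`, which is not visible in this hunk and should be confirmed.
```java
private Set<String> rolesFor(final String username, final LdapContext ldapCtx) throws NamingException {
    final Set<String> roleNames = Sets.newLinkedHashSet();
    // {0} is substituted and escaped by JNDI; the principal is never spliced into the filter text
    final NamingEnumeration<SearchResult> searchResultEnum = ldapCtx.search(
            searchBase, groupMembersAttribute + "={0}", new Object[] { getUserDn(username) }, SUBTREE_SCOPE);
    try {
        while (searchResultEnum.hasMore()) {
            final Attribute nameAttr = searchResultEnum.next().getAttributes().get(groupNameAttribute);
            if (nameAttr != null) {
                roleNames.add(nameAttr.get().toString());
            }
        }
    } finally {
        searchResultEnum.close();
    }
    return roleNames;
}
```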
http://git-wip-us.apache.org/repos/asf/isis/blob/c5c49a7a/example/application/quickstart_wicket_restful_jdo/viewer-webapp/src/main/webapp/WEB-INF/shiro.ini
----------------------------------------------------------------------
diff --git a/example/application/quickstart_wicket_restful_jdo/viewer-webapp/src/main/webapp/WEB-INF/shiro.ini b/example/application/quickstart_wicket_restful_jdo/viewer-webapp/src/main/webapp/WEB-INF/shiro.ini
index b40ba5e..9ec0675 100644
--- a/example/application/quickstart_wicket_restful_jdo/viewer-webapp/src/main/webapp/WEB-INF/shiro.ini
+++ b/example/application/quickstart_wicket_restful_jdo/viewer-webapp/src/main/webapp/WEB-INF/shiro.ini
@@ -17,6 +17,24 @@
# under the License.
#
+[main]
+#ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
+#ldapRealm.contextFactory.authenticationMechanism = DIGEST-MD5
+#ldapRealm.contextFactory.authenticationMechanism = none
+
+ldapRealm = org.apache.isis.security.shiro.authentication.LdapRealmWithRoles
+ldapRealm.userDnTemplate = uid={0},ou=users,o=mojo
+ldapRealm.contextFactory.url = ldap://localhost:10389/o=mojo
+ldapRealm.contextFactory.systemUsername = uid=admin,ou=system
+ldapRealm.contextFactory.systemPassword = secret
+ldapRealm.contextFactory.authenticationMechanism = simple
+
+
+ldapRealm.searchBase = ou=groups,o=mojo
+ldapRealm.groupNameAttribute = cn
+ldapRealm.groupMembersAttribute = uniqueMember
+
+securityManager.realms = $ldapRealm,$iniRealm
# -----------------------------------------------------------------------------
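Review bot: The line `ldapRealm.contextFactory.systemPassword = secret` commits a real bind credential, together with `ldapRealm.contextFactory.systemUsername = uid=admin,ou=system`, into a sample webapp `shiro.ini` that ships with the quickstart; it would be better as a placeholder the deployer must replace, e.g. `ldapRealm.contextFactory.systemPassword = <ldap-bind-password>`, with a comment above it saying the value must be set per deployment and must not be checked in. With `securityManager.realms = $ldapRealm,$iniRealm` and every `[users]` entry commented out in the second hunk, the `iniRealm` fallback no longer contributes any account, so every login in the sample depends on the LDAP server at `ldap://localhost:10389/o=mojo` being reachable. A comment stating that dependency, or keeping one ini user for offline development, would make the sample self-explanatory.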
@@ -29,11 +47,12 @@
[users]
# user = password, role1, role2, role3, ...
-sven = pass, admin_role
-dick = pass, user_role, self-install_role
-bob = pass, user_role, self-install_role
-joe = pass, user_role, self-install_role
-guest = guest, user_role
+
+#sven = pass, admin_role
+#dick = pass, user_role, self-install_role
+#bob = pass, user_role, self-install_role
+#joe = pass, user_role, self-install_role
+#guest = guest, user_role
http://git-wip-us.apache.org/repos/asf/isis/blob/c5c49a7a/example/application/quickstart_wicket_restful_jdo/viewer-webapp/src/main/webapp/about/index.html
----------------------------------------------------------------------
diff --git a/example/application/quickstart_wicket_restful_jdo/viewer-webapp/src/main/webapp/about/index.html b/example/application/quickstart_wicket_restful_jdo/viewer-webapp/src/main/webapp/about/index.html
index 3df7cfb..1711149 100644
--- a/example/application/quickstart_wicket_restful_jdo/viewer-webapp/src/main/webapp/about/index.html
+++ b/example/application/quickstart_wicket_restful_jdo/viewer-webapp/src/main/webapp/about/index.html
@@ -74,13 +74,13 @@ th, td {
</tr>
<tr>
<td>Wicket Viewer</td>
- <td><a href="/wicket/">/wicket/</a></td>
+ <td><a href="wicket/">wicket/</a></td>
<td>Provides a generic UI for end-users, built with <a href="http://wicket.apache.org">Apache Wicket</a>™</td>
<td><a href="http://isis.apache.org/components/viewers/wicket/about.html">wicket viewer</a></td>
</tr>
<tr>
<td>RestfulObjects Viewer</td>
- <td><a href="/restful/">/restful/</a></td>
+ <td><a href="restful/">restful/</a></td>
<td>Provides a RESTful API conformant with the <a href="http://restfulobjects.org">Restful Objects</a> spec</td>
<td><a href="http://isis.apache.org/components/viewers/restfulobjects/about.html">restfulobjects viewer</a></td>
</tr>
http://git-wip-us.apache.org/repos/asf/isis/blob/c5c49a7a/example/archetype/quickstart_wicket_restful_jdo/src/main/resources/archetype-resources/viewer-webapp/src/main/webapp/about/index.html
----------------------------------------------------------------------
diff --git a/example/archetype/quickstart_wicket_restful_jdo/src/main/resources/archetype-resources/viewer-webapp/src/main/webapp/about/index.html b/example/archetype/quickstart_wicket_restful_jdo/src/main/resources/archetype-resources/viewer-webapp/src/main/webapp/about/index.html
index bc5409b..e40efa1 100644
--- a/example/archetype/quickstart_wicket_restful_jdo/src/main/resources/archetype-resources/viewer-webapp/src/main/webapp/about/index.html
+++ b/example/archetype/quickstart_wicket_restful_jdo/src/main/resources/archetype-resources/viewer-webapp/src/main/webapp/about/index.html
@@ -77,13 +77,13 @@ ${symbol_pound}wrapper {
</tr>
<tr>
<td>Wicket Viewer</td>
- <td><a href="/wicket/">/wicket/</a></td>
+ <td><a href="wicket/">wicket/</a></td>
<td>Provides a generic UI for end-users, built with <a href="http://wicket.apache.org">Apache Wicket</a>™</td>
<td><a href="http://isis.apache.org/components/viewers/wicket/about.html">wicket viewer</a></td>
</tr>
<tr>
<td>RestfulObjects Viewer</td>
- <td><a href="/restful/">/restful/</a></td>
+ <td><a href="restful/">restful/</a></td>
<td>Provides a RESTful API conformant with the <a href="http://restfulobjects.org">Restful Objects</a> spec</td>
<td><a href="http://isis.apache.org/components/viewers/restfulobjects/about.html">restfulobjects viewer</a></td>
</tr>