我在LDAP服务器仅用于身份验证,不包含任何角色,并授权对其中包含的用户角色映射数据库,但没有密码做一个传统的环境中工作。
我的计划是通过扩展JNDIRealm,并覆盖角色的方法来调用封装JDBCRealm实施新的Tomcat境界。
我的境界是在server.xml中宣称:
<Realm className="com.example.LdapJdbcRealm"
connectionURL="ldap://ldaphost:389"
resourceName="LDAP Auth"
userPattern="uid={0}, ou=Portal, dc=example, dc=com"
dbConnectionURL="jdbc:oracle:thin:@oracledb:1521:dbname"
userTable="db_user" userNameCol="user_id"
userRoleTable="db_user_role_xref" roleNameCol="role_id" />
这是JNDIRealm&JDBCRealm的标准属性名称的组合,用少许变化,因为它们都使用的ConnectionURL。
package com.example;
import org.apache.catalina.Realm;
import org.apache.catalina.Context;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.JNDIRealm;
import org.apache.catalina.realm.JDBCRealm;
import java.security.Principal;
import java.io.IOException;
public class LdapJdbcRealm extends JNDIRealm implements Realm
{
private JDBCRealm jdbcRealm = new JDBCRealm();
protected static final String info = "com.example.LdapJdbcRealm/1.0";
protected static final String name = "LdapJdbcRealm";
public String getDbConnectionURL() {
return jdbcRealm.getConnectionURL();
}
public void setDbConnectionURL(String dbConnectionURL) {
jdbcRealm.setConnectionURL(dbConnectionURL);
}
public String getUserTable() {
return jdbcRealm.getUserTable();
}
public void setUserTable(String userTable) {
jdbcRealm.setUserTable(userTable);
}
public String getUserNameCol() {
return jdbcRealm.getUserNameCol();
}
public void setUserNameCol(String userNameCol) {
jdbcRealm.setUserNameCol(userNameCol);
}
public String getUserRoleTable() {
return jdbcRealm.getUserRoleTable();
}
public void setUserRoleTable(String userRoleTable) {
jdbcRealm.setUserRoleTable(userRoleTable);
}
public String getRoleNameCol() {
return jdbcRealm.getRoleNameCol();
}
public void setRoleNameCol(String roleNameCol) {
jdbcRealm.setRoleNameCol(roleNameCol);
}
public boolean hasResourcePermission(Request request,
Response response,
SecurityConstraint[]constraints,
Context context) throws IOException
{
return jdbcRealm.hasResourcePermission(request, response, constraints, context);
}
public boolean hasRole(Principal principal, String role) {
return jdbcRealm.hasRole(principal, role);
}
}
这主要似乎工作,授权返回从LDAP,预期它没有角色的负责人。 就在同主要进入hasResourcePermission()因为它没有在它需要的角色失败。 显然我错过了一些重要的代码。
我在寻找解决方案。 我可以尝试扩大JDBCRealm和添加LDAP身份验证,但似乎更多的工作。
我也相信,这LDAP身份验证/授权DB是不是一种罕见的模式。 是否有其他的解决方案已经上市?
这不是我的控制范围之内将角色添加到LDAP或密码的数据库,所以这些都是不适合我的解决方案。
您还没有指定您所使用的Tomcat版本,所以我与6.x的怎么回事。
它看起来像你委托hasResourcePermission到JDBC同时留下两个findSecurityConstraints和hasUserDataPermission在JNDI的手中。 你应该委托所有的人或没有。
更新 : JNDIRealm呼吁protected getRoles(DirContext, User)作为其组成部分authenticate()方法。 你需要重写并转发给JDBCRealm的getRoles()
我仍然获取有关规则的频率这个问题的电子邮件,所以这里是所有使用的最终产品。
LdapJdbcRealm.java
package org.apache.catalina.realm;
import org.apache.catalina.Realm;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
import javax.naming.directory.DirContext;
import java.io.IOException;
import java.security.Principal;
import java.util.List;
/**
* LdapJdbcRealm is a minimal implementation of a <b>Realm</b> to connect to LDAP
* for authentication and a database for authorization.<br>
* <br>
* Example server.xml configuration fragment:<br>
* <pre>
<Realm className="org.apache.catalina.realm.LdapJdbcRealm"
connectionURL="ldap://ldaphost:389"
resourceName="LDAP Auth" driverName="oracle.jdbc.driver.OracleDriver"
userPattern="uid={0}, ou=Portal, dc=example, dc=com"
dbConnectionName="dbuser" dbConnectionPassword="dbpassword"
dbConnectionURL="jdbc:oracle:thin:@oracledb:1521:dbname"
userTable="users" userNameCol="user_id"
userRoleTable="user_role_xref" roleNameCol="role_id" />
* </pre>
*
* @author Greg Chabala
*
* Created by IntelliJ IDEA.
* User: gchabala
* Date: Jul 14, 2009
* Time: 4:56:37 PM
*/
public class LdapJdbcRealm extends JNDIRealm implements Realm
{
/**
* Encapsulated <b>JDBCRealm</b> to do role lookups
*/
private JDBCRealm jdbcRealm = new JDBCRealm();
/**
* Descriptive information about this <b>Realm</b> implementation.
*/
protected static final String info = "org.apache.catalina.realm.LdapJdbcRealm/1.0";
/**
* Descriptive information about this <b>Realm</b> implementation.
*/
protected static final String name = "LdapJdbcRealm";
/**
* Set the all roles mode.
*
* @param allRolesMode authentication mode
*/
public void setAllRolesMode(String allRolesMode) {
super.setAllRolesMode(allRolesMode);
jdbcRealm.setAllRolesMode(allRolesMode);
}
/**
* Return the username to use to connect to the database.
*
* @return username
* @see JDBCRealm#getConnectionName()
*/
public String getDbConnectionName() {
return jdbcRealm.getConnectionName();
}
/**
* Set the username to use to connect to the database.
*
* @param dbConnectionName username
* @see JDBCRealm#setConnectionName(String)
*/
public void setDbConnectionName(String dbConnectionName) {
jdbcRealm.setConnectionName(dbConnectionName);
}
/**
* Return the password to use to connect to the database.
*
* @return password
* @see JDBCRealm#getConnectionPassword()
*/
public String getDbConnectionPassword() {
return jdbcRealm.getConnectionPassword();
}
/**
* Set the password to use to connect to the database.
*
* @param dbConnectionPassword password
* @see JDBCRealm#setConnectionPassword(String)
*/
public void setDbConnectionPassword(String dbConnectionPassword) {
jdbcRealm.setConnectionPassword(dbConnectionPassword);
}
/**
* Return the URL to use to connect to the database.
*
* @return database connection URL
* @see JDBCRealm#getConnectionURL()
*/
public String getDbConnectionURL() {
return jdbcRealm.getConnectionURL();
}
/**
* Set the URL to use to connect to the database.
*
* @param dbConnectionURL The new connection URL
* @see JDBCRealm#setConnectionURL(String)
*/
public void setDbConnectionURL(String dbConnectionURL) {
jdbcRealm.setConnectionURL(dbConnectionURL);
}
/**
* Return the JDBC driver that will be used.
*
* @return driver classname
* @see JDBCRealm#getDriverName()
*/
public String getDriverName() {
return jdbcRealm.getDriverName();
}
/**
* Set the JDBC driver that will be used.
*
* @param driverName The driver name
* @see JDBCRealm#setDriverName(String)
*/
public void setDriverName(String driverName) {
jdbcRealm.setDriverName(driverName);
}
/**
* Return the table that holds user data..
*
* @return table name
* @see JDBCRealm#getUserTable()
*/
public String getUserTable() {
return jdbcRealm.getUserTable();
}
/**
* Set the table that holds user data.
*
* @param userTable The table name
* @see JDBCRealm#setUserTable(String)
*/
public void setUserTable(String userTable) {
jdbcRealm.setUserTable(userTable);
}
/**
* Return the column in the user table that holds the user's name.
*
* @return username database column name
* @see JDBCRealm#getUserNameCol()
*/
public String getUserNameCol() {
return jdbcRealm.getUserNameCol();
}
/**
* Set the column in the user table that holds the user's name.
*
* @param userNameCol The column name
* @see JDBCRealm#setUserNameCol(String)
*/
public void setUserNameCol(String userNameCol) {
jdbcRealm.setUserNameCol(userNameCol);
}
/**
* Return the table that holds the relation between user's and roles.
*
* @return user role database table name
* @see JDBCRealm#getUserRoleTable()
*/
public String getUserRoleTable() {
return jdbcRealm.getUserRoleTable();
}
/**
* Set the table that holds the relation between user's and roles.
*
* @param userRoleTable The table name
* @see JDBCRealm#setUserRoleTable(String)
*/
public void setUserRoleTable(String userRoleTable) {
jdbcRealm.setUserRoleTable(userRoleTable);
}
/**
* Return the column in the user role table that names a role.
*
* @return role column name
* @see JDBCRealm#getRoleNameCol()
*/
public String getRoleNameCol() {
return jdbcRealm.getRoleNameCol();
}
/**
* Set the column in the user role table that names a role.
*
* @param roleNameCol The column name
* @see JDBCRealm#setRoleNameCol(String)
*/
public void setRoleNameCol(String roleNameCol) {
jdbcRealm.setRoleNameCol(roleNameCol);
}
@Override
public SecurityConstraint[] findSecurityConstraints(Request request, Context context)
{
return jdbcRealm.findSecurityConstraints(request, context);
}
@Override
public boolean hasUserDataPermission(Request request, Response response,
SecurityConstraint []constraints) throws IOException
{
return jdbcRealm.hasUserDataPermission(request, response, constraints);
}
@Override
public boolean hasResourcePermission(Request request, Response response,
SecurityConstraint[]constraints,
Context context) throws IOException
{
return jdbcRealm.hasResourcePermission(request, response, constraints, context);
}
@Override
public boolean hasRole(Principal principal, String role) {
return jdbcRealm.hasRole(principal, role);
}
/**
* Return a List of roles associated with the given User. If no roles
* are associated with this user, a zero-length List is returned.
*
* @param context unused. JDBC does not need this field.
* @param user The User to be checked
* @return list of role names
*
* @see JNDIRealm#getRoles(DirContext, User)
* @see JDBCRealm#getRoles(String)
*/
@Override
protected List<String> getRoles(DirContext context, User user)
{
return jdbcRealm.getRoles(user.username);
}
}
