blob: 1645410a1782365f1075789573af97a993e2e175 [file] [log] [blame]
/*
* Copyright 2005-2008 Tim Veil, Jeremy Haile
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.jsecurity.realm.activedirectory;
import org.jsecurity.authc.Account;
import org.jsecurity.authc.AuthenticationToken;
import org.jsecurity.authc.UsernamePasswordToken;
import org.jsecurity.authz.AuthorizingAccount;
import org.jsecurity.authz.SimpleAuthorizingAccount;
import org.jsecurity.realm.Realm;
import org.jsecurity.realm.ldap.AbstractLdapRealm;
import org.jsecurity.realm.ldap.LdapContextFactory;
import org.jsecurity.realm.ldap.LdapUtils;
import org.jsecurity.subject.PrincipalCollection;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import java.util.*;
/**
* <p>An {@link Realm} that authenticates with an active directory LDAP
* server to determine the roles for a particular user. This implementation
* queries for the user's groups and then maps the group names to roles using the
* {@link #groupRolesMap}.</p>
*
*
* @since 0.1
* @author Tim Veil
* @author Jeremy Haile
*/
public class ActiveDirectoryRealm extends AbstractLdapRealm {
/*--------------------------------------------
| C O N S T A N T S |
============================================*/
private static final String ROLE_NAMES_DELIMETER = ",";
/*--------------------------------------------
| I N S T A N C E V A R I A B L E S |
============================================*/
/**
* Mapping from fully qualified active directory
* group names (e.g. CN=Group,OU=Company,DC=MyDomain,DC=local)
* as returned by the active directory LDAP server to role names.
*/
private Map<String, String> groupRolesMap;
/*--------------------------------------------
| C O N S T R U C T O R S |
============================================*/
public void setGroupRolesMap(Map<String, String> groupRolesMap) {
this.groupRolesMap = groupRolesMap;
}
/*--------------------------------------------
| M E T H O D S |
============================================*/
/**
* <p>Builds an {@link org.jsecurity.authc.Account} object by querying the active directory LDAP context for the
* specified username. This method binds to the LDAP server using the provided username and password -
* which if successful, indicates that the password is correct.</p>
*
* <p>This method can be overridden by subclasses to query the LDAP server in a more complex way.</p>
*
* @param token the authentication token provided by the user.
* @param ldapContextFactory the factory used to build connections to the LDAP server.
* @return an {@link org.jsecurity.authc.Account} instance containing information retrieved from LDAP
* that can be used to build an {@link org.jsecurity.authc.Account} instance to return.
*
* @throws NamingException if any LDAP errors occur during the search.
*/
protected Account queryForLdapAccount(AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException {
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
// Binds using the username and password provided by the user.
LdapContext ctx = null;
try {
ctx = ldapContextFactory.getLdapContext( upToken.getUsername(), String.valueOf( upToken.getPassword() ) );
} finally {
LdapUtils.closeContext( ctx );
}
return createAccount( upToken.getUsername(), upToken.getPassword() );
}
protected Account createAccount( String username, char[] password ) {
return new SimpleAuthorizingAccount( username, password, getName() );
}
/**
* <p>Builds an {@link org.jsecurity.authz.AuthorizingAccount} object by querying the active directory LDAP context for the
* groups that a user is a member of. The groups are then translated to role names by using the
* configured {@link #groupRolesMap}.</p>
*
* <p>This implementation expects the <tt>principal</tt> argument to be a String username.
*
* <p>Subclasses can override this method to determine authorization data (roles, permissions, etc) in a more
* complex way. Note that this default implementation does not support permissions, only roles.</p>
*
* @param principals the principal of the Subject whose Account is being retrieved.
* @param ldapContextFactory the factory used to create LDAP connections.
* @return the Account for the given Subject principal.
* @throws NamingException if an error occurs when searching the LDAP server.
*/
protected AuthorizingAccount queryForLdapAccount( PrincipalCollection principals, LdapContextFactory ldapContextFactory) throws NamingException {
String username;
username = (String)principals.fromRealm( getName() ).iterator().next();
// Perform context search
LdapContext ldapContext = ldapContextFactory.getSystemLdapContext();
Set<String> roleNames;
try {
roleNames = getRoleNamesForUser(username, ldapContext);
} finally {
LdapUtils.closeContext( ldapContext );
}
return new SimpleAuthorizingAccount(username, null, getName(), roleNames, null);
}
private Set<String> getRoleNamesForUser( String username, LdapContext ldapContext) throws NamingException {
Set<String> roleNames;
roleNames = new LinkedHashSet<String>();
SearchControls searchCtls = new SearchControls();
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String searchFilter = "(&(objectClass=*)(userPrincipalName=" + username + "))";
NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchCtls);
while (answer.hasMoreElements()) {
SearchResult sr = (SearchResult) answer.next();
if( log.isDebugEnabled() ) {
log.debug("Retrieving group names for user [" + sr.getName() + "]");
}
Attributes attrs = sr.getAttributes();
if (attrs != null) {
NamingEnumeration ae = attrs.getAll();
while( ae.hasMore() ) {
Attribute attr = (Attribute) ae.next();
if( attr.getID().equals( "memberOf" ) ) {
Collection<String> groupNames = LdapUtils.getAllAttributeValues( attr );
if (log.isDebugEnabled()) {
log.debug("Groups found for user [" + username + "]: " + groupNames );
}
Collection<String> rolesForGroups = getRoleNamesForGroups(groupNames);
roleNames.addAll(rolesForGroups);
}
}
}
}
return roleNames;
}
/**
* This method is called by the default implementation to translate Active Directory group names
* to role names. This implementation uses the {@link #groupRolesMap} to map group names to role names.
* @param groupNames the group names that apply to the current user.
* @return a collection of roles that are implied by the given role names.
*/
protected Collection<String> getRoleNamesForGroups(Collection<String> groupNames) {
Set<String> roleNames = new HashSet<String>( groupNames.size() );
if( groupRolesMap != null ) {
for( String groupName : groupNames ) {
String strRoleNames = groupRolesMap.get( groupName );
if( strRoleNames != null ) {
for( String roleName : strRoleNames.split( ROLE_NAMES_DELIMETER ) ) {
if( log.isDebugEnabled() ) {
log.debug( "User is member of group [" + groupName + "] so adding role [" + roleName + "]" );
}
roleNames.add( roleName );
}
}
}
}
return roleNames;
}
}