[jboss-cvs] JBossAS SVN: r76192 - in projects/security/security-negotiation/trunk: jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego and 1 other directory.
jboss-cvs-commits at lists.jboss.org
Thu Jul 24 14:43:10 EDT 2008
Author: darran.lofthouse at jboss.com
Date: 2008-07-24 14:43:10 -0400 (Thu, 24 Jul 2008)
New Revision: 76192
Modified:
projects/security/security-negotiation/trunk/docs/userguide/en/modules/general_installation.xml
projects/security/security-negotiation/trunk/docs/userguide/en/modules/ldap_login_module.xml
projects/security/security-negotiation/trunk/jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego/AdvancedLdapLoginModule.java
Log:
[SECURITY-264] Allow roles filter to be skipped for AdvancedLDAPLoginModule where User DN is sufficient.
Modified: projects/security/security-negotiation/trunk/docs/userguide/en/modules/general_installation.xml
===================================================================
--- projects/security/security-negotiation/trunk/docs/userguide/en/modules/general_installation.xml 2008-07-24 18:10:38 UTC (rev 76191)
+++ projects/security/security-negotiation/trunk/docs/userguide/en/modules/general_installation.xml 2008-07-24 18:43:10 UTC (rev 76192)
@@ -502,7 +502,7 @@
<title>Negotiation Toolkit Front Page</title>
<mediaobject>
<imageobject>
- <imagedata align="center
+ <imagedata align="center"
fileref="images/negotiation-toolkit.png" />
</imageobject>
</mediaobject>
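Review bot: The attribute fix is correct: the unterminated quote on the removed `<imagedata align="center` line would have swallowed the following `fileref` attribute into the `align` value and failed DocBook validation. Nothing further needed for this hunk.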
Modified: projects/security/security-negotiation/trunk/docs/userguide/en/modules/ldap_login_module.xml
===================================================================
--- projects/security/security-negotiation/trunk/docs/userguide/en/modules/ldap_login_module.xml 2008-07-24 18:10:38 UTC (rev 76191)
+++ projects/security/security-negotiation/trunk/docs/userguide/en/modules/ldap_login_module.xml 2008-07-24 18:43:10 UTC (rev 76192)
@@ -266,10 +266,29 @@
"(member={0})". An alternative that matches on the
authenticated userDN is: "(member={1})".
</para>
+
+ <note>
+ <para>
+ The roleFilter attribute can be ommitted and the role
+ search will then use the UserDN as the DN to obtain the
+ roleAttributeID value.
+ </para>
+ </note>
</listitem>
<listitem>
<para>
+ roleAttributeID - The name of the role attribute of the
+ context which corresponds to the name of the role. If the
+ roleAttributeIsDN property is set to true, this property is
+ the DN of the context to query for the roleNameAttributeID
+ attribute. If the roleAttributeIsDN property is set to
+ false, this property is the attribute name of the role name.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
roleAttributeIsDN - A flag indicating whether the user's
role attribute contains the fully distinguished name of a
role object, or the users's role attribute contains the role
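Review bot: Spelling in the added `<note>`: "ommitted" should be "omitted". The note should also state that `rolesCtxDN` is ignored when `roleFilter` is left out, because the accompanying AdvancedLdapLoginModule.java change skips the `rolesCtxDN` search entirely in that case and reads `roleAttributeID` from the authenticated user's DN instead; as written, a reader may keep `rolesCtxDN` in the configuration expecting it to scope the role lookup. Suggested wording: "If roleFilter is omitted, rolesCtxDN is not used; the role search instead reads the roleAttributeID attribute directly from the authenticated user's DN."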
@@ -288,17 +307,6 @@
<listitem>
<para>
- roleAttributeID - The name of the role attribute of the
- context which corresponds to the name of the role. If the
- roleAttributeIsDN property is set to true, this property is
- the DN of the context to query for the roleNameAttributeID
- attribute. If the roleAttributeIsDN property is set to
- false, this property is the attribute name of the role name.
- </para>
- </listitem>
-
- <listitem>
- <para>
roleNameAttributeID - The name of the role attribute of the
context which corresponds to the name of the role. If the
roleAttributeIsDN property is set to true, this property is
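Review bot: With the `roleAttributeID` entry moved up, the `roleNameAttributeID` entry that remains here still opens with the identical sentence ("The name of the role attribute of the context which corresponds to the name of the role. If the roleAttributeIsDN property is set to true ..."), so the two options are indistinguishable at a glance. Suggest rewording this entry to state its actual purpose: the attribute read from the role object located by the DN held in `roleAttributeID`, whose value supplies the role name (the worked example later uses `cn`).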
@@ -449,10 +457,7 @@
<module-option name="java.naming.provider.url">ldap://VM104:3268</module-option>
<module-option name="baseCtxDN">CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com</module-option>
- <module-option name="baseFilter">(sAMAccountName={0})</module-option>
-
- <module-option name="rolesCtxDN">CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com</module-option>
- <module-option name="roleFilter">(distinguishedName={1})</module-option>
+ <module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
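Review bot: The `<module-option name="baseFilter">(sAMAccountName={0})</module-option>` line is removed and re-added with no visible difference, which suggests whitespace-only churn; keep the original line so the hunk shows only the intended removal of `rolesCtxDN` and `roleFilter`. It would also help to say in the surrounding text that dropping both options depends on the new roleFilter-omitted code path in this revision, so readers on an earlier release do not copy the example and lose their role lookup.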
@@ -478,22 +483,16 @@
</para>
<para>
- The 'rolesCtxDN' is the DN to search for the roles, in this
- example we are searching using the 'memberOf' attribute on the
- user so this DN matches the DN used previously.
+ As the 'memberOf' attribute is going to be read directly from
+ the user there is no need to specify a 'rolesCtxDN' or
+ 'roleFilter', instead the attribute named by the
+ 'roleAttributeID' option which in this case is 'memberOf' will
+ be read directly from the user.
</para>
<para>
- The roles filter re-locates the user using the distinguished
- name of the user, it is important that this search is DN base
- so that a recursive search can be enabled.
- </para>
-
- <para>
- The 'roleAttributeID' option specified that the 'memberOf'
- attributes should be read from the user object, the
- 'roleAttributeIsDN' option specified that this value is a DN
- so the group object is retrieved and finally the
+ The 'roleAttributeIsDN' option then specifies that this value
+ is a DN so the group object is retrieved and finally the
'roleNameAttributeID' option specifies that the attribute 'cn'
should be read from the group. This is the role that this
login module returns.
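Review bot: The rewritten paragraph says "read directly from the user" twice in one sentence. Suggest tightening to: "Because the 'memberOf' attribute is read directly from the user entry, there is no need to specify 'rolesCtxDN' or 'roleFilter'; the attribute named by 'roleAttributeID' (here 'memberOf') is read from the user instead." The following paragraph's "then specifies" reads naturally after that.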
@@ -501,9 +500,9 @@
<para>
Finally the 'recurseRoles' attribute is set to true so the DN
- from the located group is used to repeat the roles search so
- if a group is configured with the 'memberOf' attribute then
- this will be recursively searched to locate all of the roles.
+ from the located group is used to repeat the process so if a
+ group is configured with the 'memberOf' attribute then this
+ will be recursively used to locate all of the roles.
</para>
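Review bot: The recursion description should mention the cycle guard: the Java change records each processed group DN in `processedRoleDNs` and stops when a group is encountered again, so nested or circular 'memberOf' chains terminate. One sentence here would save administrators from wondering whether a circular group membership can hang the login.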
</section>
@@ -536,10 +535,7 @@
<module-option name="java.naming.provider.url">ldap://VM104:3268</module-option>
<module-option name="baseCtxDN">CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com</module-option>
- <module-option name="baseFilter">(userPrincipalName={0})</module-option>
-
- <module-option name="rolesCtxDN">CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com</module-option>
- <module-option name="roleFilter">(distinguishedName={1})</module-option>
+ <module-option name="baseFilter">(userPrincipalName={0})</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
Modified: projects/security/security-negotiation/trunk/jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego/AdvancedLdapLoginModule.java
===================================================================
--- projects/security/security-negotiation/trunk/jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego/AdvancedLdapLoginModule.java 2008-07-24 18:10:38 UTC (rev 76191)
+++ projects/security/security-negotiation/trunk/jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego/AdvancedLdapLoginModule.java 2008-07-24 18:43:10 UTC (rev 76192)
@@ -551,67 +551,23 @@
{
log.trace("rolesCtxDN=" + rolesCtxDN + " roleFilter=" + roleFilter + " filterArgs[0]=" + filterArgs[0]
+ " filterArgs[1]=" + filterArgs[1]);
- results = searchContext.search(rolesCtxDN, roleFilter, filterArgs, roleSearchControls);
- while (results.hasMore())
+
+ if (roleFilter != null && roleFilter.length() > 0)
{
- SearchResult sr = (SearchResult) results.next();
- String resultDN = canonicalize(sr.getName());
-
- log.trace("rolesSearch resultDN = " + resultDN);
-
- String[] attrNames =
- {roleAttributeID};
-
- Attributes result = searchContext.getAttributes(resultDN, attrNames);
- if (result != null && result.size() > 0)
+ results = searchContext.search(rolesCtxDN, roleFilter, filterArgs, roleSearchControls);
+ while (results.hasMore())
{
- Attribute roles = result.get(roleAttributeID);
- for (int n = 0; n < roles.size(); n++)
- {
- String roleName = (String) roles.get(n);
- if (roleAttributeIsDN)
- {
- // Query the roleDN location for the value of roleNameAttributeID
- String roleDN = roleName;
- String[] returnAttribute =
- {roleNameAttributeID};
- log.trace("Using roleDN: " + roleDN);
- try
- {
- Attributes result2 = searchContext.getAttributes(roleDN, returnAttribute);
- Attribute roles2 = result2.get(roleNameAttributeID);
- if (roles2 != null)
- {
- for (int m = 0; m < roles2.size(); m++)
- {
- roleName = (String) roles2.get(m);
- addRole(roleName);
- }
- }
- }
- catch (NamingException e)
- {
- log.trace("Failed to query roleNameAttrName", e);
- }
+ SearchResult sr = (SearchResult) results.next();
+ String resultDN = canonicalize(sr.getName());
- if (recurseRoles)
- {
- if (processedRoleDNs.contains(roleDN) == false)
- {
- processedRoleDNs.add(roleDN);
- rolesSearch(searchContext, roleDN);
- }
- }
- }
- else
- {
- // The role attribute value is the role name
- addRole(roleName);
- }
- }
-
+ obtainRole(searchContext, resultDN);
}
}
+ else
+ {
+ obtainRole(searchContext, dn);
+ }
+
}
catch (NamingException e)
{
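Review bot: When `roleFilter` is null or empty, `rolesCtxDN` is silently ignored; an administrator who sets `rolesCtxDN` to scope the role lookup but leaves `roleFilter` unset will have roles read straight from the user entry `dn` with no indication that the context DN was never used. Suggest logging a warning (or rejecting the configuration at initialization) when `rolesCtxDN` is set together with an empty `roleFilter`. Two smaller points: the trace line above the new branch still prints `rolesCtxDN` and `roleFilter` unconditionally, so a trace of which branch was taken would make the new behaviour visible in logs; and `roleFilter.length() > 0` treats a whitespace-only filter as a real filter, so `roleFilter.trim().length() > 0` matches the intent better.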
@@ -636,6 +592,68 @@
}
+ protected void obtainRole(LdapContext searchContext, String dn) throws NamingException, LoginException
+ {
+ log.trace("rolesSearch resultDN = " + dn);
+
+ String[] attrNames =
+ {roleAttributeID};
+
+ Attributes result = searchContext.getAttributes(dn, attrNames);
+ if (result != null && result.size() > 0)
+ {
+ Attribute roles = result.get(roleAttributeID);
+ for (int n = 0; n < roles.size(); n++)
+ {
+ String roleName = (String) roles.get(n);
+ if (roleAttributeIsDN)
+ {
+ // Query the roleDN location for the value of roleNameAttributeID
+ String roleDN = roleName;
+ String[] returnAttribute =
+ {roleNameAttributeID};
+ log.trace("Using roleDN: " + roleDN);
+ try
+ {
+ Attributes result2 = searchContext.getAttributes(roleDN, returnAttribute);
+ Attribute roles2 = result2.get(roleNameAttributeID);
+ if (roles2 != null)
+ {
+ for (int m = 0; m < roles2.size(); m++)
+ {
+ roleName = (String) roles2.get(m);
+ addRole(roleName);
+ }
+ }
+ }
+ catch (NamingException e)
+ {
+ log.trace("Failed to query roleNameAttrName", e);
+ }
+
+ if (recurseRoles)
+ {
+ if (processedRoleDNs.contains(roleDN) == false)
+ {
+ processedRoleDNs.add(roleDN);
+ log.trace("Recursive search for '" + roleDN + "'");
+ rolesSearch(searchContext, roleDN);
+ }
+ else
+ {
+ log.trace("Already visited role '" + roleDN + "' ending recursion.");
+ }
+ }
+ }
+ else
+ {
+ // The role attribute value is the role name
+ addRole(roleName);
+ }
+ }
+ }
+ }
+
protected void traceLdapEnv(Properties env)
{
if (log.isTraceEnabled())
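Review bot: The new protected `obtainRole` method has no Javadoc, and two trace messages carried over from the old inline code are now misleading: `"rolesSearch resultDN = "` is logged from `obtainRole`, and `"Failed to query roleNameAttrName"` names an option that does not exist (the option is `roleNameAttributeID`). A logic point as well: when `getAttributes(roleDN, returnAttribute)` throws and the exception is swallowed by the `catch`, the `if (recurseRoles)` block still adds `roleDN` to `processedRoleDNs` and recurses into the same DN via `rolesSearch`, which will attempt that DN again; consider moving the recursion inside the `try`, or skipping recursion for a DN whose attributes could not be read. Minor style: `processedRoleDNs.contains(roleDN) == false` reads better as `!processedRoleDNs.contains(roleDN)`.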