[jboss-cvs] JBossAS SVN: r98858 - projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi.



Author: acoliver at jboss.org
Date: 2009-12-22 13:35:58 -0500 (Tue, 22 Dec 2009)
New Revision: 98858

Modified:
   projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java
Log:
https://jira.jboss.org/jira/browse/JBAS-2681 - mainly support for Active
Directory used with Microsoft Certificate Server


Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java	2009-12-22 18:12:55 UTC (rev 98857)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java	2009-12-22 18:35:58 UTC (rev 98858)
@@ -134,6 +134,19 @@
  anonymous login by some ldap servers and this may not be a desirable feature.
  Set this to false to reject empty passwords, true to have the ldap server
  validate the empty password. The default is true.
+ * __authorizeOnly__ : Bind only as a well known user and don't check the 
+ username and password (just authorize not authenticate) for use with stacking
+ * __principalIsDN__ : The (usually from a stack) principal is actually an
+ LDAP DN rather than straight "username" like "jsmith"
+ * __principalIsDN__ : The (usually from a stack) principal is actually an
+ LDAP DN rather than straight "username" like "jsmith"
+ * __authorizeOnly__ : Used with stacking, DONT validate credentials and use
+ a common or anonymous connection to find the ROLES, requires principalIsDN
+ * __removePrincipalElements__ : if the principal is a DN (above) but you have
+ superfluous elements not in LDAP (such as Microsoft Certificate Server  
+ includes EMAILADDRESS) that you want to remove (to authenticate against say
+ Active Directory) then list them here as a comma delemeted list i.e
+ "phone,EMAILADDRESS,zip" 
  
  @author Andy Oliver
  @author Scott.Stark at jboss.org
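Review bot: The option list added at lines 26-38 documents `authorizeOnly` and `principalIsDN` twice each with different wording, so a reader cannot tell which description is authoritative; collapse each into a single entry. The merged `authorizeOnly` entry should state the security consequence plainly, e.g. `__authorizeOnly__ : for stacked configurations only; no bind is performed with the supplied credential, the module only looks up roles for the principal a preceding login module already authenticated (requires principalIsDN)`. The `removePrincipalElements` entry should also say that each listed name is matched as a case-sensitive prefix of a comma-separated DN element, since that is what the added `checkIgnoreMatches` does, and `delemeted` should read `delimited`.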
@@ -167,6 +180,9 @@
    private static final String SEARCH_SCOPE_OPT = "searchScope";
 
    private static final String SECURITY_DOMAIN_OPT = "jaasSecurityDomain";
+   private static final String ROLES_ONLY = "authorizeOnly";
+   private static final String PRINCIPAL_IS_DN = "principalIsDN";
+   private static final String REMOVE_PRINCIPAL_ELEMENTS = "removePrincipalElements";
 
    protected String bindDN;
 
@@ -186,6 +202,10 @@
 
    protected boolean roleAttributeIsDN;
 
+    protected String removeElements;
+    protected boolean rolesOnly;
+    protected boolean principalIsDN;
+
    protected int recursion = 0;
 
    protected int searchTimeLimit = 10000;
@@ -204,6 +224,7 @@
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
    {
       super.initialize(subject, callbackHandler, sharedState, options);
+      removeElements = (String)options.get(REMOVE_PRINCIPAL_ELEMENTS);
       trace = log.isTraceEnabled();
    }
 
@@ -257,6 +278,8 @@
     */
    protected boolean validatePassword(String inputPassword, String expectedPassword)
    {
+      boolean doRemoveElements = removeElements != null 
+                                 && !removeElements.equals("");
       isPasswordValidated = true;
       boolean isValid = false;
       if (inputPassword != null)
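Review bot: The `doRemoveElements` expression at lines 75-76 is repeated verbatim inside `createLdapInitContext`, and neither copy trims the value, so an option set to a blank string is treated as a one-element list `" "` that prefix-matches any DN part following `", "`. Factor it into one helper used from both places, e.g. `private boolean hasRemoveElements() { return removeElements != null && removeElements.trim().length() > 0; }`. validatePassword's body continues beyond this hunk.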
@@ -281,6 +304,9 @@
          {
             // Validate the password by trying to create an initial context
             String username = getUsername();
+            username = doRemoveElements ? removeElements(removeElements,
+                                          username) : 
+                                          username; 
             isValid = createLdapInitContext(username, inputPassword);
             defaultRole();
             isValid = true;
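Review bot: The stripping at lines 84-86 is applied to `username` before `createLdapInitContext`, which re-reads `removePrincipalElements` and strips the same value again on entry; the second pass yields the same string, so the three lines here are redundant and could be dropped to keep the DN normalization in one place. Visible as context, `isValid` is assigned from `createLdapInitContext` and then unconditionally set to `true`, so this path relies on the callee throwing to signal failure; that predates this commit but is worth a comment such as `// createLdapInitContext throws on bind failure; its return value is not the signal` so the new authorizeOnly path is not misread as validating the credential. validatePassword starts before and ends after this hunk.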
@@ -326,6 +352,13 @@
     */
    private boolean createLdapInitContext(String username, Object credential) throws Exception
    {
+      rolesOnly = options.get(ROLES_ONLY) != null && 
+                  options.get(ROLES_ONLY).toString().trim().equals("true");
+      principalIsDN = options.get(PRINCIPAL_IS_DN) != null && 
+                  options.get(PRINCIPAL_IS_DN).toString().trim().equals("true");
+      removeElements = (String)options.get(REMOVE_PRINCIPAL_ELEMENTS);
+      boolean doRemoveElements = removeElements != null 
+                                && !removeElements.equals("");
       bindDN = (String) options.get(BIND_DN);
       bindCredential = (String) options.get(BIND_CREDENTIAL);
       if (bindCredential.startsWith("{EXT}"))
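Review bot: `rolesOnly` and `principalIsDN` are parsed at lines 94-97 with `trim().equals("true")`, so `True`/`TRUE` silently evaluate to false while `removeElements` is re-read here although `initialize` already set it; read all three options once in `initialize` alongside the other options and use `Boolean.parseBoolean(String.valueOf(options.get(ROLES_ONLY)).trim())` for the flags, which also removes the duplicated null guard. Parsing in `initialize` also means the flags are fixed for the login attempt rather than re-evaluated on every call of this method. createLdapInitContext begins in this hunk and continues past it.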
@@ -389,15 +422,16 @@
       try
       {
          ctx = constructInitialLdapContext(bindDN, bindCredential);
+         String parsedUser = doRemoveElements ? removeElements(removeElements,username) : username;
          // Validate the user by binding against the userDN
-         String userDN = bindDNAuthentication(ctx, username, credential, baseDN, baseFilter);
+         String userDN = rolesOnly && principalIsDN ? parsedUser : bindDNAuthentication(ctx, parsedUser, credential, baseDN, baseFilter);
 
          // Query for roles matching the role filter
          SearchControls constraints = new SearchControls();
          constraints.setSearchScope(searchScope);
          constraints.setReturningAttributes(new String[0]);
          constraints.setTimeLimit(searchTimeLimit);
-         rolesSearch(ctx, constraints, username, userDN, recursion, 0);
+         rolesSearch(ctx, constraints, parsedUser, userDN, recursion, 0);
       }
       finally
       {
@@ -633,4 +667,44 @@
          }
       }
    }
-}
\ No newline at end of file
+
+
+ 
+    /** assuming the principal is a DN then parse off the ignorable parts
+     * like EMAILADDRESS so we have pure LDAP DN 
+     */
+    private String removeElements(String elementList, String user) 
+    {
+      String newUser = "";
+      String[] userParts = user.split("\\,");
+      String[] ignored    = elementList.split("\\,");
+      for(int i = 0; i < userParts.length; i++)
+      {
+         String part = userParts[i];
+         if(!checkIgnoreMatches(part,ignored)) 
+         {
+                  newUser += part;
+                  newUser = i == userParts.length-1 ? newUser : newUser +",";
+         }
+      }
+      return newUser.endsWith(",") ? newUser.substring(0,newUser.length()-1) : 
+             newUser ; //if a final element was ignored we have to parse off an extra comma
+    }
+ 
+    /** return if the string begins with any of the elements in the array 
+     *  @return boolean
+     */
+     public boolean checkIgnoreMatches( String part, String[] ignored ) 
+     {
+        for( String ignore : ignored) 
+        {
+           if(part.startsWith(ignore)) 
+           {
+              return true;
+           }
+        }
+        return false;
+     }
+  
+ 
+}
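Review bot: `removeElements` at lines 135-151 splits the DN on bare commas, so an RDN value with an escaped comma (`CN=Smith\, John`) is cut in two, and the parts are never trimmed, so a `", "`-separated DN string leaves every element after the first prefixed with a space and `checkIgnoreMatches` never fires for it. `startsWith` is also case-sensitive and prefix-only, meaning `phone` would strip a `phoneNumber=` element while `emailAddress=` survives an `EMAILADDRESS` entry even though LDAP attribute types are case-insensitive. Parsing with `javax.naming.ldap.LdapName`/`Rdn` handles RFC 2253 escaping and lets the comparison be done on the attribute type itself; it needs imports of `LdapName`, `Rdn` and `javax.naming.InvalidNameException`, and makes the public `checkIgnoreMatches` unnecessary. Because the option is applied even when the principal is a plain username (the callers do not gate it on `principalIsDN`), the rewrite returns the input unchanged when it is not a DN, which is what the original did for such input.
```java
/** Drop the RDNs whose attribute type is listed in elementList (comma separated,
 *  compared case-insensitively) and return the remaining DN in canonical form.
 *  A principal that is not a parseable DN is returned unchanged. */
private String removeElements(String elementList, String user)
{
   Set<String> ignoredTypes = new HashSet<String>();
   for (String type : elementList.split(","))
   {
      ignoredTypes.add(type.trim().toLowerCase(Locale.ENGLISH));
   }
   try
   {
      // LdapName honours RFC 2253 escaping (\, inside values, multi-valued RDNs),
      // which a plain split on ',' does not
      List<Rdn> kept = new ArrayList<Rdn>();
      for (Rdn rdn : new LdapName(user).getRdns())
      {
         if (!ignoredTypes.contains(rdn.getType().toLowerCase(Locale.ENGLISH)))
         {
            kept.add(rdn);
         }
      }
      return new LdapName(kept).toString();
   }
   catch (InvalidNameException e)
   {
      if (trace)
         log.trace("principal is not an LDAP DN, left unchanged: " + user, e);
      return user;
   }
}
// checkIgnoreMatches is no longer needed
```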



