Coverage Report - org.apache.shiro.realm.ldap.JndiLdapRealm
 
Classes in this File Line Coverage Branch Coverage Complexity
JndiLdapRealm
86%
64/74
72%
16/22
2.786
 
 1  
 /*
 2  
  * Licensed to the Apache Software Foundation (ASF) under one
 3  
  * or more contributor license agreements.  See the NOTICE file
 4  
  * distributed with this work for additional information
 5  
  * regarding copyright ownership.  The ASF licenses this file
 6  
  * to you under the Apache License, Version 2.0 (the
 7  
  * "License"); you may not use this file except in compliance
 8  
  * with the License.  You may obtain a copy of the License at
 9  
  *
 10  
  *     http://www.apache.org/licenses/LICENSE-2.0
 11  
  *
 12  
  * Unless required by applicable law or agreed to in writing,
 13  
  * software distributed under the License is distributed on an
 14  
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 15  
  * KIND, either express or implied.  See the License for the
 16  
  * specific language governing permissions and limitations
 17  
  * under the License.
 18  
  */
 19  
 package org.apache.shiro.realm.ldap;
 20  
 
 21  
 import org.apache.shiro.authc.AuthenticationException;
 22  
 import org.apache.shiro.authc.AuthenticationInfo;
 23  
 import org.apache.shiro.authc.AuthenticationToken;
 24  
 import org.apache.shiro.authc.SimpleAuthenticationInfo;
 25  
 import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
 26  
 import org.apache.shiro.authz.AuthorizationException;
 27  
 import org.apache.shiro.authz.AuthorizationInfo;
 28  
 import org.apache.shiro.ldap.UnsupportedAuthenticationMechanismException;
 29  
 import org.apache.shiro.realm.AuthorizingRealm;
 30  
 import org.apache.shiro.subject.PrincipalCollection;
 31  
 import org.apache.shiro.util.StringUtils;
 32  
 import org.slf4j.Logger;
 33  
 import org.slf4j.LoggerFactory;
 34  
 
 35  
 import javax.naming.AuthenticationNotSupportedException;
 36  
 import javax.naming.NamingException;
 37  
 import javax.naming.ldap.LdapContext;
 38  
 
 39  
 /**
 40  
  * An LDAP {@link org.apache.shiro.realm.Realm Realm} implementation utilizing Sun's/Oracle's
 41  
  * <a href="http://download-llnw.oracle.com/javase/tutorial/jndi/ldap/jndi.html">JNDI API as an LDAP API</a>.  This is
 42  
  * Shiro's default implementation for supporting LDAP, as using the JNDI API has been a common approach for Java LDAP
 43  
  * support for many years.
 44  
  * <p/>
 45  
  * This realm implementation and its backing {@link JndiLdapContextFactory} should cover 99% of all Shiro-related LDAP
 46  
  * authentication and authorization needs.  However, if it does not suit your needs, you might want to look into
 47  
  * creating your own realm using an alternative, perhaps more robust, LDAP communication API, such as the
 48  
  * <a href="http://directory.apache.org/api/">Apache LDAP API</a>.
 49  
  * <h2>Authentication</h2>
 50  
  * During an authentication attempt, if the submitted {@code AuthenticationToken}'s
 51  
  * {@link org.apache.shiro.authc.AuthenticationToken#getPrincipal() principal} is a simple username, but the
 52  
  * LDAP directory expects a complete User Distinguished Name (User DN) to establish a connection, the
 53  
  * {@link #setUserDnTemplate(String) userDnTemplate} property must be configured.  If not configured,
 54  
  * the property will pass the simple username directly as the User DN, which is often incorrect in most LDAP
 55  
  * environments (maybe Microsoft ActiveDirectory being the exception).
 56  
  * <h2>Authorization</h2>
 57  
  * By default, authorization is effectively disabled due to the default
 58  
  * {@link #doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection)} implementation returning {@code null}.
 59  
  * If you wish to perform authorization based on an LDAP schema, you must subclass this one
 60  
  * and override that method to reflect your organization's data model.
 61  
  * <h2>Configuration</h2>
 62  
  * This class primarily provides the {@link #setUserDnTemplate(String) userDnTemplate} property to allow you to specify
 63  
  * the your LDAP server's User DN format.  Most other configuration is performed via the nested
 64  
  * {@link LdapContextFactory contextFactory} property.
 65  
  * <p/>
 66  
  * For example, defining this realm in Shiro .ini:
 67  
  * <pre>
 68  
  * [main]
 69  
  * ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
 70  
  * ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com
 71  
  * ldapRealm.contextFactory.url = ldap://ldapHost:389
 72  
  * ldapRealm.contextFactory.authenticationMechanism = DIGEST-MD5
 73  
  * ldapRealm.contextFactory.environment[some.obscure.jndi.key] = some value
 74  
  * ...
 75  
  * </pre>
 76  
  * The default {@link #setContextFactory contextFactory} instance is a {@link JndiLdapContextFactory}.  See that
 77  
  * class's JavaDoc for more information on configuring the LDAP connection as well as specifying JNDI environment
 78  
  * properties as necessary.
 79  
  *
 80  
  * @see JndiLdapContextFactory
 81  
  *
 82  
  * @since 1.1
 83  
  */
 84  
 public class JndiLdapRealm extends AuthorizingRealm {
 85  
 
 86  1
     private static final Logger log = LoggerFactory.getLogger(JndiLdapRealm.class);
 87  
 
 88  
     //The zero index currently means nothing, but could be utilized in the future for other substitution techniques.
 89  
     private static final String USERDN_SUBSTITUTION_TOKEN = "{0}";
 90  
 
 91  
     private String userDnPrefix;
 92  
     private String userDnSuffix;
 93  
 
 94  
     /*--------------------------------------------
 95  
     |    I N S T A N C E   V A R I A B L E S    |
 96  
     ============================================*/
 97  
     /**
 98  
      * The LdapContextFactory instance used to acquire {@link javax.naming.ldap.LdapContext LdapContext}'s at runtime
 99  
      * to acquire connections to the LDAP directory to perform authentication attempts and authorizatino queries.
 100  
      */
 101  
     private LdapContextFactory contextFactory;
 102  
 
 103  
     /*--------------------------------------------
 104  
     |         C O N S T R U C T O R S           |
 105  
     ============================================*/
 106  
 
 107  
     /**
 108  
      * Default no-argument constructor that defaults the internal {@link LdapContextFactory} instance to a
 109  
      * {@link JndiLdapContextFactory}.
 110  
      */
 111  13
     public JndiLdapRealm() {
 112  
         //Credentials Matching is not necessary - the LDAP directory will do it automatically:
 113  13
         setCredentialsMatcher(new AllowAllCredentialsMatcher());
 114  
         //Any Object principal and Object credentials may be passed to the LDAP provider, so accept any token:
 115  13
         setAuthenticationTokenClass(AuthenticationToken.class);
 116  13
         this.contextFactory = new JndiLdapContextFactory();
 117  13
     }
 118  
 
 119  
     /*--------------------------------------------
 120  
     |  A C C E S S O R S / M O D I F I E R S    |
 121  
     ============================================*/
 122  
 
 123  
     /**
 124  
      * Returns the User DN prefix to use when building a runtime User DN value or {@code null} if no
 125  
      * {@link #getUserDnTemplate() userDnTemplate} has been configured.  If configured, this value is the text that
 126  
      * occurs before the {@link #USERDN_SUBSTITUTION_TOKEN} in the {@link #getUserDnTemplate() userDnTemplate} value.
 127  
      *
 128  
      * @return the the User DN prefix to use when building a runtime User DN value or {@code null} if no
 129  
      *         {@link #getUserDnTemplate() userDnTemplate} has been configured.
 130  
      */
 131  
     protected String getUserDnPrefix() {
 132  4
         return userDnPrefix;
 133  
     }
 134  
 
 135  
     /**
 136  
      * Returns the User DN suffix to use when building a runtime User DN value.  or {@code null} if no
 137  
      * {@link #getUserDnTemplate() userDnTemplate} has been configured.  If configured, this value is the text that
 138  
      * occurs after the {@link #USERDN_SUBSTITUTION_TOKEN} in the {@link #getUserDnTemplate() userDnTemplate} value.
 139  
      *
 140  
      * @return the User DN suffix to use when building a runtime User DN value or {@code null} if no
 141  
      *         {@link #getUserDnTemplate() userDnTemplate} has been configured.
 142  
      */
 143  
     protected String getUserDnSuffix() {
 144  4
         return userDnSuffix;
 145  
     }
 146  
 
 147  
     /*--------------------------------------------
 148  
     |               M E T H O D S               |
 149  
     ============================================*/
 150  
 
 151  
     /**
 152  
      * Sets the User Distinguished Name (DN) template to use when creating User DNs at runtime.  A User DN is an LDAP
 153  
      * fully-qualified unique user identifier which is required to establish a connection with the LDAP
 154  
      * directory to authenticate users and query for authorization information.
 155  
      * <h2>Usage</h2>
 156  
      * User DN formats are unique to the LDAP directory's schema, and each environment differs - you will need to
 157  
      * specify the format corresponding to your directory.  You do this by specifying the full User DN as normal, but
 158  
      * but you use a <b>{@code {0}}</b> placeholder token in the string representing the location where the
 159  
      * user's submitted principal (usually a username or uid) will be substituted at runtime.
 160  
      * <p/>
 161  
      * For example,  if your directory
 162  
      * uses an LDAP {@code uid} attribute to represent usernames, the User DN for the {@code jsmith} user may look like
 163  
      * this:
 164  
      * <p/>
 165  
      * <pre>uid=jsmith,ou=users,dc=mycompany,dc=com</pre>
 166  
      * <p/>
 167  
      * in which case you would set this property with the following template value:
 168  
      * <p/>
 169  
      * <pre>uid=<b>{0}</b>,ou=users,dc=mycompany,dc=com</pre>
 170  
      * <p/>
 171  
      * If no template is configured, the raw {@code AuthenticationToken}
 172  
      * {@link AuthenticationToken#getPrincipal() principal} will be used as the LDAP principal.  This is likely
 173  
      * incorrect as most LDAP directories expect a fully-qualified User DN as opposed to the raw uid or username.  So,
 174  
      * ensure you set this property to match your environment!
 175  
      *
 176  
      * @param template the User Distinguished Name template to use for runtime substitution
 177  
      * @throws IllegalArgumentException if the template is null, empty, or does not contain the
 178  
      *                                  {@code {0}} substitution token.
 179  
      * @see LdapContextFactory#getLdapContext(Object,Object)
 180  
      */
 181  
     public void setUserDnTemplate(String template) throws IllegalArgumentException {
 182  8
         if (!StringUtils.hasText(template)) {
 183  2
             String msg = "User DN template cannot be null or empty.";
 184  2
             throw new IllegalArgumentException(msg);
 185  
         }
 186  6
         int index = template.indexOf(USERDN_SUBSTITUTION_TOKEN);
 187  6
         if (index < 0) {
 188  1
             String msg = "User DN template must contain the '" +
 189  
                     USERDN_SUBSTITUTION_TOKEN + "' replacement token to understand where to " +
 190  
                     "insert the runtime authentication principal.";
 191  1
             throw new IllegalArgumentException(msg);
 192  
         }
 193  5
         String prefix = template.substring(0, index);
 194  5
         String suffix = template.substring(prefix.length() + USERDN_SUBSTITUTION_TOKEN.length());
 195  5
         if (log.isDebugEnabled()) {
 196  5
             log.debug("Determined user DN prefix [{}] and suffix [{}]", prefix, suffix);
 197  
         }
 198  5
         this.userDnPrefix = prefix;
 199  5
         this.userDnSuffix = suffix;
 200  5
     }
 201  
 
 202  
     /**
 203  
      * Returns the User Distinguished Name (DN) template to use when creating User DNs at runtime - see the
 204  
      * {@link #setUserDnTemplate(String) setUserDnTemplate} JavaDoc for a full explanation.
 205  
      *
 206  
      * @return the User Distinguished Name (DN) template to use when creating User DNs at runtime.
 207  
      */
 208  
     public String getUserDnTemplate() {
 209  1
         return getUserDn(USERDN_SUBSTITUTION_TOKEN);
 210  
     }
 211  
 
 212  
     /**
 213  
      * Returns the LDAP User Distinguished Name (DN) to use when acquiring an
 214  
      * {@link javax.naming.ldap.LdapContext LdapContext} from the {@link LdapContextFactory}.
 215  
      * <p/>
 216  
      * If the the {@link #getUserDnTemplate() userDnTemplate} property has been set, this implementation will construct
 217  
      * the User DN by substituting the specified {@code principal} into the configured template.  If the
 218  
      * {@link #getUserDnTemplate() userDnTemplate} has not been set, the method argument will be returned directly
 219  
      * (indicating that the submitted authentication token principal <em>is</em> the User DN).
 220  
      *
 221  
      * @param principal the principal to substitute into the configured {@link #getUserDnTemplate() userDnTemplate}.
 222  
      * @return the constructed User DN to use at runtime when acquiring an {@link javax.naming.ldap.LdapContext}.
 223  
      * @throws IllegalArgumentException if the method argument is null or empty
 224  
      * @throws IllegalStateException    if the {@link #getUserDnTemplate userDnTemplate} has not been set.
 225  
      * @see LdapContextFactory#getLdapContext(Object, Object)
 226  
      */
 227  
     protected String getUserDn(String principal) throws IllegalArgumentException, IllegalStateException {
 228  6
         if (!StringUtils.hasText(principal)) {
 229  1
             throw new IllegalArgumentException("User principal cannot be null or empty for User DN construction.");
 230  
         }
 231  5
         String prefix = getUserDnPrefix();
 232  5
         String suffix = getUserDnSuffix();
 233  5
         if (prefix == null && suffix == null) {
 234  1
             log.debug("userDnTemplate property has not been configured, indicating the submitted " +
 235  
                     "AuthenticationToken's principal is the same as the User DN.  Returning the method argument " +
 236  
                     "as is.");
 237  1
             return principal;
 238  
         }
 239  
 
 240  4
         int prefixLength = prefix != null ? prefix.length() : 0;
 241  4
         int suffixLength = suffix != null ? suffix.length() : 0;
 242  4
         StringBuilder sb = new StringBuilder(prefixLength + principal.length() + suffixLength);
 243  4
         if (prefixLength > 0) {
 244  4
             sb.append(prefix);
 245  
         }
 246  4
         sb.append(principal);
 247  4
         if (suffixLength > 0) {
 248  4
             sb.append(suffix);
 249  
         }
 250  4
         return sb.toString();
 251  
     }
 252  
 
 253  
     /**
 254  
      * Sets the LdapContextFactory instance used to acquire connections to the LDAP directory during authentication
 255  
      * attempts and authorization queries.  Unless specified otherwise, the default is a {@link JndiLdapContextFactory}
 256  
      * instance.
 257  
      *
 258  
      * @param contextFactory the LdapContextFactory instance used to acquire connections to the LDAP directory during
 259  
      *                       authentication attempts and authorization queries
 260  
      */
 261  
     @SuppressWarnings({"UnusedDeclaration"})
 262  
     public void setContextFactory(LdapContextFactory contextFactory) {
 263  4
         this.contextFactory = contextFactory;
 264  4
     }
 265  
 
 266  
     /**
 267  
      * Returns the LdapContextFactory instance used to acquire connections to the LDAP directory during authentication
 268  
      * attempts and authorization queries.  Unless specified otherwise, the default is a {@link JndiLdapContextFactory}
 269  
      * instance.
 270  
      *
 271  
      * @return the LdapContextFactory instance used to acquire connections to the LDAP directory during
 272  
      *         authentication attempts and authorization queries
 273  
      */
 274  
     public LdapContextFactory getContextFactory() {
 275  14
         return this.contextFactory;
 276  
     }
 277  
 
 278  
     /*--------------------------------------------
 279  
     |               M E T H O D S                |
 280  
     ============================================*/
 281  
 
 282  
     /**
 283  
      * Delegates to {@link #queryForAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken, LdapContextFactory)},
 284  
      * wrapping any {@link NamingException}s in a Shiro {@link AuthenticationException} to satisfy the parent method
 285  
      * signature.
 286  
      *
 287  
      * @param token the authentication token containing the user's principal and credentials.
 288  
      * @return the {@link AuthenticationInfo} acquired after a successful authentication attempt
 289  
      * @throws AuthenticationException if the authentication attempt fails or if a
 290  
      *                                 {@link NamingException} occurs.
 291  
      */
 292  
     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
 293  
         AuthenticationInfo info;
 294  
         try {
 295  4
             info = queryForAuthenticationInfo(token, getContextFactory());
 296  0
         } catch (AuthenticationNotSupportedException e) {
 297  0
             String msg = "Unsupported configured authentication mechanism";
 298  0
             throw new UnsupportedAuthenticationMechanismException(msg, e);
 299  1
         } catch (javax.naming.AuthenticationException e) {
 300  1
             throw new AuthenticationException("LDAP authentication failed.", e);
 301  1
         } catch (NamingException e) {
 302  1
             String msg = "LDAP naming error while attempting to authenticate user.";
 303  1
             throw new AuthenticationException(msg, e);
 304  2
         }
 305  
 
 306  2
         return info;
 307  
     }
 308  
 
 309  
 
 310  
     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
 311  
         AuthorizationInfo info;
 312  
         try {
 313  0
             info = queryForAuthorizationInfo(principals, getContextFactory());
 314  0
         } catch (NamingException e) {
 315  0
             String msg = "LDAP naming error while attempting to retrieve authorization for user [" + principals + "].";
 316  0
             throw new AuthorizationException(msg, e);
 317  0
         }
 318  
 
 319  0
         return info;
 320  
     }
 321  
 
 322  
     /**
 323  
      * Returns the principal to use when creating the LDAP connection for an authentication attempt.
 324  
      * <p/>
 325  
      * This implementation uses a heuristic: it checks to see if the specified token's
 326  
      * {@link AuthenticationToken#getPrincipal() principal} is a {@code String}, and if so,
 327  
      * {@link #getUserDn(String) converts it} from what is
 328  
      * assumed to be a raw uid or username {@code String} into a User DN {@code String}.  Almost all LDAP directories
 329  
      * expect the authentication connection to present a User DN and not an unqualified username or uid.
 330  
      * <p/>
 331  
      * If the token's {@code principal} is not a String, it is assumed to already be in the format supported by the
 332  
      * underlying {@link LdapContextFactory} implementation and the raw principal is returned directly.
 333  
      *
 334  
      * @param token the {@link AuthenticationToken} submitted during the authentication process
 335  
      * @return the User DN or raw principal to use to acquire the LdapContext.
 336  
      * @see LdapContextFactory#getLdapContext(Object, Object)
 337  
      */
 338  
     protected Object getLdapPrincipal(AuthenticationToken token) {
 339  4
         Object principal = token.getPrincipal();
 340  4
         if (principal instanceof String) {
 341  3
             String sPrincipal = (String) principal;
 342  3
             return getUserDn(sPrincipal);
 343  
         }
 344  1
         return principal;
 345  
     }
 346  
 
 347  
     /**
 348  
      * This implementation opens an LDAP connection using the token's
 349  
      * {@link #getLdapPrincipal(org.apache.shiro.authc.AuthenticationToken) discovered principal} and provided
 350  
      * {@link AuthenticationToken#getCredentials() credentials}.  If the connection opens successfully, the
 351  
      * authentication attempt is immediately considered successful and a new
 352  
      * {@link AuthenticationInfo} instance is
 353  
      * {@link #createAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken, Object, Object, javax.naming.ldap.LdapContext) created}
 354  
      * and returned.  If the connection cannot be opened, either because LDAP authentication failed or some other
 355  
      * JNDI problem, an {@link NamingException} will be thrown.
 356  
      *
 357  
      * @param token              the submitted authentication token that triggered the authentication attempt.
 358  
      * @param ldapContextFactory factory used to retrieve LDAP connections.
 359  
      * @return an {@link AuthenticationInfo} instance representing the authenticated user's information.
 360  
      * @throws NamingException if any LDAP errors occur.
 361  
      */
 362  
     protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token,
 363  
                                                             LdapContextFactory ldapContextFactory)
 364  
             throws NamingException {
 365  
 
 366  4
         Object principal = token.getPrincipal();
 367  4
         Object credentials = token.getCredentials();
 368  
 
 369  4
         log.debug("Authenticating user '{}' through LDAP", principal);
 370  
 
 371  4
         principal = getLdapPrincipal(token);
 372  
 
 373  4
         LdapContext ctx = null;
 374  
         try {
 375  4
             ctx = ldapContextFactory.getLdapContext(principal, credentials);
 376  
             //context was opened successfully, which means their credentials were valid.  Return the AuthenticationInfo:
 377  2
             return createAuthenticationInfo(token, principal, credentials, ctx);
 378  
         } finally {
 379  2
             LdapUtils.closeContext(ctx);
 380  
         }
 381  
     }
 382  
 
 383  
     /**
 384  
      * Returns the {@link AuthenticationInfo} resulting from a Subject's successful LDAP authentication attempt.
 385  
      * <p/>
 386  
      * This implementation ignores the {@code ldapPrincipal}, {@code ldapCredentials}, and the opened
 387  
      * {@code ldapContext} arguments and merely returns an {@code AuthenticationInfo} instance mirroring the
 388  
      * submitted token's principal and credentials.  This is acceptable because this method is only ever invoked after
 389  
      * a successful authentication attempt, which means the provided principal and credentials were correct, and can
 390  
      * be used directly to populate the (now verified) {@code AuthenticationInfo}.
 391  
      * <p/>
 392  
      * Subclasses however are free to override this method for more advanced construction logic.
 393  
      *
 394  
      * @param token           the submitted {@code AuthenticationToken} that resulted in a successful authentication
 395  
      * @param ldapPrincipal   the LDAP principal used when creating the LDAP connection.  Unlike the token's
 396  
      *                        {@link AuthenticationToken#getPrincipal() principal}, this value is usually a constructed
 397  
      *                        User DN and not a simple username or uid.  The exact value is depending on the
 398  
      *                        configured
 399  
      *                        <a href="http://download-llnw.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html">
 400  
      *                        LDAP authentication mechanism</a> in use.
 401  
      * @param ldapCredentials the LDAP credentials used when creating the LDAP connection.
 402  
      * @param ldapContext     the LdapContext created that resulted in a successful authentication.  It can be used
 403  
      *                        further by subclasses for more complex operations.  It does not need to be closed -
 404  
      *                        it will be closed automatically after this method returns.
 405  
      * @return the {@link AuthenticationInfo} resulting from a Subject's successful LDAP authentication attempt.
 406  
      * @throws NamingException if there was any problem using the {@code LdapContext}
 407  
      */
 408  
     @SuppressWarnings({"UnusedDeclaration"})
 409  
     protected AuthenticationInfo createAuthenticationInfo(AuthenticationToken token, Object ldapPrincipal,
 410  
                                                           Object ldapCredentials, LdapContext ldapContext)
 411  
             throws NamingException {
 412  2
         return new SimpleAuthenticationInfo(token.getPrincipal(), token.getCredentials(), getName());
 413  
     }
 414  
 
 415  
 
 416  
     /**
 417  
      * Method that should be implemented by subclasses to build an
 418  
      * {@link AuthorizationInfo} object by querying the LDAP context for the
 419  
      * specified principal.</p>
 420  
      *
 421  
      * @param principals          the principals of the Subject whose AuthenticationInfo should be queried from the LDAP server.
 422  
      * @param ldapContextFactory factory used to retrieve LDAP connections.
 423  
      * @return an {@link AuthorizationInfo} instance containing information retrieved from the LDAP server.
 424  
      * @throws NamingException if any LDAP errors occur during the search.
 425  
      */
 426  
     protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals,
 427  
                                                           LdapContextFactory ldapContextFactory) throws NamingException {
 428  0
         return null;
 429  
     }
 430  
 }