public class ActiveDirectoryRealm extends AbstractLdapRealm

A Realm that authenticates against an Active Directory LDAP server and determines the roles for a particular user. This implementation queries for the user's groups and then maps the group names to roles using the groupRolesMap.

Fields inherited from class AbstractLdapRealm: principalSuffix, searchBase, systemPassword, systemUsername, url
Constructor and Description |
---|
ActiveDirectoryRealm() |
Modifier and Type | Method and Description
---|---
protected AuthenticationInfo | buildAuthenticationInfo(String username, char[] password)
protected AuthorizationInfo | buildAuthorizationInfo(Set<String> roleNames)
protected Collection<String> | getRoleNamesForGroups(Collection<String> groupNames) This method is called by the default implementation to translate Active Directory group names to role names.
protected AuthenticationInfo | queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory) Builds an AuthenticationInfo object by querying the Active Directory LDAP context for the specified username.
protected AuthorizationInfo | queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory ldapContextFactory) Builds an AuthorizationInfo object by querying the Active Directory LDAP context for the groups that a user is a member of.
void | setGroupRolesMap(Map<String,String> groupRolesMap)
Methods inherited from class AbstractLdapRealm: doGetAuthenticationInfo, doGetAuthorizationInfo, onInit, setLdapContextFactory, setPrincipalSuffix, setSearchBase, setSystemPassword, setSystemUsername, setUrl

Methods inherited from class AuthorizingRealm: afterCacheManagerSet, checkPermission, checkPermission, checkPermission, checkPermissions, checkPermissions, checkPermissions, checkRole, checkRole, checkRoles, checkRoles, checkRoles, clearCachedAuthorizationInfo, doClearCache, getAuthorizationCache, getAuthorizationCacheKey, getAuthorizationCacheName, getAuthorizationInfo, getPermissionResolver, getPermissions, getRolePermissionResolver, hasAllRoles, hasRole, hasRole, hasRoles, hasRoles, isAuthorizationCachingEnabled, isPermitted, isPermitted, isPermitted, isPermitted, isPermitted, isPermitted, isPermittedAll, isPermittedAll, isPermittedAll, setAuthorizationCache, setAuthorizationCacheName, setAuthorizationCachingEnabled, setName, setPermissionResolver, setRolePermissionResolver

Methods inherited from class AuthenticatingRealm: assertCredentialsMatch, clearCachedAuthenticationInfo, getAuthenticationCache, getAuthenticationCacheKey, getAuthenticationCacheKey, getAuthenticationCacheName, getAuthenticationInfo, getAuthenticationTokenClass, getCredentialsMatcher, init, isAuthenticationCachingEnabled, isAuthenticationCachingEnabled, setAuthenticationCache, setAuthenticationCacheName, setAuthenticationCachingEnabled, setAuthenticationTokenClass, setCredentialsMatcher, supports

Methods inherited from class CachingRealm: clearCache, getAvailablePrincipal, getCacheManager, getName, isCachingEnabled, onLogout, setCacheManager, setCachingEnabled

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface Initializable: init
public ActiveDirectoryRealm()

public void setGroupRolesMap(Map<String,String> groupRolesMap)

Sets the map used to translate Active Directory group names into role names (see getRoleNamesForGroups).
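The page does not show what the group names look like or how the map values are interpreted, so the following added example (written for this page; not Shiro's own code) makes both explicit. Active Directory reports a user's group membership as the distinguished names (DNs) in the user's memberOf attribute, so the keys of groupRolesMap must be full group DNs; each value is a comma-separated list of role names. Because LDAP DNs are case-insensitive but a plain Map lookup is not, this subclass normalises DN case before the lookup, and it exposes the protected getRoleNamesForGroups step so the mapping can be exercised without an LDAP server. The class name CaseInsensitiveAdRealm, the mapGroups hook and the sample DNs are all constructed for the example.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;

/**
 * Added example, not part of Apache Shiro: an ActiveDirectoryRealm whose
 * group-to-role mapping tolerates the DN case differences AD may return.
 */
public class CaseInsensitiveAdRealm extends ActiveDirectoryRealm {

    // Lower-cased group DN -> comma-separated role names.
    private final Map<String, String> normalizedGroupRoles = new HashMap<String, String>();

    @Override
    public void setGroupRolesMap(Map<String, String> groupRolesMap) {
        super.setGroupRolesMap(groupRolesMap); // keep the parent's copy as well
        normalizedGroupRoles.clear();
        for (Map.Entry<String, String> e : groupRolesMap.entrySet()) {
            normalizedGroupRoles.put(e.getKey().toLowerCase(Locale.ROOT), e.getValue());
        }
    }

    @Override
    protected Collection<String> getRoleNamesForGroups(Collection<String> groupNames) {
        Set<String> roles = new LinkedHashSet<String>();
        for (String groupDn : groupNames) {
            String roleList = normalizedGroupRoles.get(groupDn.toLowerCase(Locale.ROOT));
            if (roleList == null) {
                continue; // a group without a mapping grants nothing
            }
            for (String role : roleList.split(",")) {
                String trimmed = role.trim();
                if (!trimmed.isEmpty()) {
                    roles.add(trimmed);
                }
            }
        }
        return roles;
    }

    /** Hypothetical hook so the mapping can be run without an LDAP round trip. */
    public Collection<String> mapGroups(Collection<String> memberOfValues) {
        return getRoleNamesForGroups(memberOfValues);
    }

    public static void main(String[] args) {
        CaseInsensitiveAdRealm realm = new CaseInsensitiveAdRealm();

        // Keys are full group DNs (assumed directory layout), values are role lists.
        Map<String, String> groupRoles = new HashMap<String, String>();
        groupRoles.put("CN=App Admins,OU=Groups,DC=corp,DC=example", "admin,user");
        groupRoles.put("CN=App Users,OU=Groups,DC=corp,DC=example", "user");
        realm.setGroupRolesMap(groupRoles);

        // Constructed sample of what AD would return in one user's memberOf attribute.
        Collection<String> memberOf = new ArrayList<String>();
        memberOf.add("cn=app admins,ou=groups,dc=corp,dc=example");   // same group, different case
        memberOf.add("CN=Domain Users,CN=Users,DC=corp,DC=example");  // no mapping, so no role

        System.out.println("roles: " + realm.mapGroups(memberOf));
    }
}
```

Map on the full DN, never on the bare CN: two groups in different OUs can share a CN, and anyone who can create a group in an OU they control could otherwise pick a CN that matches an administrative entry in groupRolesMap.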
protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException

Builds an AuthenticationInfo object by querying the Active Directory LDAP context for the specified username. This method binds to the LDAP server using the provided username and password; a successful bind indicates that the password is correct. That inference only holds for an authenticated bind: an LDAP simple bind that carries a name but an empty password is an unauthenticated bind, which Active Directory accepts without checking any credential, so an empty password must be rejected before the bind is attempted.

This method can be overridden by subclasses to query the LDAP server in a more complex way.

Specified by: queryForAuthenticationInfo in class AbstractLdapRealm
Parameters:
token - the authentication token provided by the user.
ldapContextFactory - the factory used to build connections to the LDAP server.
Returns: an AuthenticationInfo instance containing information retrieved from LDAP.
Throws: NamingException - if any LDAP errors occur during the search.

protected AuthenticationInfo buildAuthenticationInfo(String username, char[] password)
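Whether the configured LdapContextFactory itself refuses empty credentials depends on the factory, so the added example below (written for this page; not Shiro's own code) performs the check in the realm, where it is independent of the factory. It overrides queryForAuthenticationInfo to reject a missing username or an empty password before delegating to the page's bind-based implementation, and it uses a stub LdapContextFactory, constructed for the example, that records whether a bind was ever requested. The class names StrictBindAdRealm and RecordingFactory and the user "alice" are assumptions.

```java
import javax.naming.NamingException;
import javax.naming.ldap.LdapContext;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;

/**
 * Added example, not part of Apache Shiro: refuse to bind when the token
 * carries no usable credential, so an unauthenticated bind can never be
 * mistaken for a password check.
 */
public class StrictBindAdRealm extends ActiveDirectoryRealm {

    @Override
    protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token,
                                                            LdapContextFactory ldapContextFactory)
            throws NamingException {
        if (!(token instanceof UsernamePasswordToken)) {
            throw new AuthenticationException("only username/password tokens are supported");
        }
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        char[] password = upToken.getPassword();

        if (username == null || username.trim().isEmpty()) {
            throw new AuthenticationException("empty username rejected before bind");
        }
        if (password == null || password.length == 0) {
            // A simple bind with a name and no password is an unauthenticated bind
            // (RFC 4513, section 5.1.2); AD accepts it, so it must never be sent.
            throw new AuthenticationException("empty password rejected before bind");
        }
        // Only now let the parent perform the bind that proves the password.
        return super.queryForAuthenticationInfo(token, ldapContextFactory);
    }

    /** Stub factory (constructed for this example): records bind attempts, never connects. */
    static final class RecordingFactory implements LdapContextFactory {
        boolean bindAttempted;

        public LdapContext getSystemLdapContext() throws NamingException {
            throw new NamingException("no directory server in this example");
        }

        @SuppressWarnings("deprecation")
        public LdapContext getLdapContext(String username, String password) throws NamingException {
            bindAttempted = true;
            throw new NamingException("no directory server in this example");
        }

        public LdapContext getLdapContext(Object principal, Object credentials) throws NamingException {
            bindAttempted = true;
            throw new NamingException("no directory server in this example");
        }
    }

    public static void main(String[] args) throws NamingException {
        StrictBindAdRealm realm = new StrictBindAdRealm();
        RecordingFactory factory = new RecordingFactory();
        try {
            // Constructed login attempt with a blank password.
            realm.queryForAuthenticationInfo(new UsernamePasswordToken("alice", ""), factory);
        } catch (AuthenticationException rejected) {
            System.out.println(rejected.getMessage() + "; bind attempted: " + factory.bindAttempted);
        }
    }
}
```

The realm's doGetAuthenticationInfo (inherited from AbstractLdapRealm) calls queryForAuthenticationInfo, so the guard applies to every login that reaches this realm, regardless of which LdapContextFactory is configured.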
protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory ldapContextFactory) throws NamingException

Builds an AuthorizationInfo object by querying the Active Directory LDAP context for the groups that a user is a member of. The groups are then translated to role names using the configured groupRolesMap.

This implementation expects the principal argument to be a String username.

Subclasses can override this method to determine authorization data (roles, permissions, etc.) in a more complex way. Note that this default implementation does not support permissions, only roles.

Specified by: queryForAuthorizationInfo in class AbstractLdapRealm
Parameters:
principals - the principal of the Subject whose account is being retrieved.
ldapContextFactory - the factory used to create LDAP connections.
Throws: NamingException - if an error occurs when searching the LDAP server.

protected AuthorizationInfo buildAuthorizationInfo(Set<String> roleNames)
protected Collection<String> getRoleNamesForGroups(Collection<String> groupNames)

This method is called by the default implementation to translate Active Directory group names to role names. This implementation uses the groupRolesMap to map group names to role names.

Parameters:
groupNames - the group names that apply to the current user.

Copyright © 2004-2016 The Apache Software Foundation. All Rights Reserved.