added possibility to disable role lookup for UserNameActiveDirectoryRealm

2017-06-16 07:55:44 +00:00
parent 2590070958
commit e391fe8791
1 changed files with 55 additions and 2 deletions
--- a/account/src/main/java/de/muehlencord/shared/account/util/UserNameActiveDirectoryRealm.java
+++ b/account/src/main/java/de/muehlencord/shared/account/util/UserNameActiveDirectoryRealm.java
@ -1,13 +1,17 @@
 package de.muehlencord.shared.account.util;

+import java.util.HashSet;
+import java.util.Set;
 import javax.naming.NamingException;
 import javax.naming.ldap.LdapContext;
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authz.AuthorizationInfo;
 import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
 import org.apache.shiro.realm.ldap.LdapContextFactory;
 import org.apache.shiro.realm.ldap.LdapUtils;
+import org.apache.shiro.subject.PrincipalCollection;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

@ -19,6 +23,8 @@ public class UserNameActiveDirectoryRealm extends ActiveDirectoryRealm {

    private static final Logger LOGGER = LoggerFactory.getLogger(UserNameActiveDirectoryRealm.class);

+    private boolean permissionsLookupEnabled = true;
+
    @Override
    protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
@ -45,4 +51,51 @@ public class UserNameActiveDirectoryRealm extends ActiveDirectoryRealm {
        LOGGER.debug("authentifaction info created");
        return authInfo;
    }
+
+    /**
+     * Builds an {@link org.apache.shiro.authz.AuthorizationInfo} object by
+     * querying the active directory LDAP context for the groups that a user is
+     * a member of. The groups are then translated to role names by using the
+     * configured {@link #groupRolesMap}.
+     * <p/>
+     * This implementation expects the <tt>principal</tt> argument to be a
+     * String username.
+     * <p/>
+     * Subclasses can override this method to determine authorization data
+     * (roles, permissions, etc) in a more complex way. Note that this default
+     * implementation does not support permissions, only roles.
+     *
+     * @param principals the principal of the Subject whose account is being
+     * retrieved.
+     * @param ldapContextFactory the factory used to create LDAP connections.
+     * @return the AuthorizationInfo for the given Subject principal.
+     * @throws NamingException if an error occurs when searching the LDAP
+     * server.
+     */
+    @Override
+    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory ldapContextFactory) throws NamingException {
+        Set<String> roleNames;
+        if (this.permissionsLookupEnabled) {
+            String username = (String) getAvailablePrincipal(principals);
+            // Perform context search
+            LdapContext ldapContext = ldapContextFactory.getSystemLdapContext();
+            try {
+                roleNames = getRoleNamesForUser(username, ldapContext);
+            } finally {
+                LdapUtils.closeContext(ldapContext);
+            }
+        } else {
+            roleNames = new HashSet<>();
+        }
+        return buildAuthorizationInfo(roleNames);
+    }
+
+    public boolean isPermissionsLookupEnabled() {
+        return permissionsLookupEnabled;
+    }
+
+    public void setPermissionsLookupEnabled(boolean permissionsLookupEnabled) {
+        this.permissionsLookupEnabled = permissionsLookupEnabled;
+    }
+
 }