added possibility to disable role lookup for UserNameActiveDirectoryRealm
This commit is contained in:
jomu
@ -1,13 +1,17 @@
|
||||
package de.muehlencord.shared.account.util;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import javax.naming.NamingException;
|
||||
import javax.naming.ldap.LdapContext;
|
||||
import org.apache.shiro.authc.AuthenticationInfo;
|
||||
import org.apache.shiro.authc.AuthenticationToken;
|
||||
import org.apache.shiro.authc.UsernamePasswordToken;
|
||||
import org.apache.shiro.authz.AuthorizationInfo;
|
||||
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
|
||||
import org.apache.shiro.realm.ldap.LdapContextFactory;
|
||||
import org.apache.shiro.realm.ldap.LdapUtils;
|
||||
import org.apache.shiro.subject.PrincipalCollection;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
@ -18,11 +22,13 @@ import org.slf4j.LoggerFactory;
|
||||
public class UserNameActiveDirectoryRealm extends ActiveDirectoryRealm {
|
||||
|
||||
private static final Logger LOGGER = LoggerFactory.getLogger(UserNameActiveDirectoryRealm.class);
|
||||
|
||||
|
||||
private boolean permissionsLookupEnabled = true;
|
||||
|
||||
@Override
|
||||
protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException {
|
||||
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
|
||||
|
||||
|
||||
LdapContext ctx = null;
|
||||
String userName = upToken.getUsername();
|
||||
try {
|
||||
@ -45,4 +51,51 @@ public class UserNameActiveDirectoryRealm extends ActiveDirectoryRealm {
|
||||
LOGGER.debug("authentifaction info created");
|
||||
return authInfo;
|
||||
}
|
||||
|
||||
/**
|
||||
* Builds an {@link org.apache.shiro.authz.AuthorizationInfo} object by
|
||||
* querying the active directory LDAP context for the groups that a user is
|
||||
* a member of. The groups are then translated to role names by using the
|
||||
* configured {@link #groupRolesMap}.
|
||||
* <p/>
|
||||
* This implementation expects the <tt>principal</tt> argument to be a
|
||||
* String username.
|
||||
* <p/>
|
||||
* Subclasses can override this method to determine authorization data
|
||||
* (roles, permissions, etc) in a more complex way. Note that this default
|
||||
* implementation does not support permissions, only roles.
|
||||
*
|
||||
* @param principals the principal of the Subject whose account is being
|
||||
* retrieved.
|
||||
* @param ldapContextFactory the factory used to create LDAP connections.
|
||||
* @return the AuthorizationInfo for the given Subject principal.
|
||||
* @throws NamingException if an error occurs when searching the LDAP
|
||||
* server.
|
||||
*/
|
||||
@Override
|
||||
protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory ldapContextFactory) throws NamingException {
|
||||
Set<String> roleNames;
|
||||
if (this.permissionsLookupEnabled) {
|
||||
String username = (String) getAvailablePrincipal(principals);
|
||||
// Perform context search
|
||||
LdapContext ldapContext = ldapContextFactory.getSystemLdapContext();
|
||||
try {
|
||||
roleNames = getRoleNamesForUser(username, ldapContext);
|
||||
} finally {
|
||||
LdapUtils.closeContext(ldapContext);
|
||||
}
|
||||
} else {
|
||||
roleNames = new HashSet<>();
|
||||
}
|
||||
return buildAuthorizationInfo(roleNames);
|
||||
}
|
||||
|
||||
public boolean isPermissionsLookupEnabled() {
|
||||
return permissionsLookupEnabled;
|
||||
}
|
||||
|
||||
public void setPermissionsLookupEnabled(boolean permissionsLookupEnabled) {
|
||||
this.permissionsLookupEnabled = permissionsLookupEnabled;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user