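Java - get permissions from LDAP with shiro

I'm trying to get the user permissions (read, write, browse, ...) for LDAP objects with a Java application using shiro. I don't have much experience with LDAP. For testing purposes I set up a server with Apache Directory Studio. Then I created a domain (dc=testdomain), added a subentry with the "accessControlSubentry" object class, and added the "prescriptiveACI" attribute. Everything works the way it should if I browse the server with Apache DS, and I can connect to the server in my Java application.

To get the permissions I subclassed the ActiveDirectoryRealm from shiro. But I can't manage to make the query return the subentries.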

    private Set<String> getPermissionsForUser(String username, LdapContext ldapContext) throws NamingException {
        Set<String> permissions;
        permissions = new LinkedHashSet<String>();
        SearchControls searchCtls = new SearchControls();
        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        searchCtls.setReturningAttributes(new String[]{"prescriptiveACI"});
        String searchFilter = "(objectClass=subentry)";
        String searchBase = "dc=testdomain";
        NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchCtls);
        while (answer.hasMoreElements()) {
            SearchResult sr = (SearchResult) answer.next();
            if (log.isDebugEnabled()) {
                log.debug("Retrieving permissions for user [" + sr.getName() + "]");
            }
            Attributes attrs = sr.getAttributes();
            if (attrs != null) {
                NamingEnumeration ae = attrs.getAll();
                while (ae.hasMore()) {
                    Attribute attr = (Attribute) ae.next();
                    if (attr.getID().equals("prescriptiveACI")) {
                        if (log.isDebugEnabled()) {
                            log.debug("Permissions found");
                        }
                    }
                }
            }
        }
        return permissions;
    }

When I change the searchFilter to "(objectClass=*)" I get all the OrganisationUnits in the domain. But I can't seem to find the subentry objects with the prescriptiveACI attribute that I need.

Here is the content of my Shiro.ini file:

    activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealmPermissions
    activeDirectoryRealm.systemUsername = uid=admin,ou=system
    activeDirectoryRealm.systemPassword = secret
    activeDirectoryRealm.url = ldap://localhost:10389
    activeDirectoryRealm.searchBase = ""

How can I make the search query subentries? Or is there a better/alternative way to get the permissions from the LDAP server?
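
One way to make a JNDI search return subentries, as an added example that is not part of the original post: attach the subentries request control from RFC 3672 to the context before searching. The class and method names are hypothetical, and the code assumes the server supports that control and that the bound user may read the ACI attribute.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;

// Hypothetical helper, not Shiro or ApacheDS code.
public final class SubentryAciReader {
    // Subentries control (RFC 3672); its value is a BER-encoded BOOLEAN TRUE,
    // which makes subentries visible and hides normal entries for this search.
    static final String SUBENTRIES_OID = "1.3.6.1.4.1.4203.1.10.1";
    static final byte[] BER_TRUE = {0x01, 0x01, (byte) 0xFF};

    static Set<String> readPrescriptiveAci(LdapContext ctx, String searchBase)
            throws NamingException {
        Set<String> aciItems = new LinkedHashSet<>();
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // Request the attribute by name so it is returned even if operational.
        sc.setReturningAttributes(new String[] {"prescriptiveACI"});

        Control[] previous = ctx.getRequestControls();
        ctx.setRequestControls(new Control[] {
            new BasicControl(SUBENTRIES_OID, true, BER_TRUE)});
        try {
            NamingEnumeration<SearchResult> results =
                ctx.search(searchBase, "(objectClass=accessControlSubentry)", sc);
            try {
                while (results.hasMore()) {
                    Attribute aci = results.next().getAttributes().get("prescriptiveACI");
                    if (aci == null) continue;
                    NamingEnumeration<?> values = aci.getAll();
                    while (values.hasMore()) aciItems.add(String.valueOf(values.next()));
                }
            } finally {
                results.close();
            }
        } finally {
            ctx.setRequestControls(previous); // do not leak the control into later searches
        }
        return aciItems;
    }
}
```

The returned strings are raw ACIItem values as stored in the directory; turning them into Shiro permission strings is a separate mapping step that this example does not attempt.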