使用LDAP身份驗證和JDBC授權實現Tomcat領域

我正在使用LDAP服務器僅用於身份驗證並且不包含任何角色的遺留環境，並且針對包含用戶角色映射的數據庫執行授權，但沒有密碼。使用LDAP身份驗證和JDBC授權實現Tomcat領域

我的計劃是通過擴展JNDIRealm並重寫角色方法來調用封裝的JDBCRealm來實現新的Tomcat領域。

我的境界是在server.xml中宣稱：

<Realm className="com.example.LdapJdbcRealm" 
    connectionURL="ldap://ldaphost:389" 
    resourceName="LDAP Auth" 
    userPattern="uid={0}, ou=Portal, dc=example, dc=com" 
    dbConnectionURL="jdbc:oracle:thin:@oracledb:1521:dbname" 
    userTable="db_user" userNameCol="user_id" 
    userRoleTable="db_user_role_xref" roleNameCol="role_id" />

這是JNDIRealm & JDBCRealm的標準屬性名稱的組合，用少許變化，因爲它們都使用的ConnectionURL。

package com.example; 

import org.apache.catalina.Realm; 
import org.apache.catalina.Context; 
import org.apache.catalina.deploy.SecurityConstraint; 
import org.apache.catalina.connector.Request; 
import org.apache.catalina.connector.Response; 
import org.apache.catalina.realm.JNDIRealm; 
import org.apache.catalina.realm.JDBCRealm; 

import java.security.Principal; 
import java.io.IOException; 

public class LdapJdbcRealm extends JNDIRealm implements Realm 
{ 
    private JDBCRealm jdbcRealm = new JDBCRealm(); 

    protected static final String info = "com.example.LdapJdbcRealm/1.0"; 
    protected static final String name = "LdapJdbcRealm"; 

    public String getDbConnectionURL() { 
     return jdbcRealm.getConnectionURL(); 
    } 

    public void setDbConnectionURL(String dbConnectionURL) { 
     jdbcRealm.setConnectionURL(dbConnectionURL); 
    } 

    public String getUserTable() { 
     return jdbcRealm.getUserTable(); 
    } 

    public void setUserTable(String userTable) { 
     jdbcRealm.setUserTable(userTable); 
    } 

    public String getUserNameCol() { 
     return jdbcRealm.getUserNameCol(); 
    } 

    public void setUserNameCol(String userNameCol) { 
     jdbcRealm.setUserNameCol(userNameCol); 
    } 

    public String getUserRoleTable() { 
     return jdbcRealm.getUserRoleTable(); 
    } 

    public void setUserRoleTable(String userRoleTable) { 
     jdbcRealm.setUserRoleTable(userRoleTable); 
    } 

    public String getRoleNameCol() { 
     return jdbcRealm.getRoleNameCol(); 
    } 

    public void setRoleNameCol(String roleNameCol) { 
     jdbcRealm.setRoleNameCol(roleNameCol); 
    } 

    public boolean hasResourcePermission(Request request, 
             Response response, 
             SecurityConstraint[]constraints, 
             Context context) throws IOException 
    { 
     return jdbcRealm.hasResourcePermission(request, response, constraints, context); 
    } 

    public boolean hasRole(Principal principal, String role) { 
     return jdbcRealm.hasRole(principal, role); 
    } 
}

這似乎工作，授權從LDAP返回一個委託人，它沒有預期的角色。同一個委託人輸入hasResourcePermission()並失敗，因爲它沒有要求的角色。很明顯，我錯過了一些關鍵的代碼。

我正在尋找解決方案。我可以嘗試擴展JDBCRealm並添加LDAP身份驗證，但是這看起來像更多的工作。

我也相信這個LDAP認證/ DB授權並不罕見。是否有可用的替代解決方案？

這是而不是在我的控制範圍內添加角色到數據庫的LDAP或密碼，所以這些都不是我的解決方案。

來源

2009-07-16 Greg Chabala

是的，我在Tomcat 6.0.18 – 2009-07-16 16:18:20

你還沒有指定你正在使用的Tomcat版本，所以我在這裏使用6.x。

它看起來像你正在委託hasResourcePermission JDBC，同時把findSecurityConstraints和hasUserDataPermission留在JNDI的手中。您應該委派他們全部或全部都沒有。

更新：JNDIRealm調用protected getRoles(DirContext, User)爲authenticate()方法的一部分。你需要覆蓋它並將其轉發給JDBCRealm的getRoles()。

來源

2009-07-16 16:03:26 ChssPly76

我已經覆蓋findSecurityConstraints（）hasUserDataPermission（）工作雖然JDBCRealm打電話。但是，JDBCRealm的getRoles（）受到保護。你如何建議我打電話？ – 2009-07-16 18:47:21

你有3個選擇：使用反射（'Method.setAccessible（）'將有助於'protected'），將你的領域實現移動到'org.apache.catalina.realm'包中，或者完全放棄JDBCRealm並將你自己的代碼寫入從數據庫中檢索角色）。 – ChssPly76 2009-07-16 19:13:49

轉到包org.apache.catalina.realm工作得很好。我也忽略了指定驅動程序，所以我添加了getter和setter以及DB用戶和密碼。現在一切正常，謝謝。 – 2009-07-17 14:42:55

我仍然收到有關這個問題的電子郵件定期的頻率，所以這裏是所有人使用的最終產品。

LdapJdbcRealm.java

package org.apache.catalina.realm; 

import org.apache.catalina.Realm; 
import org.apache.catalina.Context; 
import org.apache.catalina.connector.Request; 
import org.apache.catalina.connector.Response; 
import org.apache.catalina.deploy.SecurityConstraint; 

import javax.naming.directory.DirContext; 
import java.io.IOException; 
import java.security.Principal; 
import java.util.List; 

/** 
* LdapJdbcRealm is a minimal implementation of a <b>Realm</b> to connect to LDAP 
* for authentication and a database for authorization.<br> 
* <br> 
* Example server.xml configuration fragment:<br> 
* <pre> 
    &lt;Realm className="org.apache.catalina.realm.LdapJdbcRealm" 
     connectionURL="ldap://ldaphost:389" 
     resourceName="LDAP Auth" driverName="oracle.jdbc.driver.OracleDriver" 
     userPattern="uid={0}, ou=Portal, dc=example, dc=com" 
     dbConnectionName="dbuser" dbConnectionPassword="dbpassword" 
     dbConnectionURL="jdbc:oracle:thin:@oracledb:1521:dbname" 
     userTable="users" userNameCol="user_id" 
     userRoleTable="user_role_xref" roleNameCol="role_id" /&gt; 
* </pre> 
* 
* @author Greg Chabala 
* 
* Created by IntelliJ IDEA. 
* User: gchabala 
* Date: Jul 14, 2009 
* Time: 4:56:37 PM 
*/ 
public class LdapJdbcRealm extends JNDIRealm implements Realm 
{ 
    /** 
    * Encapsulated <b>JDBCRealm</b> to do role lookups 
    */ 
    private JDBCRealm jdbcRealm = new JDBCRealm(); 

    /** 
    * Descriptive information about this <b>Realm</b> implementation. 
    */ 
    protected static final String info = "org.apache.catalina.realm.LdapJdbcRealm/1.0"; 

    /** 
    * Descriptive information about this <b>Realm</b> implementation. 
    */ 
    protected static final String name = "LdapJdbcRealm"; 

    /** 
    * Set the all roles mode. 
    * 
    * @param allRolesMode authentication mode 
    */ 
    public void setAllRolesMode(String allRolesMode) { 
     super.setAllRolesMode(allRolesMode); 
     jdbcRealm.setAllRolesMode(allRolesMode); 
    } 

    /** 
    * Return the username to use to connect to the database. 
    * 
    * @return username 
    * @see JDBCRealm#getConnectionName() 
    */ 
    public String getDbConnectionName() { 
     return jdbcRealm.getConnectionName(); 
    } 

    /** 
    * Set the username to use to connect to the database. 
    * 
    * @param dbConnectionName username 
    * @see JDBCRealm#setConnectionName(String) 
    */ 
    public void setDbConnectionName(String dbConnectionName) { 
     jdbcRealm.setConnectionName(dbConnectionName); 
    } 

    /** 
    * Return the password to use to connect to the database. 
    * 
    * @return password 
    * @see JDBCRealm#getConnectionPassword() 
    */ 
    public String getDbConnectionPassword() { 
     return jdbcRealm.getConnectionPassword(); 
    } 

    /** 
    * Set the password to use to connect to the database. 
    * 
    * @param dbConnectionPassword password 
    * @see JDBCRealm#setConnectionPassword(String) 
    */ 
    public void setDbConnectionPassword(String dbConnectionPassword) { 
     jdbcRealm.setConnectionPassword(dbConnectionPassword); 
    } 

    /** 
    * Return the URL to use to connect to the database. 
    * 
    * @return database connection URL 
    * @see JDBCRealm#getConnectionURL() 
    */ 
    public String getDbConnectionURL() { 
     return jdbcRealm.getConnectionURL(); 
    } 

    /** 
    * Set the URL to use to connect to the database. 
    * 
    * @param dbConnectionURL The new connection URL 
    * @see JDBCRealm#setConnectionURL(String) 
    */ 
    public void setDbConnectionURL(String dbConnectionURL) { 
     jdbcRealm.setConnectionURL(dbConnectionURL); 
    } 

    /** 
    * Return the JDBC driver that will be used. 
    * 
    * @return driver classname 
    * @see JDBCRealm#getDriverName() 
    */ 
    public String getDriverName() { 
     return jdbcRealm.getDriverName(); 
    } 

    /** 
    * Set the JDBC driver that will be used. 
    * 
    * @param driverName The driver name 
    * @see JDBCRealm#setDriverName(String) 
    */ 
    public void setDriverName(String driverName) { 
     jdbcRealm.setDriverName(driverName); 
    } 

    /** 
    * Return the table that holds user data.. 
    * 
    * @return table name 
    * @see JDBCRealm#getUserTable() 
    */ 
    public String getUserTable() { 
     return jdbcRealm.getUserTable(); 
    } 

    /** 
    * Set the table that holds user data. 
    * 
    * @param userTable The table name 
    * @see JDBCRealm#setUserTable(String) 
    */ 
    public void setUserTable(String userTable) { 
     jdbcRealm.setUserTable(userTable); 
    } 

    /** 
    * Return the column in the user table that holds the user's name. 
    * 
    * @return username database column name 
    * @see JDBCRealm#getUserNameCol() 
    */ 
    public String getUserNameCol() { 
     return jdbcRealm.getUserNameCol(); 
    } 

    /** 
    * Set the column in the user table that holds the user's name. 
    * 
    * @param userNameCol The column name 
    * @see JDBCRealm#setUserNameCol(String) 
    */ 
    public void setUserNameCol(String userNameCol) { 
     jdbcRealm.setUserNameCol(userNameCol); 
    } 

    /** 
    * Return the table that holds the relation between user's and roles. 
    * 
    * @return user role database table name 
    * @see JDBCRealm#getUserRoleTable() 
    */ 
    public String getUserRoleTable() { 
     return jdbcRealm.getUserRoleTable(); 
    } 

    /** 
    * Set the table that holds the relation between user's and roles. 
    * 
    * @param userRoleTable The table name 
    * @see JDBCRealm#setUserRoleTable(String) 
    */ 
    public void setUserRoleTable(String userRoleTable) { 
     jdbcRealm.setUserRoleTable(userRoleTable); 
    } 

    /** 
    * Return the column in the user role table that names a role. 
    * 
    * @return role column name 
    * @see JDBCRealm#getRoleNameCol() 
    */ 
    public String getRoleNameCol() { 
     return jdbcRealm.getRoleNameCol(); 
    } 

    /** 
    * Set the column in the user role table that names a role. 
    * 
    * @param roleNameCol The column name 
    * @see JDBCRealm#setRoleNameCol(String) 
    */ 
    public void setRoleNameCol(String roleNameCol) { 
     jdbcRealm.setRoleNameCol(roleNameCol); 
    } 

    @Override 
    public SecurityConstraint[] findSecurityConstraints(Request request, Context context) 
    { 
     return jdbcRealm.findSecurityConstraints(request, context); 
    } 

    @Override 
    public boolean hasUserDataPermission(Request request, Response response, 
             SecurityConstraint []constraints) throws IOException 
    { 
     return jdbcRealm.hasUserDataPermission(request, response, constraints); 
    } 

    @Override 
    public boolean hasResourcePermission(Request request, Response response, 
             SecurityConstraint[]constraints, 
             Context context) throws IOException 
    { 
     return jdbcRealm.hasResourcePermission(request, response, constraints, context); 
    } 

    @Override 
    public boolean hasRole(Principal principal, String role) { 
     return jdbcRealm.hasRole(principal, role); 
    } 

    /** 
    * Return a List of roles associated with the given User. If no roles 
    * are associated with this user, a zero-length List is returned. 
    * 
    * @param context unused. JDBC does not need this field. 
    * @param user The User to be checked 
    * @return list of role names 
    * 
    * @see JNDIRealm#getRoles(DirContext, User) 
    * @see JDBCRealm#getRoles(String) 
    */ 
    @Override 
    protected List<String> getRoles(DirContext context, User user) 
    { 
     return jdbcRealm.getRoles(user.username); 
    } 
}

來源

2010-02-23 15:51:30

嗨，我把這個在github上：https://github.com/rasenderhase/nest-tomcat-realms/我很高興爲拉請求。 – andy 2017-06-14 10:55:34

使用LDAP身份驗證和JDBC授權實現Tomcat領域

回答

相關問題