Class JNDIRealm
- All Implemented Interfaces:
- MBeanRegistration,- Contained,- JmxEnabled,- Lifecycle,- Realm
Implementation of Realm that works with a directory server accessed via the Java Naming and Directory Interface (JNDI) APIs. The following constraints are imposed on the data structure in the underlying directory server:
- Each user that can be authenticated is represented by an individual element in the top level
 DirContextthat is accessed via theconnectionURLproperty.
- If a socket connection cannot be made to the connectURLan attempt will be made to use thealternateURLif it exists.
- Each user element has a distinguished name that can be formed by substituting the presented username into a
 pattern configured by the userPatternproperty.
- Alternatively, if the userPatternproperty is not specified, a unique element can be located by searching the directory context. In this case:- The userSearchpattern specifies the search filter after substitution of the username.
- The userBaseproperty can be set to the element that is the base of the subtree containing users. If not specified, the search base is the top-level context.
- The userSubtreeproperty can be set totrueif you wish to search the entire subtree of the directory context. The default value offalserequests a search of only the current level.
 
- The 
- The user may be authenticated by binding to the directory with the username and password presented. This method
 is used when the userPasswordproperty is not specified.
- The user may be authenticated by retrieving the value of an attribute from the directory and comparing it
 explicitly with the value presented by the user. This method is used when the userPasswordproperty is specified, in which case:- The element for this user must contain an attribute named by the userPasswordproperty.
- The value of the user password attribute is either a cleartext String, or the result of passing a cleartext
 String through the RealmBase.digest()method (using the standard digest support included inRealmBase).
- The user is considered to be authenticated if the presented credentials (after being passed through
 RealmBase.digest()) are equal to the retrieved value for the user password attribute.
 
- The element for this user must contain an attribute named by the 
- Each group of users that has been assigned a particular role may be represented by an individual element in the
 top level DirContextthat is accessed via theconnectionURLproperty. This element has the following characteristics:- The set of all possible groups of interest can be selected by a search pattern configured by the
 roleSearchproperty.
- The roleSearchpattern optionally includes pattern replacements "{0}" for the distinguished name, and/or "{1}" for the username, and/or "{2}" the value of an attribute from the user's directory entry (the attribute is specified by theuserRoleAttributeproperty), of the authenticated user for which roles will be retrieved.
- The roleBaseproperty can be set to the element that is the base of the search for matching roles. If not specified, the entire context will be searched.
- The roleSubtreeproperty can be set totrueif you wish to search the entire subtree of the directory context. The default value offalserequests a search of only the current level.
- The element includes an attribute (whose name is configured by the roleNameproperty) containing the name of the role represented by this element.
 
- The set of all possible groups of interest can be selected by a search pattern configured by the
 
- In addition, roles may be represented by the values of an attribute in the user's element whose name is
 configured by the userRoleNameproperty.
- A default role can be assigned to each user that was successfully authenticated by setting the
 commonRoleproperty to the name of this role. The role doesn't have to exist in the directory.
- If the directory server contains nested roles, you can search for them by setting roleNestedtotrue. The default value isfalse, so role searches will not find nested roles.
- Note that the standard <security-role-ref>element in the web application deployment descriptor allows applications to refer to roles programmatically by names other than those used in the directory server itself.
WARNING - There is a reported bug against the Netscape provider code (com.netscape.jndi.ldap.LdapContextFactory) with respect to successfully authenticated a non-existing user. The report is here: https://bz.apache.org/bugzilla/show_bug.cgi?id=11210 . With luck, Netscape has updated their provider code and this is not an issue.
- Author:
- John Holman, Craig R. McClanahan
- 
Nested Class SummaryNested ClassesModifier and TypeClassDescriptionprotected static classClass holding the connection to the directory plus the associated non thread safe message formats.protected static classA protected class representing a UserNested classes/interfaces inherited from class org.apache.catalina.realm.RealmBaseRealmBase.AllRolesModeNested classes/interfaces inherited from interface org.apache.catalina.LifecycleLifecycle.SingleUse
- 
Field SummaryFieldsModifier and TypeFieldDescriptionprotected booleanShould we ignore PartialResultExceptions when iterating over NamingEnumerations?protected StringAn alternate URL, to which, we should connect if connectionURL fails.protected StringThe type of authentication to useprotected StringAdd this role to every authenticated userprotected intThe number of connection attempts.protected StringThe connection username for the server we will contact.protected StringThe connection password for the server we will contact.protected SynchronizedStack<JNDIRealm.JNDIConnection> Connection pool.protected intThe pool size limit.protected StringThe timeout, in milliseconds, to use when trying to create a connection to the directory.protected StringThe connection URL for the server we will contact.protected StringThe JNDI context factory used to acquire our InitialContext.static final StringConstant that holds the name of the environment property for specifying the manner in which aliases should be dereferenced.protected StringHow aliases should be dereferenced during search operations.protected StringThe protocol that will be used in the communication with the directory server.protected StringThe timeout, in milliseconds, to use when trying to read from a connection to the directory.protected StringHow should we handle referrals?protected StringThe base element for role searches.protected StringThe name of the attribute containing roles held elsewhereprotected booleanShould we look for nested group in order to determine roles?protected StringThe message format used to select roles for a user, with "{0}" marking the spot where the distinguished name of the user goes.protected booleanWhen searching for user roles, should the search be performed as the user currently being authenticated?protected booleanShould we search the entire subtree for matching memberships?protected JNDIRealm.JNDIConnectionNon pooled connection to our directory server.protected final LockThe lock to ensure single connection thread safety.protected longThe sizeLimit (also known as the countLimit) to use when the realm is configured withuserSearch.protected StringThe QOP that should be used for the connection to the LDAP server after authentication.protected intThe timeLimit (in milliseconds) to use when the realm is configured withuserSearch.protected booleanWhether to use context ClassLoader or default ClassLoader.protected booleanShould delegated credentials from the SPNEGO authenticator be used if availableprotected StringThe base element for user searches.protected StringThe attribute name used to retrieve the user password.protected StringThe message format used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.protected String[]A string of LDAP user patterns or paths, ":"-separated These will be used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.protected StringThe name of the attribute inside the users directory entry where the value will be taken to search for roles This attribute is not used during a nested searchprotected StringThe name of an attribute in the user's entry containing roles for that userprotected StringThe message format used to search for a user, with "{0}" marking the spot where the username goes.protected booleanShould we search the entire subtree for matching users?Fields inherited from class org.apache.catalina.realm.RealmBaseallRolesMode, container, containerLog, realmPath, sm, stripRealmForGss, support, USER_ATTRIBUTES_DELIMITER, USER_ATTRIBUTES_WILDCARD, userAttributes, userAttributesList, validate, x509UsernameRetriever, x509UsernameRetrieverClassNameFields inherited from interface org.apache.catalina.LifecycleAFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
- 
Constructor SummaryConstructors
- 
Method SummaryModifier and TypeMethodDescriptionauthenticate(String username) Try to authenticate with the specified username.authenticate(String username, String credentials) Try to authenticate using the specified username and credentials.authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realm, String digestA2, String algorithm) Try to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 7616.authenticate(X509Certificate[] certs) Try to authenticate using a chain ofX509Certificates.authenticate(JNDIRealm.JNDIConnection connection, String username, String credentials) Return the Principal associated with the specified username and credentials, if there is one; otherwise returnnull.authenticate(GSSContext gssContext, boolean storeCred) Try to authenticate using aGSSContext.authenticate(GSSName gssName, GSSCredential gssCredential) Try to authenticate using aGSSName.protected booleanbindAsUser(DirContext context, JNDIRealm.User user, String credentials) Check credentials by binding to the directory as the userprotected booleancheckCredentials(DirContext context, JNDIRealm.User user, String credentials) Check whether the given User can be authenticated with the given credentials.protected voidclose(JNDIRealm.JNDIConnection connection) Close any open connection to the directory server for this Realm.protected voidClose all pooled connections.protected booleancompareCredentials(DirContext context, JNDIRealm.User info, String credentials) Check whether the credentials presented by the user match those retrieved from the directory.protected static StringconvertToHexEscape(String input) protected JNDIRealm.JNDIConnectioncreate()Create a new connection wrapper, along with the message formats.protected StringdoAttributeValueEscaping(String input) Implements the necessary escaping to represent an attribute value as a String as per RFC 4514.protected StringdoFilterEscaping(String inString) Given an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines.protected JNDIRealm.JNDIConnectionget()Open (if necessary) and return a connection to the configured directory server for this Realm.booleanGetter for property alternateURL.intCreate our directory context configuration.protected StringgetDistinguishedName(DirContext context, String base, SearchResult result) Returns the distinguished name of a search result.booleanprotected StringgetPassword(String username) Get the password for the specified user.protected PrincipalgetPrincipal(String username) Get the principal associated with the specified user.protected PrincipalgetPrincipal(String username, GSSCredential gssCredential) protected PrincipalgetPrincipal(JNDIRealm.JNDIConnection connection, String username, GSSCredential gssCredential) Get the principal associated with the specified user name.protected PrincipalgetPrincipal(GSSName gssName, GSSCredential gssCredential) Get the principal associated with the specifiedGSSName.booleangetRoles(JNDIRealm.JNDIConnection connection, JNDIRealm.User user) Return a List of roles associated with the given User.booleanlongintprotected JNDIRealm.UsergetUser(JNDIRealm.JNDIConnection connection, String username) Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.protected JNDIRealm.UsergetUser(JNDIRealm.JNDIConnection connection, String username, String credentials) Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.protected JNDIRealm.UsergetUser(JNDIRealm.JNDIConnection connection, String username, String credentials, int curUserPattern) Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.protected JNDIRealm.UsergetUserByPattern(DirContext context, String username, String[] attrIds, String dn) Use the distinguished name to locate the directory entry for the user with the specified username and return a User object; otherwise returnnull.protected JNDIRealm.UsergetUserByPattern(JNDIRealm.JNDIConnection connection, String username, String credentials, String[] attrIds, int curUserPattern) Use theUserPatternconfiguration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise returnnull.protected JNDIRealm.UsergetUserBySearch(JNDIRealm.JNDIConnection connection, String username, String[] attrIds) Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.booleanbooleanbooleanReturn the availability of the realm for authentication.booleanbooleanReturns whether to use the context or default ClassLoader.booleanbooleanprotected voidopen(JNDIRealm.JNDIConnection connection) Create a new connection to the directory server.protected String[]parseUserPatternString(String userPatternString) Given a string containing LDAP patterns for user locations (separated by parentheses in a pseudo-LDAP search string format - "(location1)(location2)", returns an array of those paths.protected voidrelease(JNDIRealm.JNDIConnection connection) Release our use of this connection so that it can be recycled.voidsetAdCompat(boolean adCompat) How do we handle PartialResultExceptions?voidsetAlternateURL(String alternateURL) Setter for property alternateURL.voidsetAuthentication(String authentication) Set the type of authentication to use.voidsetCipherSuites(String suites) Set the allowed cipher suites when opening a connection using StartTLS.voidsetCommonRole(String commonRole) Set the common rolevoidsetConnectionName(String connectionName) Set the connection username for this Realm.voidsetConnectionPassword(String connectionPassword) Set the connection password for this Realm.voidsetConnectionPoolSize(int connectionPoolSize) Set the connection pool sizevoidsetConnectionTimeout(String timeout) Set the connection timeout.voidsetConnectionURL(String connectionURL) Set the connection URL for this Realm.voidsetContextFactory(String contextFactory) Set the JNDI context factory for this Realm.voidsetDerefAliases(String derefAliases) Set the value for derefAliases to be used when searching the directory.voidsetForceDnHexEscape(boolean forceDnHexEscape) voidsetHostnameVerifierClassName(String verifierClassName) Set theHostnameVerifierto be used when opening connections using StartTLS.voidsetProtocol(String protocol) Set the protocol for this Realm.voidsetReadTimeout(String timeout) Set the read timeout.voidsetReferrals(String referrals) How do we handle JNDI referrals?voidsetRoleBase(String roleBase) Set the base element for role searches.voidsetRoleName(String roleName) Set the role name attribute name for this Realm.voidsetRoleNested(boolean roleNested) Set the "search subtree for roles" flag.voidsetRoleSearch(String roleSearch) Set the message format pattern for selecting roles in this Realm.voidsetRoleSearchAsUser(boolean roleSearchAsUser) voidsetRoleSubtree(boolean roleSubtree) Set the "search subtree for roles" flag.voidsetSizeLimit(long sizeLimit) voidsetSpnegoDelegationQop(String spnegoDelegationQop) voidsetSslProtocol(String protocol) Set the ssl protocol to be used for connections using StartTLS.voidsetSslSocketFactoryClassName(String factoryClassName) Set theSSLSocketFactoryto be used when opening connections using StartTLS.voidsetTimeLimit(int timeLimit) voidsetUseContextClassLoader(boolean useContext) Sets whether to use the context or default ClassLoader.voidsetUseDelegatedCredential(boolean useDelegatedCredential) voidsetUserBase(String userBase) Set the base element for user searches.voidsetUserPassword(String userPassword) Set the password attribute used to retrieve the user password.voidsetUserPattern(String userPattern) Set the message format pattern for selecting users in this Realm.voidsetUserRoleAttribute(String userRoleAttribute) voidsetUserRoleName(String userRoleName) Set the user role name attribute name for this Realm.voidsetUserSearch(String userSearch) Set the message format pattern for selecting users in this Realm.voidsetUserSearchAsUser(boolean userSearchAsUser) voidsetUserSubtree(boolean userSubtree) Set the "search subtree for users" flag.voidsetUseStartTls(boolean useStartTls) Flag whether StartTLS should be used when connecting to the ldap serverprotected voidPrepare for the beginning of active use of the public methods of this component and implement the requirements ofLifecycleBase.startInternal().protected voidGracefully terminate the active use of the public methods of this component and implement the requirements ofLifecycleBase.stopInternal().Methods inherited from class org.apache.catalina.realm.RealmBaseaddPropertyChangeListener, authenticate, backgroundProcess, findSecurityConstraints, getAllRolesMode, getContainer, getCredentialHandler, getDigest, getDigest, getDomainInternal, getObjectNameKeyProperties, getPrincipal, getPrincipal, getRealmPath, getRealmSuffix, getServer, getTransportGuaranteeRedirectStatus, getUserAttributes, getValidate, getX509UsernameRetrieverClassName, hasMessageDigest, hasResourcePermission, hasRole, hasRoleInternal, hasUserDataPermission, initInternal, isStripRealmForGss, main, parseUserAttributes, removePropertyChangeListener, setAllRolesMode, setContainer, setCredentialHandler, setRealmPath, setStripRealmForGss, setTransportGuaranteeRedirectStatus, setUserAttributes, setValidate, setX509UsernameRetrieverClassName, toStringMethods inherited from class org.apache.catalina.util.LifecycleMBeanBasedestroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregisterMethods inherited from class org.apache.catalina.util.LifecycleBaseaddLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
- 
Field Details- 
DEREF_ALIASESConstant that holds the name of the environment property for specifying the manner in which aliases should be dereferenced.- See Also:
 
- 
authenticationThe type of authentication to use
- 
connectionNameThe connection username for the server we will contact.
- 
connectionPasswordThe connection password for the server we will contact.
- 
connectionURLThe connection URL for the server we will contact.
- 
contextFactoryThe JNDI context factory used to acquire our InitialContext. By default, assumes use of an LDAP server using the standard JNDI LDAP provider.
- 
derefAliasesHow aliases should be dereferenced during search operations.
- 
protocolThe protocol that will be used in the communication with the directory server.
- 
adCompatprotected boolean adCompatShould we ignore PartialResultExceptions when iterating over NamingEnumerations? Microsoft Active Directory often returns referrals, which lead to PartialResultExceptions. Unfortunately there's no stable way to detect, if the Exceptions really come from an AD referral. Set to true to ignore PartialResultExceptions.
- 
referralsHow should we handle referrals? Microsoft Active Directory often returns referrals. If you need to follow them set referrals to "follow". Caution: if your DNS is not part of AD, the LDAP client lib might try to resolve your domain name in DNS to find another LDAP server.
- 
userBaseThe base element for user searches.
- 
userSearchThe message format used to search for a user, with "{0}" marking the spot where the username goes.
- 
userSubtreeprotected boolean userSubtreeShould we search the entire subtree for matching users?
- 
userPasswordThe attribute name used to retrieve the user password.
- 
userRoleAttributeThe name of the attribute inside the users directory entry where the value will be taken to search for roles This attribute is not used during a nested search
- 
userPatternArrayA string of LDAP user patterns or paths, ":"-separated These will be used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes. This is similar to userPattern, but allows for multiple searches for a user.
- 
userPatternThe message format used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.
- 
roleBaseThe base element for role searches.
- 
userRoleNameThe name of an attribute in the user's entry containing roles for that user
- 
roleNameThe name of the attribute containing roles held elsewhere
- 
roleSearchThe message format used to select roles for a user, with "{0}" marking the spot where the distinguished name of the user goes. The "{1}" and "{2}" are described in the Configuration Reference.
- 
roleSubtreeprotected boolean roleSubtreeShould we search the entire subtree for matching memberships?
- 
roleNestedprotected boolean roleNestedShould we look for nested group in order to determine roles?
- 
roleSearchAsUserprotected boolean roleSearchAsUserWhen searching for user roles, should the search be performed as the user currently being authenticated? If false,connectionNameandconnectionPasswordwill be used if specified, else an anonymous connection will be used.
- 
alternateURLAn alternate URL, to which, we should connect if connectionURL fails.
- 
connectionAttemptprotected int connectionAttemptThe number of connection attempts. If greater than zero we use the alternate url.
- 
commonRoleAdd this role to every authenticated user
- 
connectionTimeoutThe timeout, in milliseconds, to use when trying to create a connection to the directory. The default is 5000 (5 seconds).
- 
readTimeoutThe timeout, in milliseconds, to use when trying to read from a connection to the directory. The default is 5000 (5 seconds).
- 
sizeLimitprotected long sizeLimitThe sizeLimit (also known as the countLimit) to use when the realm is configured withuserSearch. Zero for no limit.
- 
timeLimitprotected int timeLimitThe timeLimit (in milliseconds) to use when the realm is configured withuserSearch. Zero for no limit.
- 
useDelegatedCredentialprotected boolean useDelegatedCredentialShould delegated credentials from the SPNEGO authenticator be used if available
- 
spnegoDelegationQopThe QOP that should be used for the connection to the LDAP server after authentication. This value is used to set thejavax.security.sasl.qopenvironment property for the LDAP connection.
- 
singleConnectionNon pooled connection to our directory server.
- 
singleConnectionLockThe lock to ensure single connection thread safety.
- 
connectionPoolConnection pool.
- 
connectionPoolSizeprotected int connectionPoolSizeThe pool size limit. If 1, pooling is not used.
- 
useContextClassLoaderprotected boolean useContextClassLoaderWhether to use context ClassLoader or default ClassLoader. True means use context ClassLoader, and True is the default value.
 
- 
- 
Constructor Details- 
JNDIRealmpublic JNDIRealm()
 
- 
- 
Method Details- 
getForceDnHexEscapepublic boolean getForceDnHexEscape()
- 
setForceDnHexEscapepublic void setForceDnHexEscape(boolean forceDnHexEscape) 
- 
getAuthentication- Returns:
- the type of authentication to use.
 
- 
setAuthenticationSet the type of authentication to use.- Parameters:
- authentication- The authentication
 
- 
getConnectionName- Returns:
- the connection username for this Realm.
 
- 
setConnectionNameSet the connection username for this Realm.- Parameters:
- connectionName- The new connection username
 
- 
getConnectionPassword- Returns:
- the connection password for this Realm.
 
- 
setConnectionPasswordSet the connection password for this Realm.- Parameters:
- connectionPassword- The new connection password
 
- 
getConnectionURL- Returns:
- the connection URL for this Realm.
 
- 
setConnectionURLSet the connection URL for this Realm.- Parameters:
- connectionURL- The new connection URL
 
- 
getContextFactory- Returns:
- the JNDI context factory for this Realm.
 
- 
setContextFactorySet the JNDI context factory for this Realm.- Parameters:
- contextFactory- The new context factory
 
- 
getDerefAliases- Returns:
- the derefAliases setting to be used.
 
- 
setDerefAliasesSet the value for derefAliases to be used when searching the directory.- Parameters:
- derefAliases- New value of property derefAliases.
 
- 
getProtocol- Returns:
- the protocol to be used.
 
- 
setProtocolSet the protocol for this Realm.- Parameters:
- protocol- The new protocol.
 
- 
getAdCompatpublic boolean getAdCompat()- Returns:
- the current settings for handling PartialResultExceptions
 
- 
setAdCompatpublic void setAdCompat(boolean adCompat) How do we handle PartialResultExceptions? True: ignore all PartialResultExceptions.- Parameters:
- adCompat-- trueto ignore partial results
 
- 
getReferrals- Returns:
- the current settings for handling JNDI referrals.
 
- 
setReferralsHow do we handle JNDI referrals? ignore, follow, or throw (see javax.naming.Context.REFERRAL for more information).- Parameters:
- referrals- The referral handling
 
- 
getUserBase- Returns:
- the base element for user searches.
 
- 
setUserBaseSet the base element for user searches.- Parameters:
- userBase- The new base element
 
- 
getUserSearch- Returns:
- the message format pattern for selecting users in this Realm.
 
- 
setUserSearchSet the message format pattern for selecting users in this Realm.- Parameters:
- userSearch- The new user search pattern
 
- 
isUserSearchAsUserpublic boolean isUserSearchAsUser()
- 
setUserSearchAsUserpublic void setUserSearchAsUser(boolean userSearchAsUser) 
- 
getUserSubtreepublic boolean getUserSubtree()- Returns:
- the "search subtree for users" flag.
 
- 
setUserSubtreepublic void setUserSubtree(boolean userSubtree) Set the "search subtree for users" flag.- Parameters:
- userSubtree- The new search flag
 
- 
getUserRoleName- Returns:
- the user role name attribute name for this Realm.
 
- 
setUserRoleNameSet the user role name attribute name for this Realm.- Parameters:
- userRoleName- The new userRole name attribute name
 
- 
getRoleBase- Returns:
- the base element for role searches.
 
- 
setRoleBaseSet the base element for role searches.- Parameters:
- roleBase- The new base element
 
- 
getRoleName- Returns:
- the role name attribute name for this Realm.
 
- 
setRoleNameSet the role name attribute name for this Realm.- Parameters:
- roleName- The new role name attribute name
 
- 
getRoleSearch- Returns:
- the message format pattern for selecting roles in this Realm.
 
- 
setRoleSearchSet the message format pattern for selecting roles in this Realm.- Parameters:
- roleSearch- The new role search pattern
 
- 
isRoleSearchAsUserpublic boolean isRoleSearchAsUser()
- 
setRoleSearchAsUserpublic void setRoleSearchAsUser(boolean roleSearchAsUser) 
- 
getRoleSubtreepublic boolean getRoleSubtree()- Returns:
- the "search subtree for roles" flag.
 
- 
setRoleSubtreepublic void setRoleSubtree(boolean roleSubtree) Set the "search subtree for roles" flag.- Parameters:
- roleSubtree- The new search flag
 
- 
getRoleNestedpublic boolean getRoleNested()- Returns:
- the "The nested group search flag" flag.
 
- 
setRoleNestedpublic void setRoleNested(boolean roleNested) Set the "search subtree for roles" flag.- Parameters:
- roleNested- The nested group search flag
 
- 
getUserPassword- Returns:
- the password attribute used to retrieve the user password.
 
- 
setUserPasswordSet the password attribute used to retrieve the user password.- Parameters:
- userPassword- The new password attribute
 
- 
getUserRoleAttribute
- 
setUserRoleAttribute
- 
getUserPattern- Returns:
- the message format pattern for selecting users in this Realm.
 
- 
setUserPatternSet the message format pattern for selecting users in this Realm. This may be one simple pattern, or multiple patterns to be tried, separated by parentheses. (for example, either "cn={0}", or "(cn={0})(cn={0},o=myorg)" Full LDAP search strings are also supported, but only the "OR", "|" syntax, so "(|(cn={0})(cn={0},o=myorg))" is also valid. Complex search strings with &, etc are NOT supported.- Parameters:
- userPattern- The new user pattern
 
- 
getAlternateURLGetter for property alternateURL.- Returns:
- Value of property alternateURL.
 
- 
setAlternateURLSetter for property alternateURL.- Parameters:
- alternateURL- New value of property alternateURL.
 
- 
getCommonRole- Returns:
- the common role
 
- 
setCommonRoleSet the common role- Parameters:
- commonRole- The common role
 
- 
getConnectionTimeout- Returns:
- the connection timeout.
 
- 
setConnectionTimeoutSet the connection timeout.- Parameters:
- timeout- The new connection timeout
 
- 
getReadTimeout- Returns:
- the read timeout.
 
- 
setReadTimeoutSet the read timeout.- Parameters:
- timeout- The new read timeout
 
- 
getSizeLimitpublic long getSizeLimit()
- 
setSizeLimitpublic void setSizeLimit(long sizeLimit) 
- 
getTimeLimitpublic int getTimeLimit()
- 
setTimeLimitpublic void setTimeLimit(int timeLimit) 
- 
isUseDelegatedCredentialpublic boolean isUseDelegatedCredential()
- 
setUseDelegatedCredentialpublic void setUseDelegatedCredential(boolean useDelegatedCredential) 
- 
getSpnegoDelegationQop
- 
setSpnegoDelegationQop
- 
getUseStartTlspublic boolean getUseStartTls()- Returns:
- flag whether to use StartTLS for connections to the ldap server
 
- 
setUseStartTlspublic void setUseStartTls(boolean useStartTls) Flag whether StartTLS should be used when connecting to the ldap server- Parameters:
- useStartTls-- truewhen StartTLS should be used. Default is- false.
 
- 
setCipherSuitesSet the allowed cipher suites when opening a connection using StartTLS. The cipher suites are expected as a comma separated list.- Parameters:
- suites- comma separated list of allowed cipher suites
 
- 
getConnectionPoolSizepublic int getConnectionPoolSize()- Returns:
- the connection pool size, or the default value 1 if pooling is disabled
 
- 
setConnectionPoolSizepublic void setConnectionPoolSize(int connectionPoolSize) Set the connection pool size- Parameters:
- connectionPoolSize- the new pool size
 
- 
getHostnameVerifierClassName- Returns:
- name of the HostnameVerifierclass used for connections using StartTLS, or the empty string, if the default verifier should be used.
 
- 
setHostnameVerifierClassNameSet theHostnameVerifierto be used when opening connections using StartTLS. An instance of the given class name will be constructed using the default constructor.- Parameters:
- verifierClassName- class name of the- HostnameVerifierto be constructed
 
- 
getHostnameVerifier- Returns:
- the HostnameVerifierto use for peer certificate verification when opening connections using StartTLS.
 
- 
setSslSocketFactoryClassNameSet theSSLSocketFactoryto be used when opening connections using StartTLS. An instance of the factory with the given name will be created using the default constructor. The SSLSocketFactory can also be set usingsetSslProtocol(String).- Parameters:
- factoryClassName- class name of the factory to be constructed
 
- 
setSslProtocolSet the ssl protocol to be used for connections using StartTLS.- Parameters:
- protocol- one of the allowed ssl protocol names
 
- 
setUseContextClassLoaderpublic void setUseContextClassLoader(boolean useContext) Sets whether to use the context or default ClassLoader. True means use context ClassLoader.- Parameters:
- useContext- True means use context ClassLoader
 
- 
isUseContextClassLoaderpublic boolean isUseContextClassLoader()Returns whether to use the context or default ClassLoader. True means to use the context ClassLoader.- Returns:
- The value of useContextClassLoader
 
- 
authenticateTry to authenticate using the specified username and credentials.If there are any errors with the JNDI connection, executing the query or anything we return null (don't authenticate). This event is also logged, and the connection will be closed so that a subsequent request will automatically re-open it. - Specified by:
- authenticatein interface- Realm
- Overrides:
- authenticatein class- RealmBase
- Parameters:
- username- Username of the Principal to look up
- credentials- Password or other credentials to use in authenticating this username
- Returns:
- the associated principal, or nullif there is none
 
- 
authenticatepublic Principal authenticate(JNDIRealm.JNDIConnection connection, String username, String credentials) throws NamingException Return the Principal associated with the specified username and credentials, if there is one; otherwise returnnull.- Parameters:
- connection- The directory context
- username- Username of the Principal to look up
- credentials- Password or other credentials to use in authenticating this username
- Returns:
- the associated principal, or nullif there is none.
- Throws:
- NamingException- if a directory server error occurs
 
- 
authenticateDescription copied from interface:RealmTry to authenticate with the specified username.- Specified by:
- authenticatein interface- Realm
- Overrides:
- authenticatein class- RealmBase
- Parameters:
- username- Username of the Principal to look up
- Returns:
- the associated principal, or nullif none is associated.
 
- 
authenticatepublic Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realm, String digestA2, String algorithm) Description copied from interface:RealmTry to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 7616.The default implementation calls Realm.authenticate(String, String, String, String, String, String, String, String)for backwards compatibility which effectively forces the use of MD5 regardless of the algorithm specified in the call to this method.Implementations are expected to override the default implementation and take account of the algorithm parameter. - Specified by:
- authenticatein interface- Realm
- Overrides:
- authenticatein class- RealmBase
- Parameters:
- username- Username of the Principal to look up
- clientDigest- Digest which has been submitted by the client
- nonce- Unique (or supposedly unique) token which has been used for this request
- nc- the nonce counter
- cnonce- the client chosen nonce
- qop- the "quality of protection" (- ncand- cnoncewill only be used, if- qopis not- null).
- realm- Realm name
- digestA2- Second digest calculated as digest(Method + ":" + uri)
- algorithm- The message digest algorithm to use
- Returns:
- the associated principal, or nullif there is none.
 
- 
authenticateDescription copied from interface:RealmTry to authenticate using a chain ofX509Certificates.- Specified by:
- authenticatein interface- Realm
- Overrides:
- authenticatein class- RealmBase
- Parameters:
- certs- Array of client certificates, with the first one in the array being the certificate of the client itself.
- Returns:
- the associated principal, or nullif there is none
 
- 
authenticateDescription copied from interface:RealmTry to authenticate using aGSSContext.- Specified by:
- authenticatein interface- Realm
- Overrides:
- authenticatein class- RealmBase
- Parameters:
- gssContext- The gssContext processed by the- Authenticator.
- storeCred- Should the realm attempt to store the delegated credentials in the returned Principal?
- Returns:
- the associated principal, or nullif there is none
 
- 
authenticateDescription copied from interface:RealmTry to authenticate using aGSSName.- Specified by:
- authenticatein interface- Realm
- Overrides:
- authenticatein class- RealmBase
- Parameters:
- gssName- The- GSSNameof the principal to look up
- gssCredential- The- GSSCredentialof the principal, may be- null
- Returns:
- the associated principal, or nullif there is none
 
- 
getUserprotected JNDIRealm.User getUser(JNDIRealm.JNDIConnection connection, String username) throws NamingException Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.- Parameters:
- connection- The directory context
- username- Username to be looked up
- Returns:
- the User object
- Throws:
- NamingException- if a directory server error occurs
- See Also:
 
- 
getUserprotected JNDIRealm.User getUser(JNDIRealm.JNDIConnection connection, String username, String credentials) throws NamingException Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.- Parameters:
- connection- The directory context
- username- Username to be looked up
- credentials- User credentials (optional)
- Returns:
- the User object
- Throws:
- NamingException- if a directory server error occurs
- See Also:
 
- 
getUserprotected JNDIRealm.User getUser(JNDIRealm.JNDIConnection connection, String username, String credentials, int curUserPattern) throws NamingException Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull. If theuserPasswordconfiguration attribute is specified, the value of that attribute is retrieved from the user's directory entry. If theuserRoleNameconfiguration attribute is specified, all values of that attribute are retrieved from the directory entry.- Parameters:
- connection- The directory context
- username- Username to be looked up
- credentials- User credentials (optional)
- curUserPattern- Index into userPatternFormatArray
- Returns:
- the User object
- Throws:
- NamingException- if a directory server error occurs
 
- 
getUserByPatternprotected JNDIRealm.User getUserByPattern(DirContext context, String username, String[] attrIds, String dn) throws NamingException Use the distinguished name to locate the directory entry for the user with the specified username and return a User object; otherwise returnnull.- Parameters:
- context- The directory context
- username- The username
- attrIds- String[]containing names of attributes to
- dn- Distinguished name of the user retrieve.
- Returns:
- the User object
- Throws:
- NamingException- if a directory server error occurs
 
- 
getUserByPatternprotected JNDIRealm.User getUserByPattern(JNDIRealm.JNDIConnection connection, String username, String credentials, String[] attrIds, int curUserPattern) throws NamingException Use theUserPatternconfiguration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise returnnull.- Parameters:
- connection- The directory context
- username- The username
- credentials- User credentials (optional)
- attrIds- String[]containing names of attributes to
- curUserPattern- Index into userPatternFormatArray
- Returns:
- the User object
- Throws:
- NamingException- if a directory server error occurs
- See Also:
 
- 
getUserBySearchprotected JNDIRealm.User getUserBySearch(JNDIRealm.JNDIConnection connection, String username, String[] attrIds) throws NamingException Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.- Parameters:
- connection- The directory context
- username- The username
- attrIds- String[]containing names of attributes to retrieve.
- Returns:
- the User object
- Throws:
- NamingException- if a directory server error occurs
 
- 
checkCredentialsprotected boolean checkCredentials(DirContext context, JNDIRealm.User user, String credentials) throws NamingException Check whether the given User can be authenticated with the given credentials. If theuserPasswordconfiguration attribute is specified, the credentials previously retrieved from the directory are compared explicitly with those presented by the user. Otherwise the presented credentials are checked by binding to the directory as the user.- Parameters:
- context- The directory context
- user- The User to be authenticated
- credentials- The credentials presented by the user
- Returns:
- trueif the credentials are validated
- Throws:
- NamingException- if a directory server error occurs
 
- 
compareCredentialsprotected boolean compareCredentials(DirContext context, JNDIRealm.User info, String credentials) throws NamingException Check whether the credentials presented by the user match those retrieved from the directory.- Parameters:
- context- The directory context
- info- The User to be authenticated
- credentials- Authentication credentials
- Returns:
- trueif the credentials are validated
- Throws:
- NamingException- if a directory server error occurs
 
- 
bindAsUserprotected boolean bindAsUser(DirContext context, JNDIRealm.User user, String credentials) throws NamingException Check credentials by binding to the directory as the user- Parameters:
- context- The directory context
- user- The User to be authenticated
- credentials- Authentication credentials
- Returns:
- trueif the credentials are validated
- Throws:
- NamingException- if a directory server error occurs
 
- 
getRolesprotected List<String> getRoles(JNDIRealm.JNDIConnection connection, JNDIRealm.User user) throws NamingException Return a List of roles associated with the given User. Any roles present in the user's directory entry are supplemented by a directory search. If no roles are associated with this user, a zero-length List is returned.- Parameters:
- connection- The directory context we are searching
- user- The User to be checked
- Returns:
- the list of role names
- Throws:
- NamingException- if a directory server error occurs
 
- 
closeClose any open connection to the directory server for this Realm.- Parameters:
- connection- The directory context to be closed
 
- 
closePooledConnectionsprotected void closePooledConnections()Close all pooled connections.
- 
getPasswordDescription copied from class:RealmBaseGet the password for the specified user.- Specified by:
- getPasswordin class- RealmBase
- Parameters:
- username- The user name
- Returns:
- the password associated with the given principal's user name.
 
- 
getPrincipalDescription copied from class:RealmBaseGet the principal associated with the specified user.- Specified by:
- getPrincipalin class- RealmBase
- Parameters:
- username- The user name
- Returns:
- the Principal associated with the given user name.
 
- 
getPrincipalDescription copied from class:RealmBaseGet the principal associated with the specifiedGSSName.- Overrides:
- getPrincipalin class- RealmBase
- Parameters:
- gssName- The GSS name
- gssCredential- the GSS credential of the principal
- Returns:
- the principal associated with the given user name.
 
- 
getPrincipal
- 
getPrincipalprotected Principal getPrincipal(JNDIRealm.JNDIConnection connection, String username, GSSCredential gssCredential) throws NamingException Get the principal associated with the specified user name.- Parameters:
- connection- The directory context
- username- The user name
- gssCredential- The credentials
- Returns:
- the Principal associated with the given certificate.
- Throws:
- NamingException- if a directory server error occurs
 
- 
getOpen (if necessary) and return a connection to the configured directory server for this Realm.- Returns:
- the connection
- Throws:
- NamingException- if a directory server error occurs
 
- 
releaseRelease our use of this connection so that it can be recycled.- Parameters:
- connection- The directory context to release
 
- 
createCreate a new connection wrapper, along with the message formats.- Returns:
- the new connection
 
- 
openCreate a new connection to the directory server.- Parameters:
- connection- The directory server connection wrapper
- Throws:
- NamingException- if a directory server error occurs
 
- 
isAvailablepublic boolean isAvailable()Description copied from interface:RealmReturn the availability of the realm for authentication.- Returns:
- trueif the realm is able to perform authentication
 
- 
getDirectoryContextEnvironment
- 
startInternalPrepare for the beginning of active use of the public methods of this component and implement the requirements ofLifecycleBase.startInternal().- Overrides:
- startInternalin class- RealmBase
- Throws:
- LifecycleException- if this component detects a fatal error that prevents this component from being used
 
- 
stopInternalGracefully terminate the active use of the public methods of this component and implement the requirements ofLifecycleBase.stopInternal().- Overrides:
- stopInternalin class- RealmBase
- Throws:
- LifecycleException- if this component detects a fatal error that needs to be reported
 
- 
parseUserPatternStringGiven a string containing LDAP patterns for user locations (separated by parentheses in a pseudo-LDAP search string format - "(location1)(location2)", returns an array of those paths. Real LDAP search strings are supported as well (though only the "|" "OR" type).- Parameters:
- userPatternString- - a string LDAP search paths surrounded by parentheses
- Returns:
- a parsed string array
 
- 
doFilterEscapingGiven an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines. The character mapping is as follows: char -> Replacement --------------------------- * -> \2a ( -> \28 ) -> \29 \ -> \5c \0 -> \00- Parameters:
- inString- string to escape according to RFC 2254 guidelines
- Returns:
- String the escaped/encoded result
 
- 
getDistinguishedNameprotected String getDistinguishedName(DirContext context, String base, SearchResult result) throws NamingException Returns the distinguished name of a search result.- Parameters:
- context- Our DirContext
- base- The base DN
- result- The search result
- Returns:
- String containing the distinguished name
- Throws:
- NamingException- if a directory server error occurs
 
- 
doAttributeValueEscaping
- 
convertToHexEscape
 
-