public class IsisLdapRealm extends org.apache.shiro.realm.ldap.DefaultLdapRealm

A JndiLdapRealm that also returns each user's groups.
Sample config for shiro.ini:
contextFactory = org.apache.isis.extensions.shirorealmldap.realm.impl.IsisLdapContextFactory
contextFactory.url = ldap://localhost:10389
contextFactory.authenticationMechanism = CRAM-MD5
contextFactory.systemAuthenticationMechanism = simple
contextFactory.systemUsername = uid=admin,ou=system
contextFactory.systemPassword = secret
ldapRealm = org.apache.isis.extensions.shirorealmldap.realm.impl.IsisLdapRealm
ldapRealm.contextFactory = $contextFactory
ldapRealm.searchBase = ou=groups,o=mojo
ldapRealm.groupObjectClass = groupOfUniqueNames
ldapRealm.uniqueMemberAttribute = uniqueMember
ldapRealm.uniqueMemberAttributeValueTemplate = uid={0}
ldapRealm.searchUserBase = ou=users,o=mojo
ldapRealm.userObjectClass=inetOrgPerson
ldapRealm.groupExtractedAttribute=street,country
ldapRealm.userExtractedAttribute=street,country
ldapRealm.permissionByGroupAttribute=attribute:Folder.{street}:Read,attribute:Portfolio.{country}
ldapRealm.permissionByUserAttribute=attribute:Folder.{street}:Read,attribute:Portfolio.{country}
# optional mapping from physical groups to logical application roles
ldapRealm.rolesByGroup = \
LDN_USERS: user_role,\
NYK_USERS: user_role,\
HKG_USERS: user_role,\
GLOBAL_ADMIN: admin_role,\
DEMOS: self-install_role
securityManager.realms = $ldapRealm
The permissions for each role can be specified by using setResourcePath(String) to point
to an 'ini' file with a [roles] section, e.g.:
ldapRealm.resourcePath=classpath:webapp/myroles.ini
where myroles.ini is in src/main/resources/webapp, and takes the form:
[roles]
user_role = *:ToDoItemsJdo:*:*,\
*:ToDoItem:*:*
self-install_role = *:ToDoItemsFixturesService:install:*
admin_role = *
This 'ini' file can then be referenced by other realms (if multiple realms are configured with the Shiro security manager).
Alternatively, permissions can be set directly using setPermissionsByRole(String),
where the string is the same information, formatted thus:
ldapRealm.permissionsByRole=\
user_role = *:ToDoItemsJdo:*:*,\
*:ToDoItem:*:*; \
self-install_role = *:ToDoItemsFixturesService:install:* ; \
admin_role = *
Alternatively, permissions can be extracted from the directory itself: searchUserBase gives the base under which the user's entry is searched, userExtractedAttribute lists the attributes to read from that entry, and permissionByUserAttribute gives the permission templates (groupExtractedAttribute and permissionByGroupAttribute do the same for the user's groups). The idea is to extract attribute values from the user entry, or from the groups the user belongs to, and map them directly to permission rules by replacing the placeholder {attribute} in each template with the extracted value (there can be several). See the sample config above for the group and user attributes and their mappings.
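To make the mapping chain concrete, here is an added, self-contained Java illustration (it is not the realm's own code and does not depend on Shiro) of the three configuration mechanisms described above: the rolesByGroup lookup from physical LDAP groups to logical roles, parsing of a permissionsByRole string in the format shown, and substitution of extracted LDAP attribute values into the {attribute} placeholders of permissionByUserAttribute / permissionByGroupAttribute templates. The class name RealmMappingDemo, the helper method names, the user's group list and the street/country values are constructed for the example; the role names, permission strings and templates are taken from the sample config above.

```java
import java.util.*;
import java.util.regex.*;

// Added illustration, not the IsisLdapRealm implementation: models how the
// configured mappings combine into the permission strings Shiro would check.
public class RealmMappingDemo {

    // Parse "role = perm1, perm2; role2 = perm3" (the permissionsByRole format).
    static Map<String, Set<String>> parsePermissionsByRole(String spec) {
        Map<String, Set<String>> result = new LinkedHashMap<>();
        for (String roleEntry : spec.split(";")) {
            if (roleEntry.isBlank()) continue;
            String[] kv = roleEntry.split("=", 2);
            if (kv.length != 2) throw new IllegalArgumentException("bad entry: " + roleEntry);
            Set<String> perms = new LinkedHashSet<>();
            for (String p : kv[1].split(",")) {
                if (!p.isBlank()) perms.add(p.trim());
            }
            result.put(kv[0].trim(), perms);
        }
        return result;
    }

    // Map physical groups to logical roles via rolesByGroup; an unmapped group yields no role.
    static Set<String> rolesFor(Collection<String> groups, Map<String, String> rolesByGroup) {
        Set<String> roles = new LinkedHashSet<>();
        for (String g : groups) {
            String role = rolesByGroup.get(g);
            if (role != null) roles.add(role);
        }
        return roles;
    }

    private static final Pattern PLACEHOLDER = Pattern.compile("\\{([^}]+)\\}");

    // Expand templates such as "attribute:Folder.{street}:Read" with the extracted values.
    // A multi-valued attribute yields one permission per value; a template whose attribute is
    // absent from the entry yields nothing rather than a permission with a literal "{street}".
    static Set<String> expandTemplates(Collection<String> templates, Map<String, List<String>> attrs) {
        Set<String> perms = new LinkedHashSet<>();
        for (String template : templates) {
            Set<String> names = new LinkedHashSet<>();
            Matcher m = PLACEHOLDER.matcher(template);
            while (m.find()) names.add(m.group(1));

            List<String> partial = new ArrayList<>(List.of(template));
            boolean complete = true;
            for (String attr : names) {
                List<String> values = attrs.getOrDefault(attr, List.of());
                if (values.isEmpty()) { complete = false; break; }
                List<String> next = new ArrayList<>();
                for (String p : partial)
                    for (String v : values)
                        next.add(p.replace("{" + attr + "}", v));
                partial = next;
            }
            if (complete) perms.addAll(partial);
        }
        return perms;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the shiro.ini fragment above.
        Map<String, String> rolesByGroup = Map.of(
            "LDN_USERS", "user_role", "GLOBAL_ADMIN", "admin_role", "DEMOS", "self-install_role");
        Map<String, Set<String>> permissionsByRole = parsePermissionsByRole(
            "user_role = *:ToDoItemsJdo:*:*, *:ToDoItem:*:*; "
          + "self-install_role = *:ToDoItemsFixturesService:install:* ; admin_role = *");

        // Constructed group membership: one unmapped group to show it is ignored.
        List<String> userGroups = List.of("LDN_USERS", "DEMOS", "UNMAPPED_GROUP");
        Set<String> perms = new LinkedHashSet<>();
        for (String role : rolesFor(userGroups, rolesByGroup))
            perms.addAll(permissionsByRole.getOrDefault(role, Set.of()));

        // Constructed attribute values as read from the user's inetOrgPerson entry.
        Map<String, List<String>> userAttrs = Map.of(
            "street", List.of("Fleet St"), "country", List.of("GB", "IE"));
        perms.addAll(expandTemplates(
            List.of("attribute:Folder.{street}:Read", "attribute:Portfolio.{country}"), userAttrs));

        perms.forEach(System.out::println);
    }
}
```

Running the class prints the role-derived permissions first, followed by one Folder permission for the street value and one Portfolio permission per country value; the membership in UNMAPPED_GROUP contributes nothing because rolesByGroup has no entry for it.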
| Modifier and Type | Field and Description |
|---|---|
| protected Set<String> | groupExtractedAttribute: For Group Extracted attribute name with mapping name in parenthesis. |
| protected Set<String> | permissionByGroupAttribute: For Group Mapping of attributes. |
| protected Set<String> | permissionByUserAttribute: For User Mapping of attributes. |
| protected Set<String> | userExtractedAttribute: For User Extracted attribute name with mapping name in parenthesis. |
| Constructor and Description |
|---|
| IsisLdapRealm() |
| Modifier and Type | Method and Description |
|---|---|
| protected Set<String> | groupFor(String userName, LdapContext ldapCtx) |
| protected boolean | memberOf(SearchResult group, Set<String> groups) |
| protected org.apache.shiro.authz.AuthorizationInfo | queryForAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection principals, org.apache.shiro.realm.ldap.LdapContextFactory ldapContextFactory): Get groups from LDAP. |
| void | setCnAttribute(String cnAttribute) |
| void | setGroupExtractedAttribute(String groupExtractedAttribute) |
| void | setGroupObjectClass(String groupObjectClassAttribute) |
| void | setPermissionByGroupAttribute(String permissionByGroupAttribute) |
| void | setPermissionByUserAttribute(String permissionByUserAttr) |
| void | setPermissionsByRole(String permissionsByRoleStr): Deprecated. |
| void | setResourcePath(String resourcePath): ldapRealm.resourcePath=classpath:webapp/myroles.ini |
| void | setRolesByGroup(Map<String,String> rolesByGroup) |
| void | setSearchBase(String searchBase) |
| void | setSearchUserBase(String searchUserBase) |
| void | setUniqueMemberAttribute(String uniqueMemberAttribute) |
| void | setUniqueMemberAttributeValueTemplate(String template) |
| void | setUserExtractedAttribute(String userExtractedAttribute) |
| void | setUserObjectClass(String userObjectClass) |
Methods inherited from class org.apache.shiro.realm.ldap.DefaultLdapRealm: createAuthenticationInfo, doGetAuthenticationInfo, doGetAuthorizationInfo, getContextFactory, getLdapPrincipal, getUserDn, getUserDnPrefix, getUserDnSuffix, getUserDnTemplate, queryForAuthenticationInfo, setContextFactory, setUserDnTemplate

Methods inherited from class org.apache.shiro.realm.AuthorizingRealm: afterCacheManagerSet, checkPermission, checkPermission, checkPermission, checkPermissions, checkPermissions, checkPermissions, checkRole, checkRole, checkRoles, checkRoles, checkRoles, clearCachedAuthorizationInfo, doClearCache, getAuthorizationCache, getAuthorizationCacheKey, getAuthorizationCacheName, getAuthorizationInfo, getPermissionResolver, getPermissions, getRolePermissionResolver, hasAllRoles, hasRole, hasRole, hasRoles, hasRoles, isAuthorizationCachingEnabled, isPermitted, isPermitted, isPermitted, isPermitted, isPermitted, isPermitted, isPermittedAll, isPermittedAll, isPermittedAll, onInit, setAuthorizationCache, setAuthorizationCacheName, setAuthorizationCachingEnabled, setName, setPermissionResolver, setRolePermissionResolver

Methods inherited from class org.apache.shiro.realm.AuthenticatingRealm: assertCredentialsMatch, clearCachedAuthenticationInfo, getAuthenticationCache, getAuthenticationCacheKey, getAuthenticationCacheKey, getAuthenticationCacheName, getAuthenticationInfo, getAuthenticationTokenClass, getCredentialsMatcher, init, isAuthenticationCachingEnabled, isAuthenticationCachingEnabled, setAuthenticationCache, setAuthenticationCacheName, setAuthenticationCachingEnabled, setAuthenticationTokenClass, setCredentialsMatcher, supports

Methods inherited from class org.apache.shiro.realm.CachingRealm: clearCache, getAvailablePrincipal, getCacheManager, getName, isCachingEnabled, onLogout, setCacheManager, setCachingEnabled

Field detail:

protected Set<String> groupExtractedAttribute
protected Set<String> userExtractedAttribute
protected Set<String> permissionByGroupAttribute
protected Set<String> permissionByUserAttribute

Constructor detail:

public IsisLdapRealm()
Method detail:

protected org.apache.shiro.authz.AuthorizationInfo queryForAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection principals, org.apache.shiro.realm.ldap.LdapContextFactory ldapContextFactory) throws NamingException
Get groups from LDAP.
Overrides: queryForAuthorizationInfo in class org.apache.shiro.realm.ldap.DefaultLdapRealm
Parameters: principals - the principals of the Subject whose AuthenticationInfo should be queried from the LDAP server. ldapContextFactory - factory used to retrieve LDAP connections.
Returns: AuthorizationInfo instance containing information retrieved from the LDAP server.
Throws: NamingException - if any LDAP errors occur during the search.

protected Set<String> groupFor(String userName, LdapContext ldapCtx) throws NamingException
Throws: NamingException

protected boolean memberOf(SearchResult group, Set<String> groups) throws NamingException
Throws: NamingException

public void setSearchBase(String searchBase)

public void setGroupObjectClass(String groupObjectClassAttribute)

public void setUniqueMemberAttribute(String uniqueMemberAttribute)

public void setUniqueMemberAttributeValueTemplate(String template)

public void setRolesByGroup(Map<String,String> rolesByGroup)

public void setResourcePath(String resourcePath)
ldapRealm.resourcePath=classpath:webapp/myroles.ini
where myroles.ini is in src/main/resources/webapp, and takes the form:
[roles]
user_role = *:ToDoItemsJdo:*:*,\
*:ToDoItem:*:*
self-install_role = *:ToDoItemsFixturesService:install:*
admin_role = *
This 'ini' file can then be referenced by other realms (if multiple realms are configured
with the Shiro security manager).
See Also: setResourcePath(String)

@Deprecated public void setPermissionsByRole(String permissionsByRoleStr)
ldapRealm.permissionsByRole=\
user_role = *:ToDoItemsJdo:*:*,\
*:ToDoItem:*:*; \
self-install_role = *:ToDoItemsFixturesService:install:* ; \
admin_role = *
See Also: setResourcePath(String)

public void setPermissionByUserAttribute(String permissionByUserAttr)

public void setPermissionByGroupAttribute(String permissionByGroupAttribute)

public void setUserExtractedAttribute(String userExtractedAttribute)

public void setGroupExtractedAttribute(String groupExtractedAttribute)

public void setSearchUserBase(String searchUserBase)

public void setUserObjectClass(String userObjectClass)

public void setCnAttribute(String cnAttribute)
Copyright © 2010–2020 The Apache Software Foundation. All rights reserved.