org.apache.knox.gateway.shirorealm

Class KnoxLdapRealm

java.lang.Object

org.apache.shiro.realm.CachingRealm

org.apache.shiro.realm.AuthenticatingRealm

org.apache.shiro.realm.AuthorizingRealm

org.apache.shiro.realm.ldap.DefaultLdapRealm

org.apache.knox.gateway.shirorealm.KnoxLdapRealm

All Implemented Interfaces:

org.apache.shiro.authc.LogoutAware, org.apache.shiro.authz.Authorizer, org.apache.shiro.authz.permission.PermissionResolverAware, org.apache.shiro.authz.permission.RolePermissionResolverAware, org.apache.shiro.cache.CacheManagerAware, org.apache.shiro.realm.Realm, org.apache.shiro.util.Initializable, org.apache.shiro.util.Nameable

public class KnoxLdapRealm
extends org.apache.shiro.realm.ldap.DefaultLdapRealm

Implementation of DefaultLdapRealm that also returns each user's groups. This implementation is heavily based on org.apache.isis.security.shiro.IsisLdapRealm. This implementation saves looked up ldap groups in Shiro Session to make them easy to be looked up outside of this object

Sample config for shiro.ini:

 [main]
 ldapRealm=KnoxLdapRealm
 ldapGroupContextFactory=KnoxLdapContextFactory
 ldapRealm.contextFactory=$ldapGroupContextFactory
 ldapRealm.contextFactory.authenticationMechanism=simple
 ldapRealm.contextFactory.url=ldap://localhost:33389
 ldapRealm.userDnTemplate=uid={0},ou=people,dc=hadoop,dc=apache,dc=org
 ldapRealm.authorizationEnabled=true
 ldapRealm.contextFactory.systemAuthenticationMechanism=simple
 ldapRealm.searchBase=ou=groups,dc=hadoop,dc=apache,dc=org
 ldapRealm.groupObjectClass=groupofnames
 ldapRealm.memberAttribute=member
 ldapRealm.memberAttributeValueTemplate=cn={0},ou=people,dc=hadoop,dc=apache,dc=org
 ldapRealm.contextFactory.systemUsername=uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
 ldapRealm.contextFactory.clusterName=sandbox
 ldapRealm.contextFactory.systemPassword=S{ALIAS=ldcSystemPassword}
 [urls]
 **=authcBasic

 # optional mapping from physical groups to logical application roles
 ldapRealm.rolesByGroup = \
    LDN_USERS: user_role,\
    NYK_USERS: user_role,\
    HKG_USERS: user_role,\
    GLOBAL_ADMIN: admin_role,\
    DEMOS: self-install_role

 ldapRealm.permissionsByRole=\
    user_role = *:ToDoItemsJdo:*:*,\
                *:ToDoItem:*:*; \
    self-install_role = *:ToDoItemsFixturesService:install:* ; \
    admin_role = *

 securityManager.realms = $ldapRealm

 

Constructor Summary

Constructors

Constructor and Description
KnoxLdapRealm()

Method Summary

Modifier and Type	Method and Description
protected org.apache.shiro.authc.AuthenticationInfo	createAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken token, Object ldapPrincipal, Object ldapCredentials, LdapContext ldapContext)
protected org.apache.shiro.authc.AuthenticationInfo	doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken token)
String	getGroupIdAttribute()
String	getGroupObjectClass()
String	getGroupSearchBase()
String	getMemberAttribute()
String	getPrincipalRegex()
String	getSearchBase()
protected String	getUserDn(String principal) Returns the LDAP User Distinguished Name (DN) to use when acquiring an LdapContext from the LdapContextFactory.
String	getUserObjectClass()
String	getUserSearchAttributeName()
String	getUserSearchAttributeTemplate()
String	getUserSearchBase()
String	getUserSearchFilter()
String	getUserSearchScope()
boolean	isAuthorizationEnabled()
protected org.apache.shiro.authz.AuthorizationInfo	queryForAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection principals, org.apache.shiro.realm.ldap.LdapContextFactory ldapContextFactory) Get groups from LDAP.
void	setAuthorizationEnabled(boolean authorizationEnabled)
void	setGroupIdAttribute(String groupIdAttribute)
void	setGroupObjectClass(String groupObjectClassAttribute)
void	setGroupSearchBase(String groupSearchBase)
void	setMemberAttribute(String memberAttribute)
void	setMemberAttributeValueTemplate(String template)
void	setPermissionsByRole(String permissionsByRoleStr)
void	setPrincipalRegex(String regex)
void	setRolesByGroup(Map<String,String> rolesByGroup)
void	setSearchBase(String searchBase)
void	setUserDnTemplate(String template)
void	setUserObjectClass(String userObjectClass)
void	setUserSearchAttributeName(String userSearchAttributeName)
void	setUserSearchAttributeTemplate(String template)
void	setUserSearchBase(String userSearchBase)
void	setUserSearchFilter(String filter)
void	setUserSearchScope(String scope)

Methods inherited from class org.apache.shiro.realm.ldap.DefaultLdapRealm

doGetAuthorizationInfo, getContextFactory, getLdapPrincipal, getUserDnPrefix, getUserDnSuffix, getUserDnTemplate, queryForAuthenticationInfo, setContextFactory

Methods inherited from class org.apache.shiro.realm.AuthorizingRealm

afterCacheManagerSet, checkPermission, checkPermission, checkPermission, checkPermissions, checkPermissions, checkPermissions, checkRole, checkRole, checkRoles, checkRoles, checkRoles, clearCachedAuthorizationInfo, doClearCache, getAuthorizationCache, getAuthorizationCacheKey, getAuthorizationCacheName, getAuthorizationInfo, getPermissionResolver, getPermissions, getRolePermissionResolver, hasAllRoles, hasRole, hasRole, hasRoles, hasRoles, isAuthorizationCachingEnabled, isPermitted, isPermitted, isPermitted, isPermitted, isPermitted, isPermitted, isPermittedAll, isPermittedAll, isPermittedAll, onInit, setAuthorizationCache, setAuthorizationCacheName, setAuthorizationCachingEnabled, setName, setPermissionResolver, setRolePermissionResolver

Methods inherited from class org.apache.shiro.realm.AuthenticatingRealm

assertCredentialsMatch, clearCachedAuthenticationInfo, getAuthenticationCache, getAuthenticationCacheKey, getAuthenticationCacheKey, getAuthenticationCacheName, getAuthenticationInfo, getAuthenticationTokenClass, getCredentialsMatcher, init, isAuthenticationCachingEnabled, isAuthenticationCachingEnabled, setAuthenticationCache, setAuthenticationCacheName, setAuthenticationCachingEnabled, setAuthenticationTokenClass, setCredentialsMatcher, supports

Methods inherited from class org.apache.shiro.realm.CachingRealm

clearCache, getAvailablePrincipal, getCacheManager, getName, isCachingEnabled, onLogout, setCacheManager, setCachingEnabled

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.shiro.util.Initializable

init

Constructor Detail

KnoxLdapRealm

public KnoxLdapRealm()

Method Detail

doGetAuthenticationInfo

protected org.apache.shiro.authc.AuthenticationInfo doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken token)
                                                                     throws org.apache.shiro.authc.AuthenticationException

Overrides:

doGetAuthenticationInfo in class org.apache.shiro.realm.ldap.DefaultLdapRealm

Throws:

org.apache.shiro.authc.AuthenticationException

queryForAuthorizationInfo

protected org.apache.shiro.authz.AuthorizationInfo queryForAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection principals,
                                                                             org.apache.shiro.realm.ldap.LdapContextFactory ldapContextFactory)
                                                                      throws NamingException

Get groups from LDAP.

Overrides:

queryForAuthorizationInfo in class org.apache.shiro.realm.ldap.DefaultLdapRealm

Parameters:

principals - the principals of the Subject whose AuthenticationInfo should be queried from the LDAP server.

ldapContextFactory - factory used to retrieve LDAP connections.

Returns:

an AuthorizationInfo instance containing information retrieved from the LDAP server.

Throws:

NamingException - if any LDAP errors occur during the search.

getSearchBase

public String getSearchBase()

setSearchBase

public void setSearchBase(String searchBase)

getUserSearchBase

public String getUserSearchBase()

setUserSearchBase

public void setUserSearchBase(String userSearchBase)

getGroupSearchBase

public String getGroupSearchBase()

setGroupSearchBase

public void setGroupSearchBase(String groupSearchBase)

getGroupObjectClass

public String getGroupObjectClass()

setGroupObjectClass

public void setGroupObjectClass(String groupObjectClassAttribute)

getMemberAttribute

public String getMemberAttribute()

setMemberAttribute

public void setMemberAttribute(String memberAttribute)

getGroupIdAttribute

public String getGroupIdAttribute()

setGroupIdAttribute

public void setGroupIdAttribute(String groupIdAttribute)

setMemberAttributeValueTemplate

public void setMemberAttributeValueTemplate(String template)

setRolesByGroup

public void setRolesByGroup(Map<String,String> rolesByGroup)

setPermissionsByRole

public void setPermissionsByRole(String permissionsByRoleStr)

isAuthorizationEnabled

public boolean isAuthorizationEnabled()

setAuthorizationEnabled

public void setAuthorizationEnabled(boolean authorizationEnabled)

getUserSearchAttributeName

public String getUserSearchAttributeName()

setUserSearchAttributeName

public void setUserSearchAttributeName(String userSearchAttributeName)

getUserObjectClass

public String getUserObjectClass()

setUserObjectClass

public void setUserObjectClass(String userObjectClass)

getPrincipalRegex

public String getPrincipalRegex()

setPrincipalRegex

public void setPrincipalRegex(String regex)

getUserSearchAttributeTemplate

public String getUserSearchAttributeTemplate()

setUserSearchAttributeTemplate

public void setUserSearchAttributeTemplate(String template)

getUserSearchFilter

public String getUserSearchFilter()

setUserSearchFilter

public void setUserSearchFilter(String filter)

getUserSearchScope

public String getUserSearchScope()

setUserSearchScope

public void setUserSearchScope(String scope)

setUserDnTemplate

public void setUserDnTemplate(String template)
                       throws IllegalArgumentException

Overrides:

setUserDnTemplate in class org.apache.shiro.realm.ldap.DefaultLdapRealm

Throws:

IllegalArgumentException

getUserDn

protected String getUserDn(String principal)
                    throws IllegalArgumentException,
                           IllegalStateException

Returns the LDAP User Distinguished Name (DN) to use when acquiring an LdapContext from the LdapContextFactory. If the the userDnTemplate property has been set, this implementation will construct the User DN by substituting the specified principal into the configured template. If the userDnTemplate has not been set, the method argument will be returned directly (indicating that the submitted authentication token principal is the User DN).

Overrides:

getUserDn in class org.apache.shiro.realm.ldap.DefaultLdapRealm

Parameters:

principal - the principal to substitute into the configured userDnTemplate.

Returns:

the constructed User DN to use at runtime when acquiring an LdapContext.

Throws:

IllegalArgumentException - if the method argument is null or empty

IllegalStateException - if the userDnTemplate has not been set.

See Also:

LdapContextFactory.getLdapContext(Object, Object)

createAuthenticationInfo

protected org.apache.shiro.authc.AuthenticationInfo createAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken token,
                                                                             Object ldapPrincipal,
                                                                             Object ldapCredentials,
                                                                             LdapContext ldapContext)
                                                                      throws NamingException

Overrides:

createAuthenticationInfo in class org.apache.shiro.realm.ldap.DefaultLdapRealm

Throws:

NamingException