Shiro JndiLdapRealm authorization against LDAP


Question


The JavaDoc for Shiro class JndiLdapRealm explicitly says that authorization is by default disabled and that authorization against an LDAP server should be implemented by the user by subclassing and overriding the JndiLdapRealm#doGetAuthorizationInfo method. Is there sample code on how to do that including handling the communication / protocol with the LDAP server available anywhere?

Answer


You should implement your own LdapRealm extending JndiLdapRealm. In this implementation, you would override queryForAuthorizationInfo(); here is a simple example:

import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.ldap.JndiLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class MyLdapRealm extends JndiLdapRealm {

  private static final Logger log = LoggerFactory.getLogger(MyLdapRealm.class);

  // Base DN under which user entries are searched, e.g. "ou=people,dc=example,dc=com" (set from shiro.ini)
  private String searchBase;

  // LDAP group DN -> comma-separated application roles (set from shiro.ini)
  private Map<String, String> groupRolesMap = new HashMap<String, String>();

  public void setSearchBase(String searchBase) {
    this.searchBase = searchBase;
  }

  public void setGroupRolesMap(Map<String, String> groupRolesMap) {
    this.groupRolesMap = groupRolesMap;
  }

  @Override
  protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory ldapContextFactory) throws NamingException {
    String username = (String) getAvailablePrincipal(principals);

    // Perform the search with the system (service account) context, not the user's own bind
    LdapContext ldapContext = ldapContextFactory.getSystemLdapContext();

    Set<String> roleNames;
    try {
      roleNames = getRoleNamesForUser(username, ldapContext);
    } finally {
      LdapUtils.closeContext(ldapContext);
    }
    return buildAuthorizationInfo(roleNames);
  }

  protected AuthorizationInfo buildAuthorizationInfo(Set<String> roleNames) {
    return new SimpleAuthorizationInfo(roleNames);
  }

  protected Set<String> getRoleNamesForUser(String username, LdapContext ldapContext) throws NamingException {
    Set<String> roleNames = new LinkedHashSet<String>();

    SearchControls searchCtls = new SearchControls();
    searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // Only the group membership attribute is needed, so do not fetch the whole entry
    searchCtls.setReturningAttributes(new String[]{ "memberOf" });

    // SHIRO-115 - prevent potential filter injection: the username is passed as a filter
    // argument for the {0} placeholder so JNDI escapes it instead of splicing it into the filter
    String searchFilter = "(&(objectClass=*)(CN={0}))";
    Object[] searchArguments = new Object[]{ username };

    NamingEnumeration<SearchResult> answer = ldapContext.search(searchBase, searchFilter, searchArguments, searchCtls);
    try {
      while (answer.hasMore()) {
        SearchResult sr = answer.next();
        if (log.isDebugEnabled()) {
          log.debug("Retrieving group names for user [" + sr.getName() + "]");
        }

        Attributes attrs = sr.getAttributes();
        if (attrs != null) {
          NamingEnumeration<? extends Attribute> ae = attrs.getAll();
          while (ae.hasMore()) {
            Attribute attr = ae.next();
            if (attr.getID().equals("memberOf")) {
              Collection<String> groupNames = LdapUtils.getAllAttributeValues(attr);
              if (log.isDebugEnabled()) {
                log.debug("Groups found for user [" + username + "]: " + groupNames);
              }
              roleNames.addAll(getRoleNamesForGroups(groupNames));
            }
          }
        }
      }
    } finally {
      LdapUtils.closeEnumeration(answer);
    }
    return roleNames;
  }

  // Translate LDAP group DNs into application role names via the configured map;
  // groups with no mapping grant no roles
  protected Collection<String> getRoleNamesForGroups(Collection<String> groupNames) {
    Set<String> roleNames = new LinkedHashSet<String>();
    for (String groupName : groupNames) {
      String roles = groupRolesMap.get(groupName);
      if (roles != null) {
        for (String role : roles.split(",")) {
          roleNames.add(role.trim());
        }
      }
    }
    return roleNames;
  }
}
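The answer shows the realm class but not how it is wired to a directory. The shiro.ini below is an added example, not part of the original answer or of Shiro's own documentation. It assumes the subclass is named com.example.MyLdapRealm and exposes searchBase and groupRolesMap bean properties (both assumptions); the host name, DNs and account names are constructed. The contextFactory.url, systemUsername, systemPassword and userDnTemplate properties are standard JndiLdapRealm/JndiLdapContextFactory settings.

```ini
[main]
# Custom realm subclassing JndiLdapRealm (assumed class name)
ldapRealm = com.example.MyLdapRealm

# Directory connection; LDAPS keeps bind credentials and group data off the wire in clear text
ldapRealm.contextFactory.url = ldaps://ldap.example.com:636

# Dedicated, read-only service account used only for the system context that runs the
# authorization search (getSystemLdapContext); it needs no rights beyond reading memberOf
ldapRealm.contextFactory.systemUsername = cn=shiro-lookup,ou=services,dc=example,dc=com
ldapRealm.contextFactory.systemPassword = <lookup-account-password-placeholder>

# Template used to bind end users during authentication; {0} is replaced by the login name
ldapRealm.userDnTemplate = uid={0},ou=people,dc=example,dc=com

# Assumed property of the custom realm: base DN for the (CN={0}) search
ldapRealm.searchBase = ou=people,dc=example,dc=com

# Assumed property of the custom realm: LDAP group DN -> comma-separated application roles.
# Keys and values are quoted because the DNs themselves contain commas.
ldapRealm.groupRolesMap = "cn=admins,ou=groups,dc=example,dc=com":"admin,user", "cn=staff,ou=groups,dc=example,dc=com":"user"

securityManager.realms = $ldapRealm
```

Groups that are not listed in groupRolesMap grant no roles, so a new directory group cannot confer application privileges until an administrator maps it explicitly.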
