Shiro JndiLdapRealm 针对 LDAP 的授权 [英] Shiro JndiLdapRealm authorization against LDAP

问题描述

Shiro 类 JndiLdapRealm 的 JavaDoc 明确表示默认情况下禁用授权，并且用户应通过子类化和覆盖 JndiLdapRealm#doGetAuthorizationInfo 方法.是否有关于如何做到这一点的示例代码，包括处理与任何地方可用的 LDAP 服务器的通信/协议?

The JavaDoc for Shiro class JndiLdapRealm explicitly says that authorization is by default disabled and that authorization against an LDAP server should be implemented by the user by subclassing and overriding the JndiLdapRealm#doGetAuthorizationInfo method. Is there sample code on how to do that including handling the communication / protocol with the LDAP server available anywhere?

推荐答案

你应该实现你自己的 LdapRealm 扩展 JndiLdapRealm.在此实现中，您将覆盖 queryForAuthorizationInfo() ；这是一个简单的例子:

you should implement your own LdapRealm extending JndiLdapRealm. In this implementation, you would override queryForAuthorizationInfo() ; here is a simple example :

protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory ldapContextFactory) throws NamingException {

String username = (String) getAvailablePrincipal(principals);

// Perform context search
LdapContext ldapContext = ldapContextFactory.getSystemLdapContext();

Set<String> roleNames;

try {
  roleNames = getRoleNamesForUser(username, ldapContext);
} finally {
  LdapUtils.closeContext(ldapContext);
}

return buildAuthorizationInfo(roleNames);
}

protected AuthorizationInfo buildAuthorizationInfo(Set<String> roleNames) {
return new SimpleAuthorizationInfo(roleNames);
}

protected Set<String> getRoleNamesForUser(String username, LdapContext ldapContext) throws NamingException {
Set<String> roleNames;
roleNames = new LinkedHashSet<String>();

SearchControls searchCtls = new SearchControls();
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

//SHIRO-115 - prevent potential code injection:
String searchFilter = "(&(objectClass=*)(CN={0}))";
Object[] searchArguments = new Object[]{ username };

NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchArguments, searchCtls);

while (answer.hasMoreElements()) {
  SearchResult sr = (SearchResult) answer.next();

  if (log.isDebugEnabled()) {
    log.debug("Retrieving group names for user [" + sr.getName() + "]");
  }

  Attributes attrs = sr.getAttributes();

  if (attrs != null) {
    NamingEnumeration ae = attrs.getAll();
    while (ae.hasMore()) {
      Attribute attr = (Attribute) ae.next();

      if (attr.getID().equals("memberOf")) {

        Collection<String> groupNames = LdapUtils.getAllAttributeValues(attr);

        if (log.isDebugEnabled()) {
          log.debug("Groups found for user [" + username + "]: " + groupNames);
        }

        Collection<String> rolesForGroups = getRoleNamesForGroups(groupNames);
        roleNames.addAll(rolesForGroups);
      }
    }
  }
}

这篇关于Shiro JndiLdapRealm 针对 LDAP 的授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！