实现一个Tomcat境界与LDAP身份验证和授权JDBC [英] Implement a Tomcat Realm with LDAP authentication and JDBC authorization

问题描述

我在LDAP服务器仅用于身份验证，不包含任何角色，并授权对其中包含的用户角色映射数据库做了原有的环境中工作，但没有密码。

I'm working in a legacy environment where an LDAP server is used only for authentication and contains no roles, and authorization is done against a database which contains the user-role mapping, but no passwords.

我的计划是通过扩展JNDIRealm，并覆盖角色的方法来调用封装JDBCRealm实施新的Tomcat境界。

My plan is to implement a new Tomcat Realm by extending JNDIRealm, and overriding the role methods to call an encapsulated JDBCRealm.

我的境界是在server.xml中宣称：

My realm is declared in server.xml:

<Realm className="com.example.LdapJdbcRealm"
   connectionURL="ldap://ldaphost:389"
   resourceName="LDAP Auth"
   userPattern="uid={0}, ou=Portal, dc=example, dc=com"
   dbConnectionURL="jdbc:oracle:thin:@oracledb:1521:dbname"
   userTable="db_user" userNameCol="user_id"
   userRoleTable="db_user_role_xref" roleNameCol="role_id" />

这是JNDIRealm和放大器的标准属性名称的组合; JDBCRealm，用少许变化，他们都使用的ConnectionURL。

This is a combination of the standard property names for JNDIRealm & JDBCRealm, with a little change as they both use connectionURL.

package com.example;

import org.apache.catalina.Realm;
import org.apache.catalina.Context;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.JNDIRealm;
import org.apache.catalina.realm.JDBCRealm;

import java.security.Principal;
import java.io.IOException;

public class LdapJdbcRealm extends JNDIRealm implements Realm
{
    private JDBCRealm jdbcRealm = new JDBCRealm();

    protected static final String info = "com.example.LdapJdbcRealm/1.0";
    protected static final String name = "LdapJdbcRealm";

    public String getDbConnectionURL() {
        return jdbcRealm.getConnectionURL();
    }

    public void setDbConnectionURL(String dbConnectionURL) {
        jdbcRealm.setConnectionURL(dbConnectionURL);
    }

    public String getUserTable() {
        return jdbcRealm.getUserTable();
    }

    public void setUserTable(String userTable) {
        jdbcRealm.setUserTable(userTable);
    }

    public String getUserNameCol() {
        return jdbcRealm.getUserNameCol();
    }

    public void setUserNameCol(String userNameCol) {
        jdbcRealm.setUserNameCol(userNameCol);
    }

    public String getUserRoleTable() {
        return jdbcRealm.getUserRoleTable();
    }

    public void setUserRoleTable(String userRoleTable) {
        jdbcRealm.setUserRoleTable(userRoleTable);
    }

    public String getRoleNameCol() {
        return jdbcRealm.getRoleNameCol();
    }

    public void setRoleNameCol(String roleNameCol) {
        jdbcRealm.setRoleNameCol(roleNameCol);
    }

    public boolean hasResourcePermission(Request request,
                                         Response response,
                                         SecurityConstraint[]constraints,
                                         Context context) throws IOException
    {
        return jdbcRealm.hasResourcePermission(request, response, constraints, context);
    }

    public boolean hasRole(Principal principal, String role) {
        return jdbcRealm.hasRole(principal, role);
    }
}

这主要是似乎工作，授权返回从LDAP，预期它没有角色的负责人。同样主要进入 hasResourcePermission（）键，因为它没有在它需要的角色失败。显然，我失去了一些重要的code。

This mostly seems to work, the authorization returns a Principal from LDAP, which has no roles as expected. That same Principal enters hasResourcePermission() and fails because it doesn't have the require roles in it. Clearly I'm missing some crucial code.

我在寻找解决方案。我可以尝试扩大JDBCRealm并添加LDAP身份验证，但似乎更多的工作。

I'm looking for solutions. I could try extending JDBCRealm and adding LDAP authentication, but that seems like more work.

我也相信，这LDAP身份验证/授权DB是不是一种罕见的模式。是否有替代的解决方案已经上市？

I also believe that this LDAP authentication/DB authorization is not an uncommon pattern. Is there an alternative solution already available?

是不会我的控件添加角色LDAP或密码到数据库中，所以这些都是不适合我的解决方案。

It is not within my control to add roles to LDAP or passwords to the DB, so those are not solutions for me.

感谢您提前对该你的帮助。

Thank you in advance for your help in this.

推荐答案

您还没有指定您正在使用的Tomcat版本，所以我与6.x的怎么回事。

You haven't specified the version of Tomcat you're using, so I'm going with 6.x here.

它看起来像你委派 hasResourcePermission 来JDBC，同时使双方 findSecurityConstraints 和 hasUserDataPermission 在JNDI的手中。你应该委托所有这些人或无。

It looks like you're delegating hasResourcePermission to JDBC while leaving both findSecurityConstraints and hasUserDataPermission in hands of JNDI. You should delegate all of them or none of them.

更新： JNDIRealm 通话保护getRoles（DirContext，则用户）作为其一部分其进行身份验证（）方法。你需要重写并转发给JDBCRealm的 getRoles（）。

Update: JNDIRealm calls protected getRoles(DirContext, User) as part of its authenticate() method. You need to override that and forward it to JDBCRealm's getRoles().

这篇关于实现一个Tomcat境界与LDAP身份验证和授权JDBC的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！