package org.apache.jetspeed.security.spi.impl.ldap; |
import javax.naming.Name; |
import javax.naming.NameParser; |
import javax.naming.NamingEnumeration; |
import javax.naming.NamingException; |
import javax.naming.directory.DirContext; |
import javax.naming.directory.SearchControls; |
import javax.naming.directory.SearchResult; |
import javax.naming.ldap.LdapContext; |
import org.apache.commons.lang.StringUtils; |
import org.apache.commons.logging.Log; |
import org.apache.commons.logging.LogFactory; |
import org.apache.jetspeed.security.InvalidDnException; |
import org.apache.jetspeed.security.InvalidPasswordException; |
import org.apache.jetspeed.security.InvalidUidException; |
import org.apache.jetspeed.security.SecurityException; |
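public abstract class AbstractLdapDao
{
    /** Logger shared by the LDAP DAO hierarchy. */
    private static final Log logger = LogFactory.getLog(AbstractLdapDao.class);

    /**
     * Matches any uid containing a character that must not reach an LDAP search
     * filter unescaped. Besides the RFC 4515 filter metacharacters ( ) * \ it
     * also rejects [ { ^ $ | ? + and '.', so a caller-supplied uid can never
     * change the structure of the filter built in {@link #searchByWildcardedUid}.
     * Note that this also means a uid containing '.' (e.g. an e-mail address)
     * is refused. Compiled once; the original used String.matches per call.
     */
    private static final Pattern FORBIDDEN_UID_CHARS = Pattern.compile(
        ".*\\(.*|.*\\[.*|.*\\{.*|.*\\\\.*|.*\\^.*|.*\\$.*|.*\\|.*|.*\\).*|.*\\?.*|.*\\*.*|.*\\+.*|.*\\..*");

    /** Binding configuration supplied at construction; never null after the constructor returns. */
    private final LdapBindingConfig ldapBindingConfig;

    /** The bound LDAP context; null until {@link #bindToServer} has created it. */
    protected LdapContext ctx;

    /**
     * Not supported: a DAO must always be created with a binding configuration.
     *
     * @throws UnsupportedOperationException always.
     */
    public AbstractLdapDao()
    {
        throw new UnsupportedOperationException("Must be instantiated with LDAP binding configuration.");
    }

    /**
     * Creates the DAO and binds to the directory described by the configuration.
     *
     * @param ldapConfig the binding configuration; must not be null.
     * @throws SecurityException if the configured root DN or password is empty
     *         (see {@link #bindToServer}).
     * @throws IllegalArgumentException if ldapConfig is null.
     */
    public AbstractLdapDao(LdapBindingConfig ldapConfig) throws SecurityException
    {
        if (ldapConfig == null)
        {
            throw new IllegalArgumentException("ldapConfig must not be null.");
        }
        this.ldapBindingConfig = ldapConfig;
        // NOTE(review): this is an overridable method called from a constructor;
        // a subclass override runs before the subclass's own fields are initialised.
        bindToServer(ldapConfig.getRootDn(), ldapConfig.getRootPassword());
    }

    /**
     * Creates the LDAP context if none exists yet. The DN and password are only
     * validated here (an empty password is refused so that no unauthenticated
     * bind is attempted); the context itself is built from the binding
     * configuration by {@code LdapContextProxy}.
     *
     * @param rootDn the DN to bind as; must not be empty.
     * @param rootPassword the bind password; must not be empty.
     * @throws SecurityException if the DN or the password is empty.
     */
    protected void bindToServer(String rootDn, String rootPassword) throws SecurityException
    {
        if (ctx == null)
        {
            validateDn(rootDn);
            validatePassword(rootPassword);

            // NOTE(review): the parameters are not passed on; presumably the proxy
            // reads the same root DN/password from ldapBindingConfig - confirm.
            ctx = LdapContextProxy.createProxy(ldapBindingConfig);
        }
    }

    /**
     * Strips the bound context's own name from a DN, yielding a name relative to
     * the context. DNs that do not start with the context name are returned as-is.
     *
     * @param dn the distinguished name to relativize.
     * @return the name relative to {@code ctx}, or {@code dn} unchanged.
     * @throws NamingException if either name cannot be parsed.
     */
    protected String getSubcontextName(final String dn) throws NamingException
    {
        NameParser parser = ctx.getNameParser("");
        Name name = parser.parse(dn);
        String rootStr = ctx.getNameInNamespace();
        Name root = parser.parse(rootStr);

        if (name.startsWith(root))
        {
            Name rname = name.getSuffix(root.size());

            return rname.toString();
        }

        return dn;
    }

    /**
     * Rejects empty distinguished names.
     *
     * @param dn the DN to check.
     * @throws SecurityException ({@code InvalidDnException}) if dn is null or empty.
     */
    protected void validateDn(final String dn) throws SecurityException
    {
        if (StringUtils.isEmpty(dn))
        {
            throw new InvalidDnException();
        }
    }

    /**
     * Rejects empty passwords; an empty password would otherwise let an LDAP
     * server treat the bind as unauthenticated.
     *
     * @param password the password to check.
     * @throws SecurityException ({@code InvalidPasswordException}) if password is null or empty.
     */
    protected void validatePassword(final String password) throws SecurityException
    {
        if (StringUtils.isEmpty(password))
        {
            throw new InvalidPasswordException();
        }
    }

    /**
     * Builds the default search controls: subtree scope, the configured known
     * attributes as returned attributes, and object return enabled.
     *
     * @return fresh controls; the scope is later overridden by {@link #getSearchScope()}
     *         in the search helpers.
     */
    protected SearchControls setSearchControls()
    {
        SearchControls controls = new SearchControls();
        controls.setReturningAttributes(getKnownAttributes());
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // NOTE(review): with the returning-object flag JNDI may instantiate Java
        // objects stored in directory entries; if no subclass calls getObject()
        // on the results this flag can be dropped to reduce exposure to an
        // untrusted directory - confirm before changing.
        controls.setReturningObjFlag(true);

        return controls;
    }

    /**
     * Looks up the DN of the entry whose uid attribute equals the given uid.
     *
     * @param uid the uid to search for; validated by {@link #validateUid}.
     * @return the matching DN relative to the bound context, or null if no entry matches.
     * @throws SecurityException if the uid is invalid or the directory search fails.
     */
    public String lookupByUid(final String uid) throws SecurityException
    {
        validateUid(uid);

        try
        {
            SearchControls cons = setSearchControls();
            NamingEnumeration searchResults = searchByWildcardedUid(uid, cons);

            return getFirstDnForUid(searchResults);
        }
        catch (NamingException e)
        {
            throw new SecurityException(e);
        }
    }

    /**
     * Returns the DN of the first search result, re-anchored on the user search
     * base (result names are relative to the base the search was run against).
     * The enumeration is always closed. Previously every result was consumed and
     * the last one returned, contrary to this method's name.
     *
     * @param searchResults results of {@link #searchByWildcardedUid}; may be null.
     * @return the first DN, or null if there is no result.
     * @throws NamingException if iterating or closing the enumeration fails.
     */
    private String getFirstDnForUid(NamingEnumeration searchResults) throws NamingException
    {
        if (searchResults == null)
        {
            return null;
        }
        try
        {
            if (!searchResults.hasMore())
            {
                return null;
            }
            SearchResult searchResult = (SearchResult) searchResults.next();
            // NOTE(review): assumes the result is relative to the search base
            // (SearchResult.isRelative()); a non-relative name would be returned
            // with the base wrongly appended - confirm with the directory in use.
            String userDn = searchResult.getName();
            String searchBase = getUserSearchBase();
            if (searchBase.length() > 0)
            {
                userDn += "," + searchBase;
            }
            return userDn;
        }
        finally
        {
            searchResults.close();
        }
    }

    /**
     * Rejects uids that are empty or contain characters that could alter an LDAP
     * filter (see {@link #FORBIDDEN_UID_CHARS}); a NUL byte is refused as well,
     * since it is a filter metacharacter that the original pattern did not cover.
     *
     * @param uid the uid to check.
     * @throws SecurityException ({@code InvalidUidException}) if the uid is not acceptable.
     */
    protected void validateUid(String uid) throws SecurityException
    {
        if (StringUtils.isEmpty(uid) || uid.indexOf('\0') >= 0 || FORBIDDEN_UID_CHARS.matcher(uid).matches())
        {
            throw new InvalidUidException();
        }
    }

    /**
     * Builds an equality filter, AND-ed with an optional extra filter.
     * An empty value becomes a wildcard. The value is inserted verbatim: callers
     * must validate or escape it first (see {@link #validateUid}).
     *
     * @param attribute the attribute name to match on.
     * @param value the value to match; null or empty means {@code *}.
     * @param extraFilter an additional filter expression, or null/empty for none.
     * @return {@code (attribute=value)} or {@code (&(attribute=value)extraFilter)}.
     */
    private static String buildFilter(String attribute, String value, String extraFilter)
    {
        String term = "(" + attribute + "=" + (StringUtils.isEmpty(value) ? "*" : value) + ")";
        if (StringUtils.isEmpty(extraFilter))
        {
            return term;
        }
        return "(&" + term + extraFilter + ")";
    }

    /**
     * The user search base relative to the bound context: the search domain
     * with the trailing root context removed. Never null.
     */
    private String getUserSearchBase()
    {
        return StringUtils.defaultString(StringUtils.replace(getSearchDomain(), "," + getRootContext(), ""));
    }

    /**
     * Runs a search with the configured scope.
     *
     * @param searchBase base relative to the bound context; may be empty.
     * @param query the LDAP filter.
     * @param cons controls whose scope is overridden by {@link #getSearchScope()}.
     * @return the raw results; the caller is responsible for closing them.
     * @throws NamingException if the search fails.
     * @throws IllegalStateException if {@link #bindToServer} has not created a context.
     */
    private NamingEnumeration runSearch(String searchBase, String query, SearchControls cons) throws NamingException
    {
        if (ctx == null)
        {
            throw new IllegalStateException("Not bound to the LDAP server.");
        }
        cons.setSearchScope(getSearchScope());
        return ctx.search(searchBase, query, cons);
    }

    /**
     * Searches user entries whose entry-prefix attribute matches {@code filter}
     * (wildcard when empty), AND-ed with {@link #getSearchSuffix()} if configured.
     * The filter value is inserted verbatim; the caller must validate it.
     *
     * @param filter the value to match, or empty for all entries.
     * @param cons search controls; their scope is replaced by the configured one.
     * @return the results; the caller should close them.
     * @throws NamingException if the search fails.
     */
    protected NamingEnumeration searchByWildcardedUid(final String filter, SearchControls cons) throws NamingException
    {
        String query = buildFilter(getEntryPrefix(), filter, getSearchSuffix());
        logger.debug("searchByWildCardedUid = " + query);

        return runSearch(getUserSearchBase(), query, cons);
    }

    /**
     * Searches group entries by group id attribute, AND-ed with the configured
     * group filter, under the group filter base (empty if not configured).
     *
     * @param filter the value to match, or empty for all groups; inserted verbatim.
     * @param cons search controls; their scope is replaced by the configured one.
     * @return the results; the caller should close them.
     * @throws NamingException if the search fails.
     */
    protected NamingEnumeration searchGroupByWildcardedUid(final String filter, SearchControls cons) throws NamingException
    {
        String query = buildFilter(getGroupIdAttribute(), filter, getGroupFilter());
        String searchBase = StringUtils.defaultString(getGroupFilterBase());

        return runSearch(searchBase, query, cons);
    }

    /**
     * Searches role entries by role id attribute, AND-ed with the configured
     * role filter, under the role filter base (empty if not configured).
     *
     * @param filter the value to match, or empty for all roles; inserted verbatim.
     * @param cons search controls; their scope is replaced by the configured one.
     * @return the results; the caller should close them.
     * @throws NamingException if the search fails.
     */
    protected NamingEnumeration searchRoleByWildcardedUid(final String filter, SearchControls cons) throws NamingException
    {
        String query = buildFilter(getRoleIdAttribute(), filter, getRoleFilter());
        String searchBase = StringUtils.defaultString(getRoleFilterBase());

        return runSearch(searchBase, query, cons);
    }

    /** @return the configured group filter base. */
    protected String getGroupFilterBase()
    {
        return this.ldapBindingConfig.getGroupFilterBase();
    }

    /** @return the configured group object classes. */
    protected String[] getGroupObjectClasses()
    {
        return this.ldapBindingConfig.getGroupObjectClasses();
    }

    /** @return the configured role filter base. */
    protected String getRoleFilterBase()
    {
        return this.ldapBindingConfig.getRoleFilterBase();
    }

    /** @return the configured role object classes. */
    protected String[] getRoleObjectClasses()
    {
        return this.ldapBindingConfig.getRoleObjectClasses();
    }

    /** @return the configured user filter base. */
    protected String getUserFilterBase()
    {
        return this.ldapBindingConfig.getUserFilterBase();
    }

    /** @return the configured group filter, AND-ed into group searches. */
    protected String getGroupFilter()
    {
        return this.ldapBindingConfig.getGroupFilter();
    }

    /** @return the configured role filter, AND-ed into role searches. */
    protected String getRoleFilter()
    {
        return this.ldapBindingConfig.getRoleFilter();
    }

    /** @return the configured root context, stripped from the user search base. */
    protected String getRootContext()
    {
        return this.ldapBindingConfig.getRootContext();
    }

    /** @return the attribute name matched in {@link #searchByWildcardedUid}. */
    protected abstract String getEntryPrefix();

    /** @return an extra filter AND-ed into {@link #searchByWildcardedUid}, or empty. */
    protected abstract String getSearchSuffix();

    /** @return the search domain for user lookups (may include the root context). */
    protected abstract String getSearchDomain();

    /** @return the configured user filter. */
    protected String getUserFilter()
    {
        return this.ldapBindingConfig.getUserFilter();
    }

    /** @return the configured user object classes. */
    protected String[] getUserObjectClasses()
    {
        return this.ldapBindingConfig.getUserObjectClasses();
    }

    /** @return the configured group membership attribute(s). */
    protected String getGroupMembershipAttribute()
    {
        return this.ldapBindingConfig.getGroupMembershipAttributes();
    }

    /** @return the configured user-to-group membership attribute(s). */
    protected String getUserGroupMembershipAttribute()
    {
        return this.ldapBindingConfig.getUserGroupMembershipAttributes();
    }

    /** @return the configured group membership attribute(s) for roles. */
    protected String getGroupMembershipForRoleAttribute()
    {
        return this.ldapBindingConfig.getGroupMembershipForRoleAttributes();
    }

    /** @return the configured role-to-group membership attribute(s) for roles. */
    protected String getRoleGroupMembershipForRoleAttribute()
    {
        return this.ldapBindingConfig.getRoleGroupMembershipForRoleAttributes();
    }

    /** @return the configured role membership attribute(s). */
    protected String getRoleMembershipAttribute()
    {
        return this.ldapBindingConfig.getRoleMembershipAttributes();
    }

    /** @return the configured user-to-role membership attribute(s). */
    protected String getUserRoleMembershipAttribute()
    {
        return this.ldapBindingConfig.getUserRoleMembershipAttributes();
    }

    /** @return the configured role id attribute. */
    protected String getRoleIdAttribute()
    {
        return this.ldapBindingConfig.getRoleIdAttribute();
    }

    /** @return the configured group id attribute. */
    protected String getGroupIdAttribute()
    {
        return this.ldapBindingConfig.getGroupIdAttribute();
    }

    /** @return the configured user id attribute. */
    protected String getUserIdAttribute()
    {
        return this.ldapBindingConfig.getUserIdAttribute();
    }

    /** @return the configured uid attribute. */
    protected String getUidAttribute()
    {
        return this.ldapBindingConfig.getUidAttribute();
    }

    /**
     * @return the configured membership search scope as a {@link SearchControls}
     *         scope constant.
     * @throws NumberFormatException if the configured value is not an integer.
     */
    protected int getSearchScope()
    {
        return Integer.parseInt(this.ldapBindingConfig.getMemberShipSearchScope());
    }

    /** @return the configured role uid attribute. */
    protected String getRoleUidAttribute()
    {
        return this.ldapBindingConfig.getRoleUidAttribute();
    }

    /** @return the configured group uid attribute. */
    protected String getGroupUidAttribute()
    {
        return this.ldapBindingConfig.getGroupUidAttribute();
    }

    /** @return the configured user uid attribute. */
    protected String getUserUidAttribute()
    {
        return this.ldapBindingConfig.getUserUidAttribute();
    }

    /** @return the configured required attribute classes for group objects. */
    protected String getGroupObjectRequiredAttributeClasses()
    {
        return this.ldapBindingConfig.getGroupObjectRequiredAttributeClasses();
    }

    /** @return the configured required attribute classes for role objects. */
    protected String getRoleObjectRequiredAttributeClasses()
    {
        return this.ldapBindingConfig.getRoleObjectRequiredAttributeClasses();
    }

    /** @return the configured user attributes. */
    protected String[] getUserAttributes()
    {
        return this.ldapBindingConfig.getUserAttributes();
    }

    /** @return the configured group attributes. */
    protected String[] getGroupAttributes()
    {
        return this.ldapBindingConfig.getGroupAttributes();
    }

    /** @return the configured role attributes. */
    protected String[] getRoleAttributes()
    {
        return this.ldapBindingConfig.getRoleAttributes();
    }

    /** @return the configured user password attribute. */
    protected String getUserPasswordAttribute()
    {
        return this.ldapBindingConfig.getUserPasswordAttribute();
    }

    /** @return the configured attributes requested by {@link #setSearchControls()}. */
    protected String[] getKnownAttributes()
    {
        return this.ldapBindingConfig.getKnownAttributes();
    }

    /** @return the object classes for entries managed by the concrete DAO. */
    protected abstract String[] getObjectClasses();

    /** @return the attributes for entries managed by the concrete DAO. */
    protected abstract String[] getAttributes();
}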