/**
* The MessageFormat object associated with the current
+ * <code>roleBase</code>.
+ */
+ protected MessageFormat roleBaseFormat = null;
+
+
+ /**
+ * The MessageFormat object associated with the current
* <code>roleSearch</code>.
*/
protected MessageFormat roleFormat = null;
public void setRoleBase(String roleBase) {
this.roleBase = roleBase;
+ if (roleBase == null)
+ roleBaseFormat = null;
+ else
+ roleBaseFormat = new MessageFormat(roleBase);
}
controls.setSearchScope(SearchControls.ONELEVEL_SCOPE);
controls.setReturningAttributes(new String[] {roleName});
+ String base = null;
+ if (roleBaseFormat != null) {
+ NameParser np = context.getNameParser("");
+ Name name = np.parse(dn);
+ String nameParts[] = new String[name.size()];
+ for (int i = 0; i < name.size(); i++) {
+ nameParts[i] = name.get(i);
+ }
+ base = roleBaseFormat.format(nameParts);
+ }
+
// Perform the configured search and process the results
NamingEnumeration<SearchResult> results = null;
try {
if (roleSearchAsUser) {
userCredentialsAdd(context, dn, user.getPassword());
}
- results = context.search(roleBase, filter, controls);
+ results = context.search(base, filter, controls);
} finally {
if (roleSearchAsUser) {
userCredentialsRemove(context);
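Review bot: When `roleBaseFormat` is null the base passed at `results = context.search(base, filter, controls);` is now null instead of the configured `roleBase`, because `String base = null;` is only overwritten inside the `if (roleBaseFormat != null)` branch and the field is initialised to null in the first hunk; if `setRoleBase()` is never invoked (the default of `roleBase` is not visible in this diff) the search base silently changes from its old value to null. Initialising from the field, `String base = roleBase;`, keeps the non-pattern path identical to the removed `context.search(roleBase, ...)` line. MessageFormat substitutes the `nameParts` verbatim, so the computed base is only a well-formed name if `Name.get(i)` returns properly escaped RDN strings, which holds for `LdapName` but depends on what `context.getNameParser("")` returns here — worth a one-line comment above `base = roleBaseFormat.format(nameParts);` noting that assumption and that index 0 is the rightmost RDN for an LDAP name parser. The enclosing method starts and ends outside this hunk.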
<bug>19444</bug>: Add an option to the JNDI realm to allow role searches
to be performed by the authenticated user. (markt)
</add>
+ <add>
+ <bug>21669</bug>: Add the ability to specify the roleBase for the JNDI
+ Realm as relative to the users DN. Based on a patch by Art W. (markt)
+ </add>
<fix>
<bug>48863</bug>: Better logging when specifying an invalid directory
for a class loader. Based on a patch by Ralf Hauser. (markt)
</attribute>
<attribute name="roleBase" required="false">
- <p>The base directory entry for performing role searches. If
- not specified the top-level element in the directory context
- will be used.</p>
+ <p>The base directory entry for performing role searches. If not
+ specified the top-level element in the directory context will be used.
+ If specified it may optionally include pattern replacements
+ "{0}".."{n}" corrosponding to the name parts of the
+ user's distinguished name (as returned by
+ <code>javax.naming.Name.get()</code>).</p>
</attribute>
<attribute name="roleName" required="false">