*/
protected boolean roleNested = false;
-
+ /**
+ * When searching for user roles, should the search be performed as the user
+ * currently being authenticated? If false, {@link #connectionName} and
+ * {@link #connectionPassword} will be used if specified, else an anonymous
+ * connection will be used.
+ */
+ protected boolean roleSearchAsUser = false;
+
/**
* An alternate URL, to which, we should connect if connectionURL fails.
*/
controls.setReturningAttributes(new String[] {roleName});
// Perform the configured search and process the results
- NamingEnumeration<SearchResult> results =
- context.search(roleBase, filter, controls);
+ NamingEnumeration<SearchResult> results = null;
+ try {
+ if (roleSearchAsUser) {
+ userCredentialsAdd(context, dn, user.getPassword());
+ }
+ results = context.search(roleBase, filter, controls);
+ } finally {
+ if (roleSearchAsUser) {
+ userCredentialsRemove(context);
+ }
+ }
+
if (results == null)
return (list); // Should never happen, but just in case ...
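Review bot: The `finally` at L25–L28 restores the context after a search performed with the user's own credentials, but if `userCredentialsRemove` throws, its NamingException replaces whatever `context.search` threw, and the context may be left with `dn`/`user.getPassword()` still in its environment for whoever uses it next. If that DirContext is the realm's shared, reused connection (not visible in this hunk), a later request could then run with another user's credentials; consider closing and discarding the context when the restore fails rather than allowing it to be reused, and a comment on L26 such as `// Restore the realm's own credentials so the context is never reused as the user` would make the intent explicit. This path also assumes `user.getPassword()` still carries the plaintext the user bound with, which should be confirmed for realms that authenticate by attribute comparison instead of a bind. The enclosing method starts before and ends after this hunk.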
<section name="Tomcat 7.0.9 (markt)">
<subsection name="Catalina">
<changelog>
+ <add>
+ <bug>19444</bug>: Add an option to the JNDI realm to allow role searches
+ to be performed by the authenticated user. (markt)
+ </add>
<fix>
<bug>48863</bug>: Better logging when specifying an invalid directory
for a class loader. Based on a patch by Ralf Hauser. (markt)
property.</p>
</attribute>
+ <attribute name="roleSearchAsUser" required="false">
+ <p> When searching for user roles, should the search be performed as the
+ user currently being authenticated? If false,
+ <code>connectionName</code>} and <code>connectionPassword</code> will be
+ used if specified, else an anonymous. If not specified, the default
+ value of <code>false</code> is used.</p>
+ </attribute>
+
<attribute name="roleSubtree" required="false">
<p>Set to <code>true</code> if you want to search the entire
subtree of the element specified by the <code>roleBase</code>