From 4173954d3adc609166cc5881d22016343c94d630 Mon Sep 17 00:00:00 2001
From: markt
Date: Tue, 22 Feb 2011 11:48:09 +0000
Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=21669 Add the ability to specify the roleBase for the JNDI Realm as relative to the users DN. Based on a patch by Art W.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1073301 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/catalina/realm/JNDIRealm.java | 24 +++++++++++++++++++++++-
 webapps/docs/changelog.xml | 4 ++++
 webapps/docs/config/realm.xml | 9 ++++++---
 3 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java
index cc2974beb..430ad4811 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -330,6 +330,13 @@ public class JNDIRealm extends RealmBase {
 /**
 * The MessageFormat object associated with the current
+ * roleBase.
+ */
+ protected MessageFormat roleBaseFormat = null;
+
+
+ /**
+ * The MessageFormat object associated with the current
 * roleSearch.
 */
 protected MessageFormat roleFormat = null;
@@ -697,6 +704,10 @@ public class JNDIRealm extends RealmBase {
 public void setRoleBase(String roleBase) {
 this.roleBase = roleBase;
+ if (roleBase == null)
+ roleBaseFormat = null;
+ else
+ roleBaseFormat = new MessageFormat(roleBase);
 }
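Review bot: In the `setRoleBase` hunk (`@@ -697,6 +704,10 @@`), every roleBase value is now compiled as a `MessageFormat` pattern, so `'` and `{` in an existing plain DN take on pattern meaning. A lone apostrophe is dropped from the formatted base, and an unmatched `{` makes `new MessageFormat(roleBase)` throw `IllegalArgumentException` out of the setter. Configurations written before this change had no reason to quote those characters, and the formatted string becomes the role search base in the `@@ -1698,13 +1709,24 @@` hunk, so a silently altered base changes which role entries are found. I would state the quoting rule in the setter's Javadoc and in realm.xml, for example `A literal ' must be written as '' and a literal { as '{'.` Any existing Javadoc for the setter lies outside the hunk.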
@@ -1698,13 +1709,24 @@ public class JNDIRealm extends RealmBase {
 controls.setSearchScope(SearchControls.ONELEVEL_SCOPE);
 controls.setReturningAttributes(new String[] {roleName});
+ String base = null;
+ if (roleBaseFormat != null) {
+ NameParser np = context.getNameParser("");
+ Name name = np.parse(dn);
+ String nameParts[] = new String[name.size()];
+ for (int i = 0; i < name.size(); i++) {
+ nameParts[i] = name.get(i);
+ }
+ base = roleBaseFormat.format(nameParts);
+ }
+
 // Perform the configured search and process the results
 NamingEnumeration results = null;
 try {
 if (roleSearchAsUser) {
 userCredentialsAdd(context, dn, user.getPassword());
 }
- results = context.search(roleBase, filter, controls);
+ results = context.search(base, filter, controls);
 } finally {
 if (roleSearchAsUser) {
 userCredentialsRemove(context);
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6a39b3154..bdb9ceb71 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -49,6 +49,10 @@ 19444: Add an option to the JNDI realm to allow role searches to be performed by the authenticated user. (markt) + + 21669: Add the ability to specify the roleBase for the JNDI + Realm as relative to the users DN. Based on a patch by Art W. (markt) + 48863: Better logging when specifying an invalid directory for a class loader. Based on a patch by Ralf Hauser. (markt)
diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml
index bd6d6a205..3c7f766e5 100644
--- a/webapps/docs/config/realm.xml
+++ b/webapps/docs/config/realm.xml
@@ -387,9 +387,12 @@ -
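Review bot: In the JNDIRealm.java role-search hunk (`@@ -1698,13 +1709,24 @@`), `base` stays `null` whenever `roleBaseFormat` is null, so `context.search(base, filter, controls)` receives a null name where the old code passed `roleBase`. `roleBaseFormat` starts as null and is assigned only in `setRoleBase`, so a realm configured without roleBase, which realm.xml documents as allowed, takes this path on every role lookup. The initial value of `roleBase` is outside the hunks, but if it is non-null this is a regression in role resolution. Initialising with `String base = roleBase;` keeps the previous behaviour when no pattern is set. Separately, `MessageFormat` leaves `{n}` in the output when the index exceeds `name.size()`, so a pattern deeper than a user's DN reaches the search as a malformed base, and a debug log of the resolved base would make that diagnosable. The enclosing method starts and ends outside the hunk.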

The base directory entry for performing role searches. If - not specified the top-level element in the directory context - will be used.

+

The base directory entry for performing role searches. If not + specified the top-level element in the directory context will be used. + If specified it may optionally include pattern replacements + "{0}".."{n}" corrosponding to the name parts of the + user's distinguished name (as returned by + javax.naming.Name.get()).

-- 2.11.0