mirror of https://github.com/apache/activemq.git
AMQ-6148 re-using LDAP context for authentication
This commit is contained in:
parent
96a011d4b1
commit
610b87aed8
|
@ -70,10 +70,10 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
protected DirContext context;
|
protected DirContext context;
|
||||||
|
|
||||||
private Subject subject;
|
private Subject subject;
|
||||||
private CallbackHandler handler;
|
private CallbackHandler handler;
|
||||||
private LDAPLoginProperty [] config;
|
private LDAPLoginProperty [] config;
|
||||||
private Principal user;
|
private Principal user;
|
||||||
private Set<GroupPrincipal> groups = new HashSet<GroupPrincipal>();
|
private Set<GroupPrincipal> groups = new HashSet<>();
|
||||||
|
|
||||||
/** the authentication status*/
|
/** the authentication status*/
|
||||||
private boolean succeeded = false;
|
private boolean succeeded = false;
|
||||||
|
@ -83,7 +83,7 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
|
public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
|
||||||
this.subject = subject;
|
this.subject = subject;
|
||||||
this.handler = callbackHandler;
|
this.handler = callbackHandler;
|
||||||
|
|
||||||
config = new LDAPLoginProperty [] {
|
config = new LDAPLoginProperty [] {
|
||||||
new LDAPLoginProperty (INITIAL_CONTEXT_FACTORY, (String)options.get(INITIAL_CONTEXT_FACTORY)),
|
new LDAPLoginProperty (INITIAL_CONTEXT_FACTORY, (String)options.get(INITIAL_CONTEXT_FACTORY)),
|
||||||
new LDAPLoginProperty (CONNECTION_URL, (String)options.get(CONNECTION_URL)),
|
new LDAPLoginProperty (CONNECTION_URL, (String)options.get(CONNECTION_URL)),
|
||||||
|
@ -114,18 +114,16 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
callbacks[1] = new PasswordCallback("Password", false);
|
callbacks[1] = new PasswordCallback("Password", false);
|
||||||
try {
|
try {
|
||||||
handler.handle(callbacks);
|
handler.handle(callbacks);
|
||||||
} catch (IOException ioe) {
|
} catch (IOException | UnsupportedCallbackException ioe) {
|
||||||
throw (LoginException)new LoginException().initCause(ioe);
|
throw (LoginException)new LoginException().initCause(ioe);
|
||||||
} catch (UnsupportedCallbackException uce) {
|
|
||||||
throw (LoginException)new LoginException().initCause(uce);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
String password;
|
String password;
|
||||||
|
|
||||||
String username = ((NameCallback)callbacks[0]).getName();
|
String username = ((NameCallback)callbacks[0]).getName();
|
||||||
if (username == null)
|
if (username == null)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if (((PasswordCallback)callbacks[1]).getPassword() != null)
|
if (((PasswordCallback)callbacks[1]).getPassword() != null)
|
||||||
password = new String(((PasswordCallback)callbacks[1]).getPassword());
|
password = new String(((PasswordCallback)callbacks[1]).getPassword());
|
||||||
else
|
else
|
||||||
|
@ -163,9 +161,7 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
|
|
||||||
Set<Principal> principals = subject.getPrincipals();
|
Set<Principal> principals = subject.getPrincipals();
|
||||||
principals.add(user);
|
principals.add(user);
|
||||||
for (GroupPrincipal gp : groups) {
|
principals.addAll(groups);
|
||||||
principals.add(gp);
|
|
||||||
}
|
|
||||||
|
|
||||||
commitSucceeded = true;
|
commitSucceeded = true;
|
||||||
return true;
|
return true;
|
||||||
|
@ -175,7 +171,7 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
public boolean abort() throws LoginException {
|
public boolean abort() throws LoginException {
|
||||||
if (!succeeded) {
|
if (!succeeded) {
|
||||||
return false;
|
return false;
|
||||||
} else if (succeeded && commitSucceeded) {
|
} else if (commitSucceeded) {
|
||||||
// we succeeded, but another required module failed
|
// we succeeded, but another required module failed
|
||||||
logout();
|
logout();
|
||||||
} else {
|
} else {
|
||||||
|
@ -187,11 +183,16 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void close(DirContext context) {
|
protected void closeContext() {
|
||||||
|
if (context == null) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
try {
|
try {
|
||||||
context.close();
|
context.close();
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
log.error(e.toString());
|
log.error(e.toString());
|
||||||
|
} finally {
|
||||||
|
context = null;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -199,25 +200,23 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
|
|
||||||
MessageFormat userSearchMatchingFormat;
|
MessageFormat userSearchMatchingFormat;
|
||||||
boolean userSearchSubtreeBool;
|
boolean userSearchSubtreeBool;
|
||||||
|
|
||||||
DirContext context = null;
|
|
||||||
|
|
||||||
if (log.isDebugEnabled()) {
|
if (log.isDebugEnabled()) {
|
||||||
log.debug("Create the LDAP initial context.");
|
log.debug("Create the LDAP initial context.");
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
context = open();
|
openContext();
|
||||||
} catch (NamingException ne) {
|
} catch (NamingException ne) {
|
||||||
FailedLoginException ex = new FailedLoginException("Error opening LDAP connection");
|
FailedLoginException ex = new FailedLoginException("Error opening LDAP connection");
|
||||||
ex.initCause(ne);
|
ex.initCause(ne);
|
||||||
throw ex;
|
throw ex;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!isLoginPropertySet(USER_SEARCH_MATCHING))
|
if (!isLoginPropertySet(USER_SEARCH_MATCHING))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
userSearchMatchingFormat = new MessageFormat(getLDAPPropertyValue(USER_SEARCH_MATCHING));
|
userSearchMatchingFormat = new MessageFormat(getLDAPPropertyValue(USER_SEARCH_MATCHING));
|
||||||
userSearchSubtreeBool = Boolean.valueOf(getLDAPPropertyValue(USER_SEARCH_SUBTREE)).booleanValue();
|
userSearchSubtreeBool = Boolean.valueOf(getLDAPPropertyValue(USER_SEARCH_SUBTREE));
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
|
||||||
|
@ -232,7 +231,7 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
}
|
}
|
||||||
|
|
||||||
// setup attributes
|
// setup attributes
|
||||||
List<String> list = new ArrayList<String>();
|
List<String> list = new ArrayList<>();
|
||||||
if (isLoginPropertySet(USER_ROLE_NAME)) {
|
if (isLoginPropertySet(USER_ROLE_NAME)) {
|
||||||
list.add(getLDAPPropertyValue(USER_ROLE_NAME));
|
list.add(getLDAPPropertyValue(USER_ROLE_NAME));
|
||||||
}
|
}
|
||||||
|
@ -284,9 +283,7 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
dn = path;
|
dn = path;
|
||||||
}
|
}
|
||||||
} catch (URISyntaxException e) {
|
} catch (URISyntaxException e) {
|
||||||
if (context != null) {
|
closeContext();
|
||||||
close(context);
|
|
||||||
}
|
|
||||||
FailedLoginException ex = new FailedLoginException("Error parsing absolute name as URI.");
|
FailedLoginException ex = new FailedLoginException("Error parsing absolute name as URI.");
|
||||||
ex.initCause(e);
|
ex.initCause(e);
|
||||||
throw ex;
|
throw ex;
|
||||||
|
@ -324,18 +321,12 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
ex.initCause(e);
|
ex.initCause(e);
|
||||||
throw ex;
|
throw ex;
|
||||||
} catch (NamingException e) {
|
} catch (NamingException e) {
|
||||||
if (context != null) {
|
|
||||||
close(context);
|
|
||||||
}
|
|
||||||
FailedLoginException ex = new FailedLoginException("Error contacting LDAP");
|
FailedLoginException ex = new FailedLoginException("Error contacting LDAP");
|
||||||
ex.initCause(e);
|
ex.initCause(e);
|
||||||
throw ex;
|
throw ex;
|
||||||
|
} finally {
|
||||||
|
closeContext();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (context != null) {
|
|
||||||
close(context);
|
|
||||||
}
|
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -345,11 +336,11 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
boolean roleSearchSubtreeBool;
|
boolean roleSearchSubtreeBool;
|
||||||
boolean expandRolesBool;
|
boolean expandRolesBool;
|
||||||
roleSearchMatchingFormat = new MessageFormat(getLDAPPropertyValue(ROLE_SEARCH_MATCHING));
|
roleSearchMatchingFormat = new MessageFormat(getLDAPPropertyValue(ROLE_SEARCH_MATCHING));
|
||||||
roleSearchSubtreeBool = Boolean.valueOf(getLDAPPropertyValue(ROLE_SEARCH_SUBTREE)).booleanValue();
|
roleSearchSubtreeBool = Boolean.parseBoolean(getLDAPPropertyValue(ROLE_SEARCH_SUBTREE));
|
||||||
expandRolesBool = Boolean.valueOf(getLDAPPropertyValue(EXPAND_ROLES)).booleanValue();
|
expandRolesBool = Boolean.parseBoolean(getLDAPPropertyValue(EXPAND_ROLES));
|
||||||
|
|
||||||
if (list == null) {
|
if (list == null) {
|
||||||
list = new ArrayList<String>();
|
list = new ArrayList<>();
|
||||||
}
|
}
|
||||||
if (!isLoginPropertySet(ROLE_NAME)) {
|
if (!isLoginPropertySet(ROLE_NAME)) {
|
||||||
return list;
|
return list;
|
||||||
|
@ -370,8 +361,8 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
log.debug(" base DN: " + getLDAPPropertyValue(ROLE_BASE));
|
log.debug(" base DN: " + getLDAPPropertyValue(ROLE_BASE));
|
||||||
log.debug(" filter: " + filter);
|
log.debug(" filter: " + filter);
|
||||||
}
|
}
|
||||||
HashSet<String> haveSeenNames = new HashSet<String>();
|
HashSet<String> haveSeenNames = new HashSet<>();
|
||||||
Queue<String> pendingNameExpansion = new LinkedList<String>();
|
Queue<String> pendingNameExpansion = new LinkedList<>();
|
||||||
NamingEnumeration<SearchResult> results = context.search(getLDAPPropertyValue(ROLE_BASE), filter, constraints);
|
NamingEnumeration<SearchResult> results = context.search(getLDAPPropertyValue(ROLE_BASE), filter, constraints);
|
||||||
while (results.hasMore()) {
|
while (results.hasMore()) {
|
||||||
SearchResult result = results.next();
|
SearchResult result = results.next();
|
||||||
|
@ -436,7 +427,6 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
|
|
||||||
protected boolean bindUser(DirContext context, String dn, String password) throws NamingException {
|
protected boolean bindUser(DirContext context, String dn, String password) throws NamingException {
|
||||||
boolean isValid = false;
|
boolean isValid = false;
|
||||||
|
|
||||||
if (log.isDebugEnabled()) {
|
if (log.isDebugEnabled()) {
|
||||||
log.debug("Binding the user.");
|
log.debug("Binding the user.");
|
||||||
}
|
}
|
||||||
|
@ -450,7 +440,6 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
log.debug("User " + dn + " successfully bound.");
|
log.debug("User " + dn + " successfully bound.");
|
||||||
}
|
}
|
||||||
} catch (AuthenticationException e) {
|
} catch (AuthenticationException e) {
|
||||||
isValid = false;
|
|
||||||
if (log.isDebugEnabled()) {
|
if (log.isDebugEnabled()) {
|
||||||
log.debug("Authentication failed for dn=" + dn);
|
log.debug("Authentication failed for dn=" + dn);
|
||||||
}
|
}
|
||||||
|
@ -476,7 +465,7 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
return values;
|
return values;
|
||||||
}
|
}
|
||||||
if (values == null) {
|
if (values == null) {
|
||||||
values = new ArrayList<String>();
|
values = new ArrayList<>();
|
||||||
}
|
}
|
||||||
Attribute attr = attrs.get(attrId);
|
Attribute attr = attrs.get(attrId);
|
||||||
if (attr == null) {
|
if (attr == null) {
|
||||||
|
@ -490,9 +479,12 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
return values;
|
return values;
|
||||||
}
|
}
|
||||||
|
|
||||||
protected DirContext open() throws NamingException {
|
protected void openContext() throws NamingException {
|
||||||
|
if (context != null) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
try {
|
try {
|
||||||
Hashtable<String, String> env = new Hashtable<String, String>();
|
Hashtable<String, String> env = new Hashtable<>();
|
||||||
env.put(Context.INITIAL_CONTEXT_FACTORY, getLDAPPropertyValue(INITIAL_CONTEXT_FACTORY));
|
env.put(Context.INITIAL_CONTEXT_FACTORY, getLDAPPropertyValue(INITIAL_CONTEXT_FACTORY));
|
||||||
if (isLoginPropertySet(CONNECTION_USERNAME)) {
|
if (isLoginPropertySet(CONNECTION_USERNAME)) {
|
||||||
env.put(Context.SECURITY_PRINCIPAL, getLDAPPropertyValue(CONNECTION_USERNAME));
|
env.put(Context.SECURITY_PRINCIPAL, getLDAPPropertyValue(CONNECTION_USERNAME));
|
||||||
|
@ -511,24 +503,24 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
context = new InitialDirContext(env);
|
context = new InitialDirContext(env);
|
||||||
|
|
||||||
} catch (NamingException e) {
|
} catch (NamingException e) {
|
||||||
|
closeContext();
|
||||||
log.error(e.toString());
|
log.error(e.toString());
|
||||||
throw e;
|
throw e;
|
||||||
}
|
}
|
||||||
return context;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private String getLDAPPropertyValue (String propertyName){
|
private String getLDAPPropertyValue (String propertyName){
|
||||||
for (int i=0; i < config.length; i++ )
|
for (LDAPLoginProperty ldapLoginProperty : config)
|
||||||
if (config[i].getPropertyName() == propertyName)
|
if (ldapLoginProperty.getPropertyName().equals(propertyName))
|
||||||
return config[i].getPropertyValue();
|
return ldapLoginProperty.getPropertyValue();
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean isLoginPropertySet(String propertyName) {
|
private boolean isLoginPropertySet(String propertyName) {
|
||||||
for (int i=0; i < config.length; i++ ) {
|
for (LDAPLoginProperty ldapLoginProperty : config) {
|
||||||
if (config[i].getPropertyName() == propertyName && (config[i].getPropertyValue() != null && !"".equals(config[i].getPropertyValue())))
|
if (ldapLoginProperty.getPropertyName().equals(propertyName) && (ldapLoginProperty.getPropertyValue() != null && !"".equals(ldapLoginProperty.getPropertyValue())))
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue