
Example 86 with LdapName

use of javax.naming.ldap.LdapName in project Payara by payara.

the class LDAPRealm method getGroups.

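/**
 * Collects the names of the groups the given user belongs to, combining the
 * static group search and the dynamic (member-of style) group search.
 * <p>
 * Used for subjects that have not been authenticated through this realm, so
 * the only input available for building the search filters is the user's DN.
 *
 * @param userDN the distinguished name of the user; when it is not a parseable
 *        DN, {@code new LdapName} throws and the lookup ends in the catch below
 *        with a logged warning and a {@code null} result
 * @return the group names found (possibly empty), or {@code null} when the
 *         bind, the DN parse or either search failed
 */
private List<String> getGroups(String userDN) {
    // no authentication has happened through the realm.
    DirContext ctx = null;
    String dynMember = getProperty(PARAM_DYNAMIC_GRP_TARGET);
    try {
        ctx = new InitialDirContext(getLdapBindProps());
        // An InvalidNameException raised here is not ignored: it propagates to
        // the outer catch and the lookup yields null (issue GLASSFISH-19595).
        LdapName name = new LdapName(userDN);
        // Subject name: the first CN RDN in getRdns() order; when the DN has
        // no CN, fall back to the first UID RDN (e.g. uid=jdoe,ou=people,...);
        // when neither is present the whole DN is used. The previous fallback
        // was unreachable because it tested the already-assigned name for null.
        String cnValue = null;
        String uidValue = null;
        for (Rdn rdn : name.getRdns()) {
            String type = rdn.getType();
            if (cnValue == null && type.equalsIgnoreCase(OID.CN.getName())) {
                cnValue = rdn.getValue().toString();
            } else if (uidValue == null && type.equalsIgnoreCase("uid")) {
                uidValue = rdn.getValue().toString();
            }
        }
        String _username;
        if (cnValue != null) {
            _username = cnValue;
        } else if (uidValue != null) {
            _username = uidValue;
        } else {
            _username = userDN;
        }
        // NOTE(review): the subject name and DN are spliced into the search
        // filters below; whether substitute() applies RFC 4515 filter escaping
        // is not visible in this method -- confirm, since userDN is a
        // caller-supplied value rather than a local constant.
        StringBuilder sb = new StringBuilder(getProperty(PARAM_GRP_SEARCH_FILTER));
        StringBuilder dynSb = new StringBuilder(getProperty(PARAM_DYNAMIC_GRP_FILTER));
        substitute(sb, SUBST_SUBJECT_NAME, _username);
        substitute(sb, SUBST_SUBJECT_DN, userDN);
        substitute(dynSb, SUBST_SUBJECT_NAME, _username);
        substitute(dynSb, SUBST_SUBJECT_DN, userDN);
        String srcFilter = sb.toString();
        String dynFilter = dynSb.toString();
        List<String> groupsList = new ArrayList<>();
        groupsList.addAll(groupSearch(ctx, getProperty(PARAM_GRPDN), srcFilter, getProperty(PARAM_GRP_TARGET)));
        // The dynamic search filter is constructed internally as a groupOfURLs
        // lookup on the member-of attribute.
        groupsList.addAll(dynamicGroupSearch(ctx, getProperty(PARAM_GRPDN), dynMember, dynFilter, getProperty(PARAM_GRP_TARGET)));
        return groupsList;
    } catch (Exception e) {
        groupSearchLogger.log(WARNING, "ldaprealm.groupsearcherror", e);
    } finally {
        if (ctx != null) {
            try {
                ctx.close();
            } catch (NamingException e) {
                _logger.log(WARNING, "ldaprealm.exception", e);
            }
        }
    }
    // Reached only after a failure above; callers distinguish null from an empty list.
    return null;
}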

Example 87 with LdapName

use of javax.naming.ldap.LdapName in project Payara by payara.

the class LDAPRealm method dynamicGroupSearch.

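/**
 * Search for group membership using the given connection.
 * <p>
 * Runs {@code filter} under {@code baseDN} and, for every entry found, reads
 * the {@code memberOfAttr} attribute; each value is parsed as a DN and the
 * value of its first RDN (in {@code getRdns()} order) of type {@code target}
 * is added to the result.
 *
 * @param ctx          the bound directory context to search with
 * @param baseDN       the search base
 * @param memberOfAttr the attribute holding the DNs of the groups an entry belongs to
 * @param filter       the LDAP search filter, already built by the caller
 * @param target       the RDN type whose value is reported as the group name
 * @return the group names found; empty (never {@code null}) when nothing
 *         matched, or when the search failed part-way, which is logged
 */
private List<String> dynamicGroupSearch(DirContext ctx, String baseDN, String memberOfAttr, String filter, String target) {
    List<String> groupList = new ArrayList<>();
    String[] targets = new String[] { memberOfAttr };
    NamingEnumeration<SearchResult> results = null;
    try {
        SearchControls searchControls = new SearchControls();
        searchControls.setReturningAttributes(targets);
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // Only attribute values are wanted: do not let JNDI reconstruct the
        // Java objects bound to the returned entries, since object
        // reconstruction from directory-supplied data is an injection vector.
        searchControls.setReturningObjFlag(false);
        results = ctx.search(baseDN, filter, searchControls);
        while (results.hasMore()) {
            SearchResult res = results.next();
            Attribute isMemberOf = res.getAttributes().get(memberOfAttr);
            if (isMemberOf == null) {
                continue;
            }
            NamingEnumeration<?> values = isMemberOf.getAll();
            try {
                while (values.hasMoreElements()) {
                    // A non-String (binary) value fails this cast; the
                    // resulting exception is logged by the catch below.
                    String groupDN = (String) values.nextElement();
                    LdapName dn = new LdapName(groupDN);
                    for (Rdn rdn : dn.getRdns()) {
                        if (rdn.getType().equalsIgnoreCase(target)) {
                            groupList.add(rdn.getValue().toString());
                            break;
                        }
                    }
                }
            } finally {
                closeQuietly(values);
            }
        }
    } catch (Exception e) {
        _logger.log(WARNING, "ldaprealm.searcherror", filter);
        _logger.log(WARNING, "security.exception", e);
    } finally {
        // The search enumeration holds server-side state; release it even on failure.
        closeQuietly(results);
    }
    return groupList;
}

/**
 * Closes a JNDI enumeration, logging rather than propagating a close failure
 * so that it cannot mask the outcome of the search itself.
 *
 * @param e the enumeration to close; {@code null} is accepted and ignored
 */
private void closeQuietly(NamingEnumeration<?> e) {
    if (e == null) {
        return;
    }
    try {
        e.close();
    } catch (NamingException ex) {
        _logger.log(WARNING, "ldaprealm.exception", ex);
    }
}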

Example 88 with LdapName

use of javax.naming.ldap.LdapName in project Payara by payara.

the class CertificateRealm method authenticate.

/**
 * Authenticates the caller identified by a certificate principal: derives the
 * principal name from the certificate DN, adds the realm's default groups and
 * the groups derived from the DN to the subject, attaches the certificate
 * credential and installs the resulting security context as current.
 *
 * @param subject The Subject object for the authentication request.
 * @param principal The Principal object from the user certificate.
 * @return principal's name
 */
public String authenticate(Subject subject, X500Principal principal) {
    validateSubjectViaAPI(subject, principal);
    _logger.finest(() -> String.format("authenticate(subject=%s, principal=%s)", subject, principal));
    final LdapName dn = getLdapName(principal);
    _logger.log(Level.FINE, "dn={0}", dn);
    final String principalName = getPrincipalName(dn);
    _logger.log(Level.FINE, "Certificate realm is setting up security context for principal: {0}", principalName);
    final Set<Principal> principals = subject.getPrincipals();
    // Groups granted to every caller of this realm ...
    for (Enumeration<String> groupNames = getGroupNames(principalName); groupNames.hasMoreElements(); ) {
        principals.add(new Group(groupNames.nextElement()));
    }
    // ... plus those derived from the certificate DN itself.
    principals.addAll(getGroupNamesFromDN(dn));
    _logger.log(Level.FINE, "principalSet: {0}", principals);
    if (!subject.getPrincipals().isEmpty()) {
        subject.getPublicCredentials().add(new DistinguishedPrincipalCredential(principal));
    }
    // Making authentication final - setting the authenticated caller name
    // in the security context
    SecurityContext.setCurrent(new SecurityContext(principalName, subject));
    return principalName;
}
