使用 LDAP 身份验证和 JDBC 授权实现 Tomcat 领域

【问题标题】:Implement a Tomcat Realm with LDAP authentication and JDBC authorization使用 LDAP 身份验证和 JDBC 授权实现 Tomcat 领域
【发布时间】:2010-11-11 10:15:03
【问题描述】:

我在旧环境中工作,其中 LDAP 服务器仅用于身份验证并且不包含任何角色,并且针对包含用户角色映射但没有密码的数据库完成授权。

我的计划是通过扩展 JNDIRealm 来实现一个新的 Tomcat Realm,并重写角色方法来调用封装的 JDBCRealm。

我的领域在 server.xml 中声明:

<Realm className="com.example.LdapJdbcRealm"
   connectionURL="ldap://ldaphost:389"
   resourceName="LDAP Auth"
   userPattern="uid={0}, ou=Portal, dc=example, dc=com"
   dbConnectionURL="jdbc:oracle:thin:@oracledb:1521:dbname"
   userTable="db_user" userNameCol="user_id"
   userRoleTable="db_user_role_xref" roleNameCol="role_id" />

这是 JNDIRealm 和 JDBCRealm 的标准属性名称的组合,稍有改动,因为它们都使用 connectionURL。

package com.example;

import org.apache.catalina.Realm;
import org.apache.catalina.Context;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.JNDIRealm;
import org.apache.catalina.realm.JDBCRealm;

import java.security.Principal;
import java.io.IOException;

public class LdapJdbcRealm extends JNDIRealm implements Realm
{
    private JDBCRealm jdbcRealm = new JDBCRealm();

    protected static final String info = "com.example.LdapJdbcRealm/1.0";
    protected static final String name = "LdapJdbcRealm";

    public String getDbConnectionURL() {
        return jdbcRealm.getConnectionURL();
    }

    public void setDbConnectionURL(String dbConnectionURL) {
        jdbcRealm.setConnectionURL(dbConnectionURL);
    }

    public String getUserTable() {
        return jdbcRealm.getUserTable();
    }

    public void setUserTable(String userTable) {
        jdbcRealm.setUserTable(userTable);
    }

    public String getUserNameCol() {
        return jdbcRealm.getUserNameCol();
    }

    public void setUserNameCol(String userNameCol) {
        jdbcRealm.setUserNameCol(userNameCol);
    }

    public String getUserRoleTable() {
        return jdbcRealm.getUserRoleTable();
    }

    public void setUserRoleTable(String userRoleTable) {
        jdbcRealm.setUserRoleTable(userRoleTable);
    }

    public String getRoleNameCol() {
        return jdbcRealm.getRoleNameCol();
    }

    public void setRoleNameCol(String roleNameCol) {
        jdbcRealm.setRoleNameCol(roleNameCol);
    }

    public boolean hasResourcePermission(Request request,
                                         Response response,
                                         SecurityConstraint[]constraints,
                                         Context context) throws IOException
    {
        return jdbcRealm.hasResourcePermission(request, response, constraints, context);
    }

    public boolean hasRole(Principal principal, String role) {
        return jdbcRealm.hasRole(principal, role);
    }
}

这似乎很有效,授权从 LDAP 返回一个 Principal,它没有预期的角色。同一个 Principal 输入 hasResourcePermission() 并失败,因为它没有 require 角色。显然我遗漏了一些关键代码。

我正在寻找解决方案。我可以尝试扩展 JDBCRealm 并添加 LDAP 身份验证,但这似乎需要更多工作。

我也相信这种 LDAP 身份验证/数据库授权并不是一种不常见的模式。是否已经有替代解决方案?

向 LDAP 添加角色或向数据库添加密码在我的控制范围内,所以这些不是我的解决方案。

【问题讨论】:

  • 是的,我正在使用 Tomcat 6.0.18

标签: tomcat jdbc ldap authorization


【解决方案1】:

你没有指定你使用的 Tomcat 的版本,所以我在这里选择 6.x。

看起来您将hasResourcePermission 委托给了JDBC,而将findSecurityConstraintshasUserDataPermission 都交给了JNDI。您应该全部委托或不委托。

更新JNDIRealm 调用 protected getRoles(DirContext, User) 作为其 authenticate() 方法的一部分。您需要覆盖它并将其转发到 JDBCRealm 的 getRoles()

【讨论】:

  • 我已经覆盖了 findSecurityConstraints() 和 hasUserDataPermission() 以通过 JDBCRealm 调用。但是,JDBCRealm 的 getRoles() 是受保护的。你建议我怎么称呼它?
  • 您有 3 个选择:使用反射(Method.setAccessible() 将有助于使用 protected),将您的领域实现移动到 org.apache.catalina.realm 包或完全放弃 JDBCRealm 并编写您自己的代码以从中检索角色数据库)。
  • 移动到包 org.apache.catalina.realm 效果很好。我也忽略了指定驱动程序,因此我为此添加了 getter 和 setter 以及 DB 用户和密码。现在一切正常,谢谢。
【解决方案2】:

我仍然经常收到关于这个问题的电子邮件,所以这是供所有人使用的最终产品。

LdapJdbcRealm.java

package org.apache.catalina.realm;

import org.apache.catalina.Realm;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;

import javax.naming.directory.DirContext;
import java.io.IOException;
import java.security.Principal;
import java.util.List;

/**
 * LdapJdbcRealm is a minimal implementation of a <b>Realm</b> to connect to LDAP
 * for authentication and a database for authorization.<br>
 * <br>
 * Example server.xml configuration fragment:<br>
 * <pre>
   &lt;Realm className="org.apache.catalina.realm.LdapJdbcRealm"
      connectionURL="ldap://ldaphost:389"
      resourceName="LDAP Auth" driverName="oracle.jdbc.driver.OracleDriver"
      userPattern="uid={0}, ou=Portal, dc=example, dc=com"
      dbConnectionName="dbuser" dbConnectionPassword="dbpassword"
      dbConnectionURL="jdbc:oracle:thin:@oracledb:1521:dbname"
      userTable="users" userNameCol="user_id"
      userRoleTable="user_role_xref" roleNameCol="role_id" /&gt;
 * </pre>
 *
 * @author Greg Chabala
 *
 * Created by IntelliJ IDEA.
 * User: gchabala
 * Date: Jul 14, 2009
 * Time: 4:56:37 PM
 */
public class LdapJdbcRealm extends JNDIRealm implements Realm
{
    /**
     * Encapsulated <b>JDBCRealm</b> to do role lookups
     */
    private JDBCRealm jdbcRealm = new JDBCRealm();

    /**
     * Descriptive information about this <b>Realm</b> implementation.
     */
    protected static final String info = "org.apache.catalina.realm.LdapJdbcRealm/1.0";

    /**
     * Descriptive information about this <b>Realm</b> implementation.
     */
    protected static final String name = "LdapJdbcRealm";

    /**
     * Set the all roles mode.
     *
     * @param allRolesMode authentication mode
     */
    public void setAllRolesMode(String allRolesMode) {
        super.setAllRolesMode(allRolesMode);
        jdbcRealm.setAllRolesMode(allRolesMode);
    }

    /**
     * Return the username to use to connect to the database.
     *
     * @return username
     * @see JDBCRealm#getConnectionName()
     */
    public String getDbConnectionName() {
        return jdbcRealm.getConnectionName();
    }

    /**
     * Set the username to use to connect to the database.
     *
     * @param dbConnectionName username
     * @see JDBCRealm#setConnectionName(String)
     */
    public void setDbConnectionName(String dbConnectionName) {
        jdbcRealm.setConnectionName(dbConnectionName);
    }

    /**
     * Return the password to use to connect to the database.
     *
     * @return password
     * @see JDBCRealm#getConnectionPassword()
     */
    public String getDbConnectionPassword() {
        return jdbcRealm.getConnectionPassword();
    }

    /**
     * Set the password to use to connect to the database.
     *
     * @param dbConnectionPassword password
     * @see JDBCRealm#setConnectionPassword(String)
     */
    public void setDbConnectionPassword(String dbConnectionPassword) {
        jdbcRealm.setConnectionPassword(dbConnectionPassword);
    }

    /**
     * Return the URL to use to connect to the database.
     *
     * @return database connection URL
     * @see JDBCRealm#getConnectionURL()
     */
    public String getDbConnectionURL() {
        return jdbcRealm.getConnectionURL();
    }

    /**
     * Set the URL to use to connect to the database.
     *
     * @param dbConnectionURL The new connection URL
     * @see JDBCRealm#setConnectionURL(String)
     */
    public void setDbConnectionURL(String dbConnectionURL) {
        jdbcRealm.setConnectionURL(dbConnectionURL);
    }

    /**
     * Return the JDBC driver that will be used.
     *
     * @return driver classname
     * @see JDBCRealm#getDriverName()
     */
    public String getDriverName() {
        return jdbcRealm.getDriverName();
    }

    /**
     * Set the JDBC driver that will be used.
     *
     * @param driverName The driver name
     * @see JDBCRealm#setDriverName(String)
     */
    public void setDriverName(String driverName) {
        jdbcRealm.setDriverName(driverName);
    }

    /**
     * Return the table that holds user data..
     *
     * @return table name
     * @see JDBCRealm#getUserTable()
     */
    public String getUserTable() {
        return jdbcRealm.getUserTable();
    }

    /**
     * Set the table that holds user data.
     *
     * @param userTable The table name
     * @see JDBCRealm#setUserTable(String)
     */
    public void setUserTable(String userTable) {
        jdbcRealm.setUserTable(userTable);
    }

    /**
     * Return the column in the user table that holds the user's name.
     *
     * @return username database column name
     * @see JDBCRealm#getUserNameCol()
     */
    public String getUserNameCol() {
        return jdbcRealm.getUserNameCol();
    }

    /**
     * Set the column in the user table that holds the user's name.
     *
     * @param userNameCol The column name
     * @see JDBCRealm#setUserNameCol(String)
     */
    public void setUserNameCol(String userNameCol) {
        jdbcRealm.setUserNameCol(userNameCol);
    }

    /**
     * Return the table that holds the relation between user's and roles.
     *
     * @return user role database table name
     * @see JDBCRealm#getUserRoleTable()
     */
    public String getUserRoleTable() {
        return jdbcRealm.getUserRoleTable();
    }

    /**
     * Set the table that holds the relation between user's and roles.
     *
     * @param userRoleTable The table name
     * @see JDBCRealm#setUserRoleTable(String)
     */
    public void setUserRoleTable(String userRoleTable) {
        jdbcRealm.setUserRoleTable(userRoleTable);
    }

    /**
     * Return the column in the user role table that names a role.
     *
     * @return role column name
     * @see JDBCRealm#getRoleNameCol()
     */
    public String getRoleNameCol() {
        return jdbcRealm.getRoleNameCol();
    }

    /**
     * Set the column in the user role table that names a role.
     *
     * @param roleNameCol The column name
     * @see JDBCRealm#setRoleNameCol(String)
     */
    public void setRoleNameCol(String roleNameCol) {
        jdbcRealm.setRoleNameCol(roleNameCol);
    }

    @Override
    public SecurityConstraint[] findSecurityConstraints(Request request, Context context)
    {
        return jdbcRealm.findSecurityConstraints(request, context);
    }

    @Override
    public boolean hasUserDataPermission(Request request, Response response,
                                         SecurityConstraint []constraints) throws IOException
    {
        return jdbcRealm.hasUserDataPermission(request, response, constraints);
    }

    @Override
    public boolean hasResourcePermission(Request request, Response response,
                                         SecurityConstraint[]constraints,
                                         Context context) throws IOException
    {
        return jdbcRealm.hasResourcePermission(request, response, constraints, context);
    }

    @Override
    public boolean hasRole(Principal principal, String role) {
        return jdbcRealm.hasRole(principal, role);
    }

    /**
     * Return a List of roles associated with the given User. If no roles
     * are associated with this user, a zero-length List is returned.
     *
     * @param context unused. JDBC does not need this field.
     * @param user The User to be checked
     * @return list of role names
     *
     * @see JNDIRealm#getRoles(DirContext, User)
     * @see JDBCRealm#getRoles(String) 
     */
    @Override
    protected List<String> getRoles(DirContext context, User user)
    {
        return jdbcRealm.getRoles(user.username);
    }
}

【讨论】:

猜你喜欢
  • 1970-01-01
  • 1970-01-01
  • 2016-04-01
  • 2021-04-05
  • 1970-01-01
  • 1970-01-01
  • 2014-11-25
  • 1970-01-01
  • 2017-12-10
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode