GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Created sandbox including a LDAP-based authentication DAO, as contributed by Karel Miarka and with improvements by Daniel Miller.

1.0.x
Ben Alex 22 years ago
parent
9e59374477
commit
03781aeccd
3 changed files with 523 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      .classpath
  2. 334
      sandbox/src/main/java/org/acegisecurity/providers/dao/ldap/LdapPasswordAuthenticationDao.java
  3. 187
      sandbox/src/test/java/org/acegisecurity/providers/dao/ldap/TestLdapPasswordAuthenticationDao.java

2
.classpath
Unescape View File

@ -1,6 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<classpath> <classpath>
<classpathentry kind="src" path="src"/> <classpathentry kind="src" path="src"/>
<classpathentry kind="src" path="sandbox/src"/>
<classpathentry kind="src" path="sandbox/test"/>
<classpathentry kind="src" path="test"/> <classpathentry kind="src" path="test"/>
<classpathentry kind="src" path="samples/contacts/src"/> <classpathentry kind="src" path="samples/contacts/src"/>
<classpathentry kind="src" path="samples/attributes/src"/> <classpathentry kind="src" path="samples/attributes/src"/>

334
sandbox/src/main/java/org/acegisecurity/providers/dao/ldap/LdapPasswordAuthenticationDao.java
Unescape View File

@ -0,0 +1,334 @@
/* Copyright 2004 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.sf.acegisecurity.providers.dao.ldap;
import net.sf.acegisecurity.BadCredentialsException;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.providers.dao.PasswordAuthenticationDao;
import net.sf.acegisecurity.providers.dao.User;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.dao.DataAccessException;
import org.springframework.dao.DataAccessResourceFailureException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchResult;
/**
* This is an example <code>PasswordAuthenticationDao</code> implementation
* using LDAP service for user authentication.
*
* @author Karel Miarka
* @author Daniel Miller
*/
public class LdapPasswordAuthenticationDao implements PasswordAuthenticationDao {
//~ Static fields/initializers =============================================
public static final String BAD_CREDENTIALS_EXCEPTION_MESSAGE = "Invalid username, password or context";
private static final transient Log log = LogFactory.getLog(LdapPasswordAuthenticationDao.class);
//~ Instance fields ========================================================
private String host;
private String rootContext;
private String userContext = "CN=Users";
private String[] rolesAttributes = {"memberOf"};
private int port = 389;
//~ Methods ================================================================
/**
* Set hostname or IP address of the host running LDAP server.
*
* @param hostname DOCUMENT ME!
*/
public void setHost(String hostname) {
this.host = hostname;
}
/**
* Set the port on which is running the LDAP server. <br>Default value: 389
*
* @param port DOCUMENT ME!
*/
public void setPort(int port) {
this.port = port;
}
/**
* Set the name of user object's attribute(s) which contains the list of
* user's role names. The role is converted to upper case and a "ROLE_"
* prefix is added when <code>GrantedAuthority</code> is created. Default
* value: { "memberOf" }.
*
* @param rolesAttributes DOCUMENT ME!
*/
public void setRolesAttributes(String[] rolesAttributes) {
this.rolesAttributes = rolesAttributes;
}
/**
* Set the root context to which you attempt to log in. <br>
* For example: DC=yourdomain,DC=com
*
* @param rootContext DOCUMENT ME!
*/
public void setRootContext(String rootContext) {
this.rootContext = rootContext;
}
/**
* Set the context in which all users reside relative to the root context. <br>
* Defalut value: "CN=Users"
*
* @param userContext DOCUMENT ME!
*/
public void setUserContext(String userContext) {
this.userContext = userContext;
}
public UserDetails loadUserByUsernameAndPassword(String username,
String password) throws DataAccessException, BadCredentialsException {
if ((password == null) || (password.length() == 0)) {
throw new BadCredentialsException("Empty password");
}
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
StringBuffer providerUrl = new StringBuffer();
providerUrl.append("ldap://");
providerUrl.append(this.host);
providerUrl.append(":");
providerUrl.append(this.port);
providerUrl.append("/");
providerUrl.append(this.rootContext);
env.put(Context.PROVIDER_URL, providerUrl.toString());
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, getUserPrincipal(username));
env.put(Context.SECURITY_CREDENTIALS, password);
try {
if (log.isDebugEnabled()) {
log.debug("Connecting to " + providerUrl + " as "
+ getUserPrincipal(username));
}
DirContext ctx = new InitialDirContext(env);
String[] attrIDs = getRolesAttributeNames();
Collection roles = getRolesFromContext(ctx, userContext, username,
attrIDs);
ctx.close();
if (roles.isEmpty()) {
throw new BadCredentialsException("The user has no granted "
+ "authorities or the rolesAttribute is invalid");
}
String[] ldapRoles = (String[]) roles.toArray(new String[] {});
return new User(username, password, true,
getGrantedAuthorities(ldapRoles));
} catch (AuthenticationException ex) {
throw new BadCredentialsException(BAD_CREDENTIALS_EXCEPTION_MESSAGE,
ex);
} catch (CommunicationException ex) {
throw new DataAccessResourceFailureException(ex.getRootCause()
.getMessage(), ex);
} catch (NamingException ex) {
throw new DataAccessResourceFailureException(ex.getMessage(), ex);
}
}
/**
* Get an array <code>GrantedAuthorities</code> given the list of roles
* obtained from the LDAP context. Delegates to
* <code>getGrantedAuthority(String ldapRole)</code>. This function may be
* overridden in a subclass.
*
* @param ldapRoles DOCUMENT ME!
*
* @return DOCUMENT ME!
*/
protected GrantedAuthority[] getGrantedAuthorities(String[] ldapRoles) {
GrantedAuthority[] grantedAuthorities = new GrantedAuthority[ldapRoles.length];
for (int i = 0; i < ldapRoles.length; i++) {
grantedAuthorities[i] = getGrantedAuthority(ldapRoles[i]);
}
return grantedAuthorities;
}
/**
* Get a <code>GrantedAuthority</code> given a role obtained from the LDAP
* context. If found in the LDAP role, the following characters are
* converted to underscore: ',' (comma), '=' (equals), ' ' (space) This
* function may be overridden in a subclass.
*
* @param ldapRole DOCUMENT ME!
*
* @return DOCUMENT ME!
*/
protected GrantedAuthority getGrantedAuthority(String ldapRole) {
GrantedAuthority ga = new GrantedAuthorityImpl("ROLE_"
+ ldapRole.toUpperCase());
if (log.isDebugEnabled()) {
log.debug("GrantedAuthority: " + ga);
}
return ga;
}
/**
* DOCUMENT ME!
*
* @param name DOCUMENT ME!
*
* @return Return true if the given name is a role attribute.
*/
protected boolean isRoleAttribute(String name) {
if (name != null) {
for (int i = 0; i < rolesAttributes.length; i++) {
if (name.equals(rolesAttributes[i])) {
return true;
}
}
}
return false;
}
/**
* Get the attributes to that contain role information. This function may
* be overridden in a subclass.
*
* @return DOCUMENT ME!
*/
protected String[] getRolesAttributeNames() {
return rolesAttributes;
}
protected Collection getRolesFromContext(DirContext ctx,
String userContext, String username, String[] roleAttributes)
throws NamingException {
List roles = new ArrayList();
if (log.isDebugEnabled()) {
String rolesString = "";
for (int i = 0; i < roleAttributes.length; i++) {
rolesString += (", " + roleAttributes[i]);
}
log.debug("Searching user context '" + userContext + "' for roles "
+ "attributes: " + rolesString.substring(1));
}
NamingEnumeration answer = ctx.search(userContext,
getUsernameAttributes(username), roleAttributes);
while (answer.hasMore()) {
SearchResult sr = (SearchResult) answer.next();
NamingEnumeration attrs = sr.getAttributes().getAll();
while (attrs.hasMore()) {
Attribute attr = (Attribute) attrs.next();
if (isRoleAttribute(attr.getID())) {
NamingEnumeration rolesAttr = attr.getAll();
while (rolesAttr.hasMore()) {
String role = (String) rolesAttr.next();
roles.add(role);
if (log.isDebugEnabled()) {
log.debug("Role read: " + attr.getID() + "=" + role);
}
}
}
}
}
return roles;
}
/**
* Get the <code>Context.SECURITY_PRINCIPAL</code> for the given username
* string. This implementation returns a string composed of the following:
* &lt;usernamePrefix&gt;&lt;username&gt;&lt;usernameSufix. This function
* may be overridden in a subclass.
*
* @param username DOCUMENT ME!
*
* @return DOCUMENT ME!
*/
protected String getUserPrincipal(String username) {
StringBuffer principal = new StringBuffer();
principal.append("CN=");
principal.append(username);
principal.append(",");
principal.append(this.userContext);
principal.append(",");
principal.append(this.rootContext);
return principal.toString();
}
/**
* Get the attribute(s) to match when searching for the user object. This
* implementation returns a "distinguishedName" attribute with the value
* returned by <code>getUserPrincipal(username)</code>. A subclass may
* customize this behavior by overriding <code>getUserPrincipal</code>
* and/or <code>getUsernameAttributes</code>.
*
* @param username DOCUMENT ME!
*
* @return DOCUMENT ME!
*/
protected Attributes getUsernameAttributes(String username) {
Attributes matchAttrs = new BasicAttributes(true); // ignore case
matchAttrs.put(new BasicAttribute("distinguishedName",
getUserPrincipal(username)));
return matchAttrs;
}
}

187
sandbox/src/test/java/org/acegisecurity/providers/dao/ldap/TestLdapPasswordAuthenticationDao.java
Unescape View File

@ -0,0 +1,187 @@
/* Copyright 2004 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.sf.acegisecurity.providers.dao.ldap;
import junit.framework.TestCase;
import net.sf.acegisecurity.BadCredentialsException;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import net.sf.acegisecurity.UserDetails;
import org.springframework.dao.DataAccessException;
/**
* DOCUMENT ME!
*
* @author Karel Miarka
*/
public class TestLdapPasswordAuthenticationDao extends TestCase {
//~ Static fields/initializers =============================================
static String HOSTNAME = "ntserver";
static String HOST_IP = "192.168.1.1";
static String ROOT_CONTEXT = "DC=issa,DC=cz";
static String USER_CONTEXT = "CN=Users";
// objectClass is a mandatory attribute in AD with list of classes
// so it is suitable for testing
static String ROLES_ATTRIBUTE = "objectClass";
static String USERNAME = "Karel Miarka";
static String PASSWORD = "password";
//~ Instance fields ========================================================
LdapPasswordAuthenticationDao dao;
//~ Methods ================================================================
public void testAuthenticationEmptyPassword() {
try {
UserDetails user = dao.loadUserByUsernameAndPassword(USERNAME, "");
fail();
} catch (BadCredentialsException ex) {
assertEquals("Empty password", ex.getMessage());
} catch (Exception ex) {
fail();
}
}
public void testAuthenticationInvalidHost() {
dao.setHost("xxx");
try {
UserDetails user = dao.loadUserByUsernameAndPassword(USERNAME,
PASSWORD);
fail();
} catch (DataAccessException ex) {
assertTrue(true);
} catch (Exception ex) {
fail();
}
}
public void testAuthenticationInvalidPassword() {
try {
UserDetails user = dao.loadUserByUsernameAndPassword(USERNAME, "xxx");
fail();
} catch (BadCredentialsException ex) {
assertTrue(ex.getMessage().startsWith(LdapPasswordAuthenticationDao.BAD_CREDENTIALS_EXCEPTION_MESSAGE));
} catch (Exception ex) {
fail();
}
}
public void testAuthenticationInvalidPort() {
dao.setPort(123);
try {
UserDetails user = dao.loadUserByUsernameAndPassword(USERNAME,
PASSWORD);
fail();
} catch (DataAccessException ex) {
assertTrue(true);
} catch (Exception ex) {
fail();
}
}
public void testAuthenticationInvalidRolesAttribute() {
// dao.setRolesAttribute("xxx");
try {
UserDetails user = dao.loadUserByUsernameAndPassword(USERNAME,
PASSWORD);
fail();
} catch (BadCredentialsException ex) {
assertEquals("The user has no granted authorities or the rolesAttribute is invalid",
ex.getMessage());
} catch (Exception ex) {
fail();
}
}
public void testAuthenticationInvalidRootContext() {
dao.setRootContext("DN=xxx");
try {
UserDetails user = dao.loadUserByUsernameAndPassword(USERNAME,
PASSWORD);
fail();
} catch (BadCredentialsException ex) {
assertTrue(ex.getMessage().startsWith(LdapPasswordAuthenticationDao.BAD_CREDENTIALS_EXCEPTION_MESSAGE));
} catch (Exception ex) {
fail();
}
}
public void testAuthenticationInvalidUserContext() {
dao.setUserContext("CN=xxx");
try {
UserDetails user = dao.loadUserByUsernameAndPassword(USERNAME,
PASSWORD);
fail();
} catch (BadCredentialsException ex) {
assertTrue(ex.getMessage().startsWith(LdapPasswordAuthenticationDao.BAD_CREDENTIALS_EXCEPTION_MESSAGE));
} catch (Exception ex) {
fail();
}
}
public void testAuthenticationInvalidUsername() {
try {
UserDetails user = dao.loadUserByUsernameAndPassword("xxx", PASSWORD);
fail();
} catch (BadCredentialsException ex) {
assertTrue(ex.getMessage().startsWith(LdapPasswordAuthenticationDao.BAD_CREDENTIALS_EXCEPTION_MESSAGE));
} catch (Exception ex) {
fail();
}
}
public void testAuthenticationValid() {
UserDetails user = dao.loadUserByUsernameAndPassword(USERNAME, PASSWORD);
assertEquals(USERNAME, user.getUsername());
assertEquals(PASSWORD, user.getPassword());
assertEquals(new GrantedAuthorityImpl("ROLE_TOP"),
user.getAuthorities()[0]);
assertEquals(new GrantedAuthorityImpl("ROLE_USER"),
user.getAuthorities()[3]);
}
public void testAuthenticationValidWithIpHost() {
dao.setHost(HOST_IP);
UserDetails user = dao.loadUserByUsernameAndPassword(USERNAME, PASSWORD);
assertEquals(USERNAME, user.getUsername());
assertEquals(PASSWORD, user.getPassword());
assertEquals(new GrantedAuthorityImpl("ROLE_TOP"),
user.getAuthorities()[0]);
assertEquals(new GrantedAuthorityImpl("ROLE_USER"),
user.getAuthorities()[3]);
}
protected void setUp() throws Exception {
super.setUp();
dao = new LdapPasswordAuthenticationDao();
dao.setHost(HOSTNAME); // ldap://lojza:389/DC=elcom,DC=cz
dao.setPort(389);
dao.setRootContext(ROOT_CONTEXT);
dao.setUserContext(USER_CONTEXT);
// dao.setRolesAttribute(ROLES_ATTRIBUTE);
}
}
Write Preview
Loading…
Cancel
Save