I\'m working in a legacy environment where an LDAP server is used only for authentication and contains no roles, and authorization is done against a database which contains
I still get emails about this question with regular frequency, so here is the final product for all to use.
LdapJdbcRealm.java
package org.apache.catalina.realm;
import org.apache.catalina.Realm;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
import javax.naming.directory.DirContext;
import java.io.IOException;
import java.security.Principal;
import java.util.List;
/**
* LdapJdbcRealm is a minimal implementation of a <b>Realm</b> to connect to LDAP
* for authentication and a database for authorization.<br>
* <br>
* Example server.xml configuration fragment:<br>
* <pre>
<Realm className="org.apache.catalina.realm.LdapJdbcRealm"
connectionURL="ldap://ldaphost:389"
resourceName="LDAP Auth" driverName="oracle.jdbc.driver.OracleDriver"
userPattern="uid={0}, ou=Portal, dc=example, dc=com"
dbConnectionName="dbuser" dbConnectionPassword="dbpassword"
dbConnectionURL="jdbc:oracle:thin:@oracledb:1521:dbname"
userTable="users" userNameCol="user_id"
userRoleTable="user_role_xref" roleNameCol="role_id" />
* </pre>
*
* @author Greg Chabala
*
* Created by IntelliJ IDEA.
* User: gchabala
* Date: Jul 14, 2009
* Time: 4:56:37 PM
*/
public class LdapJdbcRealm extends JNDIRealm implements Realm
{
/**
* Encapsulated <b>JDBCRealm</b> to do role lookups
*/
private JDBCRealm jdbcRealm = new JDBCRealm();
/**
* Descriptive information about this <b>Realm</b> implementation.
*/
protected static final String info = "org.apache.catalina.realm.LdapJdbcRealm/1.0";
/**
* Descriptive information about this <b>Realm</b> implementation.
*/
protected static final String name = "LdapJdbcRealm";
/**
* Set the all roles mode.
*
* @param allRolesMode authentication mode
*/
public void setAllRolesMode(String allRolesMode) {
super.setAllRolesMode(allRolesMode);
jdbcRealm.setAllRolesMode(allRolesMode);
}
/**
* Return the username to use to connect to the database.
*
* @return username
* @see JDBCRealm#getConnectionName()
*/
public String getDbConnectionName() {
return jdbcRealm.getConnectionName();
}
/**
* Set the username to use to connect to the database.
*
* @param dbConnectionName username
* @see JDBCRealm#setConnectionName(String)
*/
public void setDbConnectionName(String dbConnectionName) {
jdbcRealm.setConnectionName(dbConnectionName);
}
/**
* Return the password to use to connect to the database.
*
* @return password
* @see JDBCRealm#getConnectionPassword()
*/
public String getDbConnectionPassword() {
return jdbcRealm.getConnectionPassword();
}
/**
* Set the password to use to connect to the database.
*
* @param dbConnectionPassword password
* @see JDBCRealm#setConnectionPassword(String)
*/
public void setDbConnectionPassword(String dbConnectionPassword) {
jdbcRealm.setConnectionPassword(dbConnectionPassword);
}
/**
* Return the URL to use to connect to the database.
*
* @return database connection URL
* @see JDBCRealm#getConnectionURL()
*/
public String getDbConnectionURL() {
return jdbcRealm.getConnectionURL();
}
/**
* Set the URL to use to connect to the database.
*
* @param dbConnectionURL The new connection URL
* @see JDBCRealm#setConnectionURL(String)
*/
public void setDbConnectionURL(String dbConnectionURL) {
jdbcRealm.setConnectionURL(dbConnectionURL);
}
/**
* Return the JDBC driver that will be used.
*
* @return driver classname
* @see JDBCRealm#getDriverName()
*/
public String getDriverName() {
return jdbcRealm.getDriverName();
}
/**
* Set the JDBC driver that will be used.
*
* @param driverName The driver name
* @see JDBCRealm#setDriverName(String)
*/
public void setDriverName(String driverName) {
jdbcRealm.setDriverName(driverName);
}
/**
* Return the table that holds user data..
*
* @return table name
* @see JDBCRealm#getUserTable()
*/
public String getUserTable() {
return jdbcRealm.getUserTable();
}
/**
* Set the table that holds user data.
*
* @param userTable The table name
* @see JDBCRealm#setUserTable(String)
*/
public void setUserTable(String userTable) {
jdbcRealm.setUserTable(userTable);
}
/**
* Return the column in the user table that holds the user's name.
*
* @return username database column name
* @see JDBCRealm#getUserNameCol()
*/
public String getUserNameCol() {
return jdbcRealm.getUserNameCol();
}
/**
* Set the column in the user table that holds the user's name.
*
* @param userNameCol The column name
* @see JDBCRealm#setUserNameCol(String)
*/
public void setUserNameCol(String userNameCol) {
jdbcRealm.setUserNameCol(userNameCol);
}
/**
* Return the table that holds the relation between user's and roles.
*
* @return user role database table name
* @see JDBCRealm#getUserRoleTable()
*/
public String getUserRoleTable() {
return jdbcRealm.getUserRoleTable();
}
/**
* Set the table that holds the relation between user's and roles.
*
* @param userRoleTable The table name
* @see JDBCRealm#setUserRoleTable(String)
*/
public void setUserRoleTable(String userRoleTable) {
jdbcRealm.setUserRoleTable(userRoleTable);
}
/**
* Return the column in the user role table that names a role.
*
* @return role column name
* @see JDBCRealm#getRoleNameCol()
*/
public String getRoleNameCol() {
return jdbcRealm.getRoleNameCol();
}
/**
* Set the column in the user role table that names a role.
*
* @param roleNameCol The column name
* @see JDBCRealm#setRoleNameCol(String)
*/
public void setRoleNameCol(String roleNameCol) {
jdbcRealm.setRoleNameCol(roleNameCol);
}
@Override
public SecurityConstraint[] findSecurityConstraints(Request request, Context context)
{
return jdbcRealm.findSecurityConstraints(request, context);
}
@Override
public boolean hasUserDataPermission(Request request, Response response,
SecurityConstraint []constraints) throws IOException
{
return jdbcRealm.hasUserDataPermission(request, response, constraints);
}
@Override
public boolean hasResourcePermission(Request request, Response response,
SecurityConstraint[]constraints,
Context context) throws IOException
{
return jdbcRealm.hasResourcePermission(request, response, constraints, context);
}
@Override
public boolean hasRole(Principal principal, String role) {
return jdbcRealm.hasRole(principal, role);
}
/**
* Return a List of roles associated with the given User. If no roles
* are associated with this user, a zero-length List is returned.
*
* @param context unused. JDBC does not need this field.
* @param user The User to be checked
* @return list of role names
*
* @see JNDIRealm#getRoles(DirContext, User)
* @see JDBCRealm#getRoles(String)
*/
@Override
protected List<String> getRoles(DirContext context, User user)
{
return jdbcRealm.getRoles(user.username);
}
}
You haven't specified the version of Tomcat you're using, so I'm going with 6.x here.
It looks like you're delegating hasResourcePermission
to JDBC while leaving both findSecurityConstraints
and hasUserDataPermission
in hands of JNDI. You should delegate all of them or none of them.
Update: JNDIRealm
calls protected getRoles(DirContext, User)
as part of its authenticate()
method. You need to override that and forward it to JDBCRealm's getRoles()
.