org.apache.shiro.realm.activedirectory
Class ActiveDirectoryRealm
java.lang.Object
  org.apache.shiro.realm.CachingRealm
    org.apache.shiro.realm.AuthenticatingRealm
      org.apache.shiro.realm.AuthorizingRealm
        org.apache.shiro.realm.ldap.AbstractLdapRealm
          org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
- All Implemented Interfaces:
- LogoutAware, Authorizer, PermissionResolverAware, RolePermissionResolverAware, CacheManagerAware, Realm, Initializable, Nameable
public class ActiveDirectoryRealm
- extends AbstractLdapRealm
A Realm that authenticates with an Active Directory LDAP server to determine the roles for a particular user. This implementation queries for the user's groups and then maps the group names to roles using the groupRolesMap.
- Since:
- 0.1
Methods inherited from class org.apache.shiro.realm.AuthorizingRealm
afterCacheManagerSet, checkPermission, checkPermission, checkPermission, checkPermissions, checkPermissions, checkPermissions, checkRole, checkRole, checkRoles, checkRoles, checkRoles, clearCachedAuthorizationInfo, doClearCache, getAuthorizationCache, getAuthorizationCacheKey, getAuthorizationCacheName, getAuthorizationInfo, getPermissionResolver, getRolePermissionResolver, hasAllRoles, hasRole, hasRole, hasRoles, hasRoles, isAuthorizationCachingEnabled, isPermitted, isPermitted, isPermitted, isPermitted, isPermitted, isPermittedAll, isPermittedAll, isPermittedAll, setAuthorizationCache, setAuthorizationCacheName, setAuthorizationCachingEnabled, setName, setPermissionResolver, setRolePermissionResolver
Methods inherited from class org.apache.shiro.realm.AuthenticatingRealm
assertCredentialsMatch, clearCachedAuthenticationInfo, getAuthenticationCache, getAuthenticationCacheKey, getAuthenticationCacheKey, getAuthenticationCacheName, getAuthenticationInfo, getAuthenticationTokenClass, getCredentialsMatcher, init, isAuthenticationCachingEnabled, isAuthenticationCachingEnabled, setAuthenticationCache, setAuthenticationCacheName, setAuthenticationCachingEnabled, setAuthenticationTokenClass, setCredentialsMatcher, supports
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
ActiveDirectoryRealm
public ActiveDirectoryRealm()
setGroupRolesMap
public void setGroupRolesMap(Map<String,String> groupRolesMap)
queryForAuthenticationInfo
protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException
- Builds an AuthenticationInfo object by querying the Active Directory LDAP context for the specified username. This method binds to the LDAP server using the provided username and password; a successful bind indicates that the password is correct.
This method can be overridden by subclasses to query the LDAP server in a more complex way.
- Specified by:
queryForAuthenticationInfo in class AbstractLdapRealm
- Parameters:
token - the authentication token provided by the user.
ldapContextFactory - the factory used to build connections to the LDAP server.
- Returns:
- an AuthenticationInfo instance containing information retrieved from LDAP.
- Throws:
NamingException - if any LDAP errors occur during the search.
buildAuthenticationInfo
protected AuthenticationInfo buildAuthenticationInfo(String username, char[] password)
queryForAuthorizationInfo
protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory ldapContextFactory) throws NamingException
- Builds an AuthorizationInfo object by querying the Active Directory LDAP context for the groups that a user is a member of. The groups are then translated to role names by using the configured groupRolesMap.
This implementation expects the principal argument to be a String username.
Subclasses can override this method to determine authorization data (roles, permissions, etc.) in a more complex way. Note that this default implementation does not support permissions, only roles.
- Specified by:
queryForAuthorizationInfo in class AbstractLdapRealm
- Parameters:
principals - the principal of the Subject whose account is being retrieved.
ldapContextFactory - the factory used to create LDAP connections.
- Returns:
- the AuthorizationInfo for the given Subject principal.
- Throws:
NamingException - if an error occurs when searching the LDAP server.
buildAuthorizationInfo
protected AuthorizationInfo buildAuthorizationInfo(Set<String> roleNames)
getRoleNamesForGroups
protected Collection<String> getRoleNamesForGroups(Collection<String> groupNames)
- This method is called by the default implementation to translate Active Directory group names to role names. This implementation uses the groupRolesMap to map group names to role names.
- Parameters:
groupNames - the group names that apply to the current user.
- Returns:
- a collection of roles that are implied by the given group names.
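An added example, not part of the Shiro documentation or source: a hypothetical subclass, NormalizingActiveDirectoryRealm, that overrides setGroupRolesMap and getRoleNamesForGroups so that group lookups ignore case and surrounding whitespace, and a group with no groupRolesMap entry grants no role. The class name, group names (written here as distinguished names) and role names are constructed for illustration, and each map value is treated as a single role name.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;

// Hypothetical subclass: case-insensitive group lookup, deny by default.
public class NormalizingActiveDirectoryRealm extends ActiveDirectoryRealm {
    // Private copy of the mapping, keyed by trimmed, lower-cased group name.
    private final Map<String, String> normalized = new HashMap<>();

    @Override
    public void setGroupRolesMap(Map<String, String> groupRolesMap) {
        super.setGroupRolesMap(groupRolesMap);
        normalized.clear();
        if (groupRolesMap == null) return;
        for (Map.Entry<String, String> e : groupRolesMap.entrySet()) {
            normalized.put(e.getKey().trim().toLowerCase(Locale.ROOT), e.getValue().trim());
        }
    }

    @Override
    protected Collection<String> getRoleNamesForGroups(Collection<String> groupNames) {
        Set<String> roles = new LinkedHashSet<>();
        for (String group : groupNames) {
            String role = normalized.get(group.trim().toLowerCase(Locale.ROOT));
            if (role != null) {   // a group without a map entry grants nothing
                roles.add(role);
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample data: group names and roles are placeholders.
        Map<String, String> map = new HashMap<>();
        map.put("CN=App-Admins,OU=Groups,DC=example,DC=com", "admin");
        map.put("CN=App-Users,OU=Groups,DC=example,DC=com", "user");
        NormalizingActiveDirectoryRealm realm = new NormalizingActiveDirectoryRealm();
        realm.setGroupRolesMap(map);
        Collection<String> roles = realm.getRoleNamesForGroups(Arrays.asList(
                "cn=app-admins,ou=groups,dc=example,dc=com",     // mapped, different case
                "CN=Domain Users,CN=Users,DC=example,DC=com"));  // unmapped, no role
        System.out.println(roles);
    }
}
```

Running main needs shiro-core and its dependencies on the classpath; no LDAP connection is made because only the mapping method is called.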
Copyright © 2004-2012 The Apache Software Foundation. All Rights Reserved.