org.apache.zeppelin.server

Class ActiveDirectoryGroupRealm

java.lang.Object

org.apache.shiro.realm.CachingRealm

org.apache.shiro.realm.AuthenticatingRealm

org.apache.shiro.realm.AuthorizingRealm

org.apache.shiro.realm.ldap.AbstractLdapRealm

org.apache.zeppelin.server.ActiveDirectoryGroupRealm

All Implemented Interfaces:

org.apache.shiro.authc.LogoutAware, org.apache.shiro.authz.Authorizer, org.apache.shiro.authz.permission.PermissionResolverAware, org.apache.shiro.authz.permission.RolePermissionResolverAware, org.apache.shiro.cache.CacheManagerAware, org.apache.shiro.realm.Realm, org.apache.shiro.util.Initializable, org.apache.shiro.util.Nameable

public class ActiveDirectoryGroupRealm
extends org.apache.shiro.realm.ldap.AbstractLdapRealm

A Realm that authenticates with an active directory LDAP server to determine the roles for a particular user. This implementation queries for the user's groups and then maps the group names to roles using the groupRolesMap.

Since:

0.1

Field Summary

Fields inherited from class org.apache.shiro.realm.ldap.AbstractLdapRealm

principalSuffix, searchBase, systemPassword, systemUsername, url

Constructor Summary

Constructors

Constructor and Description
ActiveDirectoryGroupRealm()

Method Summary

Methods

Modifier and Type	Method and Description
protected org.apache.shiro.authc.AuthenticationInfo	buildAuthenticationInfo(String username, char[] password)
protected org.apache.shiro.authz.AuthorizationInfo	buildAuthorizationInfo(Set<String> roleNames)
protected Collection<String>	getRoleNamesForGroups(Collection<String> groupNames) This method is called by the default implementation to translate Active Directory group names to role names.
protected org.apache.shiro.authc.AuthenticationInfo	queryForAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken token, org.apache.shiro.realm.ldap.LdapContextFactory ldapContextFactory) Builds an AuthenticationInfo object by querying the active directory LDAP context for the specified username.
protected org.apache.shiro.authz.AuthorizationInfo	queryForAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection principals, org.apache.shiro.realm.ldap.LdapContextFactory ldapContextFactory) Builds an AuthorizationInfo object by querying the active directory LDAP context for the groups that a user is a member of.
void	setGroupRolesMap(Map<String,String> groupRolesMap)

Methods inherited from class org.apache.shiro.realm.ldap.AbstractLdapRealm

doGetAuthenticationInfo, doGetAuthorizationInfo, onInit, setLdapContextFactory, setPrincipalSuffix, setSearchBase, setSystemPassword, setSystemUsername, setUrl

Methods inherited from class org.apache.shiro.realm.AuthorizingRealm

afterCacheManagerSet, checkPermission, checkPermission, checkPermission, checkPermissions, checkPermissions, checkPermissions, checkRole, checkRole, checkRoles, checkRoles, checkRoles, clearCachedAuthorizationInfo, doClearCache, getAuthorizationCache, getAuthorizationCacheKey, getAuthorizationCacheName, getAuthorizationInfo, getPermissionResolver, getRolePermissionResolver, hasAllRoles, hasRole, hasRole, hasRoles, hasRoles, isAuthorizationCachingEnabled, isPermitted, isPermitted, isPermitted, isPermitted, isPermitted, isPermittedAll, isPermittedAll, isPermittedAll, setAuthorizationCache, setAuthorizationCacheName, setAuthorizationCachingEnabled, setName, setPermissionResolver, setRolePermissionResolver

Methods inherited from class org.apache.shiro.realm.AuthenticatingRealm

assertCredentialsMatch, clearCachedAuthenticationInfo, getAuthenticationCache, getAuthenticationCacheKey, getAuthenticationCacheKey, getAuthenticationCacheName, getAuthenticationInfo, getAuthenticationTokenClass, getCredentialsMatcher, init, isAuthenticationCachingEnabled, isAuthenticationCachingEnabled, setAuthenticationCache, setAuthenticationCacheName, setAuthenticationCachingEnabled, setAuthenticationTokenClass, setCredentialsMatcher, supports

Methods inherited from class org.apache.shiro.realm.CachingRealm

clearCache, getAvailablePrincipal, getCacheManager, getName, isCachingEnabled, onLogout, setCacheManager, setCachingEnabled

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.shiro.util.Initializable

init

Constructor Detail

ActiveDirectoryGroupRealm

public ActiveDirectoryGroupRealm()

Method Detail

setGroupRolesMap

public void setGroupRolesMap(Map<String,String> groupRolesMap)

queryForAuthenticationInfo

protected org.apache.shiro.authc.AuthenticationInfo queryForAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken token,
                                                                   org.apache.shiro.realm.ldap.LdapContextFactory ldapContextFactory)
                                                                        throws NamingException

Builds an AuthenticationInfo object by querying the active directory LDAP context for the specified username. This method binds to the LDAP server using the provided username and password - which if successful, indicates that the password is correct.

This method can be overridden by subclasses to query the LDAP server in a more complex way.

Specified by:

queryForAuthenticationInfo in class org.apache.shiro.realm.ldap.AbstractLdapRealm

Parameters:

token - the authentication token provided by the user.

ldapContextFactory - the factory used to build connections to the LDAP server.

Returns:

an AuthenticationInfo instance containing information retrieved from LDAP.

Throws:

NamingException - if any LDAP errors occur during the search.

buildAuthenticationInfo

protected org.apache.shiro.authc.AuthenticationInfo buildAuthenticationInfo(String username,
                                                                char[] password)

queryForAuthorizationInfo

protected org.apache.shiro.authz.AuthorizationInfo queryForAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection principals,
                                                                 org.apache.shiro.realm.ldap.LdapContextFactory ldapContextFactory)
                                                                      throws NamingException

Builds an AuthorizationInfo object by querying the active directory LDAP context for the groups that a user is a member of. The groups are then translated to role names by using the configured groupRolesMap.

This implementation expects the principal argument to be a String username.

Subclasses can override this method to determine authorization data (roles, permissions, etc) in a more complex way. Note that this default implementation does not support permissions, only roles.

Specified by:

queryForAuthorizationInfo in class org.apache.shiro.realm.ldap.AbstractLdapRealm

Parameters:

principals - the principal of the Subject whose account is being retrieved.

ldapContextFactory - the factory used to create LDAP connections.

Returns:

the AuthorizationInfo for the given Subject principal.

Throws:

NamingException - if an error occurs when searching the LDAP server.

buildAuthorizationInfo

protected org.apache.shiro.authz.AuthorizationInfo buildAuthorizationInfo(Set<String> roleNames)

getRoleNamesForGroups

protected Collection<String> getRoleNamesForGroups(Collection<String> groupNames)

This method is called by the default implementation to translate Active Directory group names to role names. This implementation uses the groupRolesMap to map group names to role names.

Parameters:

groupNames - the group names that apply to the current user.

Returns:

a collection of roles that are implied by the given role names.