org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm

All Implemented Interfaces:: LogoutAware, Authorizer, PermissionResolverAware, RolePermissionResolverAware, org.apache.shiro.cache.CacheManagerAware, org.apache.shiro.lang.util.Initializable, org.apache.shiro.lang.util.Nameable, Realm

public class ActiveDirectoryRealm extends AbstractLdapRealm

A Realm that authenticates with an active directory LDAP server to determine the roles for a particular user. This implementation queries for the user's groups and then maps the group names to roles using the groupRolesMap.

Since:: 0.1

Field Summary

Fields inherited from class org.apache.shiro.realm.ldap.AbstractLdapRealm
principalSuffix, searchBase, searchFilter, systemPassword, systemUsername, url
Constructor Summary

Constructors

Constructor

Description

ActiveDirectoryRealm()
Method Summary

Modifier and Type

Method

Description

protected AuthenticationInfo

buildAuthenticationInfo(String username, char[] password)

protected AuthorizationInfo

buildAuthorizationInfo(Set<String> roleNames)

protected Collection<String>

getRoleNamesForGroups(Collection<String> groupNames)

This method is called by the default implementation to translate Active Directory group names to role names.

protected Set<String>

getRoleNamesForUser(String username, LdapContext ldapContext)

protected AuthenticationInfo

queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory)

Builds an AuthenticationInfo object by querying the active directory LDAP context for the specified username.

protected AuthorizationInfo

queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory ldapContextFactory)

Builds an AuthorizationInfo object by querying the active directory LDAP context for the groups that a user is a member of.

void

setGroupRolesMap(Map<String,String> groupRolesMap)

Methods inherited from class org.apache.shiro.realm.ldap.AbstractLdapRealm
doGetAuthenticationInfo, doGetAuthorizationInfo, onInit, setLdapContextFactory, setSearchBase, setSearchFilter, setSystemPassword, setSystemUsername, setUrl

Methods inherited from class org.apache.shiro.realm.AuthorizingRealm
afterCacheManagerSet, checkPermission, checkPermission, checkPermission, checkPermissions, checkPermissions, checkPermissions, checkRole, checkRole, checkRoles, checkRoles, checkRoles, clearCachedAuthorizationInfo, doClearCache, getAuthorizationCache, getAuthorizationCacheKey, getAuthorizationCacheName, getAuthorizationInfo, getPermissionResolver, getPermissions, getRolePermissionResolver, hasAllRoles, hasRole, hasRole, hasRoles, hasRoles, isAuthorizationCachingEnabled, isPermitted, isPermitted, isPermitted, isPermitted, isPermitted, isPermitted, isPermittedAll, isPermittedAll, isPermittedAll, setAuthorizationCache, setAuthorizationCacheName, setAuthorizationCachingEnabled, setName, setPermissionResolver, setRolePermissionResolver

Methods inherited from class org.apache.shiro.realm.AuthenticatingRealm
assertCredentialsMatch, clearCachedAuthenticationInfo, getAuthenticationCache, getAuthenticationCacheKey, getAuthenticationCacheKey, getAuthenticationCacheName, getAuthenticationInfo, getAuthenticationTokenClass, getCredentialsMatcher, init, isAuthenticationCachingEnabled, isAuthenticationCachingEnabled, setAuthenticationCache, setAuthenticationCacheName, setAuthenticationCachingEnabled, setAuthenticationTokenClass, setCredentialsMatcher, supports

Methods inherited from class org.apache.shiro.realm.CachingRealm
clearCache, getAvailablePrincipal, getCacheManager, getName, isCachingEnabled, onLogout, setCacheManager, setCachingEnabled

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.shiro.lang.util.Initializable
init

Constructor Details
- ActiveDirectoryRealm
  
  public ActiveDirectoryRealm()
Method Details
- setGroupRolesMap
  
  public void setGroupRolesMap(Map<String,String> groupRolesMap)
- queryForAuthenticationInfo
  
  protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException
  
  Builds an AuthenticationInfo object by querying the active directory LDAP context for the specified username. This method binds to the LDAP server using the provided username and password - which, if successful, indicates that the password is correct.
  This method can be overridden by subclasses to query the LDAP server in a more complex way.
  
  Specified by:
  
  queryForAuthenticationInfo in class AbstractLdapRealm
  
  Parameters:
  
  token - the authentication token provided by the user.
  
  ldapContextFactory - the factory used to build connections to the LDAP server.
  
  Returns:
  
  an AuthenticationInfo instance containing information retrieved from LDAP.
  
  Throws:
  
  NamingException - if any LDAP errors occur during the search.
- buildAuthenticationInfo
  
  protected AuthenticationInfo buildAuthenticationInfo(String username, char[] password)
- queryForAuthorizationInfo
  
  protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory ldapContextFactory) throws NamingException
  
  Builds an AuthorizationInfo object by querying the active directory LDAP context for the groups that a user is a member of. The groups are then translated to role names by using the configured groupRolesMap.
  This implementation expects the principal argument to be a String username.
  Subclasses can override this method to determine authorization data (roles, permissions, etc.) in a more complex way. Note that this default implementation does not support permissions, only roles.
  
  Specified by:
  
  queryForAuthorizationInfo in class AbstractLdapRealm
  
  Parameters:
  
  principals - the principal of the Subject whose account is being retrieved.
  
  ldapContextFactory - the factory used to create LDAP connections.
  
  Returns:
  
  the AuthorizationInfo for the given Subject principal.
  
  Throws:
  
  NamingException - if an error occurs when searching the LDAP server.
- buildAuthorizationInfo
  
  protected AuthorizationInfo buildAuthorizationInfo(Set<String> roleNames)
- getRoleNamesForUser
  
  protected Set<String> getRoleNamesForUser(String username, LdapContext ldapContext) throws NamingException
  
  Throws:
  
  NamingException
- getRoleNamesForGroups
  
  protected Collection<String> getRoleNamesForGroups(Collection<String> groupNames)
  
  This method is called by the default implementation to translate Active Directory group names to role names. This implementation uses the groupRolesMap to map group names to role names.
  
  Parameters:
  
  groupNames - the group names that apply to the current user.
  
  Returns:
  
  a collection of roles that are implied by the given role names.

Class ActiveDirectoryRealm

Field Summary

Fields inherited from class org.apache.shiro.realm.ldap.AbstractLdapRealm

Constructor Summary

Method Summary

Methods inherited from class org.apache.shiro.realm.ldap.AbstractLdapRealm

Methods inherited from class org.apache.shiro.realm.AuthorizingRealm

Methods inherited from class org.apache.shiro.realm.AuthenticatingRealm

Methods inherited from class org.apache.shiro.realm.CachingRealm

Methods inherited from class java.lang.Object

Methods inherited from interface org.apache.shiro.lang.util.Initializable

Constructor Details

ActiveDirectoryRealm

Method Details

setGroupRolesMap

queryForAuthenticationInfo

buildAuthenticationInfo

queryForAuthorizationInfo

buildAuthorizationInfo

getRoleNamesForUser

getRoleNamesForGroups