861,864c861
< // Retrieve user information
< User user = getUser(context, username);
< if (user == null)
< return (null);
---
> List roles = null;
866,868c863,866
< // Check the user's credentials
< if (!checkCredentials(context, user, credentials))
< return (null);
---
> if ( userPassword == null )
> {
> // Bind to the directory to authenticate (and obtain roles).
> roles = bindAsUser(context, username, credentials);
870,871c868,870
< // Search for additional roles
< List roles = getRoles(context, user);
---
> if ( debug >= 2 )
> log(sm.getString(((roles != null) ? "jndiRealm.authenticateSuccess" : "jndiRealm.authenticateFailure"),
> username));
872a872,901
> if ( roles == null )
> return(null);
> }
> else
> {
> // Retrieve user information
> User user = getUser(context, username);
> if (user == null)
> return (null);
>
> boolean validated = compareCredentials(context, user, credentials);
>
> if (debug >= 2) {
> if (validated) {
> log(sm.getString("jndiRealm.authenticateSuccess",
> user.username));
> } else {
> log(sm.getString("jndiRealm.authenticateFailure",
> user.username));
> }
> }
>
> // Check the user's credentials
> if (!validated)
> return (null);
>
> // Search for additional roles
> roles = getRoles(context, user);
> }
>
1073,1114d1101
< * Check whether the given User can be authenticated with the
< * given credentials. If the userPassword
< * configuration attribute is specified, the credentials
< * previously retrieved from the directory are compared explicitly
< * with those presented by the user. Otherwise the presented
< * credentials are checked by binding to the directory as the
< * user.
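Review bot: In the bind branch the null-ness of `roles` is the only signal that authentication succeeded (`roles = bindAsUser(context, username, credentials);` followed by `if ( roles == null ) return(null);`), so a role list now doubles as the authentication verdict, and neither site says so. A maintainer who later "normalizes" bindAsUser to hand back an empty list on a failed bind would turn that into an accepted login, so the gate deserves a comment: `// null from bindAsUser means the bind (authentication) failed; a validated user with no roles gets an empty list, never null`. The same coupling drives the `protected List bindAsUser(...)` signature change and the `roles = new ArrayList();` fallback in the later hunks. The enclosing authenticate method begins and ends outside this hunk.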
< *
< * @param context The directory context
< * @param user The User to be authenticated
< * @param credentials The credentials presented by the user
< *
< * @exception NamingException if a directory server error occurs
< */
< protected boolean checkCredentials(DirContext context,
< User user,
< String credentials)
< throws NamingException {
<
< boolean validated = false;
<
< if (userPassword == null) {
< validated = bindAsUser(context, user, credentials);
< } else {
< validated = compareCredentials(context, user, credentials);
< }
<
< if (debug >= 2) {
< if (validated) {
< log(sm.getString("jndiRealm.authenticateSuccess",
< user.username));
< } else {
< log(sm.getString("jndiRealm.authenticateFailure",
< user.username));
< }
< }
< return (validated);
< }
<
<
<
< /**
1153c1140,1144
< * Check credentials by binding to the directory as the user
---
> * Return a List of roles associated with the given User. Any
> * roles present in the user's directory entry are supplemented by
> * a directory search. If no roles are associated with this user,
> * a zero-length List is returned. If the user is not validated,
> * returns null.
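Review bot: The rewritten Javadoc for bindAsUser describes only the role lookup and no longer states that the method authenticates the caller by binding to the directory with the presented credentials, which is the security-relevant contract the authenticate() hunk depends on. "Return a List of roles associated with the given User" is also stale, since the method now receives a username rather than a User (see the signature hunk that follows). Suggest opening with `Authenticate the given username by binding to the directory with the presented credentials, then return the roles of the authenticated entry; returns null when the entry cannot be located or the bind fails.` and keeping the existing sentence about the zero-length List.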
1156,1157c1147,1149
< * @param user The User to be authenticated
< * @param credentials Authentication credentials
---
> * @param username Username of the Principal to look up
> * @param credentials Password or other credentials to use in
> authenticating this username
1161,1165c1153,1156
< protected boolean bindAsUser(DirContext context,
< User user,
< String credentials)
< throws NamingException {
< Attributes attr;
---
> protected List bindAsUser(DirContext context,
> String username,
> String credentials)
> throws NamingException {
1167,1170c1158,1233
< if (credentials == null || user == null)
< return (false);
<
< String dn = user.dn;
---
> if (username == null || username.equals("")
> || credentials == null || credentials.equals(""))
> return (null);
>
> ArrayList roles = null;
>
> // Bind to the directory to authenticate and obtain roles.
>
> String dn = null;
>
> // Use pattern or search for user entry
> if (userPatternFormat != null) {
> if (debug >= 2)
> log("lookupUser(" + username + ")");
>
> // Form the dn from the user pattern
> dn = userPatternFormat.format(new String[] { username });
> if (debug >= 3) {
> log(" dn=" + dn);
> }
> } else {
> if (userSearchFormat == null)
> return (null);
>
> // Form the search filter
> String filter = userSearchFormat.format(new String[] { username });
>
> // Set up the search controls
> SearchControls constraints = new SearchControls();
>
> if (userSubtree) {
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> }
> else {
> constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
> }
> constraints.setReturningAttributes(new String[0]);
>
> if (debug > 3) {
> log(" Searching for " + username);
> log(" base: " + userBase + " filter: " + filter);
> }
>
> NamingEnumeration results =
> context.search(userBase, filter, constraints);
>
> // Fail if no entries found
> if (results == null || !results.hasMore()) {
> if (debug > 2) {
> log(" username not found");
> }
> return(null);
> }
>
> // Get result for the
first entry found
> SearchResult result = (SearchResult)results.next();
>
> // Check no further entries were found
> if (results.hasMore()) {
> log("username " + username + " has multiple entries");
> return (null);
> }
>
> // Get the entry's distinguished name
> NameParser parser = context.getNameParser("");
> Name contextName = parser.parse(context.getNameInNamespace());
> Name baseName = parser.parse(userBase);
> Name entryName = parser.parse(result.getName());
> Name name = contextName.addAll(baseName);
> name = name.addAll(entryName);
> dn = name.toString();
>
> if (debug > 2)
> log(" entry found for " + username + " with dn " + dn);
> }
>
1172c1235
< return (false);
---
> return (null);
1184d1246
< boolean validated = false;
1189,1190c1251,1270
< attr = context.getAttributes("", null);
< validated = true;
---
> ArrayList list = new ArrayList();
> if (userRoleName != null)
> list.add(userRoleName);
> String[] attrIds = new String[list.size()];
> list.toArray(attrIds);
>
> Attributes attrs = context.getAttributes("", attrIds);
> if (attrs != null)
> {
> // Retrieve values of userRoleName attribute
> if (userRoleName != null)
> roles = addAttributeValues(userRoleName, attrs, roles);
> }
>
> // Search for additional roles.
> roles = (ArrayList)getRoles(context, new User(username, dn, null, roles));
>
> // To indicate success roles must be non-null.
> if ( roles == null )
> roles = new ArrayList();
1197c1277
<
---
>
1213,1214c1293,1294
< return (validated);
< }
---
> return (roles);
> }
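Review bot: `Attributes attrs = context.getAttributes("", attrIds);` reads the attributes of the context's own root entry (the empty name), not of the user entry at `dn`, so unless the context happens to be rooted at that entry the `userRoleName` values collected by `addAttributeValues` come from the wrong object and the user's own role attribute is never seen; the replaced line only used `""` as a cheap way to force the lazy bind. If the intent is to keep the forced bind and also read the roles, read them from the user's entry — note that on the search path `dn` was assembled from `getNameInNamespace()`, so the name relative to `context` is presumably the base-plus-entry part rather than the full `dn`. Second, `getRoles(...)` now runs inside the same try block while the context is still bound with the user's credentials, and whether the security environment is restored on a NamingException other than AuthenticationException depends on restore code outside this hunk, which should sit in a finally. Lastly, the `(ArrayList)` cast on `getRoles` (declared to return `List`, per the authenticate hunk) is only safe while getRoles never returns another List implementation; declaring `roles` as `List` avoids a ClassCastException at login time.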