861,864c861
< // Retrieve user information
< User user = getUser(context, username);
< if (user == null)
< return (null);
---
> List roles = null;
866,868c863,866
< // Check the user's credentials
< if (!checkCredentials(context, user, credentials))
< return (null);
---
> if ( userPassword == null )
> {
> // Bind to the directory to authenticate (and obtain roles).
> roles = bindAsUser(context, username, credentials);
870,871c868,870
< // Search for additional roles
< List roles = getRoles(context, user);
---
> if ( debug >= 2 )
> log(sm.getString(((roles != null) ? "jndiRealm.authenticateSuccess" : "jndiRealm.authenticateFailure"),
> username));
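Review bot: The success/failure debug log is now emitted twice — here for the bind path, and again in the next hunk's `if (debug >= 2) { if (validated) ... }` block for the compare path — where the removed `checkCredentials` logged it exactly once. If the two branches are kept, consider leaving `roles` null on failure in the compare branch instead of returning early and logging once after the `if/else`, e.g. `if (debug >= 2) log(sm.getString((roles != null) ? "jndiRealm.authenticateSuccess" : "jndiRealm.authenticateFailure", username));` immediately before the single `if (roles == null) return (null);`. The enclosing method (presumably `authenticate`) begins before the first hunk and ends after the fourth, so the exact placement depends on code not shown here.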
872a872,901
> if ( roles == null )
> return(null);
> }
> else
> {
> // Retrieve user information
> User user = getUser(context, username);
> if (user == null)
> return (null);
>
> boolean validated = compareCredentials(context, user, credentials);
>
> if (debug >= 2) {
> if (validated) {
> log(sm.getString("jndiRealm.authenticateSuccess",
> user.username));
> } else {
> log(sm.getString("jndiRealm.authenticateFailure",
> user.username));
> }
> }
>
> // Check the user's credentials
> if (!validated)
> return (null);
>
> // Search for additional roles
> roles = getRoles(context, user);
> }
>
1073,1114d1101
< * Check whether the given User can be authenticated with the
< * given credentials. If the userPassword
< * configuration attribute is specified, the credentials
< * previously retrieved from the directory are compared explicitly
< * with those presented by the user. Otherwise the presented
< * credentials are checked by binding to the directory as the
< * user.
< *
< * @param context The directory context
< * @param user The User to be authenticated
< * @param credentials The credentials presented by the user
< *
< * @exception NamingException if a directory server error occurs
< */
< protected boolean checkCredentials(DirContext context,
< User user,
< String credentials)
< throws NamingException {
<
< boolean validated = false;
<
< if (userPassword == null) {
< validated = bindAsUser(context, user, credentials);
< } else {
< validated = compareCredentials(context, user, credentials);
< }
<
< if (debug >= 2) {
< if (validated) {
< log(sm.getString("jndiRealm.authenticateSuccess",
< user.username));
< } else {
< log(sm.getString("jndiRealm.authenticateFailure",
< user.username));
< }
< }
< return (validated);
< }
<
<
<
< /**
1153c1140,1144
< * Check credentials by binding to the directory as the user
---
> * Return a List of roles associated with the given User. Any
> * roles present in the user's directory entry are supplemented by
> * a directory search. If no roles are associated with this user,
> * a zero-length List is returned. If the user is not validated,
> * returns null
.
1156,1157c1147,1149
< * @param user The User to be authenticated
< * @param credentials Authentication credentials
---
> * @param username Username of the Principal to look up
> * @param credentials Password or other credentials to use in
> * authenticating this username
1161,1165c1153,1156
< protected boolean bindAsUser(DirContext context,
< User user,
< String credentials)
< throws NamingException {
< Attributes attr;
---
> protected List bindAsUser(DirContext context,
> String username,
> String credentials)
> throws NamingException {
1167,1170c1158,1233
< if (credentials == null || user == null)
< return (false);
<
< String dn = user.dn;
---
> if (username == null || username.equals("")
> || credentials == null || credentials.equals(""))
> return (null);
>
> ArrayList roles = null;
>
> // Bind to the directory to authenticate and obtain roles.
>
> String dn = null;
>
> // Use pattern or search for user entry
> if (userPatternFormat != null) {
> if (debug >= 2)
> log("lookupUser(" + username + ")");
>
> // Form the dn from the user pattern
> dn = userPatternFormat.format(new String[] { username });
> if (debug >= 3) {
> log(" dn=" + dn);
> }
> } else {
> if (userSearchFormat == null)
> return (null);
>
> // Form the search filter
> String filter = userSearchFormat.format(new String[] { username });
>
> // Set up the search controls
> SearchControls constraints = new SearchControls();
>
> if (userSubtree) {
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> }
> else {
> constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
> }
> constraints.setReturningAttributes(new String[0]);
>
> if (debug > 3) {
> log(" Searching for " + username);
> log(" base: " + userBase + " filter: " + filter);
> }
>
> NamingEnumeration results =
> context.search(userBase, filter, constraints);
>
> // Fail if no entries found
> if (results == null || !results.hasMore()) {
> if (debug > 2) {
> log(" username not found");
> }
> return(null);
> }
>
> // Get result for the first entry found
> SearchResult result = (SearchResult)results.next();
>
> // Check no further entries were found
> if (results.hasMore()) {
> log("username " + username + " has multiple entries");
> return (null);
> }
>
> // Get the entry's distinguished name
> NameParser parser = context.getNameParser("");
> Name contextName = parser.parse(context.getNameInNamespace());
> Name baseName = parser.parse(userBase);
> Name entryName = parser.parse(result.getName());
> Name name = contextName.addAll(baseName);
> name = name.addAll(entryName);
> dn = name.toString();
>
> if (debug > 2)
> log(" entry found for " + username + " with dn " + dn);
> }
>
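Review bot: `username` is inserted verbatim into the LDAP search filter by `userSearchFormat.format(new String[] { username })` and into the distinguished name by `userPatternFormat.format(new String[] { username })`, so a username containing filter or DN metacharacters changes the meaning of the lookup (LDAP filter / DN injection); escape the value per RFC 4515 for the filter and RFC 4514 for the DN before formatting, or reject such usernames next to the null/empty check at the top of the method. Separately, the `NamingEnumeration results` returned by `context.search` is never closed after the `hasMore()`/`next()` calls; wrapping that section in `try { ... } finally { results.close(); }` releases the server-side result set on every path, including the early `return (null)` cases. The method's body continues past this hunk.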
1172c1235
< return (false);
---
> return (null);
1184d1246
< boolean validated = false;
1189,1190c1251,1270
< attr = context.getAttributes("", null);
< validated = true;
---
> ArrayList list = new ArrayList();
> if (userRoleName != null)
> list.add(userRoleName);
> String[] attrIds = new String[list.size()];
> list.toArray(attrIds);
>
> Attributes attrs = context.getAttributes("", attrIds);
> if (attrs != null)
> {
> // Retrieve values of userRoleName attribute
> if (userRoleName != null)
> roles = addAttributeValues(userRoleName, attrs, roles);
> }
>
> // Search for additional roles.
> roles = (ArrayList)getRoles(context, new User(username, dn, null, roles));
>
> // To indicate success roles must be non-null.
> if ( roles == null )
> roles = new ArrayList();
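Review bot: `context.getAttributes("", attrIds)` reads the attributes of the context's own base name rather than of the entry `dn` resolved earlier in this method, so the `userRoleName` values gathered by `addAttributeValues` just below would come from the wrong entry unless the context happens to be rooted at the user's DN; if the intent is to read the user's entry (the lines between this hunk and the previous one are not visible, so this is inferred), use `Attributes attrs = context.getAttributes(dn, attrIds);` — `dn` is still in scope here. Also, `getRoles(context, new User(username, dn, null, roles))` now runs while the context is bound as the authenticating user, whereas the previous flow called `getRoles` from the caller after `bindAsUser` returned; confirm that is intended, since role lookup then depends on each user's own read permissions rather than the realm's connection, and a user lacking read access to the role base would silently authenticate with an empty role list.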
1197c1277
<
---
>
1213,1214c1293,1294
< return (validated);
< }
---
> return (roles);
> }