
Java - Retrieving permissions from LDAP for Shiro

I'm trying to get the user permissions (read, write, browse, ...) for LDAP objects using a Java application with Shiro. I don't have much experience with LDAP. I set up a server with Apache Directory Studio for testing purposes. Then I created a domain (dc=testdomain) and added a subentry with the "accessControlSubentry" object class and added the "prescriptiveACI" attribute. Everything works the way it should if I browse the server with Apache DS, and I can connect to the server in my Java app.

In order to get the permissions I subclassed the ActiveDirectoryRealm from Shiro. But I can't manage to make the query get the subentries.

package org.apache.shiro.realm.activedirectory;

import java.util.LinkedHashSet;
import java.util.Set;

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class ActiveDirectoryRealmPermissions extends ActiveDirectoryRealm {

    private static final Logger log = LoggerFactory.getLogger(ActiveDirectoryRealmPermissions.class);

    private Set<String> getPermissionsForUser(String username, LdapContext ldapContext) throws NamingException {
        Set<String> permissions = new LinkedHashSet<String>();

        // Subtree search below the domain, asking the server for the ACI attribute only
        SearchControls searchCtls = new SearchControls();
        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        searchCtls.setReturningAttributes(new String[]{"prescriptiveACI"});

        String searchFilter = "(objectClass=subentry)";
        String searchBase = "dc=testdomain";
        NamingEnumeration<SearchResult> answer = ldapContext.search(searchBase, searchFilter, searchCtls);

        try {
            while (answer.hasMore()) {
                SearchResult sr = answer.next();
                if (log.isDebugEnabled()) {
                    log.debug("Retrieving permissions for user [" + sr.getName() + "]");
                }

                Attributes attrs = sr.getAttributes();
                if (attrs == null) {
                    continue;
                }

                NamingEnumeration<? extends Attribute> ae = attrs.getAll();
                while (ae.hasMore()) {
                    Attribute attr = ae.next();

                    // LDAP attribute type names are case-insensitive; the server may return its own casing
                    if ("prescriptiveACI".equalsIgnoreCase(attr.getID())) {
                        if (log.isDebugEnabled()) {
                            log.debug("Permissions found");
                        }
                        // Collect the raw ACI item values so the method returns something
                        NamingEnumeration<?> values = attr.getAll();
                        while (values.hasMore()) {
                            permissions.add(String.valueOf(values.next()));
                        }
                    }
                }
            }
        } finally {
            answer.close();
        }
        return permissions;
    }
}

When I change the searchFilter to "(objectClass=*)" I get all the OrganisationUnits in the domain. But I just can't seem to find the subentry objects that I need for the prescriptiveACI attribute.

Here is the content of my Shiro.ini file:

activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealmPermissions
activeDirectoryRealm.systemUsername = uid=admin,ou=system
activeDirectoryRealm.systemPassword = secret
activeDirectoryRealm.url = ldap://localhost:10389
activeDirectoryRealm.searchBase = ""

How can I make the search query subentries? Or is there a better/alternative way to get the permissions from the LDAP server?

So you want to find all instances of accessControlSubentry objects with a prescriptiveACI attribute?

Try this:

(&(objectClass=accessControlSubentry)(prescriptiveACI=*))
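Added example, not code from the question or the answer above: a complete realm subclass that runs that filter from Shiro's authorization hook. Besides the filter there is a second thing to get right. RFC 3672 specifies that subentries are not visible to singleLevel or wholeSubtree searches unless the request carries the subentries control (OID 1.3.6.1.4.1.4203.1.10.1) with a BER BOOLEAN TRUE value, which is consistent with the question's subtree search returning every organizationalUnit but no subentry. The example sends that control through JNDI's request-control mechanism. The class name SubentryPermissionsRealm, the search base dc=testdomain and the choice to use each prescriptiveACI value verbatim as a Shiro permission string are assumptions made for this example.

```java
package org.apache.shiro.realm.activedirectory;

import java.util.LinkedHashSet;
import java.util.Set;

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;

import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * Hypothetical realm (not part of Shiro) that reads prescriptiveACI values from
 * accessControlSubentry objects and exposes them as Shiro permission strings.
 */
public class SubentryPermissionsRealm extends ActiveDirectoryRealm {

    /** RFC 3672 subentries control OID. */
    private static final String SUBENTRIES_CONTROL_OID = "1.3.6.1.4.1.4203.1.10.1";

    /** Control value: BER-encoded BOOLEAN TRUE (01 01 FF) = subentries visible, ordinary entries hidden. */
    private static final byte[] SUBENTRIES_VISIBLE = { 0x01, 0x01, (byte) 0xFF };

    /** The filter from the answer above. */
    private static final String ACI_FILTER = "(&(objectClass=accessControlSubentry)(prescriptiveACI=*))";

    /** Assumption: the naming context that holds the subentry on the test server. */
    private static final String SEARCH_BASE = "dc=testdomain";

    @Override
    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals,
            LdapContextFactory ldapContextFactory) throws NamingException {
        String username = (String) getAvailablePrincipal(principals);
        LdapContext ctx = ldapContextFactory.getSystemLdapContext();
        try {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.setStringPermissions(getPermissionsForUser(username, ctx));
            return info;
        } finally {
            LdapUtils.closeContext(ctx);
        }
    }

    /**
     * Returns the raw prescriptiveACI values found below SEARCH_BASE. As in the question,
     * the result is not yet narrowed to the given user; every ACI item is returned.
     */
    protected Set<String> getPermissionsForUser(String username, LdapContext ctx) throws NamingException {
        Set<String> permissions = new LinkedHashSet<String>();

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "prescriptiveACI" });

        // Criticality TRUE: a server that does not implement the control rejects the search
        // instead of silently answering with zero subentries, i.e. zero permissions.
        Control subentries = new BasicControl(SUBENTRIES_CONTROL_OID, true, SUBENTRIES_VISIBLE);
        Control[] previous = ctx.getRequestControls();
        ctx.setRequestControls(new Control[] { subentries });
        try {
            NamingEnumeration<SearchResult> results = ctx.search(SEARCH_BASE, ACI_FILTER, sc);
            try {
                while (results.hasMore()) {
                    SearchResult sr = results.next();
                    Attribute aci = sr.getAttributes().get("prescriptiveACI");
                    if (aci == null) {
                        continue;
                    }
                    NamingEnumeration<?> values = aci.getAll();
                    while (values.hasMore()) {
                        // Assumption: the ACI item string is used verbatim as the permission string
                        permissions.add(String.valueOf(values.next()));
                    }
                }
            } finally {
                results.close();
            }
        } finally {
            // Leave the shared context as we found it for later requests
            ctx.setRequestControls(previous);
        }
        return permissions;
    }
}
```

To use it, point the realm line in Shiro.ini at this class instead of ActiveDirectoryRealmPermissions. Two caveats: with the control set to TRUE the same search no longer returns ordinary entries, so keep it on the context only for the duration of the subentry lookup as the code does; and a prescriptiveACI item describes what the directory itself grants to which userClasses on which protectedItems, so the raw strings only become meaningful Shiro permissions once they are parsed into the realm's own permission vocabulary, which this example does not attempt.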
