-
1. Re: Roles using LDAPLoginModule
shane.bryzak Nov 28, 2007 6:52 PM (in response to dennisrjohn)
It should just work. The subject is passed in the LoginContext when you authenticate with Identity.login(), and as long as your login module conforms to the standard of placing roles inside a group called "Roles" then any roles granted by the login module will be reflected by Identity.hasRole().
-
2. Re: Roles using LDAPLoginModule
dennisrjohn Nov 28, 2007 8:09 PM (in response to dennisrjohn)
I thought that was the case, but it still doesn't seem to work.
I ended up overriding the LDAPLoginModule anyway; here are the relevant pieces:
    public class LdapLoginModule extends UsernamePasswordLoginModule {
        private static final String BASE_DN = "dc=body,dc=local";
        private static final String PRINCIPAL_DN_PREFIX_OPT = "principalDNPrefix";
        private static final String PRINCIPAL_DN_SUFFIX_OPT = "principalDNSuffix";
        private static final String MATCH_ON_USER_DN_OPT = "matchOnUserDN";

        public LdapLoginModule()
        {
        }

        // Roles collected from LDAP; "Roles" is the group name the container looks for
        private transient SimpleGroup userRoles = new SimpleGroup("Roles");
        ...
        private void createLdapInitContext(String username, Object credential) throws NamingException
        {
            ...
            try
            {
                // Each matching entry under rolesCtxDN contributes its "name" values as roles
                NamingEnumeration answer = ctx.search(rolesCtxDN, matchAttrs);
                while (answer.hasMore())
                {
                    SearchResult sr = (SearchResult) answer.next();
                    Attributes attrs = sr.getAttributes();
                    Attribute roles = attrs.get("name");
                    if (roles == null)
                    {
                        // Entry has no "name" attribute; skip it instead of failing on roles.size()
                        continue;
                    }
                    for (int r = 0; r < roles.size(); r++)
                    {
                        String roleName = roles.get(r).toString();
                        if (roleName != null)
                        {
                            try
                            {
                                Principal p = super.createIdentity(roleName);
                                log.trace("Assign user to role " + roleName);
                                userRoles.addMember(p);
                            }
                            catch (Exception e)
                            {
                                log.debug("Failed to create principal: " + roleName, e);
                            }
                        }
                    }
                }
            }
            catch (NamingException e)
            {
                log.trace("Failed to locate roles", e);
            }
            ...
        }
    }
Thanks for the reply, hopefully I'm just missing something.
-
3. Re: Roles using LDAPLoginModule
shane.bryzak Nov 28, 2007 9:41 PM (in response to dennisrjohn)
Are you adding userRoles to the subject?
-
4. Re: Roles using LDAPLoginModule
dennisrjohn Nov 29, 2007 1:50 PM (in response to dennisrjohn)
Yep, you are correct! It was "just working"
It turns out it was an EL issue in my tag.
Thanks for the help!
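
The check raised in reply 3, as an added example that is not part of the original thread and is not JBoss or Seam code: a plain JAAS login module builds a "Roles" group during login() and has to add it to the Subject in commit() before any role lookup can see it. Role, RoleGroup, DemoModule, hasRole and the "attach" option are hypothetical stand-ins (for SimpleGroup, the LDAP search and Identity.hasRole()), and the "admin" role is constructed.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class RolesGroupDemo {
    record Role(String name) implements Principal { public String getName() { return name; } }
    static final class RoleGroup implements Principal { // hypothetical stand-in for SimpleGroup("Roles")
        final Set<Principal> members = new HashSet<>();
        public String getName() { return "Roles"; }
    }
    public static class DemoModule implements LoginModule {
        private Subject subject;
        private boolean attach;
        private final RoleGroup userRoles = new RoleGroup();
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
            attach = "true".equals(opts.get("attach")); // hypothetical option, for this demo only
        }
        public boolean login() {
            userRoles.members.add(new Role("admin")); // constructed role, in place of the LDAP search
            return true;
        }
        public boolean commit() {
            if (attach) subject.getPrincipals().add(userRoles); // without this the roles never leave the module
            return true;
        }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().remove(userRoles); return true; }
    }
    static boolean hasRole(Subject s, String role) { // hypothetical lookup: members of the "Roles" group only
        return s.getPrincipals(RoleGroup.class).stream().filter(g -> "Roles".equals(g.getName()))
            .anyMatch(g -> g.members.stream().anyMatch(p -> p.getName().equals(role)));
    }
    static Subject login(boolean attach) throws LoginException {
        Configuration cfg = new Configuration() { // in-memory JAAS configuration, no login config file needed
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of("attach", String.valueOf(attach))) };
            }
        };
        LoginContext lc = new LoginContext("demo", new Subject(), null, cfg);
        lc.login();
        return lc.getSubject();
    }
    public static void main(String[] args) throws LoginException {
        System.out.println("attached: " + hasRole(login(true), "admin") + ", not attached: " + hasRole(login(false), "admin"));
    }
}
```

Records need Java 16 or later. In a module that extends JBoss's UsernamePasswordLoginModule, the equivalent step is returning the group from getRoleSets(), which the base class adds to the Subject on commit.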