Implement a Tomcat Realm with LDAP authentication and JDBC authorization
10,114
Solution 1
You haven't specified the version of Tomcat you're using, so I'm going with 6.x here.
It looks like you're delegating hasResourcePermission to JDBC while leaving both findSecurityConstraints and hasUserDataPermission in hands of JNDI. You should delegate all of them or none of them.
Update: JNDIRealm calls protected getRoles(DirContext, User) as part of its authenticate() method. You need to override that and forward it to JDBCRealm's getRoles().
Solution 2
I still get emails about this question with regular frequency, so here is the final product for all to use.
LdapJdbcRealm.java
package org.apache.catalina.realm;
import org.apache.catalina.Realm;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
import javax.naming.directory.DirContext;
import java.io.IOException;
import java.security.Principal;
import java.util.List;
/**
* LdapJdbcRealm is a minimal implementation of a <b>Realm</b> to connect to LDAP
* for authentication and a database for authorization.<br>
* <br>
* Example server.xml configuration fragment:<br>
* <pre>
<Realm className="org.apache.catalina.realm.LdapJdbcRealm"
connectionURL="ldap://ldaphost:389"
resourceName="LDAP Auth" driverName="oracle.jdbc.driver.OracleDriver"
userPattern="uid={0}, ou=Portal, dc=example, dc=com"
dbConnectionName="dbuser" dbConnectionPassword="dbpassword"
dbConnectionURL="jdbc:oracle:thin:@oracledb:1521:dbname"
userTable="users" userNameCol="user_id"
userRoleTable="user_role_xref" roleNameCol="role_id" />
* </pre>
*
* @author Greg Chabala
*
* Created by IntelliJ IDEA.
* User: gchabala
* Date: Jul 14, 2009
* Time: 4:56:37 PM
*/
public class LdapJdbcRealm extends JNDIRealm implements Realm
{
/**
* Encapsulated <b>JDBCRealm</b> to do role lookups
*/
private JDBCRealm jdbcRealm = new JDBCRealm();
/**
* Descriptive information about this <b>Realm</b> implementation.
*/
protected static final String info = "org.apache.catalina.realm.LdapJdbcRealm/1.0";
/**
* Descriptive information about this <b>Realm</b> implementation.
*/
protected static final String name = "LdapJdbcRealm";
/**
* Set the all roles mode.
*
* @param allRolesMode authentication mode
*/
public void setAllRolesMode(String allRolesMode) {
super.setAllRolesMode(allRolesMode);
jdbcRealm.setAllRolesMode(allRolesMode);
}
/**
* Return the username to use to connect to the database.
*
* @return username
* @see JDBCRealm#getConnectionName()
*/
public String getDbConnectionName() {
return jdbcRealm.getConnectionName();
}
/**
* Set the username to use to connect to the database.
*
* @param dbConnectionName username
* @see JDBCRealm#setConnectionName(String)
*/
public void setDbConnectionName(String dbConnectionName) {
jdbcRealm.setConnectionName(dbConnectionName);
}
/**
* Return the password to use to connect to the database.
*
* @return password
* @see JDBCRealm#getConnectionPassword()
*/
public String getDbConnectionPassword() {
return jdbcRealm.getConnectionPassword();
}
/**
* Set the password to use to connect to the database.
*
* @param dbConnectionPassword password
* @see JDBCRealm#setConnectionPassword(String)
*/
public void setDbConnectionPassword(String dbConnectionPassword) {
jdbcRealm.setConnectionPassword(dbConnectionPassword);
}
/**
* Return the URL to use to connect to the database.
*
* @return database connection URL
* @see JDBCRealm#getConnectionURL()
*/
public String getDbConnectionURL() {
return jdbcRealm.getConnectionURL();
}
/**
* Set the URL to use to connect to the database.
*
* @param dbConnectionURL The new connection URL
* @see JDBCRealm#setConnectionURL(String)
*/
public void setDbConnectionURL(String dbConnectionURL) {
jdbcRealm.setConnectionURL(dbConnectionURL);
}
/**
* Return the JDBC driver that will be used.
*
* @return driver classname
* @see JDBCRealm#getDriverName()
*/
public String getDriverName() {
return jdbcRealm.getDriverName();
}
/**
* Set the JDBC driver that will be used.
*
* @param driverName The driver name
* @see JDBCRealm#setDriverName(String)
*/
public void setDriverName(String driverName) {
jdbcRealm.setDriverName(driverName);
}
/**
* Return the table that holds user data..
*
* @return table name
* @see JDBCRealm#getUserTable()
*/
public String getUserTable() {
return jdbcRealm.getUserTable();
}
/**
* Set the table that holds user data.
*
* @param userTable The table name
* @see JDBCRealm#setUserTable(String)
*/
public void setUserTable(String userTable) {
jdbcRealm.setUserTable(userTable);
}
/**
* Return the column in the user table that holds the user's name.
*
* @return username database column name
* @see JDBCRealm#getUserNameCol()
*/
public String getUserNameCol() {
return jdbcRealm.getUserNameCol();
}
/**
* Set the column in the user table that holds the user's name.
*
* @param userNameCol The column name
* @see JDBCRealm#setUserNameCol(String)
*/
public void setUserNameCol(String userNameCol) {
jdbcRealm.setUserNameCol(userNameCol);
}
/**
* Return the table that holds the relation between user's and roles.
*
* @return user role database table name
* @see JDBCRealm#getUserRoleTable()
*/
public String getUserRoleTable() {
return jdbcRealm.getUserRoleTable();
}
/**
* Set the table that holds the relation between user's and roles.
*
* @param userRoleTable The table name
* @see JDBCRealm#setUserRoleTable(String)
*/
public void setUserRoleTable(String userRoleTable) {
jdbcRealm.setUserRoleTable(userRoleTable);
}
/**
* Return the column in the user role table that names a role.
*
* @return role column name
* @see JDBCRealm#getRoleNameCol()
*/
public String getRoleNameCol() {
return jdbcRealm.getRoleNameCol();
}
/**
* Set the column in the user role table that names a role.
*
* @param roleNameCol The column name
* @see JDBCRealm#setRoleNameCol(String)
*/
public void setRoleNameCol(String roleNameCol) {
jdbcRealm.setRoleNameCol(roleNameCol);
}
@Override
public SecurityConstraint[] findSecurityConstraints(Request request, Context context)
{
return jdbcRealm.findSecurityConstraints(request, context);
}
@Override
public boolean hasUserDataPermission(Request request, Response response,
SecurityConstraint []constraints) throws IOException
{
return jdbcRealm.hasUserDataPermission(request, response, constraints);
}
@Override
public boolean hasResourcePermission(Request request, Response response,
SecurityConstraint[]constraints,
Context context) throws IOException
{
return jdbcRealm.hasResourcePermission(request, response, constraints, context);
}
@Override
public boolean hasRole(Principal principal, String role) {
return jdbcRealm.hasRole(principal, role);
}
/**
* Return a List of roles associated with the given User. If no roles
* are associated with this user, a zero-length List is returned.
*
* @param context unused. JDBC does not need this field.
* @param user The User to be checked
* @return list of role names
*
* @see JNDIRealm#getRoles(DirContext, User)
* @see JDBCRealm#getRoles(String)
*/
@Override
protected List<String> getRoles(DirContext context, User user)
{
return jdbcRealm.getRoles(user.username);
}
}
Related videos on Youtube
54 : 20
225 Java Web application by FORM based authentication | Tomcat Security Realm | Servlet Tutorial Adv
![[JSP Servlet] Ứng dụng MVC JDBC trong JSP Servlet](https://i.ytimg.com/vi/3OEVanzf9E4/hqdefault.jpg?sqp=-oaymwEcCOADEI4CSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLCpQKiKEoB9BLCRAm0MVAtW6rpHig)
41 : 28
[JSP Servlet] Ứng dụng MVC JDBC trong JSP Servlet
08 : 04
221 Security Realm | What is security realm | Security Realm in Apache Tomcat Server | Advance java
26 : 00
224 Java Web application enable DIGEST model authentication Security Realm Tomcat Server | Servlet
08 : 14
5. LDAP Java : Create LDAP Connection in Java(LDAP Authentication)
05 : 04
JBoss EAP - 39 LDAP Realm
14 : 54
jBPM 7 - LDAP Authentication & authorization
08 : 02
Configuring Tomcat for HTTPS & User Authentication | Security 7
Author by
Greg Chabala
Asked if I am a Java programmer, I would say yes. Asked if I am a J2EE programmer, I would say no. *How many years of experience do you have?* Do you mean programming, programming with Java, or some specific library within Java?
Updated on April 17, 2022Comments
-
Greg Chabala about 2 years
I'm working in a legacy environment where an LDAP server is used only for authentication and contains no roles, and authorization is done against a database which contains the user-role mapping, but no passwords.
My plan is to implement a new Tomcat Realm by extending JNDIRealm, and overriding the role methods to call an encapsulated JDBCRealm.
My realm is declared in server.xml:
<Realm className="com.example.LdapJdbcRealm" connectionURL="ldap://ldaphost:389" resourceName="LDAP Auth" userPattern="uid={0}, ou=Portal, dc=example, dc=com" dbConnectionURL="jdbc:oracle:thin:@oracledb:1521:dbname" userTable="db_user" userNameCol="user_id" userRoleTable="db_user_role_xref" roleNameCol="role_id" />This is a combination of the standard property names for JNDIRealm & JDBCRealm, with a little change as they both use connectionURL.
package com.example; import org.apache.catalina.Realm; import org.apache.catalina.Context; import org.apache.catalina.deploy.SecurityConstraint; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.catalina.realm.JNDIRealm; import org.apache.catalina.realm.JDBCRealm; import java.security.Principal; import java.io.IOException; public class LdapJdbcRealm extends JNDIRealm implements Realm { private JDBCRealm jdbcRealm = new JDBCRealm(); protected static final String info = "com.example.LdapJdbcRealm/1.0"; protected static final String name = "LdapJdbcRealm"; public String getDbConnectionURL() { return jdbcRealm.getConnectionURL(); } public void setDbConnectionURL(String dbConnectionURL) { jdbcRealm.setConnectionURL(dbConnectionURL); } public String getUserTable() { return jdbcRealm.getUserTable(); } public void setUserTable(String userTable) { jdbcRealm.setUserTable(userTable); } public String getUserNameCol() { return jdbcRealm.getUserNameCol(); } public void setUserNameCol(String userNameCol) { jdbcRealm.setUserNameCol(userNameCol); } public String getUserRoleTable() { return jdbcRealm.getUserRoleTable(); } public void setUserRoleTable(String userRoleTable) { jdbcRealm.setUserRoleTable(userRoleTable); } public String getRoleNameCol() { return jdbcRealm.getRoleNameCol(); } public void setRoleNameCol(String roleNameCol) { jdbcRealm.setRoleNameCol(roleNameCol); } public boolean hasResourcePermission(Request request, Response response, SecurityConstraint[]constraints, Context context) throws IOException { return jdbcRealm.hasResourcePermission(request, response, constraints, context); } public boolean hasRole(Principal principal, String role) { return jdbcRealm.hasRole(principal, role); } }This mostly seems to work, the authorization returns a Principal from LDAP, which has no roles as expected. That same Principal enters
hasResourcePermission()and fails because it doesn't have the require roles in it. Clearly I'm missing some crucial code.I'm looking for solutions. I could try extending JDBCRealm and adding LDAP authentication, but that seems like more work.
I also believe that this LDAP authentication/DB authorization is not an uncommon pattern. Is there an alternative solution already available?
It is not within my control to add roles to LDAP or passwords to the DB, so those are not solutions for me.
-
Greg Chabala almost 15 yearsI've overridden findSecurityConstraints() & hasUserDataPermission() to call though JDBCRealm. However, JDBCRealm's getRoles() is protected. How do you propose I call it?
-
Greg Chabala almost 15 yearsMoving to package org.apache.catalina.realm worked very well. I had also neglected to specify a driver, so I added getters and setters for that as well as DB user and password. All is working well now, thank you.
-
andy almost 7 yearsHi, I put this on github: github.com/rasenderhase/nest-tomcat-realms I am happy for pull requests.