View Javadoc
1   /*
2    * Copyright 2013–2019 Michael Osipov
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package net.sf.michaelo.tomcat.realm;
17  
18  import java.security.Principal;
19  import java.util.Arrays;
20  import java.util.Collections;
21  import java.util.List;
22  import java.util.Map;
23  
24  import org.apache.catalina.TomcatPrincipal;
25  import org.ietf.jgss.GSSCredential;
26  import org.ietf.jgss.GSSName;
27  
28  /**
29   * Represents a principal from Active Directory with a list of roles.
30   * <p>
31   * An Active Directory principal is comprised of the following items:
32   * <ul>
33   * <li>the GSS name,</li>
34   * <li>the security identifier (SID),</li>
35   * <li>an optional GSS credential for credential delegation (impersonation),</li>
36   * <li>the array of security groups the user has been assigned to, stored as SID strings (the actual
37   * values are queried with {@code memberOf} and retrieved from {@code objectSid} and
38   * {@code sIDHistory}),</li>
39   * <li>and a map with additional attributes which are either a {@code String}, {@code byte[]} or a
40   * {@code List} of either one.</li>
41   * </ul>
42   *
43   * @version $Id: ActiveDirectoryPrincipal.java 346 2019-12-08 13:17:01Z michael-o $
44   */
45  public class ActiveDirectoryPrincipal implements TomcatPrincipal {
46  
47  	private final GSSName gssName;
48  	private final Sid sid;
49  	private final transient GSSCredential gssCredential;
50  	private final String[] roles;
51  	private final Map<String, Object> additionalAttributes;
52  
53  	/**
54  	 * Constructs a new principal for the given parameters.
55  	 */
56  	public ActiveDirectoryPrincipal(GSSName gssName, Sid sid, GSSCredential gssCredential) {
57  		this(gssName, sid, null, gssCredential, null);
58  	}
59  
60  	/**
61  	 * Constructs a new principal for the given parameters.
62  	 */
63  	public ActiveDirectoryPrincipal(GSSName gssName, Sid sid, List<String> roles,
64  			GSSCredential gssCredential, Map<String, Object> additionalAttributes) {
65  		this.gssName = gssName;
66  		this.sid = sid;
67  		if (roles == null || roles.isEmpty())
68  			this.roles = new String[0];
69  		else {
70  			this.roles = roles.toArray(new String[0]);
71  			Arrays.sort(this.roles);
72  		}
73  		this.gssCredential = gssCredential;
74  		if (additionalAttributes == null || additionalAttributes.isEmpty())
75  			this.additionalAttributes = Collections.emptyMap();
76  		else
77  			this.additionalAttributes = Collections.unmodifiableMap(additionalAttributes);
78  	}
79  
80  	@Override
81  	public Principal getUserPrincipal() {
82  		return this;
83  	}
84  
85  	@Override
86  	public String getName() {
87  		return gssName.toString();
88  	}
89  
90  	/**
91  	 * Returns the underlying GSS name.
92  	 *
93  	 * @return the underlying GSS name
94  	 */
95  	public GSSName getGssName() {
96  		return gssName;
97  	}
98  
99  	/**
100 	 * Returns the security identifier (SID) of the principal.
101 	 *
102 	 * @return the security identifier
103 	 */
104 	public Sid getSid() {
105 		return sid;
106 	}
107 
108 	@Override
109 	public GSSCredential getGssCredential() {
110 		return gssCredential;
111 	}
112 
113 	/**
114 	 * Grants access if supplied role is associated with this principal.
115 	 *
116 	 * @param role
117 	 *            the role to check
118 	 * @return true if principal is associated with the role, else false
119 	 */
120 	public boolean hasRole(String role) {
121 		if ("*".equals(role)) // Special 2.4 role meaning everyone
122 			return true;
123 		if (role == null)
124 			return false;
125 		return Arrays.binarySearch(roles, role) >= 0;
126 	}
127 
128 	/**
129 	 * Returns the role SID strings of the given principal.
130 	 *
131 	 * @return a read-only view of the roles
132 	 */
133 	public String[] getRoles() {
134 		return Arrays.copyOf(roles, roles.length);
135 	}
136 
137 	/**
138 	 * Holds additional attributes for a given principal which may be stored in Active Directory.
139 	 *
140 	 * @return a read-only view of the additional attributes
141 	 */
142 	public Map<String, Object> getAdditionalAttributes() {
143 		return additionalAttributes;
144 	}
145 
146 	@Override
147 	public boolean equals(Object obj) {
148 		if (obj == null)
149 			return false;
150 
151 		if (!(obj instanceof ActiveDirectoryPrincipal))
152 			return false;
153 
154 		ActiveDirectoryPrincipal other = (ActiveDirectoryPrincipal) obj;
155 
156 		return gssName.equals((Object) other.gssName);
157 	}
158 
159 	@Override
160 	public int hashCode() {
161 		return gssName.hashCode();
162 	}
163 
164 	@Override
165 	public String toString() {
166 		return gssName.toString();
167 	}
168 
169 	@Override
170 	public void logout() throws Exception {
171 		if (gssCredential != null) {
172 			gssCredential.dispose();
173 		}
174 	}
175 
176 }