Home/ Questions/Q 8890705
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T22:33:48+00:00

The JavaDoc for Shiro class JndiLdapRealm explicitly says that authorization is by default disabled

  • 0

The JavaDoc for Shiro class JndiLdapRealm explicitly says that authorization is by default disabled and that authorization against an LDAP server should be implemented by the user by subclassing and overriding the JndiLdapRealm#doGetAuthorizationInfo method.
Is there sample code on how to do that including handling the communication / protocol with the LDAP server available anywhere?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    you should implement your own LdapRealm extending JndiLdapRealm.
    In this implementation, you would override queryForAuthorizationInfo() ; here is a simple example :

    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory ldapContextFactory) throws NamingException {

String username = (String) getAvailablePrincipal(principals);

// Perform context search
LdapContext ldapContext = ldapContextFactory.getSystemLdapContext();

Set<String> roleNames;

try {
  roleNames = getRoleNamesForUser(username, ldapContext);
} finally {
  LdapUtils.closeContext(ldapContext);
}

return buildAuthorizationInfo(roleNames);
}

protected AuthorizationInfo buildAuthorizationInfo(Set<String> roleNames) {
return new SimpleAuthorizationInfo(roleNames);
}

protected Set<String> getRoleNamesForUser(String username, LdapContext ldapContext) throws NamingException {
Set<String> roleNames;
roleNames = new LinkedHashSet<String>();

SearchControls searchCtls = new SearchControls();
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

//SHIRO-115 - prevent potential code injection:
String searchFilter = "(&(objectClass=*)(CN={0}))";
Object[] searchArguments = new Object[]{ username };

NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchArguments, searchCtls);

while (answer.hasMoreElements()) {
  SearchResult sr = (SearchResult) answer.next();

  if (log.isDebugEnabled()) {
    log.debug("Retrieving group names for user [" + sr.getName() + "]");
  }

  Attributes attrs = sr.getAttributes();

  if (attrs != null) {
    NamingEnumeration ae = attrs.getAll();
    while (ae.hasMore()) {
      Attribute attr = (Attribute) ae.next();

      if (attr.getID().equals("memberOf")) {

        Collection<String> groupNames = LdapUtils.getAllAttributeValues(attr);

        if (log.isDebugEnabled()) {
          log.debug("Groups found for user [" + username + "]: " + groupNames);
        }

        Collection<String> rolesForGroups = getRoleNamesForGroups(groupNames);
        roleNames.addAll(rolesForGroups);
      }
    }
  }
}
    • 0