I wrote some java code using javax.naming.directory to authenticate a user in AD using ldap, that code working fine as I'm expecting. But the same code i need to implement using Spring ldap api. Any one can help on these.
To Initialize
private void setDefaultInitialContext() throws Exception
{
LOG.debug("Setting default initail context");
try
{
this.moLdapEnv.put(JAVA_NAMING_FACTORY_INITIAL, COM_SUN_JNDI_LDAP_LDAP_CTX_FACTORY);
this.moLdapEnv.put(JAVA_NAMING_PROVIDER_URL, PropertiesReader.getLdapProperty(LDAP_URL) + ":" + PropertiesReader.getLdapProperty(LDAP_PORT));
this.moLdapEnv.put(JAVA_NAMING_SECURITY_AUTHENTICATION, PropertiesReader.getLdapProperty(LDAP_AUTHTYPE));
this.moLdapEnv.put(JAVA_NAMING_SECURITY_PRINCIPAL, PropertiesReader.getLdapProperty(LDAP_BIND_USER_DN));
this.moLdapEnv.put(JAVA_NAMING_SECURITY_CREDENTIALS, PropertiesReader.getLdapProperty(LDAP_PASSWORD));
this.moLdapContext = new InitialDirContext(this.moLdapEnv);
LOG.debug("Default initail context is set");
} catch (Exception exception)
{
LOG.error("An Exception occurred LdapDao setting default initial context :" + exception.getMessage(), exception);
throw exception;
}
}
Authenticate:
public Boolean authenticate(String asUsername, String asUserPassword) throws Exception
{
NamingEnumeration<SearchResult> results = null;
Boolean liAuthResult = Boolean.FALSE;
try
{
setDefaultInitialContext();
SearchControls controls = new SearchControls();
controls.setSearchScope(2);
results = this.moLdapContext.search(PropertiesReader.getLdapProperty(LDAP_SEARCH_BASE_DN),
"(&(objectclass=person)(sAMAccountName=" + asUsername + ")(memberOf=" + PropertiesReader.getLdapProperty(LDAP_GROUP_DN) + "))",
controls);
if (null != results && results.hasMore())
{
SearchResult searchResult = (SearchResult) results.next();
if (null != searchResult)
{
moAttributes = searchResult.getAttributes();
Attribute userDnAttr = moAttributes.get(DISTINGUISHED_NAME);
String userDn = (String) userDnAttr.get();
this.moLdapContext.close();
this.moLdapEnv.put(JAVA_NAMING_SECURITY_PRINCIPAL, userDn);
this.moLdapEnv.put(JAVA_NAMING_SECURITY_CREDENTIALS, asUserPassword);
this.moLdapEnv.put(COM_SUN_JNDI_LDAP_CONNECT_POOL, FALSE);
this.moLdapContext = new InitialDirContext(this.moLdapEnv);
liAuthResult = Boolean.TRUE;
}
LOG.debug("User Authenticated successfully");
}
} catch (NamingException exception)
{
throw exception;
} catch (Exception exception)
{
throw exception;
} finally
{
closeAllResources(results);
}
return liAuthResult;
}
There's a separate chapter on authentication in the Spring LDAP reference manual. If you have specific questions feel free to ask.
Please note that for authentication/authorization purposes you really should look into Spring Security (which in turn uses Spring LDAP under the covers).
Related
I want to change Web Application's class loader order to PARENT_LAST using WebSphere Java Administration API.
Enterprise Applications > MyAppEAR > Manage Modules > MyApp.war
How to get the attribute to set using ConfigService.
Tried the below code which threw
java.lang.ClassCastException: java.util.ArrayList cannot be cast to javax.management.AttributeList
at com.kony.admin.deployment.websphere.KonyWebsphereDeployer.updateArtifact(KonyWebsphereDeployer.java:1854)
AttributeList clList = (AttributeList) configService.getAttribute (session, appDeplID, "modules");
ConfigServiceHelper.setAttributeValue (clList, "classloaderMode", "PARENT_LAST");
attrList.add (new Attribute ("modules", clList));
Thanks,
Kusuma
Below is the solution
private void updateArtifactConfig(String appName, DeploymentConfig dc)
throws DeploymentException {
Session session = new Session();
try {
ObjectName[] classLoadersId = configService.resolve(session,
"Deployment=" + appName + "\":ApplicationDeployment:WebModuleDeployment:");
AttributeList attrList = new AttributeList();
AttributeList clList = (AttributeList)configService.getAttribute(session, classLoadersId[0],
"classloader");
ConfigServiceHelper.setAttributeValue(clList, "mode",
"PARENT_LAST");
attrList.add(new Attribute("classloader", clList));
configService.setAttributes(session, classLoadersId[0], attrList);
configService.save(session, true);
} catch (Exception ex) {
LOGGER.error("Not able to update " + appName, ex);
} finally {
try {
configService.discard(session);
} catch (ConfigServiceException csEx) {
LOGGER.error("Not able to discard updateArtifact " + appName + " session", csEx);
} catch (ConnectorException cnEx) {
throw new DeploymentException("Unable to connect to IBM WebSphere Application Server # "
+ dc.getHostname() + ":" + dc.getPort());
}
}
}
I am using spring Application and my gigaspace is connecting at startup. I am not getting any exception, if gigaspace is down.
#Override
public void onContextRefreshed(ContextRefreshedEvent event) {
String gigaSpaceURL = null;
LOGGER.info("({}) initializing gigaspaces client", getName());
try {
initGSProxy();
Iterator<Map.Entry<ConfiguredSpace, Space>> entries = spaces.entrySet().iterator();
while (entries.hasNext()) {
Map.Entry<ConfiguredSpace, Space> entry = entries.next();
LOGGER.info("({}) initialing space- key=" +
entry.getKey() + ", value = " + entry.getValue(),
getName());
// TODO : Need to verify Boolean Value Input
gigaspace.createSpace(entry.getKey().name(),
entry.getValue().getURL(), false);
gigaSpaceURL = entry.getValue().getURL();
}
} catch (Exception e) {
return;
}
GenericUtil.updateLogLevel("INFO",
"com.renovite.ripps.ap.gs.Spaces");
LOGGER.info("\n************************************\nConnected with Gigaspace successfully:URL:" + gigaSpaceURL
+ "\n************************************\n");
GenericUtil.updateLogLevel("ERROR",
"com.renovite.ripps.ap.gs.Spaces");
}
Take reference of Gigaspace by using getGigaSpace() method which takes spacekey as an argument.If it throw exception at run time, it means application is not able to connect with specified Gigaspace url.
Or more elegant way, In your Gigaspace proxy class (which actually implements IGigaspace) override the getGigaSpace() method such that it will return null if connection is not possible.
/** The spaces. */
private transient Map spaces = new HashMap<>();
#Override
public GigaSpace getGigaSpace(String spaceKey) {
if(spaces.get(spaceKey) != null){
return spaces.get(spaceKey).getGigaSpace();
}
return null;
}
spaces is a Map of all urls that are registered with Gigapsace.If no one is registered, we are returning null in the above method.
Is it possible to create Group and User in AEM6.2 by using Jackrabbit User Manager API with permissions.
I have just followed below URL's but the code is throwing some exception :
https://helpx.adobe.com/experience-manager/using/jackrabbit-users.html
https://stackoverflow.com/questions/38259047/how-to-give-permission-all-in-aem-through-programatically
ResourceResolverFactory getServiceResourceResolver throws Exception in AEM 6.1
As getAdministrativeResourceResolver(Map) method is deprecated then how can we use getServiceResourceResolver(Map) method instead.
Sharing my solution which will be helpful for others.
Following is the code using getServiceResourceResolver(Map) method for creating Group first and then User and then add user into group with ACL privileges and permission:
public void createGroupUser(SlingHttpServletRequest request) {
String userName = request.getParameter("userName");
String password = request.getParameter("password");
String groupName = request.getParameter("groupName");
Session session = null;
ResourceResolver resourceResolver = null;
try {
Map<String, Object> param = new HashMap<String, Object>();
param.put(ResourceResolverFactory.SUBSERVICE, "datawrite");
resourceResolver = resourceResolverFactory.getServiceResourceResolver(param);
session = resourceResolver.adaptTo(Session.class);
// Create UserManager Object
final UserManager userManager = AccessControlUtil.getUserManager(session);
// Create a Group
Group group = null;
if (userManager.getAuthorizable(groupName) == null) {
group = userManager.createGroup(groupName);
ValueFactory valueFactory = session.getValueFactory();
Value groupNameValue = valueFactory.createValue(groupName, PropertyType.STRING);
group.setProperty("./profile/givenName", groupNameValue);
session.save();
log.info("---> {} Group successfully created.", group.getID());
} else {
log.info("---> Group already exist..");
}
// Create a User
User user = null;
if (userManager.getAuthorizable(userName) == null) {
user = userManager.createUser(userName, password);
ValueFactory valueFactory = session.getValueFactory();
Value firstNameValue = valueFactory.createValue("Arpit", PropertyType.STRING);
user.setProperty("./profile/givenName", firstNameValue);
Value lastNameValue = valueFactory.createValue("Bora", PropertyType.STRING);
user.setProperty("./profile/familyName", lastNameValue);
Value emailValue = valueFactory.createValue("arpit.p.bora#gmail.com", PropertyType.STRING);
user.setProperty("./profile/email", emailValue);
session.save();
// Add User to Group
Group addUserToGroup = (Group) (userManager.getAuthorizable(groupName));
addUserToGroup.addMember(userManager.getAuthorizable(userName));
session.save();
// set Resource-based ACLs
String nodePath = user.getPath();
setAclPrivileges(nodePath, session);
log.info("---> {} User successfully created and added into group.", user.getID());
} else {
log.info("---> User already exist..");
}
} catch (Exception e) {
log.info("---> Not able to perform User Management..");
log.info("---> Exception.." + e.getMessage());
} finally {
if (session != null && session.isLive()) {
session.logout();
}
if (resourceResolver != null)
resourceResolver.close();
}
}
public static void setAclPrivileges(String path, Session session) {
try {
AccessControlManager aMgr = session.getAccessControlManager();
// create a privilege set
Privilege[] privileges = new Privilege[] {
aMgr.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
aMgr.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
aMgr.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
aMgr.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT),
aMgr.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT),
aMgr.privilegeFromName(Replicator.REPLICATE_PRIVILEGE) };
AccessControlList acl;
try {
// get first applicable policy (for nodes w/o a policy)
acl = (AccessControlList) aMgr.getApplicablePolicies(path).nextAccessControlPolicy();
} catch (NoSuchElementException e) {
// else node already has a policy, get that one
acl = (AccessControlList) aMgr.getPolicies(path)[0];
}
// remove all existing entries
for (AccessControlEntry e : acl.getAccessControlEntries()) {
acl.removeAccessControlEntry(e);
}
// add a new one for the special "everyone" principal
acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privileges);
// the policy must be re-set
aMgr.setPolicy(path, acl);
// and the session must be saved for the changes to be applied
session.save();
} catch (Exception e) {
log.info("---> Not able to perform ACL Privileges..");
log.info("---> Exception.." + e.getMessage());
}
}
In code "datawrite" is a service mapping which is mapped with system user in "Apache Sling Service User Mapper Service" which is configurable in the OSGI configuration admin interface.
For more detail about system user check link - How to Create System User in AEM?
I am providing this code direcly from a training of an official Adobe channel, and it is based on AEM 6.1. So I assume this might be the best practice.
private void modifyPermissions() {
Session adminSession = null;
try{
adminSession = repository.loginService(null, repository.getDefaultWorkspace());
UserManager userMgr= ((org.apache.jackrabbit.api.JackrabbitSession)adminSession).getUserManager();
AccessControlManager accessControlManager = adminSession.getAccessControlManager();
Authorizable denyAccess = userMgr.getAuthorizable("deny-access");
AccessControlPolicyIterator policyIterator =
accessControlManager.getApplicablePolicies(CONTENT_GEOMETRIXX_FR);
AccessControlList acl;
try{
acl=(JackrabbitAccessControlList) policyIterator.nextAccessControlPolicy();
}catch(NoSuchElementException nse){
acl=(JackrabbitAccessControlList) accessControlManager.getPolicies(CONTENT_GEOMETRIXX_FR)[0];
}
Privilege[] privileges = {accessControlManager.privilegeFromName(Privilege.JCR_READ)};
acl.addAccessControlEntry(denyAccess.getPrincipal(), privileges);
accessControlManager.setPolicy(CONTENT_GEOMETRIXX_FR, acl);
adminSession.save();
}catch (RepositoryException e){
LOGGER.error("**************************Repo Exception", e);
}finally{
if (adminSession != null)
adminSession.logout();
}
i need to give group permission in AEM by use programatically instead of ALL i need only give permission [Replicate] and [Edit] and [Create]
My Codes Here :-
privileges = new Privilege[] {accCtrlMgr.privilegeFromName(Privilege.JCR_ALL)};
Instead of [ Privilege.JCR_ALL ] i want only [Replicate] and [Edit] and [Create]
I hope this code is helpful.
public static void setCreateEditReplicateAcl(final String aGroupPrincipal, String aPath, final UserManagementService aUserManagementService, final Session aSession) {
try {
UserManager userManager = aUserManagementService.getUserManager(aSession);
AccessControlManager accessControlManager = aSession.getAccessControlManager();
Authorizable group = userManager.getAuthorizable(aGroupPrincipal);
Privilege[] privileges = {
accessControlManager.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
accessControlManager.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
accessControlManager.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
accessControlManager.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT),
accessControlManager.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT),
accessControlManager.privilegeFromName(Replicator.REPLICATE_PRIVILEGE)
};
AccessControlList aclList;
try {
aclList = (AccessControlList) accessControlManager.getApplicablePolicies(aPath).nextAccessControlPolicy();
} catch (NoSuchElementException e) {
aclList = (AccessControlList) accessControlManager.getPolicies(aPath)[0];
}
aclList.addAccessControlEntry(group.getPrincipal(), privileges);
accessControlManager.setPolicy(aPath, aclList);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
If you are setting the acl with the ui, it creates the following privileges:
jcr:versionManagement, jcr:modifyProperties, jcr:addChildNodes, crx:replicate, jcr:lockManagement, jcr:nodeTypeManagement
I think this are the privileges you need.
The JCR API package javax.jcr.security covers the authorization part, ie. what a certain user is allowed to do with the repository, but not UserManagement, which is provided by Jackrabbit as an implementation-specific feature.
Below is the code sample for giving Resource-based ACLs to a specific node/path:
public static void setAclPrivileges(String path, Session session) {
try {
AccessControlManager aMgr = session.getAccessControlManager();
// create privilege set
Privilege[] privileges = new Privilege[] {
aMgr.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
aMgr.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
aMgr.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
aMgr.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT),
aMgr.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT),
aMgr.privilegeFromName(Replicator.REPLICATE_PRIVILEGE) };
AccessControlList acl;
try {
// get first applicable policy (for nodes w/o a policy)
acl = (AccessControlList) aMgr.getApplicablePolicies(path).nextAccessControlPolicy();
} catch (NoSuchElementException e) {
// else node already has a policy, get that one
acl = (AccessControlList) aMgr.getPolicies(path)[0];
}
// remove all existing entries
for (AccessControlEntry e : acl.getAccessControlEntries()) {
acl.removeAccessControlEntry(e);
}
// add a new one for the special "everyone" principal
acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privileges);
// the policy must be re-set
aMgr.setPolicy(path, acl);
// and the session must be saved for the changes to be applied
session.save();
} catch (Exception e) {
log.info("---> Not able to perform ACL Privileges..");
log.info("---> Exception.." + e.getMessage());
}
}
Check Apache Jackrabbit AccessControl for more details.
Could any one please give me a link of a good tutorial that could give me an idea how i could build a XACMLObject using openSAML2 api from the policie file ?
Thanks
I haven't use OpenSAML library for this purpose. But I have used for some other purpose which involved XACML requests and responses. Following may help you to get an idea. It is creating a XACMLRequest from a String.
private String extractXACMLRequest(String decisionQuery) throws Exception {
RequestType xacmlRequest = null;
doBootstrap();
String queryString = null;
XACMLAuthzDecisionQueryType xacmlAuthzDecisionQuery;
try {
xacmlAuthzDecisionQuery = (XACMLAuthzDecisionQueryType) unmarshall(decisionQuery);
//Access the XACML request only if Issuer and the Signature are valid.
if (validateIssuer(xacmlAuthzDecisionQuery.getIssuer())) {
if (validateSignature(xacmlAuthzDecisionQuery.getSignature())) {
xacmlRequest = xacmlAuthzDecisionQuery.getRequest();
} else {
log.debug("The submitted signature is not valid!");
}
} else {
log.debug("The submitted issuer is not valid!");
}
if (xacmlRequest != null) {
queryString = marshall(xacmlRequest);
queryString = queryString.replace("<?xml version=\"1.0\" encoding=\"UTF-8\"?>", "").replace("\n", "");
}
return queryString;
} catch (Exception e) {
log.error("Error unmarshalling the XACMLAuthzDecisionQuery.", e);
throw new Exception("Error unmarshalling the XACMLAuthzDecisionQuery.", e);
}
}
You want to use sunXACML or JAXB to marshall / unmarshall XACML policies not openSAML2.