Package org.apache.catalina.realm
Class JNDIRealm
- java.lang.Object
- 
- org.apache.catalina.util.LifecycleBase
- 
- org.apache.catalina.util.LifecycleMBeanBase
- 
- org.apache.catalina.realm.RealmBase
- 
- org.apache.catalina.realm.JNDIRealm
 
 
 
 
- 
- All Implemented Interfaces:
- javax.management.MBeanRegistration,- Contained,- GSSRealm,- JmxEnabled,- Lifecycle,- Realm
 
 public class JNDIRealm extends RealmBase Implementation of Realm that works with a directory server accessed via the Java Naming and Directory Interface (JNDI) APIs. The following constraints are imposed on the data structure in the underlying directory server: - Each user that can be authenticated is represented by an individual
     element in the top level DirContextthat is accessed via theconnectionURLproperty.
- If a socket connection cannot be made to the connectURLan attempt will be made to use thealternateURLif it exists.
- Each user element has a distinguished name that can be formed by
     substituting the presented username into a pattern configured by the
     userPatternproperty.
- Alternatively, if the userPatternproperty is not specified, a unique element can be located by searching the directory context. In this case:- The userSearchpattern specifies the search filter after substitution of the username.
- The userBaseproperty can be set to the element that is the base of the subtree containing users. If not specified, the search base is the top-level context.
- The userSubtreeproperty can be set totrueif you wish to search the entire subtree of the directory context. The default value offalserequests a search of only the current level.
 
- The 
- The user may be authenticated by binding to the directory with the
      username and password presented. This method is used when the
      userPasswordproperty is not specified.
- The user may be authenticated by retrieving the value of an attribute
     from the directory and comparing it explicitly with the value presented
     by the user. This method is used when the userPasswordproperty is specified, in which case:- The element for this user must contain an attribute named by the
         userPasswordproperty.
- The value of the user password attribute is either a cleartext
         String, or the result of passing a cleartext String through the
         RealmBase.digest()method (using the standard digest support included inRealmBase).
- The user is considered to be authenticated if the presented
         credentials (after being passed through
         RealmBase.digest()) are equal to the retrieved value for the user password attribute.
 
- The element for this user must contain an attribute named by the
         
- Each group of users that has been assigned a particular role may be
     represented by an individual element in the top level
     DirContextthat is accessed via theconnectionURLproperty. This element has the following characteristics:- The set of all possible groups of interest can be selected by a
         search pattern configured by the roleSearchproperty.
- The roleSearchpattern optionally includes pattern replacements "{0}" for the distinguished name, and/or "{1}" for the username, and/or "{2}" the value of an attribute from the user's directory entry (the attribute is specified by theuserRoleAttributeproperty), of the authenticated user for which roles will be retrieved.
- The roleBaseproperty can be set to the element that is the base of the search for matching roles. If not specified, the entire context will be searched.
- The roleSubtreeproperty can be set totrueif you wish to search the entire subtree of the directory context. The default value offalserequests a search of only the current level.
- The element includes an attribute (whose name is configured by
         the roleNameproperty) containing the name of the role represented by this element.
 
- The set of all possible groups of interest can be selected by a
         search pattern configured by the 
- In addition, roles may be represented by the values of an attribute
 in the user's element whose name is configured by the
 userRoleNameproperty.
- A default role can be assigned to each user that was successfully
 authenticated by setting the commonRoleproperty to the name of this role. The role doesn't have to exist in the directory.
- If the directory server contains nested roles, you can search for them
 by setting roleNestedtotrue. The default value isfalse, so role searches will not find nested roles.
- Note that the standard <security-role-ref>element in the web application deployment descriptor allows applications to refer to roles programmatically by names other than those used in the directory server itself.
 WARNING - There is a reported bug against the Netscape provider code (com.netscape.jndi.ldap.LdapContextFactory) with respect to successfully authenticated a non-existing user. The report is here: https://bz.apache.org/bugzilla/show_bug.cgi?id=11210 . With luck, Netscape has updated their provider code and this is not an issue. - Author:
- John Holman, Craig R. McClanahan
 
- 
- 
Nested Class SummaryNested Classes Modifier and Type Class Description protected static classJNDIRealm.JNDIConnectionClass holding the connection to the directory plus the associated non thread safe message formats.protected static classJNDIRealm.UserA protected class representing a User- 
Nested classes/interfaces inherited from class org.apache.catalina.realm.RealmBaseRealmBase.AllRolesMode
 - 
Nested classes/interfaces inherited from interface org.apache.catalina.LifecycleLifecycle.SingleUse
 
- 
 - 
Field SummaryFields Modifier and Type Field Description protected booleanadCompatShould we ignore PartialResultExceptions when iterating over NamingEnumerations?protected java.lang.StringalternateURLAn alternate URL, to which, we should connect if connectionURL fails.protected java.lang.StringauthenticationThe type of authentication to useprotected java.lang.StringcommonRoleAdd this role to every authenticated userprotected intconnectionAttemptThe number of connection attempts.protected java.lang.StringconnectionNameThe connection username for the server we will contact.protected java.lang.StringconnectionPasswordThe connection password for the server we will contact.protected SynchronizedStack<JNDIRealm.JNDIConnection>connectionPoolConnection pool.protected intconnectionPoolSizeThe pool size limit.protected java.lang.StringconnectionTimeoutThe timeout, in milliseconds, to use when trying to create a connection to the directory.protected java.lang.StringconnectionURLThe connection URL for the server we will contact.protected java.lang.StringcontextFactoryThe JNDI context factory used to acquire our InitialContext.static java.lang.StringDEREF_ALIASESConstant that holds the name of the environment property for specifying the manner in which aliases should be dereferenced.protected java.lang.StringderefAliasesHow aliases should be dereferenced during search operations.protected static java.lang.StringnameDeprecated.This will be removed in Tomcat 9 onwards.protected java.lang.StringprotocolThe protocol that will be used in the communication with the directory server.protected java.lang.StringreadTimeoutThe timeout, in milliseconds, to use when trying to read from a connection to the directory.protected java.lang.StringreferralsHow should we handle referrals?protected java.lang.StringroleBaseThe base element for role searches.protected java.lang.StringroleNameThe name of the attribute containing roles held elsewhereprotected booleanroleNestedShould we look for nested group in order to determine roles?protected java.lang.StringroleSearchThe message format used to select roles for a user, with "{0}" marking the spot where the distinguished name of the user goes.protected booleanroleSearchAsUserWhen searching for user roles, should the search be performed as the user currently being authenticated?protected booleanroleSubtreeShould we search the entire subtree for matching memberships?protected JNDIRealm.JNDIConnectionsingleConnectionNon pooled connection to our directory server.protected java.util.concurrent.locks.LocksingleConnectionLockThe lock to ensure single connection thread safety.protected longsizeLimitThe sizeLimit (also known as the countLimit) to use when the realm is configured withuserSearch.protected java.lang.StringspnegoDelegationQopThe QOP that should be used for the connection to the LDAP server after authentication.protected inttimeLimitThe timeLimit (in milliseconds) to use when the realm is configured withuserSearch.protected booleanuseContextClassLoaderWhether to use context ClassLoader or default ClassLoader.protected booleanuseDelegatedCredentialShould delegated credentials from the SPNEGO authenticator be used if availableprotected java.lang.StringuserBaseThe base element for user searches.protected java.lang.StringuserPasswordThe attribute name used to retrieve the user password.protected java.lang.StringuserPatternThe message format used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.protected java.lang.String[]userPatternArrayA string of LDAP user patterns or paths, ":"-separated These will be used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.protected java.lang.StringuserRoleAttributeThe name of the attribute inside the users directory entry where the value will be taken to search for roles This attribute is not used during a nested searchprotected java.lang.StringuserRoleNameThe name of an attribute in the user's entry containing roles for that userprotected java.lang.StringuserSearchThe message format used to search for a user, with "{0}" marking the spot where the username goes.protected booleanuserSubtreeShould we search the entire subtree for matching users?- 
Fields inherited from class org.apache.catalina.realm.RealmBaseallRolesMode, container, containerLog, realmPath, sm, stripRealmForGss, support, validate, x509UsernameRetriever, x509UsernameRetrieverClassName
 - 
Fields inherited from class org.apache.catalina.util.LifecycleMBeanBasemserver
 - 
Fields inherited from interface org.apache.catalina.LifecycleAFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
 
- 
 - 
Constructor SummaryConstructors Constructor Description JNDIRealm()
 - 
Method SummaryAll Methods Static Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description java.security.Principalauthenticate(java.lang.String username)Return the Principal associated with the specified username, if there is one; otherwise returnnull.java.security.Principalauthenticate(java.lang.String username, java.lang.String credentials)Return the Principal associated with the specified username and credentials, if there is one; otherwise returnnull.java.security.Principalauthenticate(java.lang.String username, java.lang.String clientDigest, java.lang.String nonce, java.lang.String nc, java.lang.String cnonce, java.lang.String qop, java.lang.String realm, java.lang.String md5a2)Try to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 2617 (which is a superset of RFC 2069).java.security.Principalauthenticate(java.security.cert.X509Certificate[] certs)Return the Principal associated with the specified chain of X509 client certificates.java.security.Principalauthenticate(JNDIRealm.JNDIConnection connection, java.lang.String username, java.lang.String credentials)Return the Principal associated with the specified username and credentials, if there is one; otherwise returnnull.java.security.Principalauthenticate(org.ietf.jgss.GSSContext gssContext, boolean storeCred)Try to authenticate using aGSSContextjava.security.Principalauthenticate(org.ietf.jgss.GSSName gssName, org.ietf.jgss.GSSCredential gssCredential)Try to authenticate using aGSSNameprotected booleanbindAsUser(javax.naming.directory.DirContext context, JNDIRealm.User user, java.lang.String credentials)Check credentials by binding to the directory as the userprotected booleancheckCredentials(javax.naming.directory.DirContext context, JNDIRealm.User user, java.lang.String credentials)Check whether the given User can be authenticated with the given credentials.protected voidclose(JNDIRealm.JNDIConnection connection)Close any open connection to the directory server for this Realm.protected voidclosePooledConnections()Close all pooled connections.protected booleancompareCredentials(javax.naming.directory.DirContext context, JNDIRealm.User info, java.lang.String credentials)Check whether the credentials presented by the user match those retrieved from the directory.protected static java.lang.StringconvertToHexEscape(java.lang.String input)protected JNDIRealm.JNDIConnectioncreate()Create a new connection wrapper, along with the message formats.protected java.lang.StringdoAttributeValueEscaping(java.lang.String input)Implements the necessary escaping to represent an attribute value as a String as per RFC 4514.protected java.lang.StringdoFilterEscaping(java.lang.String inString)Given an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines.protected java.lang.StringdoRFC2254Encoding(java.lang.String inString)Deprecated.Will be removed in Tomcat 10.1.x onwardsprotected JNDIRealm.JNDIConnectionget()Open (if necessary) and return a connection to the configured directory server for this Realm.booleangetAdCompat()java.lang.StringgetAlternateURL()Getter for property alternateURL.java.lang.StringgetAuthentication()java.lang.StringgetCommonRole()java.lang.StringgetConnectionName()java.lang.StringgetConnectionPassword()intgetConnectionPoolSize()java.lang.StringgetConnectionTimeout()java.lang.StringgetConnectionURL()java.lang.StringgetContextFactory()java.lang.StringgetDerefAliases()protected java.util.Hashtable<java.lang.String,java.lang.String>getDirectoryContextEnvironment()Create our directory context configuration.protected java.lang.StringgetDistinguishedName(javax.naming.directory.DirContext context, java.lang.String base, javax.naming.directory.SearchResult result)Returns the distinguished name of a search result.booleangetForceDnHexEscape()javax.net.ssl.HostnameVerifiergetHostnameVerifier()java.lang.StringgetHostnameVerifierClassName()protected java.lang.StringgetName()Deprecated.protected java.lang.StringgetPassword(java.lang.String username)Get the password for the specified user.protected java.security.PrincipalgetPrincipal(java.lang.String username)Get the principal associated with the specified certificate.protected java.security.PrincipalgetPrincipal(java.lang.String username, org.ietf.jgss.GSSCredential gssCredential)Get the principal associated with the specified user name.protected java.security.PrincipalgetPrincipal(JNDIRealm.JNDIConnection connection, java.lang.String username, org.ietf.jgss.GSSCredential gssCredential)Get the principal associated with the specified certificate.protected java.security.PrincipalgetPrincipal(org.ietf.jgss.GSSName gssName, org.ietf.jgss.GSSCredential gssCredential)Get the principal associated with the specifiedGSSName.java.lang.StringgetProtocol()java.lang.StringgetReadTimeout()java.lang.StringgetReferrals()java.lang.StringgetRoleBase()java.lang.StringgetRoleName()booleangetRoleNested()protected java.util.List<java.lang.String>getRoles(JNDIRealm.JNDIConnection connection, JNDIRealm.User user)Return a List of roles associated with the given User.java.lang.StringgetRoleSearch()booleangetRoleSubtree()longgetSizeLimit()java.lang.StringgetSpnegoDelegationQop()intgetTimeLimit()protected JNDIRealm.UsergetUser(JNDIRealm.JNDIConnection connection, java.lang.String username)Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.protected JNDIRealm.UsergetUser(JNDIRealm.JNDIConnection connection, java.lang.String username, java.lang.String credentials)Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.protected JNDIRealm.UsergetUser(JNDIRealm.JNDIConnection connection, java.lang.String username, java.lang.String credentials, int curUserPattern)Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.java.lang.StringgetUserBase()protected JNDIRealm.UsergetUserByPattern(javax.naming.directory.DirContext context, java.lang.String username, java.lang.String[] attrIds, java.lang.String dn)Use the distinguished name to locate the directory entry for the user with the specified username and return a User object; otherwise returnnull.protected JNDIRealm.UsergetUserByPattern(JNDIRealm.JNDIConnection connection, java.lang.String username, java.lang.String credentials, java.lang.String[] attrIds, int curUserPattern)Use theUserPatternconfiguration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise returnnull.protected JNDIRealm.UsergetUserBySearch(JNDIRealm.JNDIConnection connection, java.lang.String username, java.lang.String[] attrIds)Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.java.lang.StringgetUserPassword()java.lang.StringgetUserPattern()java.lang.StringgetUserRoleAttribute()java.lang.StringgetUserRoleName()java.lang.StringgetUserSearch()booleangetUserSubtree()booleangetUseStartTls()booleanisAvailable()Return the availability of the realm for authentication.booleanisRoleSearchAsUser()booleanisUseContextClassLoader()Returns whether to use the context or default ClassLoader.booleanisUseDelegatedCredential()booleanisUserSearchAsUser()protected voidopen(JNDIRealm.JNDIConnection connection)Create a new connection to the directory server.protected java.lang.String[]parseUserPatternString(java.lang.String userPatternString)Given a string containing LDAP patterns for user locations (separated by parentheses in a pseudo-LDAP search string format - "(location1)(location2)", returns an array of those paths.protected voidrelease(JNDIRealm.JNDIConnection connection)Release our use of this connection so that it can be recycled.voidsetAdCompat(boolean adCompat)How do we handle PartialResultExceptions?voidsetAlternateURL(java.lang.String alternateURL)Setter for property alternateURL.voidsetAuthentication(java.lang.String authentication)Set the type of authentication to use.voidsetCipherSuites(java.lang.String suites)Set the allowed cipher suites when opening a connection using StartTLS.voidsetCommonRole(java.lang.String commonRole)Set the common rolevoidsetConnectionName(java.lang.String connectionName)Set the connection username for this Realm.voidsetConnectionPassword(java.lang.String connectionPassword)Set the connection password for this Realm.voidsetConnectionPoolSize(int connectionPoolSize)Set the connection pool sizevoidsetConnectionTimeout(java.lang.String timeout)Set the connection timeout.voidsetConnectionURL(java.lang.String connectionURL)Set the connection URL for this Realm.voidsetContextFactory(java.lang.String contextFactory)Set the JNDI context factory for this Realm.voidsetDerefAliases(java.lang.String derefAliases)Set the value for derefAliases to be used when searching the directory.voidsetForceDnHexEscape(boolean forceDnHexEscape)voidsetHostnameVerifierClassName(java.lang.String verifierClassName)Set theHostnameVerifierto be used when opening connections using StartTLS.voidsetProtocol(java.lang.String protocol)Set the protocol for this Realm.voidsetReadTimeout(java.lang.String timeout)Set the read timeout.voidsetReferrals(java.lang.String referrals)How do we handle JNDI referrals?voidsetRoleBase(java.lang.String roleBase)Set the base element for role searches.voidsetRoleName(java.lang.String roleName)Set the role name attribute name for this Realm.voidsetRoleNested(boolean roleNested)Set the "search subtree for roles" flag.voidsetRoleSearch(java.lang.String roleSearch)Set the message format pattern for selecting roles in this Realm.voidsetRoleSearchAsUser(boolean roleSearchAsUser)voidsetRoleSubtree(boolean roleSubtree)Set the "search subtree for roles" flag.voidsetSizeLimit(long sizeLimit)voidsetSpnegoDelegationQop(java.lang.String spnegoDelegationQop)voidsetSslProtocol(java.lang.String protocol)Set the ssl protocol to be used for connections using StartTLS.voidsetSslSocketFactoryClassName(java.lang.String factoryClassName)Set theSSLSocketFactoryto be used when opening connections using StartTLS.voidsetTimeLimit(int timeLimit)voidsetUseContextClassLoader(boolean useContext)Sets whether to use the context or default ClassLoader.voidsetUseDelegatedCredential(boolean useDelegatedCredential)voidsetUserBase(java.lang.String userBase)Set the base element for user searches.voidsetUserPassword(java.lang.String userPassword)Set the password attribute used to retrieve the user password.voidsetUserPattern(java.lang.String userPattern)Set the message format pattern for selecting users in this Realm.voidsetUserRoleAttribute(java.lang.String userRoleAttribute)voidsetUserRoleName(java.lang.String userRoleName)Set the user role name attribute name for this Realm.voidsetUserSearch(java.lang.String userSearch)Set the message format pattern for selecting users in this Realm.voidsetUserSearchAsUser(boolean userSearchAsUser)voidsetUserSubtree(boolean userSubtree)Set the "search subtree for users" flag.voidsetUseStartTls(boolean useStartTls)Flag whether StartTLS should be used when connecting to the ldap serverprotected voidstartInternal()Prepare for the beginning of active use of the public methods of this component and implement the requirements ofLifecycleBase.startInternal().protected voidstopInternal()Gracefully terminate the active use of the public methods of this component and implement the requirements ofLifecycleBase.stopInternal().- 
Methods inherited from class org.apache.catalina.realm.RealmBaseaddPropertyChangeListener, backgroundProcess, Digest, findSecurityConstraints, getAllRolesMode, getContainer, getCredentialHandler, getDigest, getDomainInternal, getObjectNameKeyProperties, getPrincipal, getRealmPath, getRealmSuffix, getRoles, getServer, getTransportGuaranteeRedirectStatus, getValidate, getX509UsernameRetrieverClassName, hasMessageDigest, hasResourcePermission, hasRole, hasRoleInternal, hasUserDataPermission, initInternal, isStripRealmForGss, main, removePropertyChangeListener, setAllRolesMode, setContainer, setCredentialHandler, setRealmPath, setStripRealmForGss, setTransportGuaranteeRedirectStatus, setValidate, setX509UsernameRetrieverClassName, toString
 - 
Methods inherited from class org.apache.catalina.util.LifecycleMBeanBasedestroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister
 - 
Methods inherited from class org.apache.catalina.util.LifecycleBaseaddLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
 
- 
 
- 
- 
- 
Field Detail- 
authenticationprotected java.lang.String authentication The type of authentication to use
 - 
connectionNameprotected java.lang.String connectionName The connection username for the server we will contact.
 - 
connectionPasswordprotected java.lang.String connectionPassword The connection password for the server we will contact.
 - 
connectionURLprotected java.lang.String connectionURL The connection URL for the server we will contact.
 - 
contextFactoryprotected java.lang.String contextFactory The JNDI context factory used to acquire our InitialContext. By default, assumes use of an LDAP server using the standard JNDI LDAP provider.
 - 
derefAliasesprotected java.lang.String derefAliases How aliases should be dereferenced during search operations.
 - 
DEREF_ALIASESpublic static final java.lang.String DEREF_ALIASES Constant that holds the name of the environment property for specifying the manner in which aliases should be dereferenced.- See Also:
- Constant Field Values
 
 - 
name@Deprecated protected static final java.lang.String name Deprecated.This will be removed in Tomcat 9 onwards.Descriptive information about this Realm implementation.- See Also:
- Constant Field Values
 
 - 
protocolprotected java.lang.String protocol The protocol that will be used in the communication with the directory server.
 - 
adCompatprotected boolean adCompat Should we ignore PartialResultExceptions when iterating over NamingEnumerations? Microsoft Active Directory often returns referrals, which lead to PartialResultExceptions. Unfortunately there's no stable way to detect, if the Exceptions really come from an AD referral. Set to true to ignore PartialResultExceptions.
 - 
referralsprotected java.lang.String referrals How should we handle referrals? Microsoft Active Directory often returns referrals. If you need to follow them set referrals to "follow". Caution: if your DNS is not part of AD, the LDAP client lib might try to resolve your domain name in DNS to find another LDAP server.
 - 
userBaseprotected java.lang.String userBase The base element for user searches.
 - 
userSearchprotected java.lang.String userSearch The message format used to search for a user, with "{0}" marking the spot where the username goes.
 - 
userSubtreeprotected boolean userSubtree Should we search the entire subtree for matching users?
 - 
userPasswordprotected java.lang.String userPassword The attribute name used to retrieve the user password.
 - 
userRoleAttributeprotected java.lang.String userRoleAttribute The name of the attribute inside the users directory entry where the value will be taken to search for roles This attribute is not used during a nested search
 - 
userPatternArrayprotected java.lang.String[] userPatternArray A string of LDAP user patterns or paths, ":"-separated These will be used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes. This is similar to userPattern, but allows for multiple searches for a user.
 - 
userPatternprotected java.lang.String userPattern The message format used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.
 - 
roleBaseprotected java.lang.String roleBase The base element for role searches.
 - 
userRoleNameprotected java.lang.String userRoleName The name of an attribute in the user's entry containing roles for that user
 - 
roleNameprotected java.lang.String roleName The name of the attribute containing roles held elsewhere
 - 
roleSearchprotected java.lang.String roleSearch The message format used to select roles for a user, with "{0}" marking the spot where the distinguished name of the user goes. The "{1}" and "{2}" are described in the Configuration Reference.
 - 
roleSubtreeprotected boolean roleSubtree Should we search the entire subtree for matching memberships?
 - 
roleNestedprotected boolean roleNested Should we look for nested group in order to determine roles?
 - 
roleSearchAsUserprotected boolean roleSearchAsUser When searching for user roles, should the search be performed as the user currently being authenticated? If false,connectionNameandconnectionPasswordwill be used if specified, else an anonymous connection will be used.
 - 
alternateURLprotected java.lang.String alternateURL An alternate URL, to which, we should connect if connectionURL fails.
 - 
connectionAttemptprotected int connectionAttempt The number of connection attempts. If greater than zero we use the alternate url.
 - 
commonRoleprotected java.lang.String commonRole Add this role to every authenticated user
 - 
connectionTimeoutprotected java.lang.String connectionTimeout The timeout, in milliseconds, to use when trying to create a connection to the directory. The default is 5000 (5 seconds).
 - 
readTimeoutprotected java.lang.String readTimeout The timeout, in milliseconds, to use when trying to read from a connection to the directory. The default is 5000 (5 seconds).
 - 
sizeLimitprotected long sizeLimit The sizeLimit (also known as the countLimit) to use when the realm is configured withuserSearch. Zero for no limit.
 - 
timeLimitprotected int timeLimit The timeLimit (in milliseconds) to use when the realm is configured withuserSearch. Zero for no limit.
 - 
useDelegatedCredentialprotected boolean useDelegatedCredential Should delegated credentials from the SPNEGO authenticator be used if available
 - 
spnegoDelegationQopprotected java.lang.String spnegoDelegationQop The QOP that should be used for the connection to the LDAP server after authentication. This value is used to set thejavax.security.sasl.qopenvironment property for the LDAP connection.
 - 
singleConnectionprotected JNDIRealm.JNDIConnection singleConnection Non pooled connection to our directory server.
 - 
singleConnectionLockprotected final java.util.concurrent.locks.Lock singleConnectionLock The lock to ensure single connection thread safety.
 - 
connectionPoolprotected SynchronizedStack<JNDIRealm.JNDIConnection> connectionPool Connection pool.
 - 
connectionPoolSizeprotected int connectionPoolSize The pool size limit. If 1, pooling is not used.
 - 
useContextClassLoaderprotected boolean useContextClassLoader Whether to use context ClassLoader or default ClassLoader. True means use context ClassLoader, and True is the default value.
 
- 
 - 
Method Detail- 
getForceDnHexEscapepublic boolean getForceDnHexEscape() 
 - 
setForceDnHexEscapepublic void setForceDnHexEscape(boolean forceDnHexEscape) 
 - 
getAuthenticationpublic java.lang.String getAuthentication() - Returns:
- the type of authentication to use.
 
 - 
setAuthenticationpublic void setAuthentication(java.lang.String authentication) Set the type of authentication to use.- Parameters:
- authentication- The authentication
 
 - 
getConnectionNamepublic java.lang.String getConnectionName() - Returns:
- the connection username for this Realm.
 
 - 
setConnectionNamepublic void setConnectionName(java.lang.String connectionName) Set the connection username for this Realm.- Parameters:
- connectionName- The new connection username
 
 - 
getConnectionPasswordpublic java.lang.String getConnectionPassword() - Returns:
- the connection password for this Realm.
 
 - 
setConnectionPasswordpublic void setConnectionPassword(java.lang.String connectionPassword) Set the connection password for this Realm.- Parameters:
- connectionPassword- The new connection password
 
 - 
getConnectionURLpublic java.lang.String getConnectionURL() - Returns:
- the connection URL for this Realm.
 
 - 
setConnectionURLpublic void setConnectionURL(java.lang.String connectionURL) Set the connection URL for this Realm.- Parameters:
- connectionURL- The new connection URL
 
 - 
getContextFactorypublic java.lang.String getContextFactory() - Returns:
- the JNDI context factory for this Realm.
 
 - 
setContextFactorypublic void setContextFactory(java.lang.String contextFactory) Set the JNDI context factory for this Realm.- Parameters:
- contextFactory- The new context factory
 
 - 
getDerefAliasespublic java.lang.String getDerefAliases() - Returns:
- the derefAliases setting to be used.
 
 - 
setDerefAliasespublic void setDerefAliases(java.lang.String derefAliases) Set the value for derefAliases to be used when searching the directory.- Parameters:
- derefAliases- New value of property derefAliases.
 
 - 
getProtocolpublic java.lang.String getProtocol() - Returns:
- the protocol to be used.
 
 - 
setProtocolpublic void setProtocol(java.lang.String protocol) Set the protocol for this Realm.- Parameters:
- protocol- The new protocol.
 
 - 
getAdCompatpublic boolean getAdCompat() - Returns:
- the current settings for handling PartialResultExceptions
 
 - 
setAdCompatpublic void setAdCompat(boolean adCompat) How do we handle PartialResultExceptions? True: ignore all PartialResultExceptions.- Parameters:
- adCompat-- trueto ignore partial results
 
 - 
getReferralspublic java.lang.String getReferrals() - Returns:
- the current settings for handling JNDI referrals.
 
 - 
setReferralspublic void setReferrals(java.lang.String referrals) How do we handle JNDI referrals? ignore, follow, or throw (see javax.naming.Context.REFERRAL for more information).- Parameters:
- referrals- The referral handling
 
 - 
getUserBasepublic java.lang.String getUserBase() - Returns:
- the base element for user searches.
 
 - 
setUserBasepublic void setUserBase(java.lang.String userBase) Set the base element for user searches.- Parameters:
- userBase- The new base element
 
 - 
getUserSearchpublic java.lang.String getUserSearch() - Returns:
- the message format pattern for selecting users in this Realm.
 
 - 
setUserSearchpublic void setUserSearch(java.lang.String userSearch) Set the message format pattern for selecting users in this Realm.- Parameters:
- userSearch- The new user search pattern
 
 - 
isUserSearchAsUserpublic boolean isUserSearchAsUser() 
 - 
setUserSearchAsUserpublic void setUserSearchAsUser(boolean userSearchAsUser) 
 - 
getUserSubtreepublic boolean getUserSubtree() - Returns:
- the "search subtree for users" flag.
 
 - 
setUserSubtreepublic void setUserSubtree(boolean userSubtree) Set the "search subtree for users" flag.- Parameters:
- userSubtree- The new search flag
 
 - 
getUserRoleNamepublic java.lang.String getUserRoleName() - Returns:
- the user role name attribute name for this Realm.
 
 - 
setUserRoleNamepublic void setUserRoleName(java.lang.String userRoleName) Set the user role name attribute name for this Realm.- Parameters:
- userRoleName- The new userRole name attribute name
 
 - 
getRoleBasepublic java.lang.String getRoleBase() - Returns:
- the base element for role searches.
 
 - 
setRoleBasepublic void setRoleBase(java.lang.String roleBase) Set the base element for role searches.- Parameters:
- roleBase- The new base element
 
 - 
getRoleNamepublic java.lang.String getRoleName() - Returns:
- the role name attribute name for this Realm.
 
 - 
setRoleNamepublic void setRoleName(java.lang.String roleName) Set the role name attribute name for this Realm.- Parameters:
- roleName- The new role name attribute name
 
 - 
getRoleSearchpublic java.lang.String getRoleSearch() - Returns:
- the message format pattern for selecting roles in this Realm.
 
 - 
setRoleSearchpublic void setRoleSearch(java.lang.String roleSearch) Set the message format pattern for selecting roles in this Realm.- Parameters:
- roleSearch- The new role search pattern
 
 - 
isRoleSearchAsUserpublic boolean isRoleSearchAsUser() 
 - 
setRoleSearchAsUserpublic void setRoleSearchAsUser(boolean roleSearchAsUser) 
 - 
getRoleSubtreepublic boolean getRoleSubtree() - Returns:
- the "search subtree for roles" flag.
 
 - 
setRoleSubtreepublic void setRoleSubtree(boolean roleSubtree) Set the "search subtree for roles" flag.- Parameters:
- roleSubtree- The new search flag
 
 - 
getRoleNestedpublic boolean getRoleNested() - Returns:
- the "The nested group search flag" flag.
 
 - 
setRoleNestedpublic void setRoleNested(boolean roleNested) Set the "search subtree for roles" flag.- Parameters:
- roleNested- The nested group search flag
 
 - 
getUserPasswordpublic java.lang.String getUserPassword() - Returns:
- the password attribute used to retrieve the user password.
 
 - 
setUserPasswordpublic void setUserPassword(java.lang.String userPassword) Set the password attribute used to retrieve the user password.- Parameters:
- userPassword- The new password attribute
 
 - 
getUserRoleAttributepublic java.lang.String getUserRoleAttribute() 
 - 
setUserRoleAttributepublic void setUserRoleAttribute(java.lang.String userRoleAttribute) 
 - 
getUserPatternpublic java.lang.String getUserPattern() - Returns:
- the message format pattern for selecting users in this Realm.
 
 - 
setUserPatternpublic void setUserPattern(java.lang.String userPattern) Set the message format pattern for selecting users in this Realm. This may be one simple pattern, or multiple patterns to be tried, separated by parentheses. (for example, either "cn={0}", or "(cn={0})(cn={0},o=myorg)" Full LDAP search strings are also supported, but only the "OR", "|" syntax, so "(|(cn={0})(cn={0},o=myorg))" is also valid. Complex search strings with &, etc are NOT supported.- Parameters:
- userPattern- The new user pattern
 
 - 
getAlternateURLpublic java.lang.String getAlternateURL() Getter for property alternateURL.- Returns:
- Value of property alternateURL.
 
 - 
setAlternateURLpublic void setAlternateURL(java.lang.String alternateURL) Setter for property alternateURL.- Parameters:
- alternateURL- New value of property alternateURL.
 
 - 
getCommonRolepublic java.lang.String getCommonRole() - Returns:
- the common role
 
 - 
setCommonRolepublic void setCommonRole(java.lang.String commonRole) Set the common role- Parameters:
- commonRole- The common role
 
 - 
getConnectionTimeoutpublic java.lang.String getConnectionTimeout() - Returns:
- the connection timeout.
 
 - 
setConnectionTimeoutpublic void setConnectionTimeout(java.lang.String timeout) Set the connection timeout.- Parameters:
- timeout- The new connection timeout
 
 - 
getReadTimeoutpublic java.lang.String getReadTimeout() - Returns:
- the read timeout.
 
 - 
setReadTimeoutpublic void setReadTimeout(java.lang.String timeout) Set the read timeout.- Parameters:
- timeout- The new read timeout
 
 - 
getSizeLimitpublic long getSizeLimit() 
 - 
setSizeLimitpublic void setSizeLimit(long sizeLimit) 
 - 
getTimeLimitpublic int getTimeLimit() 
 - 
setTimeLimitpublic void setTimeLimit(int timeLimit) 
 - 
isUseDelegatedCredentialpublic boolean isUseDelegatedCredential() 
 - 
setUseDelegatedCredentialpublic void setUseDelegatedCredential(boolean useDelegatedCredential) 
 - 
getSpnegoDelegationQoppublic java.lang.String getSpnegoDelegationQop() 
 - 
setSpnegoDelegationQoppublic void setSpnegoDelegationQop(java.lang.String spnegoDelegationQop) 
 - 
getUseStartTlspublic boolean getUseStartTls() - Returns:
- flag whether to use StartTLS for connections to the ldap server
 
 - 
setUseStartTlspublic void setUseStartTls(boolean useStartTls) Flag whether StartTLS should be used when connecting to the ldap server- Parameters:
- useStartTls-- truewhen StartTLS should be used. Default is- false.
 
 - 
setCipherSuitespublic void setCipherSuites(java.lang.String suites) Set the allowed cipher suites when opening a connection using StartTLS. The cipher suites are expected as a comma separated list.- Parameters:
- suites- comma separated list of allowed cipher suites
 
 - 
getConnectionPoolSizepublic int getConnectionPoolSize() - Returns:
- the connection pool size, or the default value 1 if pooling is disabled
 
 - 
setConnectionPoolSizepublic void setConnectionPoolSize(int connectionPoolSize) Set the connection pool size- Parameters:
- connectionPoolSize- the new pool size
 
 - 
getHostnameVerifierClassNamepublic java.lang.String getHostnameVerifierClassName() - Returns:
- name of the HostnameVerifierclass used for connections using StartTLS, or the empty string, if the default verifier should be used.
 
 - 
setHostnameVerifierClassNamepublic void setHostnameVerifierClassName(java.lang.String verifierClassName) Set theHostnameVerifierto be used when opening connections using StartTLS. An instance of the given class name will be constructed using the default constructor.- Parameters:
- verifierClassName- class name of the- HostnameVerifierto be constructed
 
 - 
getHostnameVerifierpublic javax.net.ssl.HostnameVerifier getHostnameVerifier() - Returns:
- the HostnameVerifierto use for peer certificate verification when opening connections using StartTLS.
 
 - 
setSslSocketFactoryClassNamepublic void setSslSocketFactoryClassName(java.lang.String factoryClassName) Set theSSLSocketFactoryto be used when opening connections using StartTLS. An instance of the factory with the given name will be created using the default constructor. The SSLSocketFactory can also be set usingsetSslProtocol(String).- Parameters:
- factoryClassName- class name of the factory to be constructed
 
 - 
setSslProtocolpublic void setSslProtocol(java.lang.String protocol) Set the ssl protocol to be used for connections using StartTLS.- Parameters:
- protocol- one of the allowed ssl protocol names
 
 - 
setUseContextClassLoaderpublic void setUseContextClassLoader(boolean useContext) Sets whether to use the context or default ClassLoader. True means use context ClassLoader.- Parameters:
- useContext- True means use context ClassLoader
 
 - 
isUseContextClassLoaderpublic boolean isUseContextClassLoader() Returns whether to use the context or default ClassLoader. True means to use the context ClassLoader.- Returns:
- The value of useContextClassLoader
 
 - 
authenticatepublic java.security.Principal authenticate(java.lang.String username, java.lang.String credentials)Return the Principal associated with the specified username and credentials, if there is one; otherwise returnnull. If there are any errors with the JDBC connection, executing the query or anything we return null (don't authenticate). This event is also logged, and the connection will be closed so that a subsequent request will automatically re-open it.- Specified by:
- authenticatein interface- Realm
- Overrides:
- authenticatein class- RealmBase
- Parameters:
- username- Username of the Principal to look up
- credentials- Password or other credentials to use in authenticating this username
- Returns:
- the associated principal, or nullif there is none.
 
 - 
authenticatepublic java.security.Principal authenticate(JNDIRealm.JNDIConnection connection, java.lang.String username, java.lang.String credentials) throws javax.naming.NamingException Return the Principal associated with the specified username and credentials, if there is one; otherwise returnnull.- Parameters:
- connection- The directory context
- username- Username of the Principal to look up
- credentials- Password or other credentials to use in authenticating this username
- Returns:
- the associated principal, or nullif there is none.
- Throws:
- javax.naming.NamingException- if a directory server error occurs
 
 - 
authenticatepublic java.security.Principal authenticate(java.lang.String username) Description copied from class:RealmBaseReturn the Principal associated with the specified username, if there is one; otherwise returnnull.- Specified by:
- authenticatein interface- Realm
- Overrides:
- authenticatein class- RealmBase
- Parameters:
- username- Username of the Principal to look up
- Returns:
- the associated principal, or nullif none is associated.
 
 - 
authenticatepublic java.security.Principal authenticate(java.lang.String username, java.lang.String clientDigest, java.lang.String nonce, java.lang.String nc, java.lang.String cnonce, java.lang.String qop, java.lang.String realm, java.lang.String md5a2)Description copied from class:RealmBaseTry to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 2617 (which is a superset of RFC 2069).- Specified by:
- authenticatein interface- Realm
- Overrides:
- authenticatein class- RealmBase
- Parameters:
- username- Username of the Principal to look up
- clientDigest- Digest which has been submitted by the client
- nonce- Unique (or supposedly unique) token which has been used for this request
- nc- the nonce counter
- cnonce- the client chosen nonce
- qop- the "quality of protection" (- ncand- cnoncewill only be used, if- qopis not- null).
- realm- Realm name
- md5a2- Second MD5 digest used to calculate the digest : MD5(Method + ":" + uri)
- Returns:
- the associated principal, or nullif there is none.
 
 - 
authenticatepublic java.security.Principal authenticate(java.security.cert.X509Certificate[] certs) Description copied from class:RealmBaseReturn the Principal associated with the specified chain of X509 client certificates. If there is none, returnnull.- Specified by:
- authenticatein interface- Realm
- Overrides:
- authenticatein class- RealmBase
- Parameters:
- certs- Array of client certificates, with the first one in the array being the certificate of the client itself.
- Returns:
- the associated principal, or nullif there is none
 
 - 
authenticatepublic java.security.Principal authenticate(org.ietf.jgss.GSSContext gssContext, boolean storeCred)Description copied from class:RealmBaseTry to authenticate using aGSSContext- Specified by:
- authenticatein interface- Realm
- Overrides:
- authenticatein class- RealmBase
- Parameters:
- gssContext- The gssContext processed by the- Authenticator.
- storeCred- Should the realm attempt to store the delegated credentials in the returned Principal?
- Returns:
- the associated principal, or nullif there is none
 
 - 
authenticatepublic java.security.Principal authenticate(org.ietf.jgss.GSSName gssName, org.ietf.jgss.GSSCredential gssCredential)Description copied from class:RealmBaseTry to authenticate using aGSSName- Specified by:
- authenticatein interface- GSSRealm
- Overrides:
- authenticatein class- RealmBase
- Parameters:
- gssName- The- GSSNameof the principal to look up
- gssCredential- The- GSSCredentialof the principal, may be- null
- Returns:
- the associated principal, or nullif there is none
 
 - 
getUserprotected JNDIRealm.User getUser(JNDIRealm.JNDIConnection connection, java.lang.String username) throws javax.naming.NamingException Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.- Parameters:
- connection- The directory context
- username- Username to be looked up
- Returns:
- the User object
- Throws:
- javax.naming.NamingException- if a directory server error occurs
- See Also:
- getUser(JNDIConnection, String, String, int)
 
 - 
getUserprotected JNDIRealm.User getUser(JNDIRealm.JNDIConnection connection, java.lang.String username, java.lang.String credentials) throws javax.naming.NamingException Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.- Parameters:
- connection- The directory context
- username- Username to be looked up
- credentials- User credentials (optional)
- Returns:
- the User object
- Throws:
- javax.naming.NamingException- if a directory server error occurs
- See Also:
- getUser(JNDIConnection, String, String, int)
 
 - 
getUserprotected JNDIRealm.User getUser(JNDIRealm.JNDIConnection connection, java.lang.String username, java.lang.String credentials, int curUserPattern) throws javax.naming.NamingException Return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull. If theuserPasswordconfiguration attribute is specified, the value of that attribute is retrieved from the user's directory entry. If theuserRoleNameconfiguration attribute is specified, all values of that attribute are retrieved from the directory entry.- Parameters:
- connection- The directory context
- username- Username to be looked up
- credentials- User credentials (optional)
- curUserPattern- Index into userPatternFormatArray
- Returns:
- the User object
- Throws:
- javax.naming.NamingException- if a directory server error occurs
 
 - 
getUserByPatternprotected JNDIRealm.User getUserByPattern(javax.naming.directory.DirContext context, java.lang.String username, java.lang.String[] attrIds, java.lang.String dn) throws javax.naming.NamingException Use the distinguished name to locate the directory entry for the user with the specified username and return a User object; otherwise returnnull.- Parameters:
- context- The directory context
- username- The username
- attrIds- String[]containing names of attributes to
- dn- Distinguished name of the user retrieve.
- Returns:
- the User object
- Throws:
- javax.naming.NamingException- if a directory server error occurs
 
 - 
getUserByPatternprotected JNDIRealm.User getUserByPattern(JNDIRealm.JNDIConnection connection, java.lang.String username, java.lang.String credentials, java.lang.String[] attrIds, int curUserPattern) throws javax.naming.NamingException Use theUserPatternconfiguration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise returnnull.- Parameters:
- connection- The directory context
- username- The username
- credentials- User credentials (optional)
- attrIds- String[]containing names of attributes to
- curUserPattern- Index into userPatternFormatArray
- Returns:
- the User object
- Throws:
- javax.naming.NamingException- if a directory server error occurs
- See Also:
- getUserByPattern(DirContext, String, String[], String)
 
 - 
getUserBySearchprotected JNDIRealm.User getUserBySearch(JNDIRealm.JNDIConnection connection, java.lang.String username, java.lang.String[] attrIds) throws javax.naming.NamingException Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise returnnull.- Parameters:
- connection- The directory context
- username- The username
- attrIds- String[]containing names of attributes to retrieve.
- Returns:
- the User object
- Throws:
- javax.naming.NamingException- if a directory server error occurs
 
 - 
checkCredentialsprotected boolean checkCredentials(javax.naming.directory.DirContext context, JNDIRealm.User user, java.lang.String credentials) throws javax.naming.NamingExceptionCheck whether the given User can be authenticated with the given credentials. If theuserPasswordconfiguration attribute is specified, the credentials previously retrieved from the directory are compared explicitly with those presented by the user. Otherwise the presented credentials are checked by binding to the directory as the user.- Parameters:
- context- The directory context
- user- The User to be authenticated
- credentials- The credentials presented by the user
- Returns:
- trueif the credentials are validated
- Throws:
- javax.naming.NamingException- if a directory server error occurs
 
 - 
compareCredentialsprotected boolean compareCredentials(javax.naming.directory.DirContext context, JNDIRealm.User info, java.lang.String credentials) throws javax.naming.NamingExceptionCheck whether the credentials presented by the user match those retrieved from the directory.- Parameters:
- context- The directory context
- info- The User to be authenticated
- credentials- Authentication credentials
- Returns:
- trueif the credentials are validated
- Throws:
- javax.naming.NamingException- if a directory server error occurs
 
 - 
bindAsUserprotected boolean bindAsUser(javax.naming.directory.DirContext context, JNDIRealm.User user, java.lang.String credentials) throws javax.naming.NamingExceptionCheck credentials by binding to the directory as the user- Parameters:
- context- The directory context
- user- The User to be authenticated
- credentials- Authentication credentials
- Returns:
- trueif the credentials are validated
- Throws:
- javax.naming.NamingException- if a directory server error occurs
 
 - 
getRolesprotected java.util.List<java.lang.String> getRoles(JNDIRealm.JNDIConnection connection, JNDIRealm.User user) throws javax.naming.NamingException Return a List of roles associated with the given User. Any roles present in the user's directory entry are supplemented by a directory search. If no roles are associated with this user, a zero-length List is returned.- Parameters:
- connection- The directory context we are searching
- user- The User to be checked
- Returns:
- the list of role names
- Throws:
- javax.naming.NamingException- if a directory server error occurs
 
 - 
closeprotected void close(JNDIRealm.JNDIConnection connection) Close any open connection to the directory server for this Realm.- Parameters:
- connection- The directory context to be closed
 
 - 
closePooledConnectionsprotected void closePooledConnections() Close all pooled connections.
 - 
getName@Deprecated protected java.lang.String getName() Deprecated.
 - 
getPasswordprotected java.lang.String getPassword(java.lang.String username) Get the password for the specified user.- Specified by:
- getPasswordin class- RealmBase
- Parameters:
- username- The user name
- Returns:
- the password associated with the given principal's user name.
 
 - 
getPrincipalprotected java.security.Principal getPrincipal(java.lang.String username) Get the principal associated with the specified certificate.- Specified by:
- getPrincipalin class- RealmBase
- Parameters:
- username- The user name
- Returns:
- the Principal associated with the given certificate.
 
 - 
getPrincipalprotected java.security.Principal getPrincipal(org.ietf.jgss.GSSName gssName, org.ietf.jgss.GSSCredential gssCredential)Description copied from class:RealmBaseGet the principal associated with the specifiedGSSName.- Overrides:
- getPrincipalin class- RealmBase
- Parameters:
- gssName- The GSS name
- gssCredential- the GSS credential of the principal
- Returns:
- the principal associated with the given user name.
 
 - 
getPrincipalprotected java.security.Principal getPrincipal(java.lang.String username, org.ietf.jgss.GSSCredential gssCredential)Description copied from class:RealmBaseGet the principal associated with the specified user name.- Overrides:
- getPrincipalin class- RealmBase
- Parameters:
- username- The user name
- gssCredential- the GSS credential of the principal
- Returns:
- the principal associated with the given user name.
 
 - 
getPrincipalprotected java.security.Principal getPrincipal(JNDIRealm.JNDIConnection connection, java.lang.String username, org.ietf.jgss.GSSCredential gssCredential) throws javax.naming.NamingException Get the principal associated with the specified certificate.- Parameters:
- connection- The directory context
- username- The user name
- gssCredential- The credentials
- Returns:
- the Principal associated with the given certificate.
- Throws:
- javax.naming.NamingException- if a directory server error occurs
 
 - 
getprotected JNDIRealm.JNDIConnection get() throws javax.naming.NamingException Open (if necessary) and return a connection to the configured directory server for this Realm.- Returns:
- the connection
- Throws:
- javax.naming.NamingException- if a directory server error occurs
 
 - 
releaseprotected void release(JNDIRealm.JNDIConnection connection) Release our use of this connection so that it can be recycled.- Parameters:
- connection- The directory context to release
 
 - 
createprotected JNDIRealm.JNDIConnection create() Create a new connection wrapper, along with the message formats.- Returns:
- the new connection
 
 - 
openprotected void open(JNDIRealm.JNDIConnection connection) throws javax.naming.NamingException Create a new connection to the directory server.- Parameters:
- connection- The directory server connection wrapper
- Throws:
- javax.naming.NamingException- if a directory server error occurs
 
 - 
isAvailablepublic boolean isAvailable() Description copied from interface:RealmReturn the availability of the realm for authentication.- Specified by:
- isAvailablein interface- Realm
- Overrides:
- isAvailablein class- RealmBase
- Returns:
- trueif the realm is able to perform authentication
 
 - 
getDirectoryContextEnvironmentprotected java.util.Hashtable<java.lang.String,java.lang.String> getDirectoryContextEnvironment() Create our directory context configuration.- Returns:
- java.util.Hashtable the configuration for the directory context.
 
 - 
startInternalprotected void startInternal() throws LifecycleExceptionPrepare for the beginning of active use of the public methods of this component and implement the requirements ofLifecycleBase.startInternal().- Overrides:
- startInternalin class- RealmBase
- Throws:
- LifecycleException- if this component detects a fatal error that prevents this component from being used
 
 - 
stopInternalprotected void stopInternal() throws LifecycleExceptionGracefully terminate the active use of the public methods of this component and implement the requirements ofLifecycleBase.stopInternal().- Overrides:
- stopInternalin class- RealmBase
- Throws:
- LifecycleException- if this component detects a fatal error that needs to be reported
 
 - 
parseUserPatternStringprotected java.lang.String[] parseUserPatternString(java.lang.String userPatternString) Given a string containing LDAP patterns for user locations (separated by parentheses in a pseudo-LDAP search string format - "(location1)(location2)", returns an array of those paths. Real LDAP search strings are supported as well (though only the "|" "OR" type).- Parameters:
- userPatternString- - a string LDAP search paths surrounded by parentheses
- Returns:
- a parsed string array
 
 - 
doRFC2254Encoding@Deprecated protected java.lang.String doRFC2254Encoding(java.lang.String inString) Deprecated.Will be removed in Tomcat 10.1.x onwardsGiven an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines. The character mapping is as follows: char -> Replacement --------------------------- * -> \2a ( -> \28 ) -> \29 \ -> \5c \0 -> \00- Parameters:
- inString- string to escape according to RFC 2254 guidelines
- Returns:
- String the escaped/encoded result
 
 - 
doFilterEscapingprotected java.lang.String doFilterEscaping(java.lang.String inString) Given an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines. The character mapping is as follows: char -> Replacement --------------------------- * -> \2a ( -> \28 ) -> \29 \ -> \5c \0 -> \00- Parameters:
- inString- string to escape according to RFC 2254 guidelines
- Returns:
- String the escaped/encoded result
 
 - 
getDistinguishedNameprotected java.lang.String getDistinguishedName(javax.naming.directory.DirContext context, java.lang.String base, javax.naming.directory.SearchResult result) throws javax.naming.NamingExceptionReturns the distinguished name of a search result.- Parameters:
- context- Our DirContext
- base- The base DN
- result- The search result
- Returns:
- String containing the distinguished name
- Throws:
- javax.naming.NamingException- if a directory server error occurs
 
 - 
doAttributeValueEscapingprotected java.lang.String doAttributeValueEscaping(java.lang.String input) Implements the necessary escaping to represent an attribute value as a String as per RFC 4514.- Parameters:
- input- The original attribute value
- Returns:
- The string representation of the attribute value
 
 - 
convertToHexEscapeprotected static java.lang.String convertToHexEscape(java.lang.String input) 
 
- 
 
-