
1   /**
2    * Originally contributed by eMation (www.emation.pt)
3    */
4   package org.itracker.services.authentication.adsson;
5   
import java.security.PrivilegedAction;
import java.util.Enumeration;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import org.apache.log4j.Logger;
import org.itracker.model.User;
22  
23  //TODO: Add Javadocs here
24  
25  /**
26   * 
27   * @author ricardo
28   */
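public class GetUserModelFromADPrivilegedAction implements PrivilegedAction<Object> {

    /** CN of the Active Directory group whose members are granted ITracker super-user rights. */
    private static final String ITRACKER_SUPER_USERS_GROUP = "ITracker Super Users";

    /**
     * LDAP search filter for the user entry. {0} is bound from the filterArgs of
     * DirContext.search, which escapes LDAP filter metacharacters in the login for us.
     */
    private static final String USER_FILTER = "(&(objectclass=user)(sAMAccountName={0}))";

    private final Logger logger;
    private final String login;
    private final String providerUrl;
    private final String baseBranch;

    /**
     * @param login       sAMAccountName to look up; caller-supplied, so treated as untrusted input
     * @param baseBranch  DN under which the subtree search for the user starts
     * @param providerUrl LDAP URL of the directory server (must use the fully qualified hostname)
     */
    public GetUserModelFromADPrivilegedAction(String login, String baseBranch, String providerUrl) {
        this.logger = Logger.getLogger(getClass());
        this.login = login;
        this.providerUrl = providerUrl;
        this.baseBranch = baseBranch;
    }

    /**
     * Looks the user up in Active Directory using the Kerberos credentials already
     * established for the calling Subject (GSSAPI).
     *
     * @return the populated {@link User}, or {@code null} when the directory lookup
     *         fails, the entry is missing, or it lacks the required attributes
     */
    public Object run() {
        try {
            return getUserInfo(login);
        } catch (NamingException e) {
            // keep the stack trace: the caller only ever sees null
            logger.error("A.D. lookup failed for " + login + ": " + e.getMessage(), e);
            return null;
        }
    }

    /**
     * Opens the LDAP context, searches for the user's entry and maps it onto a
     * {@link User}. The context is always closed, also on early return or exception.
     *
     * @param login sAMAccountName of the user
     * @return the user, or {@code null} when it cannot be found or lacks givenName/sn
     * @throws NamingException when the directory cannot be reached or searched
     */
    private User getUserInfo(String login) throws NamingException {
        if (login == null || login.length() == 0) {
            logger.error("No login given for A.D. lookup");
            return null;
        }
        DirContext ctx = createContext();
        try {
            Attributes attributes = findUserAttributes(ctx, login);
            if (attributes == null) {
                return null;
            }
            return buildUser(attributes, login);
        } finally {
            closeQuietly(ctx);
        }
    }

    /** Creates the initial LDAP context, authenticated with the established Kerberos credentials. */
    private DirContext createContext() throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Must use fully qualified hostname
        env.put(Context.PROVIDER_URL, providerUrl);
        // Request the use of the "GSSAPI" SASL mechanism:
        // authenticate by using already established Kerberos credentials
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        return new InitialDirContext(env);
    }

    /** Releases the LDAP connection; a failure to close is logged but never hides the lookup result. */
    private void closeQuietly(DirContext ctx) {
        try {
            ctx.close();
        } catch (NamingException e) {
            logger.warn("Could not close A.D. context", e);
        }
    }

    /**
     * Searches the subtree under baseBranch for the single entry matching the login.
     *
     * @return the entry's attributes, or {@code null} when A.D. has no entry for the login
     * @throws NamingException when the search itself fails
     */
    private Attributes findUserAttributes(DirContext ctx, String login) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setCountLimit(1);
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // The login is passed as a filter argument rather than concatenated into the
        // filter string, so LDAP filter metacharacters in it cannot alter the query.
        NamingEnumeration<SearchResult> answer =
                ctx.search(baseBranch, USER_FILTER, new Object[] { login }, sc);
        try {
            if (!answer.hasMoreElements()) {
                logger.error("A.D. had no info on " + login);
                return null;
            }
            SearchResult sr;
            try {
                sr = answer.next();
            } catch (PartialResultException e) {
                // a partial result is treated as "not found"
                logger.error("A.D. had no info on " + login);
                return null;
            }
            logger.info("A.D. had info on " + login);
            return sr.getAttributes();
        } finally {
            try {
                answer.close();
            } catch (NamingException e) {
                logger.debug("Could not close A.D. search result", e);
            }
        }
    }

    /**
     * Maps the directory entry's attributes onto a new {@link User}.
     *
     * @return the user, or {@code null} when givenName or sn is missing
     * @throws NamingException when an attribute value cannot be read
     */
    private User buildUser(Attributes attributes, String login) throws NamingException {
        // check that properties are present: active directory sometimes doesn't have "mail",
        // so only givenName and sn are mandatory
        if (attributes.get("givenName") == null || attributes.get("sn") == null) {
            logger.error("AD didn't return proper attributes. Check that it has at least [mail, givenName , sn]");
            return null;
        }
        String mail = firstValue(attributes, "mail");
        String firstName = firstValue(attributes, "givenName");
        String lastName = firstValue(attributes, "sn");
        logger.info("Got at least givenName and sn from A.D. for user " + login);

        // create user
        User user = new User();
        user.setEmail(mail);
        user.setFirstName(firstName);
        user.setLastName(lastName);
        user.setLogin(login);
        // "notused=" marks that no local password is kept for an A.D. user
        user.setPassword("notused=");
        // if user belongs to "ITracker Super Users" group make him a super user
        user.setSuperUser(isMemberOfSuperUsersGroup(attributes, login));

        if (user.isSuperUser()) {
            logger.info(login + " is a super user");
        } else {
            logger.info(login + " is not a super user");
        }
        return user;
    }

    /** First value of the named attribute as a String, or "" when the attribute is absent. */
    private static String firstValue(Attributes attributes, String name) throws NamingException {
        Attribute attribute = attributes.get(name);
        return attribute == null ? "" : (String) attribute.get();
    }

    /**
     * Checks the entry's memberOf values for the super-user group. memberOf is only
     * returned when the bound account is allowed to read other users' group membership.
     *
     * @return {@code true} when one of the memberOf DNs names the super-user group
     * @throws NamingException when the memberOf values cannot be enumerated
     */
    private boolean isMemberOfSuperUsersGroup(Attributes attributes, String login) throws NamingException {
        logger.info("About to check if user " + login + " is a super user");
        logger.debug("User attributes for user " + login + " " + attributes);
        Attribute memberOf = attributes.get("memberOf");
        if (memberOf == null) {
            logger.info("User attributes didn't contain memberOf...Looks like the A.D. user you specified in the adauth.properties properties file doesn't have enough permissions to check group membership for other users. Give that user enough privileges to read the memberOf attribute from A.D.");
            return false;
        }
        boolean superUser = false;
        for (Enumeration<?> groups = memberOf.getAll(); groups.hasMoreElements();) {
            String group = (String) groups.nextElement();
            logger.info(login + " belongs to NT Group " + group);
            if (isSuperUsersGroup(group)) {
                superUser = true;
                logger.info("User " + login + " was made an administrator ");
            }
        }
        return superUser;
    }

    /**
     * Matches the leading CN of a group DN exactly against ITRACKER_SUPER_USERS_GROUP.
     * A substring test would also accept any other group whose name merely contains
     * this text, which would grant super-user rights too broadly.
     *
     * @param groupDn one memberOf value, e.g. a DN starting with {@code CN=...}
     * @return {@code true} only for the super-user group itself
     */
    private boolean isSuperUsersGroup(String groupDn) {
        try {
            LdapName dn = new LdapName(groupDn);
            if (dn.isEmpty()) {
                return false;
            }
            // LdapName indexes RDNs right-to-left, so the leftmost "CN=..." is the last one
            Rdn leaf = dn.getRdn(dn.size() - 1);
            return "CN".equalsIgnoreCase(leaf.getType())
                    && ITRACKER_SUPER_USERS_GROUP.equals(String.valueOf(leaf.getValue()));
        } catch (InvalidNameException e) {
            logger.warn("Ignoring unparsable memberOf value " + groupDn, e);
            return false;
        }
    }
}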