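/**
 * Waffle (https://github.com/dblock/waffle)
 *
 * Copyright (c) 2010 - 2015 Application Security, Inc.
 *
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * which accompanies this distribution, and is available at
 * http://www.eclipse.org/legal/epl-v10.html
 *
 * Contributors:
 *     Application Security, Inc.
 */
package waffle.shiro;

import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;

/**
 * A {@link org.apache.shiro.realm.Realm} that authenticates with Active Directory using WAFFLE and assigns roles to
 * users based on a mapping from their groups. To define permissions based on these roles, set a
 * {@link org.apache.shiro.authz.permission.RolePermissionResolver}.
 * <p>
 * Authorization model (what this class actually does):
 * <ul>
 * <li>Roles are derived <em>only</em> from the configured group-to-role map. With no mapping configured, no user
 * receives any role (fail closed).</li>
 * <li>Group names are matched by exact, case-sensitive {@link Map#get(Object)} lookup. A group whose configured
 * name differs in case or qualification from what the principal reports is silently ignored, i.e. the role is
 * withheld rather than granted.</li>
 * <li>Each group maps to at most one role; the same role may be reached from several groups.</li>
 * </ul>
 * The lookup keys are compared against {@code WaffleFqnPrincipal#getGroupFqns()}, so the map keys presumably have
 * to be fully qualified group names (e.g. {@code DOMAIN\Group}) -- confirm against {@code WaffleFqnPrincipal}.
 * <p>
 * NOTE(review): the backing map is a plain {@link HashMap}. {@link #setGroupRolesMap(Map)} is expected to be called
 * once at configuration time, before the realm serves requests; calling it concurrently with authorization could
 * expose a partially populated map.
 */
public class GroupMappingWaffleRealm extends AbstractWaffleRealm {

    /** Group name (as reported by the principal) to role name; exact-match keys, one role per group. */
    private final Map<String, String> groupRolesMap = new HashMap<String, String>();

    /**
     * Sets the translation from group names to role names, replacing any previous mapping. If not set, or set to
     * {@code null}, the map is empty, resulting in no users getting roles.
     *
     * @param value
     *            the group roles map to set; keys are group names (matched exactly), values are role names. A
     *            {@code null} value clears the mapping.
     */
    public void setGroupRolesMap(final Map<String, String> value) {
        // Replace, never merge: stale entries from an earlier configuration must not keep granting roles.
        this.groupRolesMap.clear();
        if (value != null) {
            this.groupRolesMap.putAll(value);
        }
    }

    /**
     * Translates group names to role names. This implementation uses the groupRolesMap to map group names to role
     * names; groups without a mapping contribute nothing, so an unexpected or unknown group can never grant a role.
     *
     * @param groupNames
     *            the group names that apply to the current user; {@code null} is treated as "no groups" and yields
     *            an empty result rather than an exception
     * @return a (possibly empty) set of distinct role names implied by the given group names
     * @see #setGroupRolesMap
     */
    protected Collection<String> getRoleNamesForGroups(final Collection<String> groupNames) {
        final Set<String> roleNames = new HashSet<String>();
        if (groupNames == null) {
            // Fail closed: no group information means no roles, not an NPE during authorization.
            return roleNames;
        }
        for (final String groupName : groupNames) {
            // Exact, case-sensitive lookup; a null value (or missing key) means the group grants no role.
            final String roleName = this.groupRolesMap.get(groupName);
            if (roleName != null) {
                roleNames.add(roleName);
            }
        }
        return roleNames;
    }

    /**
     * Builds an {@link AuthorizationInfo} object based on the user's groups. The groups are translated to role names
     * by using the configured groupRolesMap; no permissions are attached here, only roles.
     *
     * @param principal
     *            the principal of the Subject that is being authorized
     * @return the AuthorizationInfo for the given Subject principal, carrying only the mapped roles
     *
     * @see #setGroupRolesMap
     * @see #getRoleNamesForGroups
     */
    @Override
    protected AuthorizationInfo buildAuthorizationInfo(final WaffleFqnPrincipal principal) {
        final SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        authorizationInfo.addRoles(this.getRoleNamesForGroups(principal.getGroupFqns()));
        return authorizationInfo;
    }
}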