1   /**
2    * Waffle (https://github.com/dblock/waffle)
3    *
4    * Copyright (c) 2010 - 2015 Application Security, Inc.
5    *
6    * All rights reserved. This program and the accompanying materials
7    * are made available under the terms of the Eclipse Public License v1.0
8    * which accompanies this distribution, and is available at
9    * http://www.eclipse.org/legal/epl-v10.html
10   *
11   * Contributors:
12   *     Application Security, Inc.
13   */
14  package waffle.shiro;
15  
16  import java.util.Collection;
17  import java.util.HashMap;
18  import java.util.HashSet;
19  import java.util.Map;
20  import java.util.Set;
21  
22  import org.apache.shiro.authz.AuthorizationInfo;
23  import org.apache.shiro.authz.SimpleAuthorizationInfo;
24  
25  /**
26   * A {@link org.apache.shiro.realm.Realm} that authenticates with Active Directory using WAFFLE and assigns roles to
27   * users based on a mapping from their groups. To define permissions based on these roles, set a
28   * {@link org.apache.shiro.authz.permission.RolePermissionResolver}.
29   */
public class GroupMappingWaffleRealm extends AbstractWaffleRealm {

    /**
     * Translation table from group name (as delivered by {@link WaffleFqnPrincipal#getGroupFqns()}) to role name.
     * Replaced wholesale by {@link #setGroupRolesMap(Map)}; lookups are exact, case-sensitive string matches.
     * NOTE(review): plain HashMap with no synchronization — presumably populated once at configuration time,
     * before the realm starts serving authorization requests; confirm against the container wiring.
     */
    private final Map<String, String> groupRolesMap = new HashMap<String, String>();

    /**
     * Replaces the group-to-role translation table. Any previous mapping is discarded first; passing
     * {@code null} leaves the table empty, which means no user is granted any role.
     *
     * @param value
     *            the group roles map to copy from, or {@code null} to clear the mapping
     */
    public void setGroupRolesMap(final Map<String, String> value) {
        this.groupRolesMap.clear();
        if (value == null) {
            return;
        }
        this.groupRolesMap.putAll(value);
    }

    /**
     * Translates group names to role names using the configured group roles map. Groups without an entry in
     * the map contribute nothing (they are dropped silently), and several groups mapping to the same role
     * collapse into a single role name.
     *
     * @param groupNames
     *            the group names that apply to the current user; must not be {@code null}
     * @return the set of role names implied by the given group names, never {@code null}
     * @throws NullPointerException
     *             if {@code groupNames} is {@code null}
     * @see #setGroupRolesMap
     */
    protected Collection<String> getRoleNamesForGroups(final Collection<String> groupNames) {
        final Set<String> roles = new HashSet<String>();
        for (final String group : groupNames) {
            // Exact key match only; a group that is not in the table maps to no role.
            final String mapped = this.groupRolesMap.get(group);
            if (mapped == null) {
                continue;
            }
            roles.add(mapped);
        }
        return roles;
    }

    /**
     * Builds an {@link AuthorizationInfo} for the principal from its group memberships. Only roles are
     * assigned here; permissions must come from a configured RolePermissionResolver.
     *
     * @param principal
     *            the principal of the Subject that is being authorized
     * @return the AuthorizationInfo for the given Subject principal, carrying the mapped roles
     *
     * @see #setGroupRolesMap
     * @see #getRoleNamesForGroups
     */
    @Override
    protected AuthorizationInfo buildAuthorizationInfo(final WaffleFqnPrincipal principal) {
        final Collection<String> roles = this.getRoleNamesForGroups(principal.getGroupFqns());
        final SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRoles(roles);
        return info;
    }
}
86  }