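/*
 * MIT License
 *
 * Copyright (c) 2010-2022 The Waffle Project Contributors: https://github.com/Waffle/waffle/graphs/contributors
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
package waffle.shiro;

import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;

/**
 * A {@link org.apache.shiro.realm.Realm} that authenticates with Active Directory using WAFFLE and assigns roles to
 * users based on a mapping from their groups. To define permissions based on these roles, set a
 * {@link org.apache.shiro.authz.permission.RolePermissionResolver}.
 * <p>
 * Authorization is deny-by-default: a group that has no entry in the configured group-to-role map contributes no role,
 * and a user whose groups are all unmapped ends up with an empty role set.
 */
public class GroupMappingWaffleRealm extends AbstractWaffleRealm {

    /**
     * Group name to role name map. Lookups are plain {@link Map#get} calls, i.e. an exact, case-sensitive string match
     * on the group name; a group whose spelling differs from the configured key yields no role.
     */
    private final Map<String, String> groupRolesMap = new HashMap<>();

    /**
     * Sets the translation from group names to role names. If not set, the map is empty, resulting in no users getting
     * roles.
     * <p>
     * The entries are copied into this realm's own map, so later changes to the caller's map have no effect here.
     * Passing {@code null} clears the mapping.
     *
     * @param value
     *            the group roles map to set
     */
    public void setGroupRolesMap(final Map<String, String> value) {
        // Always start from an empty map so that stale entries from a previous configuration cannot linger.
        this.groupRolesMap.clear();
        if (value != null) {
            this.groupRolesMap.putAll(value);
        }
    }

    /**
     * Translates group names to role names. This implementation uses the groupRolesMap to map group names to role
     * names; groups without a mapping are ignored.
     *
     * @param groupNames
     *            the group names that apply to the current user; {@code null} is treated as no groups
     *
     * @return a mutable collection of roles that are implied by the given group names, empty if none map
     *
     * @see #setGroupRolesMap
     */
    protected Collection<String> getRoleNamesForGroups(final Collection<String> groupNames) {
        final Set<String> roleNames = new HashSet<>();
        // A principal with no group information should simply get no roles rather than fail with an NPE.
        if (groupNames == null) {
            return roleNames;
        }
        for (final String groupName : groupNames) {
            final String roleName = this.groupRolesMap.get(groupName);
            if (roleName != null) {
                roleNames.add(roleName);
            }
        }
        return roleNames;
    }

    /**
     * Builds an {@link AuthorizationInfo} object based on the user's groups. The groups are translated to role names
     * by using the configured groupRolesMap.
     *
     * @param principal
     *            the principal of Subject that is being authorized
     *
     * @return the AuthorizationInfo for the given Subject principal
     *
     * @see #setGroupRolesMap
     * @see #getRoleNamesForGroups
     */
    @Override
    protected AuthorizationInfo buildAuthorizationInfo(final WaffleFqnPrincipal principal) {
        final SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        // getGroupFqns() is provided by WaffleFqnPrincipal; presumably the group FQNs from the Windows token — see
        // that class for the exact naming format, which must match the keys configured in setGroupRolesMap.
        authorizationInfo.addRoles(this.getRoleNamesForGroups(principal.getGroupFqns()));
        return authorizationInfo;
    }

}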