2 * Copyright (c) 2016 Brocade Communications Systems, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
9 package org.opendaylight.aaa.shiro.realm;
11 import org.apache.shiro.authc.AuthenticationException;
12 import org.apache.shiro.authc.AuthenticationInfo;
13 import org.apache.shiro.authc.AuthenticationToken;
14 import org.apache.shiro.realm.ldap.JndiLdapRealm;
15 import org.opendaylight.aaa.shiro.accounting.Accounter;
16 import org.slf4j.Logger;
17 import org.slf4j.LoggerFactory;
20 * Wrapper class for <code>org.apache.shiro.realm.ldap.JndiLdapRealm</code>.
 * This implementation disables Authorization: any user who can bind to LDAP is granted
 * access to every server resource, with no role or group check performed. It is intended
 * only for quickly prototyping ODL in a trusted environment and must not be deployed in
 * production; it lets you prototype without first resolving LDAP attributes (groups) to OpenDaylight
26 * The motivation for subclassing Shiro's implementation is two-fold: 1) Enhance
27 * the default logging of Shiro. This allows us to more easily log incoming
28 * connections, providing some security auditing. 2) Provide a common package in
29 * the classpath for ODL supported Realm implementations (i.e.,
30 * <code>org.opendaylight.aaa.shiro.realm</code>), which consolidates the number
31 * of <code>Import-Package</code> statements consumers need to enumerate. For
32 * example, the netconf project only needs to import
33 * <code>org.opendaylight.aaa.shiro.realm</code>, and does not need to worry
34 * about importing Shiro packages.
36 * @author Ryan Goulding (ryandgoulding@gmail.com)
39 public class ODLJndiLdapRealmAuthNOnly extends JndiLdapRealm {
41 private static final Logger LOG = LoggerFactory.getLogger(ODLJndiLdapRealmAuthNOnly.class);
43 private static final String LDAP_CONNECTION_MESSAGE = "AAA LDAP connection from ";
 * Adds debugging information surrounding creation of ODLJndiLdapRealmAuthNOnly.
public ODLJndiLdapRealmAuthNOnly() {
    super();
    // Trace realm instantiation so the active realm wiring is visible at DEBUG level.
    LOG.debug("Creating ODLJndiLdapRealmAuthNOnly");
}
53 * (non-Javadoc) Overridden to expose important audit trail information for
57 * org.apache.shiro.realm.ldap.JndiLdapRealm#doGetAuthenticationInfo(org
58 * .apache.shiro.authc.AuthenticationToken)
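@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {
    // The attempt is recorded *before* delegating to the LDAP bind, so the audit line
    // covers failed and successful logins alike, and the username it carries is still
    // unverified, caller-supplied input — treat it as an attempt record, not a success record.
    try {
        final String username = getUsername(token);
        logIncomingConnection(username);
        return super.doGetAuthenticationInfo(token);
    } catch (ClassCastException e) {
        // Raised by getUsername() when the principal is not a String (e.g. an X.509 token):
        // an LDAP bind needs a username, so this realm cannot service the request.
        LOG.info("Couldn't service the LDAP connection", e);
        // null means "no AuthenticationInfo from this realm"; Shiro then fails the login
        // unless another configured realm handles the token (confirm for the Shiro version in use).
        return null;
    }
}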
 * Logs an incoming LDAP authentication attempt for {@code username}. The record is written
 * before the credentials are verified, so on its own it does not indicate a successful login.
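protected void logIncomingConnection(final String username) {
    // The username is taken straight from a not-yet-authenticated token, i.e. it is
    // attacker-controlled. Neutralise line breaks before it reaches the audit record so a
    // crafted name cannot forge additional audit lines (log injection, CWE-117).
    final String safeUsername = username == null
            ? null
            : username.replace('\r', '_').replace('\n', '_');
    final String message = LDAP_CONNECTION_MESSAGE + safeUsername;
    Accounter.output(message);
}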
87 * Extracts the username from <code>token</code>
89 * @param token Which possibly contains a username
90 * @return the username if it can be extracted
91 * @throws ClassCastException
92 * The incoming token is not username/password (i.e., X.509
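public static String getUsername(AuthenticationToken token) throws ClassCastException {
    // A missing token has no principal to extract: report "no username" rather than NPE.
    if (token == null) {
        return null;
    }
    // Username/password style tokens carry a String principal; any other token type
    // (e.g. X.509) surfaces here as the ClassCastException documented above.
    return (String) token.getPrincipal();
}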