GrouperWS权限验证
本文介绍了一种通过GrouperWS服务获取用户所属组信息,并据此判断服务访问权限的方法。该方法首先从GrouperWS获取用户的所有组成员资格,然后将这些信息整合到CAS属性中以决定是否允许服务访问。
import edu.internet2.middleware.grouperClient.ws.beans.WsGroup; //导入依赖的package包/类
@Override
public boolean doPrincipalAttributesAllowServiceAccess(final String principal, final Map principalAttributes) {
final Map allAttributes = new HashMap<>(principalAttributes);
final List grouperGroups = new ArrayList<>();
final WsGetGroupsResult[] results;
try {
final GcGetGroups groupsClient = new GcGetGroups().addSubjectId(principal);
results = groupsClient.execute().getResults();
} catch (final Exception e) {
LOGGER.warn("Grouper WS did not respond successfully. Ensure your credentials are correct "
+ ", the url endpoint for Grouper WS is correctly configured and the subject " + principal
+ " exists in Grouper.", e);
return false;
}
if (results == null || results.length == 0) {
LOGGER.warn("Subject id [{}] could not be located. Access denied", principal);
return false;
}
for (final WsGetGroupsResult groupsResult : results) {
if (groupsResult.getWsGroups() == null || groupsResult.getWsGroups().length == 0) {
LOGGER.warn("No groups could be found for subject [{}]. Access denied", groupsResult.getWsSubject().getName());
return false;
}
for (final WsGroup group : groupsResult.getWsGroups()) {
final String groupName = constructGrouperGroupAttribute(group);
LOGGER.debug("Found group name [{}] for [{}]", groupName, principal);
grouperGroups.add(groupName);
}
}
LOGGER.debug("Adding [{}] under attribute name [{}] to collection of CAS attributes",
grouperGroups, GROUPER_GROUPS_ATTRIBUTE_NAME);
allAttributes.put(GROUPER_GROUPS_ATTRIBUTE_NAME, grouperGroups);
return super.doPrincipalAttributesAllowServiceAccess(principal, allAttributes);
}
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
