Tomcat authentication with LDAP

This article describes how to configure Tomcat to authenticate users against an LDAP directory: a JNDIRealm element is added to server.xml, and the connectionURL, userBase, userSearch and related attributes are explained so that user entries can be looked up in the directory and the user's identity verified.


Add a Realm definition to server.xml, for example:

<!-- The user entry is located with userSearch under userBase ({0} = username);
     roles are then found with roleSearch under roleBase ({0} = the user's DN). -->
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://10.200.146.12:389"
       userBase="dc=qmcc,dc=net"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="dc=qmcc,dc=net"
       roleName="cn"
       roleSubtree="true"
       roleSearch="(uniqueMember={0})" />
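Before such an element goes into server.xml it is worth checking it mechanically. The script below is an added example, not code from the original post or from Tomcat: it parses the Realm element above (embedded as a constructed string) next to a corrected variant and reports what a reviewer would flag, such as a role filter without its outer parentheses or a plain ldap:// connection over which the simple bind would carry the user's password unencrypted. The attribute names are the real JNDIRealm attributes; the check rules, and the placeholder host ldap.example.test in the corrected variant, are this script's own.

```python
"""Sanity-check a JNDIRealm element before it goes into server.xml.

Added example, not part of the original post or of Tomcat. The attribute
names are real JNDIRealm attributes; the checks are this script's own.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the Realm element shown in the post.
REALM_AS_POSTED = """<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
  connectionURL="ldap://10.200.146.12:389"
  userBase="dc=qmcc,dc=net"
  userSearch="(uid={0})"
  userSubtree="true"
  roleBase="dc=qmcc,dc=net"
  roleName="cn"
  roleSubtree="true"
  roleSearch="uniqueMember={0}"
/>"""

# The same realm with the role filter parenthesised and the connection moved to
# LDAPS. ldap.example.test is a placeholder host, not one from the post.
REALM_CORRECTED = """<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldaps://ldap.example.test:636"
  userBase="dc=qmcc,dc=net"
  userSearch="(uid={0})"
  userSubtree="true"
  roleBase="dc=qmcc,dc=net"
  roleName="cn"
  roleSubtree="true"
  roleSearch="(uniqueMember={0})"
/>"""


def lint_realm(xml_text):
    """Return a list of (severity, message) findings for one Realm element."""
    attrs = ET.fromstring(xml_text).attrib
    findings = []

    if attrs.get("className") != "org.apache.catalina.realm.JNDIRealm":
        findings.append(("error", "className must be org.apache.catalina.realm.JNDIRealm"))

    url = attrs.get("connectionURL", "")
    if not url:
        findings.append(("error", "connectionURL is required"))
    elif url.startswith("ldap://"):
        findings.append(("warn", "connectionURL uses plain ldap://: the simple bind sends "
                                 "the user's password unencrypted unless TLS is negotiated"))

    if "userSearch" not in attrs and "userPattern" not in attrs:
        findings.append(("error", "one of userSearch or userPattern is required"))
    if "userSearch" in attrs and "{0}" not in attrs["userSearch"]:
        findings.append(("error", "userSearch must contain {0} for the username"))

    # Both searches are LDAP filters; the outer parentheses are part of the syntax.
    for key in ("userSearch", "roleSearch"):
        flt = attrs.get(key)
        if flt and not (flt.startswith("(") and flt.endswith(")")):
            findings.append(("warn", "%s=%r is not a parenthesised LDAP filter; write (%s)"
                             % (key, flt, flt)))

    if "roleSearch" in attrs and "roleName" not in attrs:
        findings.append(("warn", "roleSearch without roleName: no role search takes place"))
    if "roleSearch" in attrs and not any(p in attrs["roleSearch"] for p in ("{0}", "{1}")):
        findings.append(("error", "roleSearch must contain {0} (user DN) or {1} (username)"))

    if "userPassword" in attrs:
        if "connectionName" not in attrs or "connectionPassword" not in attrs:
            findings.append(("warn", "userPassword set: the realm reads the password attribute "
                                     "itself, which normally needs connectionName/connectionPassword"))
        if "digest" not in attrs:
            findings.append(("warn", "userPassword without digest: the directory value is "
                                     "compared as plaintext"))
    if "connectionPassword" in attrs:
        findings.append(("info", "connectionPassword is stored in clear text in server.xml; "
                                 "restrict the file's permissions"))
    if "debug" in attrs:
        findings.append(("info", "debug is a Tomcat 5.0-era attribute; later releases have no "
                                 "such property and only log a warning for it"))
    return findings


def severities(findings):
    """Distinct severity levels present, sorted (empty list means a clean element)."""
    return sorted(set(s for s, _ in findings))


if __name__ == "__main__":
    for label, xml in (("as posted", REALM_AS_POSTED), ("corrected", REALM_CORRECTED)):
        print("==", label)
        for sev, msg in lint_realm(xml):
            print("  [%s] %s" % (sev, msg))
```

Run it as-is to see the findings for both elements; feed it your own Realm element (read from server.xml, or pasted as a string) to lint a real configuration.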

The meaning of the Realm element attributes (as given in the Tomcat JNDIRealm reference) is as follows:

className

The fully qualified Java class name of this Realm implementation. You MUST specify the value "org.apache.catalina.realm.JNDIRealm" here.

connectionName

The directory username to use when establishing a connection to the directory for LDAP search operations. If not specified an anonymous connection is made, which is often sufficient unless you specify the userPassword property.

connectionPassword

The directory password to use when establishing a connection to the directory for LDAP search operations. If not specified an anonymous connection is made, which is often sufficient unless you specify the userPassword property.

connectionURL

The connection URL to be passed to the JNDI driver when establishing a connection to the directory.

contextFactory

The fully qualified Java class name of the JNDI context factory to be used for this connection. By default, the standard JNDI LDAP provider is used (com.sun.jndi.ldap.LdapCtxFactory).

debug

The level of debugging detail logged by this Realm to the associated Logger. Higher numbers generate more detailed output. If not specified, the default debugging detail level is zero (0).

digest

The digest algorithm to apply to the plaintext password offered by the user before comparing it with the value retrieved from the directory. Valid values are those accepted for the algorithm name by the java.security.MessageDigest class. See Digested Passwords for more information. If not specified, the plaintext password is assumed to be retrieved. Not required unless userPassword is specified.

roleBase

The base directory entry for performing role searches. If not specified, the top level element in the directory context will be used.

roleName

The name of the attribute that contains role names in the directory entries found by a role search. In addition you can use the userRoleName property to specify the name of an attribute, in the user's entry, containing additional role names. If roleName is not specified a role search does not take place, and roles are taken only from the user's entry.

roleSearch

The LDAP filter expression used for performing role searches, following the syntax supported by the java.text.MessageFormat class. Use {0} to substitute the distinguished name (DN) of the user, and/or {1} to substitute the username. If not specified a role search does not take place and roles are taken only from the attribute in the user's entry specified by the userRoleName property.

roleSubtree

Set to true if you want to search the entire subtree of the element specified by the roleBase property for role entries associated with the user. The default value of false causes only the top level to be searched.

userBase

The base element for user searches performed using the userSearch expression. If not specified, the top level element in the directory context will be used. Not used if you are using the userPattern expression.

userPassword

Name of the attribute in the user's entry containing the user's password. If you specify this value, JNDIRealm will bind to the directory using the values specified by connectionName and connectionPassword properties, and retrieve the corresponding attribute for comparison to the value specified by the user being authenticated. If the digest attribute is set, the specified digest algorithm is applied to the password offered by the user before comparing it with the value retrieved from the directory. If you do not specify this value, JNDIRealm will attempt a simple bind to the directory using the DN of the user's entry and password specified by the user, with a successful bind being interpreted as an authenticated user.

userPattern

A pattern for the distinguished name (DN) of the user's directory entry, following the syntax supported by the java.text.MessageFormat class with {0} marking where the actual username should be inserted. Multiple search locations are achieved by separating each with parentheses. You can use this property instead of userSearch, userSubtree and userBase when the distinguished name contains the username and is otherwise the same for all users.

userRoleName

The name of an attribute in the user's directory entry containing zero or more values for the names of roles assigned to this user. In addition you can use the roleName property to specify the name of an attribute to be retrieved from individual role entries found by searching the directory. If userRoleName is not specified all the roles for a user derive from the role search.

userSearch

The LDAP filter expression to use when searching for a user's directory entry, with {0} marking where the actual username should be inserted. Use this property (along with the userBase and userSubtree properties) instead of userPattern to search the directory for the user's entry.

userSubtree

Set to true if you want to search the entire subtree of the element specified by the userBase property for the user's entry. The default value of false causes only the top level to be searched. Not used if you are using the userPattern expression.
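To make the attribute semantics above concrete, the following Python script walks through the realm's three steps (user search, password check, role lookup) against a small in-memory directory. It is an added example, not code from the original post or from Tomcat: the sample entries under dc=qmcc,dc=net, the Realm dictionary (taken from the server.xml above, with roleSearch parenthesised), the single-equality filter evaluator, the hex-digest comparison used for the digest case and the refusal of empty passwords are all this example's own constructions. It shows why the {0} substitution must escape the username per RFC 4515 so that filter metacharacters stay literal, how userSubtree="false" limits the search to one level below userBase, and why an empty password must never reach a simple bind (LDAP treats it as an anonymous bind that succeeds).

```python
"""Model of the JNDIRealm lookup described above. Added example, not Tomcat code:
the directory contents, REALM and the helper functions are constructed here."""
import hashlib
import re

# Constructed sample directory: DN -> attribute map. Not real data.
DIRECTORY = {
    "uid=alice,ou=people,dc=qmcc,dc=net": {"uid": ["alice"], "userPassword": ["s3cret"]},
    "uid=bob,ou=people,dc=qmcc,dc=net": {"uid": ["bob"], "userPassword": ["hunter2"]},
    "cn=admins,ou=groups,dc=qmcc,dc=net": {
        "cn": ["admins"], "uniqueMember": ["uid=alice,ou=people,dc=qmcc,dc=net"]},
    "cn=users,ou=groups,dc=qmcc,dc=net": {
        "cn": ["users"], "uniqueMember": ["uid=alice,ou=people,dc=qmcc,dc=net",
                                         "uid=bob,ou=people,dc=qmcc,dc=net"]},
}

# Realm attributes from the server.xml above (roleSearch written as a proper filter).
REALM = {
    "userBase": "dc=qmcc,dc=net", "userSearch": "(uid={0})", "userSubtree": "true",
    "roleBase": "dc=qmcc,dc=net", "roleName": "cn", "roleSubtree": "true",
    "roleSearch": "(uniqueMember={0})",
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter, so that
    characters such as * ( ) and backslash stay literal text."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def in_scope(dn, base, subtree):
    """userSubtree/roleSubtree semantics: true covers the whole subtree under
    base, false only the entries exactly one level below it."""
    if not dn.endswith("," + base):
        return False
    rdn_part = dn[: -len(base) - 1]
    return subtree or "," not in rdn_part


def search(base, subtree, filter_expr):
    """Evaluate one equality or presence filter, e.g. (uid=alice) or (uid=*).
    Only this simple shape is supported; it is enough for the realm's filters."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_expr)
    if not m:
        raise ValueError("unsupported filter: %r" % filter_expr)
    attr, raw = m.groups()
    hits = []
    for dn, entry in DIRECTORY.items():
        if not in_scope(dn, base, subtree):
            continue
        values = entry.get(attr, [])
        matched = bool(values) if raw == "*" else unescape_filter_value(raw) in values
        if matched:
            hits.append((dn, entry))
    return hits


def simple_bind(dn, password):
    """Model the directory's simple bind. An empty password is an anonymous
    bind, which LDAP servers accept; authenticate() must reject it first."""
    if password == "":
        return True
    return DIRECTORY.get(dn, {}).get("userPassword") == [password]


def authenticate(realm, username, password):
    """Return {'dn': ..., 'roles': [...]} for a valid login, else None."""
    if not password:
        return None
    # 1. Locate the user's entry: userSearch with {0} = escaped username under userBase.
    user_filter = realm["userSearch"].replace("{0}", escape_filter_value(username))
    hits = search(realm["userBase"], realm.get("userSubtree") == "true", user_filter)
    if len(hits) != 1:
        return None
    dn, entry = hits[0]
    # 2. Verify the password: compare the userPassword attribute (digested if digest
    #    is set; hex comparison is this example's simplification), else simple bind as the DN.
    if "userPassword" in realm:
        offered = password
        if "digest" in realm:
            algo = realm["digest"].replace("-", "").lower()
            offered = hashlib.new(algo, password.encode()).hexdigest()
        if entry.get(realm["userPassword"]) != [offered]:
            return None
    elif not simple_bind(dn, password):
        return None
    # 3. Roles: values of userRoleName on the entry, plus a role search when both
    #    roleSearch and roleName are set ({0} = user DN, {1} = username).
    roles = list(entry.get(realm.get("userRoleName", ""), []))
    if "roleSearch" in realm and "roleName" in realm:
        role_filter = (realm["roleSearch"].replace("{0}", escape_filter_value(dn))
                       .replace("{1}", escape_filter_value(username)))
        for _, role_entry in search(realm["roleBase"], realm.get("roleSubtree") == "true", role_filter):
            roles.extend(role_entry.get(realm["roleName"], []))
    return {"dn": dn, "roles": sorted(set(roles))}


if __name__ == "__main__":
    print(authenticate(REALM, "alice", "s3cret"))
```

With the realm as configured, alice resolves to her DN with the roles admins and users; a wrong password, an empty password, or a username consisting of filter metacharacters yields None, and switching userSubtree to false also yields None because the user entries sit two levels below userBase.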
