Example usage for javax.naming TimeLimitExceededException getMessage

List of usage examples for javax.naming TimeLimitExceededException getMessage

Introduction

In this page you can find the example usage for javax.naming TimeLimitExceededException getMessage.

Prototype

public String getMessage() 

Source Link

Document

Returns the detail message string of this throwable.

Usage

From source file:hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.java

/**
 * Resolves all the groups that the user is in.
 *
 * We now use <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms680275(v=vs.85).aspx">tokenGroups</a>
 * attribute, which is a computed attribute that lists all the SIDs of the groups that the user is directly/indirectly in.
 * We then use that to retrieve all the groups in one query and resolve their canonical names.
 *
 * @param userDN/*ww w. ja v  a  2s  . c o m*/
 *      User's distinguished name.
 * @param context Used for making queries.
 */
private Set<GrantedAuthority> resolveGroups(String domainDN, String userDN, DirContext context)
        throws NamingException {
    if (userDN.contains("/")) {
        userDN = userDN.replace("/", "\\/");
    }
    Set<GrantedAuthority> groups = new HashSet<GrantedAuthority>();

    LOGGER.log(Level.FINER, "Looking up group of {0}", userDN);
    Attributes id = context.getAttributes(userDN, new String[] { "tokenGroups", "memberOf", "CN" });
    Attribute tga = id.get("tokenGroups");

    if (tga == null) {
        // tga will be null if you are not using a global catalogue
        // or if the user is not actually a member of any security groups.
        LOGGER.log(Level.FINE, "Failed to retrieve tokenGroups for {0}", userDN);
        // keep on trucking as we can still use memberOf for Distribution Groups.
    } else {
        // build up the query to retrieve all the groups
        StringBuilder query = new StringBuilder("(|");
        List<byte[]> sids = new ArrayList<byte[]>();

        NamingEnumeration<?> tokenGroups = tga.getAll();
        while (tokenGroups.hasMore()) {
            byte[] gsid = (byte[]) tokenGroups.next();
            query.append("(objectSid={" + sids.size() + "})");
            sids.add(gsid);
        }
        tokenGroups.close();

        query.append(")");

        NamingEnumeration<SearchResult> renum = new LDAPSearchBuilder(context, domainDN).subTreeScope()
                .returns("cn").search(query.toString(), sids.toArray());
        parseMembers(userDN, groups, renum);
        renum.close();
    }

    {/*
     stage 2: use memberOf to find groups that aren't picked up by tokenGroups.
     This includes distribution groups
        */
        LOGGER.fine("Stage 2: looking up via memberOf");

        while (true) {
            switch (groupLookupStrategy) {
            case TOKENGROUPS:
                // no extra lookup - ever.
                return groups;
            case AUTO:
                // try the accurate one first, and if it's too slow fall back to recursive in the hope that it's faster
                long start = System.nanoTime();
                boolean found = false;
                long duration = 0;
                try {
                    found = chainGroupLookup(domainDN, userDN, context, groups);
                    duration = TimeUnit2.NANOSECONDS.toSeconds(System.nanoTime() - start);
                } catch (TimeLimitExceededException e) {
                    LOGGER.log(Level.WARNING,
                            "The LDAP request did not terminate within the specified time limit. AD will fall back to recursive lookup",
                            e);
                } catch (NamingException e) {
                    if (e.getMessage().contains("LDAP response read timed out")) {
                        LOGGER.log(Level.WARNING,
                                "LDAP response read time out. AD will fall back to recursive lookup", e);
                    } else {
                        throw e;
                    }
                }
                if (!found && duration >= 10) {
                    LOGGER.log(Level.WARNING,
                            "Group lookup via Active Directory's 'LDAP_MATCHING_RULE_IN_CHAIN' extension timed out after {0} seconds. Falling back to recursive group lookup strategy for this and future queries",
                            duration);
                    groupLookupStrategy = GroupLookupStrategy.RECURSIVE;
                    continue;
                } else if (found && duration >= 10) {
                    LOGGER.log(Level.WARNING,
                            "Group lookup via Active Directory's 'LDAP_MATCHING_RULE_IN_CHAIN' extension matched user's groups but took {0} seconds to run. Switching to recursive lookup for future group lookup queries",
                            duration);
                    groupLookupStrategy = GroupLookupStrategy.RECURSIVE;
                    return groups;
                } else if (!found) {
                    LOGGER.log(Level.WARNING,
                            "Group lookup via Active Directory's 'LDAP_MATCHING_RULE_IN_CHAIN' extension failed. Falling back to recursive group lookup strategy for this and future queries");
                    groupLookupStrategy = GroupLookupStrategy.RECURSIVE;
                    continue;
                } else {
                    // it run fast enough, so let's stick to it
                    groupLookupStrategy = GroupLookupStrategy.CHAIN;
                    return groups;
                }
            case RECURSIVE:
                recursiveGroupLookup(context, id, groups);
                return groups;
            case CHAIN:
                chainGroupLookup(domainDN, userDN, context, groups);
                return groups;
            }
        }
    }
}