RelationalDatabaseConnector

Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

Overview

The RelationalDatabase DataConnector generates multiple IdPAttribute objects from a relational database via a JDBC DataSource. The results are generated such that each IdPAttribute represents a column of the query result set. The ordered values represent the rows of the result set and each IdPAttribute will contain the same number of values, including any embedded nulls in the results. Nulls are represented explicitly with objects of type EmptyAttributeValue as placeholders within the ordered lists.

Data Sources and Drivers

This connector uses a JDBC DataSource to connect to the database. This can be supplied via a few different techniques, but the recommended approach is to define one using Spring syntax in global.xml (or similar location) and use the <BeanManagedConnection> element, the reason being it can be easily shared across multiple connectors. If you need the ability to reload the data source's settings, then the suggested approach is to create a new Spring file to contain the bean, and add it to the set of AttributeResolverConfiguration resources in services.xml

Whatever driver you use should generally be installed to edit-webapp/WEB-INF/lib, after which you will need to stop your container, rebuild the warfile, and restart the container. Failure to do so will lead to ClassNotFound exceptions that reference the driver class.

Connection Pooling

If you want to use connection pooling, the Apache DBCP library is included with the IdP. The DBCP library provides various DataSource implementations that wrap an actual database driver, and you will have to add the driver itself as well. A rudimentary example is included below, but be aware that there are a lot of options available and no particular "best practice" is implied by our limited experience with them.

Read Only Connections

Previous versions of the IdP marked the connections used for attribute resolution as read-only. A configuration attribute was provided to override this behavior and allow connection pools to be shared between the RDBMS Data Connector and other read-write uses.  In V4, the DataConnector no longer marks the connections as read-only itself.  If you want to enforce read-only behavior, you should do so via the JDBC connection URL and/or limiting the access of the service account.

Reference

Spring Configuration

If the springResource or springResourceRef attributes are specified, then the configuration of the DataConnector bean is delegated to the supplied resources. The system will create a factory for an RDBMSDataConnector object, and look for beans in the Spring resource(s) supplied that match the types of properties supported by that type and its parent classes.

In prior versons, most of these extension points were non-API classes and interfaces, but in V4+ they have been moved and promoted to API status.

In practice, the RDBMS Data Connector may be supplied with beans of the following types:

• DataSource 

• ExecutableSearchBuilder<ExecutableStatement>
  Two classes which implement this interface are available:

  • FormatExecutableStatementBuilder

  • TemplatedExecutableStatementBuilder

• com.google.common.cache.Cache<String,Map<String,IdPAttribute>>

• Validator

  • The only class available in the IdP which implements this Interface is NonFailFastValidator

• ResultMappingStrategy

  • The only class available in the IdP which implements this Interface is  StringResultMappingStrategy

In addition, native bean IDs can be injected as follows:

1. The DataSource can be specified as an externally defined bean via the <BeanManagedConnection> element (as a recommended replacement for the the <ContainerManagedConnection> element).

2. The builder for the SQL query can be specified as an externally defined bean via the executableSearchBuilderRef attribute (as a replacement for the <QueryTemplate> element).

3. The mapping of column names can be specified as an externally defined bean via the mappingStrategyRef attribute (as a replacement for the <Column> elements).

4. The caching of results can be specified as an externally defined bean via the <ResultCacheBean> element (as a replacement for the <ResultCache> element).

5. Rarely, a non-default Velocity engine can be injected via the templateEngine attribute.

Examples

Simple DataConnector entirely in custom syntax

 <DataConnector id="myDatabase" xsi:type="RelationalDatabase">
   <FailoverDataConnector ref="BackupDataseConnector"/>
   <SimpleManagedConnection 
       jdbcDriver="org.hsqldb.jdbc.JDBCDriver" jdbcURL="jdbc:hsqldb:mem:RDBMSDataConnectorStore"
       jdbcUserName="SA" jdbcPassword="secret" />
   <QueryTemplate>
       <![CDATA[
         SELECT * FROM people WHERE userid='$resolutionContext.principal'
       ]]>
   </QueryTemplate>
 
   <Column columnName="homephone" attributeID="phonenumber" />
</DataConnector>

Simple Data Connector using external bean

<DataConnector id="myDatabase" xsi:type="RelationalDatabase" mappingStrategyRef="MappingBeanId">
  <BeanManagedConnection>DataConnectorBeanId</BeanManagedConnection>
   <QueryTemplate>
       <![CDATA[
         SELECT * FROM people WHERE userid='$resolutionContext.principal'
       ]]>
   </QueryTemplate>
  <ResultCacheBean>ResultCacheBeanId</ResultCacheBean>
</DataConnector>

The example below demonstrates a number of approaches:

• Use of a Spring file to define the various low-level objects, which could be referenced via
  <DataConnector" xsi:type="RelationalDatabase" springResources="....." />

• Use of a Spring file to define a data source which could be referenced via
  <BeanManagedConnection>dataSource</BeanManagedConnection>

• Use of the DBCP pooling library to wrap a database driver in a simple pool.

Example of a springResources file

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:c="http://www.springframework.org/schema/c"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

	<bean class="net.shibboleth.idp.attribute.resolver.dc.rdbms.FormatExecutableStatementBuilder">
		<constructor-arg index="0" value="SELECT * FROM people WHERE userid='%s'" />
	</bean>

	<bean id="mappings" class="net.shibboleth.idp.attribute.resolver.dc.rdbms.StringResultMappingStrategy"
	        p:noResultAnError="true" p:multipleResultsAnError="true">
        <property name="resultRenamingMap">
            <map>
                <entry key="homephone" value="phonenumber" />
            </map>
        </property>
	</bean>

	<!-- The rest of these beans would be unneeded for a simple BeanManagedConnection. -->

	<bean id="dataSource" class="org.apache.commons.dbcp2.BasicDataSource" destroy-method="close"
		p:driverClass="org.mariadb.jdbc.Driver"
        p:jdbcUrl="jdbc:mysql://mysql.example.org:3306/shibboleth"
		p:user="admin" p:password="secret"
        p:maxTotal="20"
        p:maxIdle="5"
        p:maxWaitMillis="2000"
        p:testOnBorrow="true"
        p:validationQuery="select 1"
        p:validationQueryTimeout="5" />

	<bean id="cacheBuilder" class="com.google.common.cache.CacheBuilder" factory-method="from">
		<constructor-arg value="expireAfterAccess=10s,maximumSize=25" />
	</bean>

	<bean id="cache" class="com.google.common.cache.Cache" factory-bean="cacheBuilder" factory-method="build" />
</beans>