org.springframework.security.ldap.userdetails
Class DefaultLdapAuthoritiesPopulator

java.lang.Object
  extended by org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator
All Implemented Interfaces:
LdapAuthoritiesPopulator

public class DefaultLdapAuthoritiesPopulator
extends Object
implements LdapAuthoritiesPopulator

The default strategy for obtaining user role information from the directory.

It obtains roles by performing a search for "groups" the user is a member of.

A typical group search scenario would be where each group/role is specified using the groupOfNames (or groupOfUniqueNames) LDAP objectClass and the user's DN is listed in the member (or uniqueMember) attribute to indicate that they should be assigned that role. The following LDIF sample has the groups stored under the DN ou=groups,dc=springframework,dc=org and a group called "developers" with "ben" and "luke" as members:

 dn: ou=groups,dc=springframework,dc=org
 objectClass: top
 objectClass: organizationalUnit
 ou: groups

 dn: cn=developers,ou=groups,dc=springframework,dc=org
 objectClass: groupOfNames
 objectClass: top
 cn: developers
 description: Spring Security Developers
 member: uid=ben,ou=people,dc=springframework,dc=org
 member: uid=luke,ou=people,dc=springframework,dc=org
 ou: developer
 

The group search is performed within a DN specified by the groupSearchBase property, which should be relative to the root DN of its InitialDirContextFactory. If the search base is null, group searching is disabled. The filter used in the search is defined by the groupSearchFilter property, with the filter argument {0} being the full DN of the user. You can also optionally use the parameter {1}, which will be substituted with the username. You can also specify which attribute defines the role name by setting the groupRoleAttribute property (the default is "cn").

The configuration below shows how the group search might be performed with the above schema.

 <bean id="ldapAuthoritiesPopulator"
       class="org.springframework.security.authentication.ldap.populator.DefaultLdapAuthoritiesPopulator">
   <constructor-arg ref="contextSource"/>
   <constructor-arg value="ou=groups"/>
   <property name="groupRoleAttribute" value="ou"/>
 <!-- the following properties are shown with their default values -->
   <property name="searchSubTree" value="false"/>
   <property name="rolePrefix" value="ROLE_"/>
   <property name="convertToUpperCase" value="true"/>
 </bean>
 
A search for roles for user "uid=ben,ou=people,dc=springframework,dc=org" would return the single granted authority "ROLE_DEVELOPER".

The single-level search is performed by default. Setting the searchSubTree property to true will enable a search of the entire subtree under groupSearchBase.

Version:
$Id: DefaultLdapAuthoritiesPopulator.java 3925 2009-10-05 19:28:53Z ltaylor $
Author:
Luke Taylor

Constructor Summary
DefaultLdapAuthoritiesPopulator(org.springframework.ldap.core.ContextSource contextSource, String groupSearchBase)
          Constructor for group search scenarios.
 
Method Summary
protected  Set<GrantedAuthority> getAdditionalRoles(org.springframework.ldap.core.DirContextOperations user, String username)
          This method should be overridden if required to obtain any additional roles for the given user (on top of those obtained from the standard search implemented by this class).
protected  org.springframework.ldap.core.ContextSource getContextSource()
           
 Collection<GrantedAuthority> getGrantedAuthorities(org.springframework.ldap.core.DirContextOperations user, String username)
          Obtains the authorities for the user who's directory entry is represented by the supplied LdapUserDetails object.
 Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username)
           
protected  String getGroupSearchBase()
           
 void setConvertToUpperCase(boolean convertToUpperCase)
           
 void setDefaultRole(String defaultRole)
          The default role which will be assigned to all users.
 void setGroupRoleAttribute(String groupRoleAttribute)
           
 void setGroupSearchFilter(String groupSearchFilter)
           
 void setIgnorePartialResultException(boolean ignore)
          Sets the corresponding property on the underlying template, avoiding specific issues with Active Directory.
 void setRolePrefix(String rolePrefix)
          Sets the prefix which will be prepended to the values loaded from the directory.
 void setSearchSubtree(boolean searchSubtree)
          If set to true, a subtree scope search will be performed.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

DefaultLdapAuthoritiesPopulator

public DefaultLdapAuthoritiesPopulator(org.springframework.ldap.core.ContextSource contextSource,
                                       String groupSearchBase)
Constructor for group search scenarios. userRoleAttributes may still be set as a property.

Parameters:
contextSource - supplies the contexts used to search for user roles.
groupSearchBase - if this is an empty string the search will be performed from the root DN of the context factory.
Method Detail

getAdditionalRoles

protected Set<GrantedAuthority> getAdditionalRoles(org.springframework.ldap.core.DirContextOperations user,
                                                   String username)
This method should be overridden if required to obtain any additional roles for the given user (on top of those obtained from the standard search implemented by this class).

Parameters:
user - the context representing the user who's roles are required
Returns:
the extra roles which will be merged with those returned by the group search

getGrantedAuthorities

public final Collection<GrantedAuthority> getGrantedAuthorities(org.springframework.ldap.core.DirContextOperations user,
                                                                String username)
Obtains the authorities for the user who's directory entry is represented by the supplied LdapUserDetails object.

Specified by:
getGrantedAuthorities in interface LdapAuthoritiesPopulator
Parameters:
user - the user who's authorities are required
Returns:
the set of roles granted to the user.

getGroupMembershipRoles

public Set<GrantedAuthority> getGroupMembershipRoles(String userDn,
                                                     String username)

getContextSource

protected org.springframework.ldap.core.ContextSource getContextSource()

getGroupSearchBase

protected String getGroupSearchBase()

setConvertToUpperCase

public void setConvertToUpperCase(boolean convertToUpperCase)

setDefaultRole

public void setDefaultRole(String defaultRole)
The default role which will be assigned to all users.

Parameters:
defaultRole - the role name, including any desired prefix.

setGroupRoleAttribute

public void setGroupRoleAttribute(String groupRoleAttribute)

setGroupSearchFilter

public void setGroupSearchFilter(String groupSearchFilter)

setRolePrefix

public void setRolePrefix(String rolePrefix)
Sets the prefix which will be prepended to the values loaded from the directory. Defaults to "ROLE_" for compatibility with RoleVoter/tt>.


setSearchSubtree

public void setSearchSubtree(boolean searchSubtree)
If set to true, a subtree scope search will be performed. If false a single-level search is used.

Parameters:
searchSubtree - set to true to enable searching of the entire tree below the groupSearchBase.

setIgnorePartialResultException

public void setIgnorePartialResultException(boolean ignore)
Sets the corresponding property on the underlying template, avoiding specific issues with Active Directory.

See Also:
LdapTemplate.setIgnoreNameNotFoundException(boolean)


Copyright © 2004-2009 SpringSource, Inc. All Rights Reserved.