Class LdapUserDetailsManager

java.lang.Object
org.springframework.security.ldap.userdetails.LdapUserDetailsManager
All Implemented Interfaces:
UserDetailsService, UserDetailsManager

public class LdapUserDetailsManager extends Object implements UserDetailsManager
An LDAP implementation of UserDetailsManager.

It is designed around a standard setup where users and groups/roles are stored under separate contexts: the user context is defined by the "userDnBase" of the configured LdapUsernameToDnMapper (see setUsernameMapper(LdapUsernameToDnMapper)) and the group context by the "groupSearchBase" property of this class.

When used this way, LDAP serves purely as a user store and this class can stand in for any other UserDetailsService. Authentication isn't performed by binding to the directory, unlike with the LDAP authentication provider setup; instead the password attribute is read through the context source and compared by the authentication provider (typically DaoAuthenticationProvider with a PasswordEncoder matching the stored format). The context source's bind account therefore needs read access to the password attribute.

Since:
2.0
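The following configuration is an added example (not code from the Spring Security project or this page) of wiring LdapUserDetailsManager as the UserDetailsService behind a DaoAuthenticationProvider, in the "users and groups under separate contexts" layout the class is designed around. The directory URL, the ou=people / ou=groups layout, the service-account DN and the LDAP_SVC_PASSWORD environment variable are assumptions; the PasswordEncoder bean is assumed to exist elsewhere and must match how userPassword is stored in the directory.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.userdetails.DefaultLdapUsernameToDnMapper;
import org.springframework.security.ldap.userdetails.LdapUserDetailsManager;

@Configuration
public class LdapUserStoreConfig {

    // Assumed directory: base dc=example,dc=com, users under ou=people, groups under ou=groups.
    static final String LDAP_URL = "ldap://ldap.example.internal:389/dc=example,dc=com";

    @Bean
    DefaultSpringSecurityContextSource contextSource() {
        DefaultSpringSecurityContextSource cs = new DefaultSpringSecurityContextSource(LDAP_URL);
        // Service account used for all reads and for changePassword(null, ...).
        // It must be able to read userPassword; give it no more directory rights than that
        // plus whatever createUser/updateUser/deleteUser need in your deployment.
        cs.setUserDn("cn=spring-svc,ou=services,dc=example,dc=com");
        cs.setPassword(System.getenv("LDAP_SVC_PASSWORD")); // assumed env var
        return cs;
    }

    @Bean
    LdapUserDetailsManager userDetailsManager(DefaultSpringSecurityContextSource cs) {
        LdapUserDetailsManager manager = new LdapUserDetailsManager(cs);
        // "userDnBase" lives on the mapper: username alice -> uid=alice,ou=people,<base>
        manager.setUsernameMapper(new DefaultLdapUsernameToDnMapper("ou=people", "uid"));
        // "groupSearchBase" lives on the manager; groups are found by their member attribute.
        manager.setGroupSearchBase("ou=groups");
        manager.setGroupRoleAttributeName("cn");        // group cn "admins" -> ROLE_ADMINS
        manager.setGroupMemberAttributeName("member");  // default is "uniquemember"
        manager.setPasswordAttributeName("userPassword");
        // Prefer the Password Modify extended operation so the server hashes the new
        // password and applies its policy. Only enable it if the root DSE lists
        // OID 1.3.6.1.4.1.4203.1.11.1 in supportedExtension.
        manager.setUsePasswordModifyExtensionOperation(true);
        return manager;
    }

    @Bean
    AuthenticationProvider ldapBackedProvider(LdapUserDetailsManager manager,
                                              PasswordEncoder passwordEncoder) {
        // No bind as the end user happens here: the userPassword attribute is fetched via the
        // service account and checked locally, so the encoder must understand the stored
        // format (e.g. {SSHA} hashes need an LDAP-aware encoder, {bcrypt} needs BCrypt).
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider(passwordEncoder);
        provider.setUserDetailsService(manager);
        return provider;
    }
}
```

With this wiring, loadUserByUsername("alice") reads uid=alice,ou=people,dc=example,dc=com and every entry under ou=groups whose member attribute contains that DN, turning each group's cn into a ROLE_-prefixed authority.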
  • Constructor Details

    • LdapUserDetailsManager

      public LdapUserDetailsManager(org.springframework.ldap.core.ContextSource contextSource)
  • Method Details

    • loadUserByUsername

      public UserDetails loadUserByUsername(String username)
      Description copied from interface: UserDetailsService
Locates the user based on the username. In the actual implementation, the search may be case sensitive or case insensitive depending on how the implementation instance is configured. In this case, the UserDetails object that comes back may have a username that is of a different case than what was actually requested.
      Specified by:
      loadUserByUsername in interface UserDetailsService
      Parameters:
      username - the username identifying the user whose data is required.
      Returns:
      a fully populated user record (never null)
    • changePassword

      public void changePassword(String oldPassword, String newPassword)
Changes the password for the current user. The username is obtained from the security context, so this method can only change the password of the principal that is currently authenticated.

There are two supported strategies for modifying the user's password, depending on the capabilities of the corresponding LDAP server.

Configured one way, this method will modify the user's password via the LDAP Password Modify Extended Operation (RFC 3062), which lets the server apply its own hashing and password policy to the new value.

See setUsePasswordModifyExtensionOperation(boolean) for details.

By default, though, the password attribute is replaced directly. If the old password is supplied, the update is made by rebinding to the directory as the user, so the directory verifies the old password and the change is made with the user's own permissions; a failed rebind is reported as a BadCredentialsException. If oldPassword is null, no such verification takes place and the update is attempted using the standard read/write context supplied by the context source, i.e. with the privileges of the context source's bind account. Pass null only when the current user has already been authenticated by other means.

      Specified by:
      changePassword in interface UserDetailsManager
      Parameters:
      oldPassword - the old password
      newPassword - the new value of the password.
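The wrapper below is an added example (not part of Spring Security or this page) showing how a caller would keep the two strategies apart: a self-service change always supplies the current password so that the rebind as the user verifies it, while the null-oldPassword path is exposed only as a separate method for flows where the user was already authenticated some other way (a reset-token flow, for instance). The LdapPasswordService class, its method names and the 12-character minimum are assumptions; the only library calls are LdapUserDetailsManager.changePassword and the SecurityContextHolder lookup.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.ldap.userdetails.LdapUserDetailsManager;

/**
 * Hypothetical application service in front of LdapUserDetailsManager.changePassword.
 * Both methods act on the currently authenticated principal, because that is the only
 * user changePassword can target.
 */
public class LdapPasswordService {

    private static final int MIN_LENGTH = 12; // assumed local policy

    private final LdapUserDetailsManager manager;

    public LdapPasswordService(LdapUserDetailsManager manager) {
        this.manager = manager;
    }

    /** Self-service change: the directory checks currentPassword via a rebind as the user. */
    public void changeOwnPassword(String currentPassword, String newPassword) {
        requireAuthenticatedUser();
        if (currentPassword == null || currentPassword.isEmpty()) {
            // A null oldPassword would silently switch to the context source's (privileged)
            // credentials and the user's current password would never be verified.
            throw new IllegalArgumentException("current password is required");
        }
        checkNewPassword(newPassword);
        try {
            manager.changePassword(currentPassword, newPassword);
        } catch (BadCredentialsException ex) {
            // Rebind as the user failed: wrong current password. Rethrow as a generic,
            // non-directory-specific error for the UI layer.
            throw new IllegalArgumentException("current password is incorrect", ex);
        }
    }

    /**
     * Sets a password without checking the old one. Call this only from a flow that has
     * already proven control of the account (e.g. a verified reset token that established
     * the authentication now in the security context). Uses the context source's bind
     * account, so that account needs write access to the password attribute.
     */
    public void setPasswordAfterExternalVerification(String newPassword) {
        requireAuthenticatedUser();
        checkNewPassword(newPassword);
        manager.changePassword(null, newPassword);
    }

    private static void requireAuthenticatedUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            // changePassword reads the username from the security context; without one it fails.
            throw new IllegalStateException("no authenticated user in the security context");
        }
    }

    private static void checkNewPassword(String newPassword) {
        if (newPassword == null || newPassword.length() < MIN_LENGTH) {
            throw new IllegalArgumentException("new password must be at least " + MIN_LENGTH + " characters");
        }
    }
}
```

When usePasswordModifyExtensionOperation is false, the new value is written to the password attribute exactly as passed, so whether it ends up hashed depends on the server's configuration; with the extended operation enabled the server takes responsibility for hashing and policy.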
    • createUser

      public void createUser(UserDetails user)
      Description copied from interface: UserDetailsManager
      Create a new user with the supplied details.
      Specified by:
      createUser in interface UserDetailsManager
    • updateUser

      public void updateUser(UserDetails user)
      Description copied from interface: UserDetailsManager
      Update the specified user.
      Specified by:
      updateUser in interface UserDetailsManager
    • deleteUser

      public void deleteUser(String username)
      Description copied from interface: UserDetailsManager
      Remove the user with the given login name from the system.
      Specified by:
      deleteUser in interface UserDetailsManager
    • userExists

      public boolean userExists(String username)
      Description copied from interface: UserDetailsManager
      Check if a user with the supplied login name exists in the system.
      Specified by:
      userExists in interface UserDetailsManager
    • buildGroupDn

      @Deprecated protected org.springframework.ldap.core.DistinguishedName buildGroupDn(String group)
      Deprecated.
      Creates a DN from a group name.
      Parameters:
      group - the name of the group
      Returns:
      the DN of the corresponding group, including the groupSearchBase
    • buildGroupName

      protected LdapName buildGroupName(String group)
    • copyToContext

      protected void copyToContext(UserDetails user, org.springframework.ldap.core.DirContextAdapter ctx)
    • addAuthorities

      @Deprecated protected void addAuthorities(org.springframework.ldap.core.DistinguishedName userDn, Collection<? extends GrantedAuthority> authorities)
      Deprecated.
    • addAuthorities

      protected void addAuthorities(LdapName userDn, Collection<? extends GrantedAuthority> authorities)
    • removeAuthorities

      @Deprecated protected void removeAuthorities(org.springframework.ldap.core.DistinguishedName userDn, Collection<? extends GrantedAuthority> authorities)
      Deprecated.
    • removeAuthorities

      protected void removeAuthorities(LdapName userDn, Collection<? extends GrantedAuthority> authorities)
    • setUsernameMapper

      public void setUsernameMapper(LdapUsernameToDnMapper usernameMapper)
    • setPasswordAttributeName

      public void setPasswordAttributeName(String passwordAttributeName)
    • setGroupSearchBase

      public void setGroupSearchBase(String groupSearchBase)
    • setGroupRoleAttributeName

      public void setGroupRoleAttributeName(String groupRoleAttributeName)
    • setAttributesToRetrieve

      public void setAttributesToRetrieve(String[] attributesToRetrieve)
    • setUserDetailsMapper

      public void setUserDetailsMapper(UserDetailsContextMapper userDetailsMapper)
    • setGroupMemberAttributeName

      public void setGroupMemberAttributeName(String groupMemberAttributeName)
Sets the name of the multi-valued attribute which holds the DNs of users who are members of a group.

Usually this will be uniquemember (the default value, used by groupOfUniqueNames entries) or member (used by groupOfNames entries and by Active Directory groups).

      Parameters:
      groupMemberAttributeName - the name of the attribute used to store group members.
    • setRoleMapper

      public void setRoleMapper(org.springframework.ldap.core.AttributesMapper roleMapper)
    • setUsePasswordModifyExtensionOperation

      public void setUsePasswordModifyExtensionOperation(boolean usePasswordModifyExtensionOperation)
      Sets the method by which a user's password gets modified.

      If set to true, then changePassword(java.lang.String, java.lang.String) will modify the user's password by way of the Password Modify Extension Operation.

If set to false, then changePassword(java.lang.String, java.lang.String) will modify the user's password by replacing the password attribute on the corresponding entry with the value supplied, so whether the stored value is hashed depends on the server's configuration rather than on this class.

Before enabling this setting, ensure that the corresponding LDAP server supports this extended operation; servers that do advertise OID 1.3.6.1.4.1.4203.1.11.1 in the supportedExtension attribute of the root DSE.

      By default, usePasswordModifyExtensionOperation is false.

      Parameters:
      usePasswordModifyExtensionOperation - whether to use the Password Modify Extension Operation to modify the password
      Since:
      4.2.9
    • setSecurityContextHolderStrategy

      public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
      Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
      Since:
      5.8
    • setRolePrefix

      public void setRolePrefix(String rolePrefix)
Sets the role prefix used when converting group names to authorities. The default value is "ROLE_".
      Parameters:
      rolePrefix - role prefix
      Since:
      6.3