|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object org.springframework.security.ldap.authentication.LdapAuthenticationProvider
public class LdapAuthenticationProvider
An AuthenticationProvider
implementation that authenticates
against an LDAP server.
There are many ways in which an LDAP directory can be configured so this class delegates most of
its responsibilities to two separate strategy interfaces, LdapAuthenticator
and LdapAuthoritiesPopulator
.
BindAuthenticator
which authenticates
the user by "binding" as that user, and
PasswordComparisonAuthenticator
which compares the supplied password with the value stored in the directory, using an LDAP "compare"
operation.
The task of retrieving the user attributes is delegated to the authenticator because the permissions on the attributes may depend on the type of authentication being used; for example, if binding as the user, it may be necessary to read them with the user's own permissions (using the same context used for the bind operation).
DefaultLdapAuthoritiesPopulator
can be configured to obtain user role information from the user's attributes and/or to perform a search for
"groups" that the user is a member of and map these to roles.
A custom implementation could obtain the roles from a completely different source, for example from a database.
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> <constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/> <property name="userDn" value="cn=manager,dc=springframework,dc=org"/> <property name="password" value="password"/> </bean> <bean id="ldapAuthProvider" class="org.springframework.security.authentication.ldap.LdapAuthenticationProvider"> <constructor-arg> <bean class="org.springframework.security.authentication.ldap.authenticator.BindAuthenticator"> <constructor-arg ref="contextSource"/> <property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property> </bean> </constructor-arg> <constructor-arg> <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator"> <constructor-arg ref="contextSource"/> <constructor-arg value="ou=groups"/> <property name="groupRoleAttribute" value="ou"/> </bean> </constructor-arg> </bean>
This would set up the provider to access an LDAP server with URL ldap://monkeymachine:389/dc=springframework,dc=org. Authentication will be performed by attempting to bind with the DN uid=<user-login-name>,ou=people,dc=springframework,dc=org. After successful authentication, roles will be assigned to the user by searching under the DN ou=groups,dc=springframework,dc=org with the default filter (member=<user's-DN>). The role name will be taken from the "ou" attribute of each match.
The authenticate method will reject empty passwords outright. LDAP servers may allow an anonymous bind operation with an empty password, even if a DN is supplied. In practice this means that if the LDAP directory is configured to allow unauthenticated access, it might be possible to authenticate as any user just by supplying an empty password. More information on the misuse of unauthenticated access can be found in draft-ietf-ldapbis-authmeth-19.txt.
BindAuthenticator
,
DefaultLdapAuthoritiesPopulator
Field Summary | |
---|---|
protected MessageSourceAccessor |
messages
|
Constructor Summary | |
---|---|
LdapAuthenticationProvider(LdapAuthenticator authenticator)
Creates an instance with the supplied authenticator and a null authorities populator. |
|
LdapAuthenticationProvider(LdapAuthenticator authenticator,
LdapAuthoritiesPopulator authoritiesPopulator)
Create an instance with the supplied authenticator and authorities populator implementations. |
Method Summary | |
---|---|
Authentication |
authenticate(Authentication authentication)
Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication) . |
protected Authentication |
createSuccessfulAuthentication(UsernamePasswordAuthenticationToken authentication,
UserDetails user)
Creates the final Authentication object which will be returned from the authenticate method. |
protected LdapAuthoritiesPopulator |
getAuthoritiesPopulator()
|
protected UserDetailsContextMapper |
getUserDetailsContextMapper()
Provides access to the injected UserDetailsContextMapper strategy for use by subclasses. |
protected Collection<GrantedAuthority> |
loadUserAuthorities(org.springframework.ldap.core.DirContextOperations userData,
String username,
String password)
|
void |
setHideUserNotFoundExceptions(boolean hideUserNotFoundExceptions)
|
void |
setMessageSource(MessageSource messageSource)
|
void |
setUseAuthenticationRequestCredentials(boolean useAuthenticationRequestCredentials)
Determines whether the supplied password will be used as the credentials in the successful authentication token. |
void |
setUserDetailsContextMapper(UserDetailsContextMapper userDetailsContextMapper)
Allows a custom strategy to be used for creating the UserDetails which will be stored as the principal in the Authentication returned by the createSuccessfulAuthentication(UsernamePasswordAuthenticationToken, UserDetails) method. |
boolean |
supports(Class<? extends Object> authentication)
Returns true if this AuthenticationProvider supports the indicated
Authentication object. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
protected MessageSourceAccessor messages
Constructor Detail |
---|
public LdapAuthenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator)
authenticator
- the authentication strategy (bind, password comparison, etc)
to be used by this provider for authenticating users.authoritiesPopulator
- the strategy for obtaining the authorities for a given user after they've been
authenticated.public LdapAuthenticationProvider(LdapAuthenticator authenticator)
authenticator
- the authenticator strategy.Method Detail |
---|
protected LdapAuthoritiesPopulator getAuthoritiesPopulator()
public void setUserDetailsContextMapper(UserDetailsContextMapper userDetailsContextMapper)
createSuccessfulAuthentication(UsernamePasswordAuthenticationToken, UserDetails)
method.
userDetailsContextMapper
- the strategy instance. If not set, defaults to a simple
LdapUserDetailsMapper.protected UserDetailsContextMapper getUserDetailsContextMapper()
public void setHideUserNotFoundExceptions(boolean hideUserNotFoundExceptions)
public void setUseAuthenticationRequestCredentials(boolean useAuthenticationRequestCredentials)
useAuthenticationRequestCredentials
- public void setMessageSource(MessageSource messageSource)
setMessageSource
in interface MessageSourceAware
public Authentication authenticate(Authentication authentication) throws AuthenticationException
AuthenticationProvider
AuthenticationManager.authenticate(Authentication)
.
authenticate
in interface AuthenticationProvider
authentication
- the authentication request object.
null
if the
AuthenticationProvider
is unable to support authentication of the passed
Authentication
object. In such a case, the next AuthenticationProvider
that
supports the presented Authentication
class will be tried.
AuthenticationException
- if authentication fails.protected Collection<GrantedAuthority> loadUserAuthorities(org.springframework.ldap.core.DirContextOperations userData, String username, String password)
protected Authentication createSuccessfulAuthentication(UsernamePasswordAuthenticationToken authentication, UserDetails user)
authentication
- the original authentication request tokenuser
- the UserDetails instance returned by the configured UserDetailsContextMapper.
public boolean supports(Class<? extends Object> authentication)
AuthenticationProvider
true
if this AuthenticationProvider
supports the indicated
Authentication
object.
Returning true
does not guarantee an AuthenticationProvider
will be able to
authenticate the presented instance of the Authentication
class. It simply indicates it can support
closer evaluation of it. An AuthenticationProvider
can still return null
from the
AuthenticationProvider.authenticate(Authentication)
method to indicate another AuthenticationProvider
should be
tried.
Selection of an AuthenticationProvider
capable of performing authentication is
conducted at runtime the ProviderManager
.
supports
in interface AuthenticationProvider
authentication
- DOCUMENT ME!
true
if the implementation can more closely evaluate the Authentication
class
presented
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |