org.springframework.security.ldap.authentication.ad
Class ActiveDirectoryLdapAuthenticationProvider
java.lang.Object
org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider
org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider
- All Implemented Interfaces:
- MessageSourceAware, AuthenticationProvider
public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLdapAuthenticationProvider
Specialized LDAP authentication provider which uses Active Directory configuration conventions.
It will authenticate using the Active Directory userPrincipalName (in the form username@domain). If the username does not already end with the domain name, the userPrincipalName will be built by appending the configured domain name to the username supplied in the authentication request. If no domain name is configured, it is assumed that the username will always contain the domain name.
The user authorities are obtained from the data contained in the memberOf attribute.
Active Directory Sub-Error Codes
When an authentication fails, resulting in a standard LDAP 49 error code, Active Directory also supplies its own
sub-error codes within the error message. These will be used to provide additional log information on why an
authentication has failed. Typical examples are
- 525 - user not found
- 52e - invalid credentials
- 530 - not permitted to logon at this time
- 532 - password expired
- 533 - account disabled
- 701 - account expired
- 773 - user must reset password
- 775 - account locked
If you set the convertSubErrorCodesToExceptions property to true, the codes will also be used to control the exception raised.
- Since:
- 3.1
Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
ActiveDirectoryLdapAuthenticationProvider
public ActiveDirectoryLdapAuthenticationProvider(String domain, String url)
- Parameters:
- domain - the domain name (may be null or empty)
- url - an LDAP url (or multiple URLs)
doAuthentication
protected DirContextOperations doAuthentication(UsernamePasswordAuthenticationToken auth)
- Specified by:
- doAuthentication in class AbstractLdapAuthenticationProvider
loadUserAuthorities
protected Collection<? extends GrantedAuthority> loadUserAuthorities(DirContextOperations userData, String username, String password)
- Creates the user authority list from the values of the memberOf attribute obtained from the user's Active Directory entry.
- Specified by:
- loadUserAuthorities in class AbstractLdapAuthenticationProvider
setConvertSubErrorCodesToExceptions
public void setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToExceptions)
- By default, a failed authentication (LDAP error 49) will result in a BadCredentialsException. If this property is set to true, the exception message from a failed bind attempt will be parsed for the AD-specific error code and a CredentialsExpiredException, DisabledException, AccountExpiredException or LockedException will be thrown for the corresponding codes. All other codes will result in the default BadCredentialsException.
- Parameters:
- convertSubErrorCodesToExceptions - true to raise an exception based on the AD error code.
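An added example (not part of Spring Security's own sources) showing how the sub-error codes listed above and the setConvertSubErrorCodesToExceptions property fit together: the provider is wired with the property enabled so each AD code surfaces as its own exception type, and a wrapper records the specific reason in an audit log while returning one generic failure to the caller. The class name AdLoginService, the logger name and the domain/URL values in the comments are assumptions for illustration.

```java
import java.util.logging.Logger;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

public final class AdLoginService {
    private static final Logger AUDIT = Logger.getLogger("auth.audit"); // assumed logger name

    /** What the caller sees; the AD-specific reason is written to the audit log only. */
    public enum Outcome { SUCCESS, FAILED, PASSWORD_CHANGE_REQUIRED }

    private final AuthenticationProvider provider;

    // domain and ldapUrl are deployment values, e.g. "example.com" and "ldap://dc1.example.com:389/" (assumed)
    public AdLoginService(String domain, String ldapUrl) {
        ActiveDirectoryLdapAuthenticationProvider ad =
                new ActiveDirectoryLdapAuthenticationProvider(domain, ldapUrl);
        // Default is false: every LDAP 49 failure is then a BadCredentialsException and the
        // AD sub-error code is visible only in the exception/log message, not in the type.
        ad.setConvertSubErrorCodesToExceptions(true);
        this.provider = ad;
    }

    public Outcome login(String username, String password) {
        // With domain "example.com", "alice" is bound as userPrincipalName "alice@example.com";
        // "alice@example.com" is passed through as-is.
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        try {
            Authentication result = provider.authenticate(request);
            AUDIT.info("login ok user=" + result.getName() + " groups=" + result.getAuthorities());
            return Outcome.SUCCESS;                    // authorities were built from memberOf
        } catch (CredentialsExpiredException e) {      // sub-error 532 (expired) / 773 (must reset)
            AUDIT.warning("login denied user=" + username + " reason=password-expired");
            return Outcome.PASSWORD_CHANGE_REQUIRED;   // the one state the user must act on
        } catch (LockedException e) {                  // sub-error 775
            AUDIT.warning("login denied user=" + username + " reason=account-locked");
        } catch (DisabledException e) {                // sub-error 533
            AUDIT.warning("login denied user=" + username + " reason=account-disabled");
        } catch (AccountExpiredException e) {          // sub-error 701
            AUDIT.warning("login denied user=" + username + " reason=account-expired");
        } catch (BadCredentialsException e) {          // 525, 52e, 530 and any unmapped code
            AUDIT.warning("login denied user=" + username + " reason=bad-credentials");
        }
        // Locked, disabled, expired and wrong-password all collapse to FAILED for the caller,
        // so the response does not disclose account state; the audit log keeps the detail.
        return Outcome.FAILED;
    }
}
```

The four account-status exceptions and BadCredentialsException are sibling types, so the catch order above is only for readability; any other AuthenticationException (for example a directory connection failure) propagates to the caller unchanged.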