org.springframework.security.ldap.authentication.ad

Class ActiveDirectoryLdapAuthenticationProvider

java.lang.Object

org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider

org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider

All Implemented Interfaces:

Aware, MessageSourceAware, AuthenticationProvider

public final class ActiveDirectoryLdapAuthenticationProvider
extends AbstractLdapAuthenticationProvider

Specialized LDAP authentication provider which uses Active Directory configuration conventions.

It will authenticate using the Active Directory userPrincipalName or sAMAccountName (or a custom searchFilter) in the form [email protected]. If the username does not already end with the domain name, the userPrincipalName will be built by appending the configured domain name to the username supplied in the authentication request. If no domain name is configured, it is assumed that the username will always contain the domain name.

The user authorities are obtained from the data contained in the memberOf attribute.

Active Directory Sub-Error Codes

When an authentication fails, resulting in a standard LDAP 49 error code, Active Directory also supplies its own sub-error codes within the error message. These will be used to provide additional log information on why an authentication has failed. Typical examples are

• 525 - user not found
• 52e - invalid credentials
• 530 - not permitted to logon at this time
• 532 - password expired
• 533 - account disabled
• 701 - account expired
• 773 - user must reset password
• 775 - account locked

If you set the convertSubErrorCodesToExceptions property to true, the codes will also be used to control the exception raised.

Since:

3.1

Field Summary

Fields inherited from class org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider

logger, messages, userDetailsContextMapper

Constructor Summary

Constructors

Constructor and Description
ActiveDirectoryLdapAuthenticationProvider(String domain, String url)

Method Summary

Methods

Modifier and Type	Method and Description
protected DirContextOperations	doAuthentication(UsernamePasswordAuthenticationToken auth)
protected Collection<? extends GrantedAuthority>	loadUserAuthorities(DirContextOperations userData, String username, String password) Creates the user authority list from the values of the memberOf attribute obtained from the user's Active Directory entry.
void	setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToExceptions) By default, a failed authentication (LDAP error 49) will result in a BadCredentialsException.
void	setSearchFilter(String searchFilter) The LDAP filter string to search for the user being authenticated.

Methods inherited from class org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider

authenticate, createSuccessfulAuthentication, getUserDetailsContextMapper, setAuthoritiesMapper, setMessageSource, setUseAuthenticationRequestCredentials, setUserDetailsContextMapper, supports

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ActiveDirectoryLdapAuthenticationProvider

public ActiveDirectoryLdapAuthenticationProvider(String domain,
                                         String url)

Parameters:

domain - the domain name (may be null or empty)

url - an LDAP url (or multiple URLs)

Method Detail

doAuthentication

protected DirContextOperations doAuthentication(UsernamePasswordAuthenticationToken auth)

Specified by:

doAuthentication in class AbstractLdapAuthenticationProvider

loadUserAuthorities

protected Collection<? extends GrantedAuthority> loadUserAuthorities(DirContextOperations userData,
                                                         String username,
                                                         String password)

Creates the user authority list from the values of the memberOf attribute obtained from the user's Active Directory entry.

Specified by:

loadUserAuthorities in class AbstractLdapAuthenticationProvider

setConvertSubErrorCodesToExceptions

public void setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToExceptions)

By default, a failed authentication (LDAP error 49) will result in a BadCredentialsException.

If this property is set to true, the exception message from a failed bind attempt will be parsed for the AD-specific error code and a CredentialsExpiredException, DisabledException, AccountExpiredException or LockedException will be thrown for the corresponding codes. All other codes will result in the default BadCredentialsException.

Parameters:

convertSubErrorCodesToExceptions - true to raise an exception based on the AD error code.

setSearchFilter

public void setSearchFilter(String searchFilter)

The LDAP filter string to search for the user being authenticated. Occurrences of {0} are replaced with the [email protected].

Defaults to: (&(objectClass=user)(userPrincipalName={0}))

Parameters:

searchFilter - the filter string

Since:

3.2.6