public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLdapAuthenticationProvider

It will authenticate using the Active Directory userPrincipalName (in the form username@domain) or a custom searchFilter. If the username does not already end with the domain name, the userPrincipalName will be built by appending the configured domain name to the username supplied in the authentication request. If no domain name is configured, it is assumed that the username will always contain the domain name.

The user authorities are obtained from the data contained in the memberOf attribute.

If the convertSubErrorCodesToExceptions property is set to true, the Active Directory sub-error codes returned on a failed bind will also be used to control the exception raised.

Fields inherited from class AbstractLdapAuthenticationProvider:
logger, messages, userDetailsContextMapper
| Constructor and Description |
|---|
| ActiveDirectoryLdapAuthenticationProvider(java.lang.String domain, java.lang.String url) |
| ActiveDirectoryLdapAuthenticationProvider(java.lang.String domain, java.lang.String url, java.lang.String rootDn) |

| Modifier and Type | Method and Description |
|---|---|
| protected org.springframework.ldap.core.DirContextOperations | doAuthentication(UsernamePasswordAuthenticationToken auth) |
| protected java.util.Collection<? extends GrantedAuthority> | loadUserAuthorities(org.springframework.ldap.core.DirContextOperations userData, java.lang.String username, java.lang.String password) Creates the user authority list from the values of the memberOf attribute obtained from the user's Active Directory entry. |
| void | setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToExceptions) By default, a failed authentication (LDAP error 49) will result in a BadCredentialsException. |
| void | setSearchFilter(java.lang.String searchFilter) The LDAP filter string to search for the user being authenticated. |

Methods inherited from class AbstractLdapAuthenticationProvider:
authenticate, createSuccessfulAuthentication, getUserDetailsContextMapper, setAuthoritiesMapper, setMessageSource, setUseAuthenticationRequestCredentials, setUserDetailsContextMapper, supports
public ActiveDirectoryLdapAuthenticationProvider(java.lang.String domain, java.lang.String url, java.lang.String rootDn)

Parameters:
domain - the domain name (may be null or empty)
url - an LDAP url (or multiple URLs)
rootDn - the root DN (may be null or empty)

public ActiveDirectoryLdapAuthenticationProvider(java.lang.String domain, java.lang.String url)

Parameters:
domain - the domain name (may be null or empty)
url - an LDAP url (or multiple URLs)

protected org.springframework.ldap.core.DirContextOperations doAuthentication(UsernamePasswordAuthenticationToken auth)

Specified by:
doAuthentication in class AbstractLdapAuthenticationProvider

protected java.util.Collection<? extends GrantedAuthority> loadUserAuthorities(org.springframework.ldap.core.DirContextOperations userData, java.lang.String username, java.lang.String password)

Creates the user authority list from the values of the memberOf attribute obtained from the user's Active Directory entry.

Specified by:
loadUserAuthorities in class AbstractLdapAuthenticationProvider
public void setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToExceptions)

By default, a failed authentication (LDAP error 49) will result in a BadCredentialsException. If this property is set to true, the exception message from a failed bind attempt will be parsed for the AD-specific error code and a CredentialsExpiredException, DisabledException, AccountExpiredException or LockedException will be thrown for the corresponding codes. All other codes will result in the default BadCredentialsException.

Note that these distinct exceptions reveal the state of the account (locked, disabled, expired) to whoever triggered the bind; they are useful for auditing and for redirecting a user to a password-reset flow, but should not be surfaced verbatim to unauthenticated callers.

Parameters:
convertSubErrorCodesToExceptions - true to raise an exception based on the AD error code.

public void setSearchFilter(java.lang.String searchFilter)

The LDAP filter string to search for the user being authenticated. Occurrences of {0} are replaced with the username@domain. Occurrences of {1} are replaced with the username only.

Defaults to: (&(objectClass=user)(userPrincipalName={0}))

Parameters:
searchFilter - the filter string