public class DefaultLdapAuthoritiesPopulator extends Object implements LdapAuthoritiesPopulator
It obtains roles by performing a search for "groups" the user is a member of.
A typical group search scenario would be where each group/role is specified using the groupOfNames (or groupOfUniqueNames) LDAP objectClass and the user's DN is listed in the member (or uniqueMember) attribute to indicate that they should be assigned that role. The following LDIF sample has the groups stored under the DN ou=groups,dc=springframework,dc=org and a group called "developers" with "ben" and "luke" as members:
dn: ou=groups,dc=springframework,dc=org objectClass: top objectClass: organizationalUnit ou: groups dn: cn=developers,ou=groups,dc=springframework,dc=org objectClass: groupOfNames objectClass: top cn: developers description: Spring Security Developers member: uid=ben,ou=people,dc=springframework,dc=org member: uid=luke,ou=people,dc=springframework,dc=org ou: developer
The group search is performed within a DN specified by the groupSearchBase property, which should be relative to the root DN of its ContextSource. If the search base is null, group searching is disabled. The filter used in the search is defined by the groupSearchFilter property, with the filter argument {0} being the full DN of the user. You can also optionally use the parameter {1}, which will be substituted with the username. You can also specify which attribute defines the role name by setting the groupRoleAttribute property (the default is "cn").
The configuration below shows how the group search might be performed with the above schema.
<bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator"> <constructor-arg ref="contextSource"/> <constructor-arg value="ou=groups"/> <property name="groupRoleAttribute" value="ou"/> <!-- the following properties are shown with their default values --> <property name="searchSubtree" value="false"/> <property name="rolePrefix" value="ROLE_"/> <property name="convertToUpperCase" value="true"/> </bean>A search for roles for user "uid=ben,ou=people,dc=springframework,dc=org" would return the single granted authority "ROLE_DEVELOPER".
The single-level search is performed by default. Setting the searchSubTree property to true will enable a search of the entire subtree under groupSearchBase.
Constructor and Description |
---|
DefaultLdapAuthoritiesPopulator(ContextSource contextSource,
String groupSearchBase)
Constructor for group search scenarios.
|
Modifier and Type | Method and Description |
---|---|
protected Set<GrantedAuthority> |
getAdditionalRoles(DirContextOperations user,
String username)
This method should be overridden if required to obtain any additional roles for the
given user (on top of those obtained from the standard search implemented by this
class).
|
protected ContextSource |
getContextSource() |
Collection<GrantedAuthority> |
getGrantedAuthorities(DirContextOperations user,
String username)
Obtains the authorities for the user who's directory entry is represented by the
supplied LdapUserDetails object.
|
Set<GrantedAuthority> |
getGroupMembershipRoles(String userDn,
String username) |
protected String |
getGroupRoleAttribute()
Returns the attribute name of the LDAP attribute that will be mapped to the role
name Method available so that classes extending this can override
|
protected String |
getGroupSearchBase() |
protected String |
getGroupSearchFilter()
Returns the search filter configured for this populator Method available so that
classes extending this can override
|
protected SpringSecurityLdapTemplate |
getLdapTemplate()
Returns the current LDAP template.
|
protected String |
getRolePrefix()
Returns the role prefix used by this populator Method available so that classes
extending this can override
|
protected boolean |
isConvertToUpperCase()
Returns true if role names are converted to uppercase Method available so that
classes extending this can override
|
void |
setConvertToUpperCase(boolean convertToUpperCase)
Convert the role to uppercase
|
void |
setDefaultRole(String defaultRole)
The default role which will be assigned to all users.
|
void |
setGroupRoleAttribute(String groupRoleAttribute) |
void |
setGroupSearchFilter(String groupSearchFilter) |
void |
setIgnorePartialResultException(boolean ignore)
Sets the corresponding property on the underlying template, avoiding specific
issues with Active Directory.
|
void |
setRolePrefix(String rolePrefix)
Sets the prefix which will be prepended to the values loaded from the directory.
|
void |
setSearchSubtree(boolean searchSubtree)
If set to true, a subtree scope search will be performed.
|
public DefaultLdapAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase)
contextSource
- supplies the contexts used to search for user roles.groupSearchBase
- if this is an empty string the search will be performed from
the root DN of the context factory. If null, no search will be performed.protected Set<GrantedAuthority> getAdditionalRoles(DirContextOperations user, String username)
user
- the context representing the user who's roles are requiredpublic final Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations user, String username)
getGrantedAuthorities
in interface LdapAuthoritiesPopulator
user
- the user who's authorities are requiredpublic Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username)
protected ContextSource getContextSource()
protected String getGroupSearchBase()
public void setConvertToUpperCase(boolean convertToUpperCase)
public void setDefaultRole(String defaultRole)
defaultRole
- the role name, including any desired prefix.public void setGroupRoleAttribute(String groupRoleAttribute)
public void setGroupSearchFilter(String groupSearchFilter)
public void setRolePrefix(String rolePrefix)
public void setSearchSubtree(boolean searchSubtree)
searchSubtree
- set to true to enable searching of the entire tree below the
groupSearchBase.public void setIgnorePartialResultException(boolean ignore)
protected SpringSecurityLdapTemplate getLdapTemplate()
SpringSecurityLdapTemplate
protected final String getGroupRoleAttribute()
setGroupRoleAttribute(String)
protected final String getGroupSearchFilter()
setGroupSearchFilter(String)
protected final String getRolePrefix()
setRolePrefix(String)
protected final boolean isConvertToUpperCase()
setConvertToUpperCase(boolean)