public class LdapAuthenticationProvider extends AbstractLdapAuthenticationProvider
AuthenticationProvider
implementation that authenticates against an LDAP server.
There are many ways in which an LDAP directory can be configured so this class
delegates most of its responsibilities to two separate strategy interfaces,
LdapAuthenticator
and LdapAuthoritiesPopulator
.
BindAuthenticator
which authenticates the user by "binding" as that user, and
PasswordComparisonAuthenticator
which compares the supplied password with the value
stored in the directory, using an LDAP "compare" operation.
The task of retrieving the user attributes is delegated to the authenticator because the permissions on the attributes may depend on the type of authentication being used; for example, if binding as the user, it may be necessary to read them with the user's own permissions (using the same context used for the bind operation).
DefaultLdapAuthoritiesPopulator
can be
configured to obtain user role information from the user's attributes and/or to perform
a search for "groups" that the user is a member of and map these to roles.
A custom implementation could obtain the roles from a completely different source, for example from a database.
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> <constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/> <property name="userDn" value="cn=manager,dc=springframework,dc=org"/> <property name="password" value="password"/> </bean> <bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> <constructor-arg> <bean class="org.springframework.security.ldap.authentication.BindAuthenticator"> <constructor-arg ref="contextSource"/> <property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property> </bean> </constructor-arg> <constructor-arg> <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator"> <constructor-arg ref="contextSource"/> <constructor-arg value="ou=groups"/> <property name="groupRoleAttribute" value="ou"/> </bean> </constructor-arg> </bean>
This would set up the provider to access an LDAP server with URL ldap://monkeymachine:389/dc=springframework,dc=org. Authentication will be performed by attempting to bind with the DN uid=<user-login-name>,ou=people,dc=springframework,dc=org. After successful authentication, roles will be assigned to the user by searching under the DN ou=groups,dc=springframework,dc=org with the default filter (member=<user's-DN>). The role name will be taken from the "ou" attribute of each match.
The authenticate method will reject empty passwords outright. LDAP servers may allow an anonymous bind operation with an empty password, even if a DN is supplied. In practice this means that if the LDAP directory is configured to allow unauthenticated access, it might be possible to authenticate as any user just by supplying an empty password. More information on the misuse of unauthenticated access can be found in draft -ietf-ldapbis-authmeth-19.txt.
BindAuthenticator
,
DefaultLdapAuthoritiesPopulator
logger, messages, userDetailsContextMapper
Constructor and Description |
---|
LdapAuthenticationProvider(LdapAuthenticator authenticator)
Creates an instance with the supplied authenticator and a null authorities
populator.
|
LdapAuthenticationProvider(LdapAuthenticator authenticator,
LdapAuthoritiesPopulator authoritiesPopulator)
Create an instance with the supplied authenticator and authorities populator
implementations.
|
Modifier and Type | Method and Description |
---|---|
protected DirContextOperations |
doAuthentication(UsernamePasswordAuthenticationToken authentication) |
protected LdapAuthoritiesPopulator |
getAuthoritiesPopulator() |
protected Collection<? extends GrantedAuthority> |
loadUserAuthorities(DirContextOperations userData,
String username,
String password) |
void |
setHideUserNotFoundExceptions(boolean hideUserNotFoundExceptions) |
authenticate, createSuccessfulAuthentication, getUserDetailsContextMapper, setAuthoritiesMapper, setMessageSource, setUseAuthenticationRequestCredentials, setUserDetailsContextMapper, supports
public LdapAuthenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator)
authenticator
- the authentication strategy (bind, password comparison, etc)
to be used by this provider for authenticating users.authoritiesPopulator
- the strategy for obtaining the authorities for a given
user after they've been authenticated.public LdapAuthenticationProvider(LdapAuthenticator authenticator)
authenticator
- the authenticator strategy.protected LdapAuthoritiesPopulator getAuthoritiesPopulator()
public void setHideUserNotFoundExceptions(boolean hideUserNotFoundExceptions)
protected DirContextOperations doAuthentication(UsernamePasswordAuthenticationToken authentication)
doAuthentication
in class AbstractLdapAuthenticationProvider
protected Collection<? extends GrantedAuthority> loadUserAuthorities(DirContextOperations userData, String username, String password)
loadUserAuthorities
in class AbstractLdapAuthenticationProvider