Class LdapUserDetailsManager
- java.lang.Object
-
- org.springframework.security.ldap.userdetails.LdapUserDetailsManager
-
- All Implemented Interfaces:
UserDetailsService
,UserDetailsManager
public class LdapUserDetailsManager extends java.lang.Object implements UserDetailsManager
An Ldap implementation of UserDetailsManager.It is designed around a standard setup where users and groups/roles are stored under separate contexts, defined by the "userDnBase" and "groupSearchBase" properties respectively.
In this case, LDAP is being used purely to retrieve information and this class can be used in place of any other UserDetailsService for authentication. Authentication isn't performed directly against the directory, unlike with the LDAP authentication provider setup.
- Since:
- 2.0
-
-
Constructor Summary
Constructors Constructor Description LdapUserDetailsManager(org.springframework.ldap.core.ContextSource contextSource)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected void
addAuthorities(org.springframework.ldap.core.DistinguishedName userDn, java.util.Collection<? extends GrantedAuthority> authorities)
protected org.springframework.ldap.core.DistinguishedName
buildGroupDn(java.lang.String group)
Creates a DN from a group name.void
changePassword(java.lang.String oldPassword, java.lang.String newPassword)
Changes the password for the current user.protected void
copyToContext(UserDetails user, org.springframework.ldap.core.DirContextAdapter ctx)
void
createUser(UserDetails user)
Create a new user with the supplied details.void
deleteUser(java.lang.String username)
Remove the user with the given login name from the system.UserDetails
loadUserByUsername(java.lang.String username)
Locates the user based on the username.protected void
removeAuthorities(org.springframework.ldap.core.DistinguishedName userDn, java.util.Collection<? extends GrantedAuthority> authorities)
void
setAttributesToRetrieve(java.lang.String[] attributesToRetrieve)
void
setGroupMemberAttributeName(java.lang.String groupMemberAttributeName)
Sets the name of the multi-valued attribute which holds the DNs of users who are members of a group.void
setGroupRoleAttributeName(java.lang.String groupRoleAttributeName)
void
setGroupSearchBase(java.lang.String groupSearchBase)
void
setPasswordAttributeName(java.lang.String passwordAttributeName)
void
setRoleMapper(org.springframework.ldap.core.AttributesMapper roleMapper)
void
setUsePasswordModifyExtensionOperation(boolean usePasswordModifyExtensionOperation)
Sets the method by which a user's password gets modified.void
setUserDetailsMapper(UserDetailsContextMapper userDetailsMapper)
void
setUsernameMapper(LdapUsernameToDnMapper usernameMapper)
void
updateUser(UserDetails user)
Update the specified user.boolean
userExists(java.lang.String username)
Check if a user with the supplied login name exists in the system.
-
-
-
Method Detail
-
loadUserByUsername
public UserDetails loadUserByUsername(java.lang.String username)
Description copied from interface:UserDetailsService
Locates the user based on the username. In the actual implementation, the search may possibly be case sensitive, or case insensitive depending on how the implementation instance is configured. In this case, theUserDetails
object that comes back may have a username that is of a different case than what was actually requested..- Specified by:
loadUserByUsername
in interfaceUserDetailsService
- Parameters:
username
- the username identifying the user whose data is required.- Returns:
- a fully populated user record (never
null
)
-
changePassword
public void changePassword(java.lang.String oldPassword, java.lang.String newPassword)
Changes the password for the current user. The username is obtained from the security context. There are two supported strategies for modifying the user's password depending on the capabilities of the corresponding LDAP server.Configured one way, this method will modify the user's password via the LDAP Password Modify Extended Operation . See
setUsePasswordModifyExtensionOperation(boolean)
for details.By default, though, if the old password is supplied, the update will be made by rebinding as the user, thus modifying the password using the user's permissions. If
oldPassword
is null, the update will be attempted using a standard read/write context supplied by the context source.- Specified by:
changePassword
in interfaceUserDetailsManager
- Parameters:
oldPassword
- the old passwordnewPassword
- the new value of the password.
-
createUser
public void createUser(UserDetails user)
Description copied from interface:UserDetailsManager
Create a new user with the supplied details.- Specified by:
createUser
in interfaceUserDetailsManager
-
updateUser
public void updateUser(UserDetails user)
Description copied from interface:UserDetailsManager
Update the specified user.- Specified by:
updateUser
in interfaceUserDetailsManager
-
deleteUser
public void deleteUser(java.lang.String username)
Description copied from interface:UserDetailsManager
Remove the user with the given login name from the system.- Specified by:
deleteUser
in interfaceUserDetailsManager
-
userExists
public boolean userExists(java.lang.String username)
Description copied from interface:UserDetailsManager
Check if a user with the supplied login name exists in the system.- Specified by:
userExists
in interfaceUserDetailsManager
-
buildGroupDn
protected org.springframework.ldap.core.DistinguishedName buildGroupDn(java.lang.String group)
Creates a DN from a group name.- Parameters:
group
- the name of the group- Returns:
- the DN of the corresponding group, including the groupSearchBase
-
copyToContext
protected void copyToContext(UserDetails user, org.springframework.ldap.core.DirContextAdapter ctx)
-
addAuthorities
protected void addAuthorities(org.springframework.ldap.core.DistinguishedName userDn, java.util.Collection<? extends GrantedAuthority> authorities)
-
removeAuthorities
protected void removeAuthorities(org.springframework.ldap.core.DistinguishedName userDn, java.util.Collection<? extends GrantedAuthority> authorities)
-
setUsernameMapper
public void setUsernameMapper(LdapUsernameToDnMapper usernameMapper)
-
setPasswordAttributeName
public void setPasswordAttributeName(java.lang.String passwordAttributeName)
-
setGroupSearchBase
public void setGroupSearchBase(java.lang.String groupSearchBase)
-
setGroupRoleAttributeName
public void setGroupRoleAttributeName(java.lang.String groupRoleAttributeName)
-
setAttributesToRetrieve
public void setAttributesToRetrieve(java.lang.String[] attributesToRetrieve)
-
setUserDetailsMapper
public void setUserDetailsMapper(UserDetailsContextMapper userDetailsMapper)
-
setGroupMemberAttributeName
public void setGroupMemberAttributeName(java.lang.String groupMemberAttributeName)
Sets the name of the multi-valued attribute which holds the DNs of users who are members of a group.Usually this will be uniquemember (the default value) or member.
- Parameters:
groupMemberAttributeName
- the name of the attribute used to store group members.
-
setRoleMapper
public void setRoleMapper(org.springframework.ldap.core.AttributesMapper roleMapper)
-
setUsePasswordModifyExtensionOperation
public void setUsePasswordModifyExtensionOperation(boolean usePasswordModifyExtensionOperation)
Sets the method by which a user's password gets modified. If set totrue
, thenchangePassword(java.lang.String, java.lang.String)
will modify the user's password by way of the Password Modify Extension Operation. If set tofalse
, thenchangePassword(java.lang.String, java.lang.String)
will modify the user's password by directly modifying attributes on the corresponding entry. Before using this setting, ensure that the corresponding LDAP server supports this extended operation. By default,usePasswordModifyExtensionOperation
is false.- Parameters:
usePasswordModifyExtensionOperation
-- Since:
- 4.2.9
-
-