Class DefaultLdapAuthoritiesPopulator
- java.lang.Object
-
- org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator
-
- All Implemented Interfaces:
LdapAuthoritiesPopulator
- Direct Known Subclasses:
NestedLdapAuthoritiesPopulator
public class DefaultLdapAuthoritiesPopulator extends java.lang.Object implements LdapAuthoritiesPopulator
The default strategy for obtaining user role information from the directory.It obtains roles by performing a search for "groups" the user is a member of.
A typical group search scenario would be where each group/role is specified using the groupOfNames (or groupOfUniqueNames) LDAP objectClass and the user's DN is listed in the member (or uniqueMember) attribute to indicate that they should be assigned that role. The following LDIF sample has the groups stored under the DN ou=groups,dc=springframework,dc=org and a group called "developers" with "ben" and "luke" as members:
dn: ou=groups,dc=springframework,dc=org objectClass: top objectClass: organizationalUnit ou: groups dn: cn=developers,ou=groups,dc=springframework,dc=org objectClass: groupOfNames objectClass: top cn: developers description: Spring Security Developers member: uid=ben,ou=people,dc=springframework,dc=org member: uid=luke,ou=people,dc=springframework,dc=org ou: developer
The group search is performed within a DN specified by the groupSearchBase property, which should be relative to the root DN of its ContextSource. If the search base is null, group searching is disabled. The filter used in the search is defined by the groupSearchFilter property, with the filter argument {0} being the full DN of the user. You can also optionally use the parameter {1}, which will be substituted with the username. You can also specify which attribute defines the role name by setting the groupRoleAttribute property (the default is "cn").
The configuration below shows how the group search might be performed with the above schema.
<bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator"> <constructor-arg ref="contextSource"/> <constructor-arg value="ou=groups"/> <property name="groupRoleAttribute" value="ou"/> <!-- the following properties are shown with their default values --> <property name="searchSubtree" value="false"/> <property name="rolePrefix" value="ROLE_"/> <property name="convertToUpperCase" value="true"/> </bean>
A search for roles for user "uid=ben,ou=people,dc=springframework,dc=org" would return the single granted authority "ROLE_DEVELOPER".The single-level search is performed by default. Setting the searchSubTree property to true will enable a search of the entire subtree under groupSearchBase.
-
-
Constructor Summary
Constructors Constructor Description DefaultLdapAuthoritiesPopulator(org.springframework.ldap.core.ContextSource contextSource, java.lang.String groupSearchBase)
Constructor for group search scenarios.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected java.util.Set<GrantedAuthority>
getAdditionalRoles(org.springframework.ldap.core.DirContextOperations user, java.lang.String username)
This method should be overridden if required to obtain any additional roles for the given user (on top of those obtained from the standard search implemented by this class).protected org.springframework.ldap.core.ContextSource
getContextSource()
java.util.Collection<GrantedAuthority>
getGrantedAuthorities(org.springframework.ldap.core.DirContextOperations user, java.lang.String username)
Obtains the authorities for the user who's directory entry is represented by the supplied LdapUserDetails object.java.util.Set<GrantedAuthority>
getGroupMembershipRoles(java.lang.String userDn, java.lang.String username)
protected java.lang.String
getGroupRoleAttribute()
Returns the attribute name of the LDAP attribute that will be mapped to the role name Method available so that classes extending this can overrideprotected java.lang.String
getGroupSearchBase()
protected java.lang.String
getGroupSearchFilter()
Returns the search filter configured for this populator Method available so that classes extending this can overrideprotected SpringSecurityLdapTemplate
getLdapTemplate()
Returns the current LDAP template.protected java.lang.String
getRolePrefix()
Returns the role prefix used by this populator Method available so that classes extending this can overrideprotected boolean
isConvertToUpperCase()
Returns true if role names are converted to uppercase Method available so that classes extending this can overridevoid
setAuthorityMapper(java.util.function.Function<java.util.Map<java.lang.String,java.util.List<java.lang.String>>,GrantedAuthority> authorityMapper)
Sets the mapping function which will be used to create instances ofGrantedAuthority
given the context record.void
setConvertToUpperCase(boolean convertToUpperCase)
Convert the role to uppercasevoid
setDefaultRole(java.lang.String defaultRole)
The default role which will be assigned to all users.void
setGroupRoleAttribute(java.lang.String groupRoleAttribute)
void
setGroupSearchFilter(java.lang.String groupSearchFilter)
void
setIgnorePartialResultException(boolean ignore)
Sets the corresponding property on the underlying template, avoiding specific issues with Active Directory.void
setRolePrefix(java.lang.String rolePrefix)
Sets the prefix which will be prepended to the values loaded from the directory.void
setSearchSubtree(boolean searchSubtree)
If set to true, a subtree scope search will be performed.
-
-
-
Constructor Detail
-
DefaultLdapAuthoritiesPopulator
public DefaultLdapAuthoritiesPopulator(org.springframework.ldap.core.ContextSource contextSource, java.lang.String groupSearchBase)
Constructor for group search scenarios. userRoleAttributes may still be set as a property.- Parameters:
contextSource
- supplies the contexts used to search for user roles.groupSearchBase
- if this is an empty string the search will be performed from the root DN of the context factory. If null, no search will be performed.
-
-
Method Detail
-
getAdditionalRoles
protected java.util.Set<GrantedAuthority> getAdditionalRoles(org.springframework.ldap.core.DirContextOperations user, java.lang.String username)
This method should be overridden if required to obtain any additional roles for the given user (on top of those obtained from the standard search implemented by this class).- Parameters:
user
- the context representing the user who's roles are required- Returns:
- the extra roles which will be merged with those returned by the group search
-
getGrantedAuthorities
public final java.util.Collection<GrantedAuthority> getGrantedAuthorities(org.springframework.ldap.core.DirContextOperations user, java.lang.String username)
Obtains the authorities for the user who's directory entry is represented by the supplied LdapUserDetails object.- Specified by:
getGrantedAuthorities
in interfaceLdapAuthoritiesPopulator
- Parameters:
user
- the user who's authorities are required- Returns:
- the set of roles granted to the user.
-
getGroupMembershipRoles
public java.util.Set<GrantedAuthority> getGroupMembershipRoles(java.lang.String userDn, java.lang.String username)
-
getContextSource
protected org.springframework.ldap.core.ContextSource getContextSource()
-
getGroupSearchBase
protected java.lang.String getGroupSearchBase()
-
setConvertToUpperCase
public void setConvertToUpperCase(boolean convertToUpperCase)
Convert the role to uppercase
-
setDefaultRole
public void setDefaultRole(java.lang.String defaultRole)
The default role which will be assigned to all users.- Parameters:
defaultRole
- the role name, including any desired prefix.
-
setGroupRoleAttribute
public void setGroupRoleAttribute(java.lang.String groupRoleAttribute)
-
setGroupSearchFilter
public void setGroupSearchFilter(java.lang.String groupSearchFilter)
-
setRolePrefix
public void setRolePrefix(java.lang.String rolePrefix)
Sets the prefix which will be prepended to the values loaded from the directory. Defaults to "ROLE_" for compatibility with RoleVoter.
-
setSearchSubtree
public void setSearchSubtree(boolean searchSubtree)
If set to true, a subtree scope search will be performed. If false a single-level search is used.- Parameters:
searchSubtree
- set to true to enable searching of the entire tree below the groupSearchBase.
-
setIgnorePartialResultException
public void setIgnorePartialResultException(boolean ignore)
Sets the corresponding property on the underlying template, avoiding specific issues with Active Directory.- See Also:
LdapTemplate.setIgnoreNameNotFoundException(boolean)
-
setAuthorityMapper
public void setAuthorityMapper(java.util.function.Function<java.util.Map<java.lang.String,java.util.List<java.lang.String>>,GrantedAuthority> authorityMapper)
Sets the mapping function which will be used to create instances ofGrantedAuthority
given the context record.- Parameters:
authorityMapper
- the mapping function
-
getLdapTemplate
protected SpringSecurityLdapTemplate getLdapTemplate()
Returns the current LDAP template. Method available so that classes extending this can override the template used- Returns:
- the LDAP template
- See Also:
SpringSecurityLdapTemplate
-
getGroupRoleAttribute
protected final java.lang.String getGroupRoleAttribute()
Returns the attribute name of the LDAP attribute that will be mapped to the role name Method available so that classes extending this can override- Returns:
- the attribute name used for role mapping
- See Also:
setGroupRoleAttribute(String)
-
getGroupSearchFilter
protected final java.lang.String getGroupSearchFilter()
Returns the search filter configured for this populator Method available so that classes extending this can override- Returns:
- the search filter
- See Also:
setGroupSearchFilter(String)
-
getRolePrefix
protected final java.lang.String getRolePrefix()
Returns the role prefix used by this populator Method available so that classes extending this can override- Returns:
- the role prefix
- See Also:
setRolePrefix(String)
-
isConvertToUpperCase
protected final boolean isConvertToUpperCase()
Returns true if role names are converted to uppercase Method available so that classes extending this can override- Returns:
- true if role names are converted to uppercase.
- See Also:
setConvertToUpperCase(boolean)
-
-