Class ActiveDirectoryLdapAuthenticationProvider
- java.lang.Object
-
- org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider
-
- org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider
-
- All Implemented Interfaces:
org.springframework.beans.factory.Aware
,org.springframework.context.MessageSourceAware
,AuthenticationProvider
public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLdapAuthenticationProvider
Specialized LDAP authentication provider which uses Active Directory configuration conventions.It will authenticate using the Active Directory
userPrincipalName
or a customsearchFilter
in the formusername@domain
. If the username does not already end with the domain name, theuserPrincipalName
will be built by appending the configured domain name to the username supplied in the authentication request. If no domain name is configured, it is assumed that the username will always contain the domain name.The user authorities are obtained from the data contained in the
memberOf
attribute.Active Directory Sub-Error Codes
When an authentication fails, resulting in a standard LDAP 49 error code, Active Directory also supplies its own sub-error codes within the error message. These will be used to provide additional log information on why an authentication has failed. Typical examples are- 525 - user not found
- 52e - invalid credentials
- 530 - not permitted to logon at this time
- 532 - password expired
- 533 - account disabled
- 701 - account expired
- 773 - user must reset password
- 775 - account locked
convertSubErrorCodesToExceptions
property totrue
, the codes will also be used to control the exception raised.- Since:
- 3.1
-
-
Field Summary
-
Fields inherited from class org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider
logger, messages, userDetailsContextMapper
-
-
Constructor Summary
Constructors Constructor Description ActiveDirectoryLdapAuthenticationProvider(java.lang.String domain, java.lang.String url)
ActiveDirectoryLdapAuthenticationProvider(java.lang.String domain, java.lang.String url, java.lang.String rootDn)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected org.springframework.ldap.core.DirContextOperations
doAuthentication(UsernamePasswordAuthenticationToken auth)
protected java.util.Collection<? extends GrantedAuthority>
loadUserAuthorities(org.springframework.ldap.core.DirContextOperations userData, java.lang.String username, java.lang.String password)
Creates the user authority list from the values of thememberOf
attribute obtained from the user's Active Directory entry.void
setContextEnvironmentProperties(java.util.Map<java.lang.String,java.lang.Object> environment)
Allows a custom environment properties to be used to create initial LDAP context.void
setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToExceptions)
By default, a failed authentication (LDAP error 49) will result in aBadCredentialsException
.void
setSearchFilter(java.lang.String searchFilter)
The LDAP filter string to search for the user being authenticated.-
Methods inherited from class org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider
authenticate, createSuccessfulAuthentication, getUserDetailsContextMapper, setAuthoritiesMapper, setMessageSource, setUseAuthenticationRequestCredentials, setUserDetailsContextMapper, supports
-
-
-
-
Constructor Detail
-
ActiveDirectoryLdapAuthenticationProvider
public ActiveDirectoryLdapAuthenticationProvider(java.lang.String domain, java.lang.String url, java.lang.String rootDn)
- Parameters:
domain
- the domain name (may be null or empty)url
- an LDAP url (or multiple URLs)rootDn
- the root DN (may be null or empty)
-
ActiveDirectoryLdapAuthenticationProvider
public ActiveDirectoryLdapAuthenticationProvider(java.lang.String domain, java.lang.String url)
- Parameters:
domain
- the domain name (may be null or empty)url
- an LDAP url (or multiple URLs)
-
-
Method Detail
-
doAuthentication
protected org.springframework.ldap.core.DirContextOperations doAuthentication(UsernamePasswordAuthenticationToken auth)
- Specified by:
doAuthentication
in classAbstractLdapAuthenticationProvider
-
loadUserAuthorities
protected java.util.Collection<? extends GrantedAuthority> loadUserAuthorities(org.springframework.ldap.core.DirContextOperations userData, java.lang.String username, java.lang.String password)
Creates the user authority list from the values of thememberOf
attribute obtained from the user's Active Directory entry.- Specified by:
loadUserAuthorities
in classAbstractLdapAuthenticationProvider
-
setConvertSubErrorCodesToExceptions
public void setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToExceptions)
By default, a failed authentication (LDAP error 49) will result in aBadCredentialsException
.If this property is set to
true
, the exception message from a failed bind attempt will be parsed for the AD-specific error code and aCredentialsExpiredException
,DisabledException
,AccountExpiredException
orLockedException
will be thrown for the corresponding codes. All other codes will result in the defaultBadCredentialsException
.- Parameters:
convertSubErrorCodesToExceptions
-true
to raise an exception based on the AD error code.
-
setSearchFilter
public void setSearchFilter(java.lang.String searchFilter)
The LDAP filter string to search for the user being authenticated. Occurrences of {0} are replaced with theusername@domain
. Occurrences of {1} are replaced with theusername
only.Defaults to:
(&(objectClass=user)(userPrincipalName={0}))
- Parameters:
searchFilter
- the filter string- Since:
- 3.2.6
-
setContextEnvironmentProperties
public void setContextEnvironmentProperties(java.util.Map<java.lang.String,java.lang.Object> environment)
Allows a custom environment properties to be used to create initial LDAP context.- Parameters:
environment
- the additional environment parameters to use when creating the LDAP Context
-
-