Class LdapUserDetailsManager
- All Implemented Interfaces:
UserDetailsService
,UserDetailsManager
It is designed around a standard setup where users and groups/roles are stored under separate contexts, defined by the "userDnBase" and "groupSearchBase" properties respectively.
In this case, LDAP is being used purely to retrieve information and this class can be used in place of any other UserDetailsService for authentication. Authentication isn't performed directly against the directory, unlike with the LDAP authentication provider setup.
- Since:
- 2.0
-
Constructor Summary
ConstructorDescriptionLdapUserDetailsManager
(org.springframework.ldap.core.ContextSource contextSource) -
Method Summary
Modifier and TypeMethodDescriptionprotected void
addAuthorities
(org.springframework.ldap.core.DistinguishedName userDn, Collection<? extends GrantedAuthority> authorities) protected org.springframework.ldap.core.DistinguishedName
buildGroupDn
(String group) Creates a DN from a group name.void
changePassword
(String oldPassword, String newPassword) Changes the password for the current user.protected void
copyToContext
(UserDetails user, org.springframework.ldap.core.DirContextAdapter ctx) void
createUser
(UserDetails user) Create a new user with the supplied details.void
deleteUser
(String username) Remove the user with the given login name from the system.loadUserByUsername
(String username) Locates the user based on the username.protected void
removeAuthorities
(org.springframework.ldap.core.DistinguishedName userDn, Collection<? extends GrantedAuthority> authorities) void
setAttributesToRetrieve
(String[] attributesToRetrieve) void
setGroupMemberAttributeName
(String groupMemberAttributeName) Sets the name of the multi-valued attribute which holds the DNs of users who are members of a group.void
setGroupRoleAttributeName
(String groupRoleAttributeName) void
setGroupSearchBase
(String groupSearchBase) void
setPasswordAttributeName
(String passwordAttributeName) void
setRoleMapper
(org.springframework.ldap.core.AttributesMapper roleMapper) void
setRolePrefix
(String rolePrefix) Sets the role prefix used when converting authorities.void
setSecurityContextHolderStrategy
(SecurityContextHolderStrategy securityContextHolderStrategy) Sets theSecurityContextHolderStrategy
to use.void
setUsePasswordModifyExtensionOperation
(boolean usePasswordModifyExtensionOperation) Sets the method by which a user's password gets modified.void
setUserDetailsMapper
(UserDetailsContextMapper userDetailsMapper) void
setUsernameMapper
(LdapUsernameToDnMapper usernameMapper) void
updateUser
(UserDetails user) Update the specified user.boolean
userExists
(String username) Check if a user with the supplied login name exists in the system.
-
Constructor Details
-
LdapUserDetailsManager
public LdapUserDetailsManager(org.springframework.ldap.core.ContextSource contextSource)
-
-
Method Details
-
loadUserByUsername
Description copied from interface:UserDetailsService
Locates the user based on the username. In the actual implementation, the search may possibly be case sensitive, or case insensitive depending on how the implementation instance is configured. In this case, theUserDetails
object that comes back may have a username that is of a different case than what was actually requested..- Specified by:
loadUserByUsername
in interfaceUserDetailsService
- Parameters:
username
- the username identifying the user whose data is required.- Returns:
- a fully populated user record (never
null
)
-
changePassword
Changes the password for the current user. The username is obtained from the security context. There are two supported strategies for modifying the user's password depending on the capabilities of the corresponding LDAP server.Configured one way, this method will modify the user's password via the LDAP Password Modify Extended Operation . See
setUsePasswordModifyExtensionOperation(boolean)
for details.By default, though, if the old password is supplied, the update will be made by rebinding as the user, thus modifying the password using the user's permissions. If
oldPassword
is null, the update will be attempted using a standard read/write context supplied by the context source.- Specified by:
changePassword
in interfaceUserDetailsManager
- Parameters:
oldPassword
- the old passwordnewPassword
- the new value of the password.
-
createUser
Description copied from interface:UserDetailsManager
Create a new user with the supplied details.- Specified by:
createUser
in interfaceUserDetailsManager
-
updateUser
Description copied from interface:UserDetailsManager
Update the specified user.- Specified by:
updateUser
in interfaceUserDetailsManager
-
deleteUser
Description copied from interface:UserDetailsManager
Remove the user with the given login name from the system.- Specified by:
deleteUser
in interfaceUserDetailsManager
-
userExists
Description copied from interface:UserDetailsManager
Check if a user with the supplied login name exists in the system.- Specified by:
userExists
in interfaceUserDetailsManager
-
buildGroupDn
Creates a DN from a group name.- Parameters:
group
- the name of the group- Returns:
- the DN of the corresponding group, including the groupSearchBase
-
copyToContext
-
addAuthorities
protected void addAuthorities(org.springframework.ldap.core.DistinguishedName userDn, Collection<? extends GrantedAuthority> authorities) -
removeAuthorities
protected void removeAuthorities(org.springframework.ldap.core.DistinguishedName userDn, Collection<? extends GrantedAuthority> authorities) -
setUsernameMapper
-
setPasswordAttributeName
-
setGroupSearchBase
-
setGroupRoleAttributeName
-
setAttributesToRetrieve
-
setUserDetailsMapper
-
setGroupMemberAttributeName
Sets the name of the multi-valued attribute which holds the DNs of users who are members of a group.Usually this will be uniquemember (the default value) or member.
- Parameters:
groupMemberAttributeName
- the name of the attribute used to store group members.
-
setRoleMapper
public void setRoleMapper(org.springframework.ldap.core.AttributesMapper roleMapper) -
setUsePasswordModifyExtensionOperation
public void setUsePasswordModifyExtensionOperation(boolean usePasswordModifyExtensionOperation) Sets the method by which a user's password gets modified. If set totrue
, thenchangePassword(java.lang.String, java.lang.String)
will modify the user's password by way of the Password Modify Extension Operation. If set tofalse
, thenchangePassword(java.lang.String, java.lang.String)
will modify the user's password by directly modifying attributes on the corresponding entry. Before using this setting, ensure that the corresponding LDAP server supports this extended operation. By default,usePasswordModifyExtensionOperation
is false.- Parameters:
usePasswordModifyExtensionOperation
-- Since:
- 4.2.9
-
setSecurityContextHolderStrategy
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) Sets theSecurityContextHolderStrategy
to use. The default action is to use theSecurityContextHolderStrategy
stored inSecurityContextHolder
.- Since:
- 5.8
-
setRolePrefix
Sets the role prefix used when converting authorities. The default value is "ROLE_"- Parameters:
rolePrefix
- role prefix- Since:
- 6.3
-