org.springframework.security.ldap.authentication
Class LdapAuthenticationProvider

java.lang.Object
  extended by org.springframework.security.ldap.authentication.LdapAuthenticationProvider
All Implemented Interfaces:
MessageSourceAware, AuthenticationProvider

public class LdapAuthenticationProvider
extends Object
implements AuthenticationProvider, MessageSourceAware

An AuthenticationProvider implementation that authenticates against an LDAP server.

There are many ways in which an LDAP directory can be configured so this class delegates most of its responsibilities to two separate strategy interfaces, LdapAuthenticator and LdapAuthoritiesPopulator.

LdapAuthenticator

This interface is responsible for performing the user authentication and retrieving the user's information from the directory. Example implementations are BindAuthenticator which authenticates the user by "binding" as that user, and PasswordComparisonAuthenticator which compares the supplied password with the value stored in the directory, using an LDAP "compare" operation.

The task of retrieving the user attributes is delegated to the authenticator because the permissions on the attributes may depend on the type of authentication being used; for example, if binding as the user, it may be necessary to read them with the user's own permissions (using the same context used for the bind operation).

LdapAuthoritiesPopulator

Once the user has been authenticated, this interface is called to obtain the set of granted authorities for the user. The DefaultLdapAuthoritiesPopulator can be configured to obtain user role information from the user's attributes and/or to perform a search for "groups" that the user is a member of and map these to roles.

A custom implementation could obtain the roles from a completely different source, for example from a database.

Configuration

A simple configuration might be as follows:
   <bean id="contextSource"
       class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
     <constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
     <property name="userDn" value="cn=manager,dc=springframework,dc=org"/>
     <property name="password" value="password"/>
   </bean>

   <bean id="ldapAuthProvider"
       class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
     <constructor-arg>
       <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
           <constructor-arg ref="contextSource"/>
           <property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property>
       </bean>
     </constructor-arg>
     <constructor-arg>
       <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
           <constructor-arg ref="contextSource"/>
           <constructor-arg value="ou=groups"/>
           <property name="groupRoleAttribute" value="ou"/>
       </bean>
     </constructor-arg>
   </bean>

This would set up the provider to access an LDAP server with URL ldap://monkeymachine:389/dc=springframework,dc=org. Authentication will be performed by attempting to bind with the DN uid=<user-login-name>,ou=people,dc=springframework,dc=org. After successful authentication, roles will be assigned to the user by searching under the DN ou=groups,dc=springframework,dc=org with the default filter (member=<user's-DN>). The role name will be taken from the "ou" attribute of each match.

The authenticate method will reject empty passwords outright. LDAP servers may allow an anonymous bind operation with an empty password, even if a DN is supplied. In practice this means that if the LDAP directory is configured to allow unauthenticated access, it might be possible to authenticate as any user just by supplying an empty password. More information on the misuse of unauthenticated access can be found in draft-ietf-ldapbis-authmeth-19.txt.

See Also:
BindAuthenticator, DefaultLdapAuthoritiesPopulator

Field Summary
protected  MessageSourceAccessor messages
           
 
Constructor Summary
LdapAuthenticationProvider(LdapAuthenticator authenticator)
          Creates an instance with the supplied authenticator and a null authorities populator.
LdapAuthenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator)
          Create an instance with the supplied authenticator and authorities populator implementations.
 
Method Summary
 Authentication authenticate(Authentication authentication)
          Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication).
protected  Authentication createSuccessfulAuthentication(UsernamePasswordAuthenticationToken authentication, UserDetails user)
          Creates the final Authentication object which will be returned from the authenticate method.
protected  LdapAuthoritiesPopulator getAuthoritiesPopulator()
           
protected  UserDetailsContextMapper getUserDetailsContextMapper()
          Provides access to the injected UserDetailsContextMapper strategy for use by subclasses.
protected  Collection<GrantedAuthority> loadUserAuthorities(DirContextOperations userData, String username, String password)
           
 void setHideUserNotFoundExceptions(boolean hideUserNotFoundExceptions)
           
 void setMessageSource(MessageSource messageSource)
           
 void setUseAuthenticationRequestCredentials(boolean useAuthenticationRequestCredentials)
          Determines whether the supplied password will be used as the credentials in the successful authentication token.
 void setUserDetailsContextMapper(UserDetailsContextMapper userDetailsContextMapper)
          Allows a custom strategy to be used for creating the UserDetails which will be stored as the principal in the Authentication returned by the createSuccessfulAuthentication(UsernamePasswordAuthenticationToken, UserDetails) method.
 boolean supports(Class<? extends Object> authentication)
          Returns true if this AuthenticationProvider supports the indicated Authentication object.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

messages

protected MessageSourceAccessor messages
Constructor Detail

LdapAuthenticationProvider

public LdapAuthenticationProvider(LdapAuthenticator authenticator,
                                  LdapAuthoritiesPopulator authoritiesPopulator)
Create an instance with the supplied authenticator and authorities populator implementations.

Parameters:
authenticator - the authentication strategy (bind, password comparison, etc) to be used by this provider for authenticating users.
authoritiesPopulator - the strategy for obtaining the authorities for a given user after they've been authenticated.

LdapAuthenticationProvider

public LdapAuthenticationProvider(LdapAuthenticator authenticator)
Creates an instance with the supplied authenticator and a null authorities populator. In this case, the authorities must be mapped from the user context.

Parameters:
authenticator - the authenticator strategy.
Method Detail

getAuthoritiesPopulator

protected LdapAuthoritiesPopulator getAuthoritiesPopulator()

setUserDetailsContextMapper

public void setUserDetailsContextMapper(UserDetailsContextMapper userDetailsContextMapper)
Allows a custom strategy to be used for creating the UserDetails which will be stored as the principal in the Authentication returned by the createSuccessfulAuthentication(UsernamePasswordAuthenticationToken, UserDetails) method.

Parameters:
userDetailsContextMapper - the strategy instance. If not set, defaults to a simple LdapUserDetailsMapper.

getUserDetailsContextMapper

protected UserDetailsContextMapper getUserDetailsContextMapper()
Provides access to the injected UserDetailsContextMapper strategy for use by subclasses.


setHideUserNotFoundExceptions

public void setHideUserNotFoundExceptions(boolean hideUserNotFoundExceptions)

setUseAuthenticationRequestCredentials

public void setUseAuthenticationRequestCredentials(boolean useAuthenticationRequestCredentials)
Determines whether the supplied password will be used as the credentials in the successful authentication token. If set to false, then the password will be obtained from the UserDetails object created by the configured UserDetailsContextMapper. Often it will not be possible to read the password from the directory, so defaults to true.

Parameters:
useAuthenticationRequestCredentials -

setMessageSource

public void setMessageSource(MessageSource messageSource)
Specified by:
setMessageSource in interface MessageSourceAware

authenticate

public Authentication authenticate(Authentication authentication)
                            throws AuthenticationException
Description copied from interface: AuthenticationProvider
Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication).

Specified by:
authenticate in interface AuthenticationProvider
Parameters:
authentication - the authentication request object.
Returns:
a fully authenticated object including credentials. May return null if the AuthenticationProvider is unable to support authentication of the passed Authentication object. In such a case, the next AuthenticationProvider that supports the presented Authentication class will be tried.
Throws:
AuthenticationException - if authentication fails.

loadUserAuthorities

protected Collection<GrantedAuthority> loadUserAuthorities(DirContextOperations userData,
                                                           String username,
                                                           String password)

createSuccessfulAuthentication

protected Authentication createSuccessfulAuthentication(UsernamePasswordAuthenticationToken authentication,
                                                        UserDetails user)
Creates the final Authentication object which will be returned from the authenticate method.

Parameters:
authentication - the original authentication request token
user - the UserDetails instance returned by the configured UserDetailsContextMapper.
Returns:
the Authentication object for the fully authenticated user.

supports

public boolean supports(Class<? extends Object> authentication)
Description copied from interface: AuthenticationProvider
Returns true if this AuthenticationProvider supports the indicated Authentication object.

Returning true does not guarantee an AuthenticationProvider will be able to authenticate the presented instance of the Authentication class. It simply indicates it can support closer evaluation of it. An AuthenticationProvider can still return null from the AuthenticationProvider.authenticate(Authentication) method to indicate another AuthenticationProvider should be tried.

Selection of an AuthenticationProvider capable of performing authentication is conducted at runtime the ProviderManager.

Specified by:
supports in interface AuthenticationProvider
Returns:
true if the implementation can more closely evaluate the Authentication class presented