Examples of org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator

• org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator
  The default strategy for obtaining user role information from the directory.

  It obtains roles by performing a search for "groups" the user is a member of.

  A typical group search scenario would be where each group/role is specified using the groupOfNames (or groupOfUniqueNames) LDAP objectClass and the user's DN is listed in the member (or uniqueMember) attribute to indicate that they should be assigned that role. The following LDIF sample has the groups stored under the DN ou=groups,dc=springframework,dc=org and a group called "developers" with "ben" and "luke" as members:

   dn: ou=groups,dc=springframework,dc=org objectClass: top objectClass: organizationalUnit ou: groups dn: cn=developers,ou=groups,dc=springframework,dc=org objectClass: groupOfNames objectClass: top cn: developers description: Spring Security Developers member: uid=ben,ou=people,dc=springframework,dc=org member: uid=luke,ou=people,dc=springframework,dc=org ou: developer 

  The group search is performed within a DN specified by the groupSearchBase property, which should be relative to the root DN of its ContextSource. If the search base is null, group searching is disabled. The filter used in the search is defined by the groupSearchFilter property, with the filter argument {0} being the full DN of the user. You can also optionally use the parameter {1}, which will be substituted with the username. You can also specify which attribute defines the role name by setting the groupRoleAttribute property (the default is "cn").

  The configuration below shows how the group search might be performed with the above schema.

   <bean id="ldapAuthoritiesPopulator" class="org.springframework.security.authentication.ldap.populator.DefaultLdapAuthoritiesPopulator"> <constructor-arg ref="contextSource"/> <constructor-arg value="ou=groups"/> <property name="groupRoleAttribute" value="ou"/> <!-- the following properties are shown with their default values --> <property name="searchSubTree" value="false"/> <property name="rolePrefix" value="ROLE_"/> <property name="convertToUpperCase" value="true"/> </bean> 

  A search for roles for user "uid=ben,ou=people,dc=springframework,dc=org" would return the single granted authority "ROLE_DEVELOPER".

  Note that case-conversion, use of the role prefix and setting a default role are better performed using a {@code GrantedAuthoritiesMapper} and are now deprecated.

  The single-level search is performed by default. Setting the searchSubTree property to true will enable a search of the entire subtree under groupSearchBase. @author Luke Taylor @author Filip Hanik

    private LdapAuthoritiesPopulator getLdapAuthoritiesPopulator() {
        if(ldapAuthoritiesPopulator != null) {
            return ldapAuthoritiesPopulator;
        }

        DefaultLdapAuthoritiesPopulator defaultAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(
                contextSource, groupSearchBase);
        defaultAuthoritiesPopulator.setGroupRoleAttribute(groupRoleAttribute);
        defaultAuthoritiesPopulator.setGroupSearchFilter(groupSearchFilter);

        this.ldapAuthoritiesPopulator = defaultAuthoritiesPopulator;
        return defaultAuthoritiesPopulator;
    }

    private LdapAuthenticationProvider build() throws Exception {
        BaseLdapPathContextSource contextSource = getContextSource();
        LdapAuthenticator ldapAuthenticator = createLdapAuthenticator(contextSource);

        DefaultLdapAuthoritiesPopulator authoritiesPopulator = new DefaultLdapAuthoritiesPopulator(
                contextSource, groupSearchBase);
        authoritiesPopulator.setGroupRoleAttribute(groupRoleAttribute);
        authoritiesPopulator.setGroupSearchFilter(groupSearchFilter);

        LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(
                ldapAuthenticator, authoritiesPopulator);
        SimpleAuthorityMapper simpleAuthorityMapper = new SimpleAuthorityMapper();
        simpleAuthorityMapper.setPrefix(rolePrefix);

                        return getAuthoritiesPopulator().getGrantedAuthorities(
                                userData, username + ":" + password);
                    }
                };
            } else {
                authPopulator = new DefaultLdapAuthoritiesPopulator(
                        ldapContext, ldapConfig.getGroupSearchBase());

                if (ldapConfig.getGroupSearchFilter() != null) {
                    ((DefaultLdapAuthoritiesPopulator) authPopulator)
                            .setGroupSearchFilter(ldapConfig