Class MappingLdapAuthoritiesPopulator
- java.lang.Object
- com.im.df.security.mechanim.ldap.authorization.IJCAbstractLdapAuthoritiesPopulator
- com.im.df.security.mechanim.ldap.authorization.MappingLdapAuthoritiesPopulator
- All Implemented Interfaces:
org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator
public final class MappingLdapAuthoritiesPopulator extends IJCAbstractLdapAuthoritiesPopulator
This class is an implementation of LdapAuthoritiesPopulator that lets LDAP groups be mapped to IJC roles. The following properties are supported:
- baseDN - [string, empty] The base Distinguished Name.
- defaultRole - [string, empty] The default IJC role that every authenticated user receives.
- groupSearchBase - [string, empty] The part of the LDAP group DN, relative to baseDN, that is common to all LDAP groups this populator should search for.
- groupToRoleMapping - [map, empty] The mapping between LDAP group names and lists of IJC roles.
- ignorePartialResultException - [boolean, true] Ignore referrals (PartialResultException) in LDAP search results.
- memberOfAttributeName - [string, 'isMemberOf'] The name of the attribute on user entries that holds the DN of a group the user belongs to. Typically this is a virtual attribute that the directory computes from group membership.
- objectClass - [string, 'inetorgperson'] The value of the objectClass LDAP attribute that identifies an LDAP entry as a user entry.
- searchSubtree - [boolean, false] The scope of the LDAP search: false means a one-level search, true means a whole-subtree search.
- useridAttributeName - [string, 'uid'] The LDAP user entry attribute containing the username.

For each group in groupToRoleMapping this class performs an LDAP search with a filter composed as shown below. The groupName in the filter is the group name exactly as specified in the groupToRoleMapping property; username identifies the authenticated user.

(&(<useridAttributeName>=<username>)(&(objectClass=<objectClass>)(<memberOfAttributeName>=<groupName>,<groupSearchBase>,<baseDN>)))
Example:
This is part of the LDIF data defining a user entry for the username 'Administrator' ('cn' attribute), which belongs to the group 'IJC_ADMINS' identified by its DN 'CN=IJC_ADMINS,CN=Groups,DC=example,DC=com' ('memberOf' attribute).

dn: CN=Administrator,CN=Users,DC=example,DC=com
objectClass: user
cn: Administrator
memberOf: CN=IJC_ADMINS,CN=Groups,DC=example,DC=com

Setting up an instance of MappingLdapAuthoritiesPopulator with the following properties results in an LDAP search whose filter finds this user entry and detects its group membership. The property name must be spelled groupToRoleMapping, matching the setGroupToRoleMapping setter.

<property name="baseDN"><value>DC=example,DC=com</value></property>
<property name="groupSearchBase"><value>CN=Groups</value></property>
<property name="groupToRoleMapping"><map>
  <entry key="CN=IJC_ADMINS"><list>
    <value>ROLE_EDIT_SCHEMA</value>
    <value>ROLE_EDIT_DATA</value>
    <value>ROLE_ADMIN</value>
    <value>ROLE_USER</value>
  </list></entry>
</map></property>
<property name="memberOfAttributeName"><value>memberOf</value></property>
<property name="objectClass"><value>user</value></property>
<property name="searchSubtree"><value>true</value></property>
<property name="useridAttributeName"><value>CN</value></property>

The generated filter for the LDAP search is shown below.

(&(CN=Administrator)(&(objectClass=user)(memberOf=CN=IJC_ADMINS,CN=Groups,DC=example,DC=com)))
- Author:
- Masoud Kalali
Field Summary
Fields inherited from class com.im.df.security.mechanim.ldap.authorization.IJCAbstractLdapAuthoritiesPopulator
convertToUpperCase, defaultRole, groupRoleAttribute, groupSearchBase, groupSearchFilter, ldapTemplate, rolePrefix, searchControls
Constructor Summary
MappingLdapAuthoritiesPopulator(org.springframework.ldap.core.ContextSource contextSource, String groupSearchBase)
Method Summary
protected Set<org.springframework.security.core.GrantedAuthority> getAdditionalRoles(org.springframework.ldap.core.DirContextOperations user, String username)
Collection<org.springframework.security.core.GrantedAuthority> getGrantedAuthorities(org.springframework.ldap.core.DirContextOperations user, String username)
Set<org.springframework.security.core.GrantedAuthority> getGroupMembershipRoles(String userDn, String username)
void setBaseDN(String baseDN)
void setGroupToRoleMapping(Map<String,List<String>> groupToRoleMapping)
void setIgnorePartialResultException(boolean ignore)
void setMemberOfAttributeName(String memberOfAttributeName)
void setObjectClass(String objectClass)
void setUseridAttributeName(String useridAttributeName)

Methods inherited from class com.im.df.security.mechanim.ldap.authorization.IJCAbstractLdapAuthoritiesPopulator
getContextSource, getGroupSearchBase, setConvertToUpperCase, setDefaultRole, setGroupRoleAttribute, setGroupSearchBase, setGroupSearchFilter, setRolePrefix, setSearchSubtree
Constructor Detail

MappingLdapAuthoritiesPopulator
public MappingLdapAuthoritiesPopulator(org.springframework.ldap.core.ContextSource contextSource, String groupSearchBase)

Method Detail

getAdditionalRoles
protected Set<org.springframework.security.core.GrantedAuthority> getAdditionalRoles(org.springframework.ldap.core.DirContextOperations user, String username)

getGrantedAuthorities
public Collection<org.springframework.security.core.GrantedAuthority> getGrantedAuthorities(org.springframework.ldap.core.DirContextOperations user, String username)

getGroupMembershipRoles
public Set<org.springframework.security.core.GrantedAuthority> getGroupMembershipRoles(String userDn, String username)

setIgnorePartialResultException
public void setIgnorePartialResultException(boolean ignore)

setGroupToRoleMapping
public void setGroupToRoleMapping(Map<String,List<String>> groupToRoleMapping)

setMemberOfAttributeName
public void setMemberOfAttributeName(String memberOfAttributeName)

setUseridAttributeName
public void setUseridAttributeName(String useridAttributeName)

setBaseDN
public void setBaseDN(String baseDN)

setObjectClass
public void setObjectClass(String objectClass)