Class MappingLdapAuthoritiesPopulator

  • All Implemented Interfaces:
    org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator

    public final class MappingLdapAuthoritiesPopulator
    extends IJCAbstractLdapAuthoritiesPopulator
    This class is an implementation of LdapAuthoritiesPopulator that lets you configure mappings from LDAP groups to IJC roles.

    The following properties are supported:

    • baseDN - [string, empty] The base Distinguished Name.
    • defaultRole - [string, empty] The default IJC role that all authenticated users will receive.
    • groupSearchBase - [string, empty] The part of the LDAP group DN relative to baseDN and common for all LDAP groups that this populator should search for.
    • groupToRoleMapping - [map, empty] The mapping between LDAP group names and IJC roles.
    • ignorePartialResultException - [boolean, true] Ignore referrals in LDAP search results.
    • memberOfAttributeName - [string, 'isMemberOf'] The LDAP attribute name that user entries have and that specifies a group DN where the user belongs to. Typically this is a virtual attribute determining the group membership for a user entry.
    • objectClass - [string, 'inetorgperson'] The value of objectClass LDAP attribute for determining that an LDAP entry is a user entry.
    • searchSubtree - [boolean, false] The scope for the LDAP search. false means one-level search and true means the whole subtree search.
    • useridAttributeName - [string, 'uid'] The LDAP user entry attribute containing the username.
    To determine whether a user belongs to a group listed in groupToRoleMapping, this class performs an LDAP search with a filter composed as shown below. The groupName in the filter is the group name exactly as it appears as a key in the groupToRoleMapping property, and username identifies the authenticated user.
     (&(<useridAttributeName>=<username>)(&(objectClass=<objectClass>)(<memberOfAttributeName>=<groupName>,<groupSearchBase>,<baseDN>)))
     

    Example:

    This is part of the LDIF data defining a user entry for the username 'Administrator' (the 'cn' attribute), which belongs to the group 'IJC_ADMINS' identified by its DN 'CN=IJC_ADMINS,CN=Groups,DC=example,DC=com' (the 'memberOf' attribute).

     dn: CN=Administrator,CN=Users,DC=example,DC=com
     objectClass: user
     cn: Administrator
     memberOf: CN=IJC_ADMINS,CN=Groups,DC=example,DC=com
     
    Setting up an instance of MappingLdapAuthoritiesPopulator with the following properties results in an LDAP search whose filter finds this user entry and detects its group membership.
     <property name="baseDN"><value>DC=example,DC=com</value></property>
     <property name="groupSearchBase"><value>CN=Groups</value></property>
     <property name="groupToRoleMapping"><map>
         <entry key="CN=IJC_ADMINS"><list>
           <value>ROLE_EDIT_SCHEMA</value>
           <value>ROLE_EDIT_DATA</value>
           <value>ROLE_ADMIN</value>
           <value>ROLE_USER</value>
         </list></entry>
     </map></property>
     <property name="memberOfAttributeName"><value>memberOf</value></property>
     <property name="objectClass"><value>user</value></property>
     <property name="searchSubtree"><value>true</value></property>
     <property name="useridAttributeName"><value>CN</value></property>
     
    The generated filter for the LDAP search is shown below.
     (&(CN=Administrator)(&(objectClass=user)(memberOf=CN=IJC_ADMINS,CN=Groups,DC=example,DC=com)))
     
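The following is an added example, not code from the IJC project or this class: a stand-alone Python model of how the populator composes its membership search filter and turns matching groups into IJC roles, driven by the property values and the LDIF fragment shown above. Values embedded in the filter are escaped per RFC 4515 here; the page does not say how the real class handles filter metacharacters in the username or group name, so that escaping is an assumption about what a safe implementation should do. The role resolution evaluates the filter's three equality assertions directly against an in-memory entry rather than talking to a directory.

```python
# Added example, not code from the IJC project: a stand-alone model of how
# MappingLdapAuthoritiesPopulator composes its membership search filter and
# turns matching groups into IJC roles, using the property values and LDIF
# fragment documented on this page. Filter values are escaped per RFC 4515
# here (an assumption about a safe implementation, not a statement about
# the real class).

# Property values taken from the XML configuration on this page; defaultRole
# and ignorePartialResultException keep the documented defaults.
PROPS = {
    "baseDN": "DC=example,DC=com",
    "defaultRole": "",
    "groupSearchBase": "CN=Groups",
    "groupToRoleMapping": {
        "CN=IJC_ADMINS": ["ROLE_EDIT_SCHEMA", "ROLE_EDIT_DATA", "ROLE_ADMIN", "ROLE_USER"],
    },
    "memberOfAttributeName": "memberOf",
    "objectClass": "user",
    "searchSubtree": True,
    "useridAttributeName": "CN",
}

# Constructed from the LDIF fragment on this page (attribute name -> values).
USER_ENTRY = {
    "dn": "CN=Administrator,CN=Users,DC=example,DC=com",
    "objectClass": ["user"],
    "cn": ["Administrator"],
    "memberOf": ["CN=IJC_ADMINS,CN=Groups,DC=example,DC=com"],
}


def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in an LDAP search filter (RFC 4515 section 3)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def group_dn(props: dict, group_name: str) -> str:
    """<groupName>,<groupSearchBase>,<baseDN>; empty parts are skipped (assumption)."""
    return ",".join(p for p in (group_name, props["groupSearchBase"], props["baseDN"]) if p)


def build_filter(props: dict, username: str, group_name: str) -> str:
    """Compose the search filter described in the class documentation."""
    return "(&({uid}={user})(&(objectClass={oc})({member}={dn})))".format(
        uid=props["useridAttributeName"],
        user=escape_filter_value(username),
        oc=escape_filter_value(props["objectClass"]),
        member=props["memberOfAttributeName"],
        dn=escape_filter_value(group_dn(props, group_name)),
    )


def _values(entry: dict, attr: str) -> list:
    """Case-insensitive attribute lookup; LDAP attribute types are case-insensitive."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def entry_matches(props: dict, entry: dict, username: str, group_name: str) -> bool:
    """Evaluate the filter's three equality assertions against one entry.

    Values are compared case-insensitively, a simplification of the server-side
    matching rules for cn, objectClass and DN-valued attributes.
    """
    wanted_dn = group_dn(props, group_name).lower()
    return (
        username.lower() in (v.lower() for v in _values(entry, props["useridAttributeName"]))
        and props["objectClass"].lower() in (v.lower() for v in _values(entry, "objectClass"))
        and wanted_dn in (v.lower() for v in _values(entry, props["memberOfAttributeName"]))
    )


def resolve_roles(props: dict, entry: dict, username: str) -> set:
    """defaultRole (if set) plus the roles of every mapped group the entry belongs to."""
    roles = {props["defaultRole"]} if props["defaultRole"] else set()
    for group_name, mapped_roles in props["groupToRoleMapping"].items():
        if entry_matches(props, entry, username, group_name):
            roles.update(mapped_roles)
    return roles


if __name__ == "__main__":
    print(build_filter(PROPS, "Administrator", "CN=IJC_ADMINS"))
    print(sorted(resolve_roles(PROPS, USER_ENTRY, "Administrator")))
    # A username carrying filter metacharacters stays one literal value.
    print(build_filter(PROPS, "*)(objectClass=*", "CN=IJC_ADMINS"))
```

Run as a script it prints the same filter the page shows for 'Administrator', the four roles mapped from CN=IJC_ADMINS, and, for a username containing `*`, `(` and `)`, a filter in which those characters are encoded as `\2a`, `\29` and `\28` so they cannot change the filter's structure. With an empty defaultRole (the documented default) a user who matches no mapped group receives no authorities at all, which is the behaviour to check when deciding whether defaultRole should be set.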
    Author:
    Masoud Kalali
    • Constructor Detail

      • MappingLdapAuthoritiesPopulator

        public MappingLdapAuthoritiesPopulator(org.springframework.ldap.core.ContextSource contextSource,
                                               String groupSearchBase)
    • Method Detail

      • getAdditionalRoles

        protected Set<org.springframework.security.core.GrantedAuthority> getAdditionalRoles(org.springframework.ldap.core.DirContextOperations user,
                                                                                             String username)
      • getGrantedAuthorities

        public Collection<org.springframework.security.core.GrantedAuthority> getGrantedAuthorities(org.springframework.ldap.core.DirContextOperations user,
                                                                                                    String username)
      • getGroupMembershipRoles

        public Set<org.springframework.security.core.GrantedAuthority> getGroupMembershipRoles(String userDn,
                                                                                               String username)
      • setIgnorePartialResultException

        public void setIgnorePartialResultException(boolean ignore)
      • setGroupToRoleMapping

        public void setGroupToRoleMapping(Map<String,List<String>> groupToRoleMapping)
      • setMemberOfAttributeName

        public void setMemberOfAttributeName(String memberOfAttributeName)
      • setUseridAttributeName

        public void setUseridAttributeName(String useridAttributeName)
      • setBaseDN

        public void setBaseDN(String baseDN)
      • setObjectClass

        public void setObjectClass(String objectClass)