OPEN - issue SEC-793: ldap-authentication-provider element parser ignores hash attribute.

http://jira.springframework.org/browse/SEC-793. Added support for hash attribute. password-encoder still takes precendence with a warning if both are present.
2008-04-23 12:50:09 +00:00 · 2008-04-23 12:50:09 +00:00 · 01185475a1
parent 7e63fe7357
commit 01185475a1
2 changed files with 38 additions and 7 deletions
--- a/core/src/main/java/org/springframework/security/config/LdapProviderBeanDefinitionParser.java
+++ b/core/src/main/java/org/springframework/security/config/LdapProviderBeanDefinitionParser.java
@ -27,7 +27,8 @@ public class LdapProviderBeanDefinitionParser implements BeanDefinitionParser {
    private Log logger = LogFactory.getLog(getClass());
  
    private static final String ATT_USER_DN_PATTERN = "user-dn-pattern";
-    private static final String ATT_USER_PASSWORD= "password-attribute";
+    private static final String ATT_USER_PASSWORD = "password-attribute";
+    private static final String ATT_HASH = PasswordEncoderParser.ATT_HASH; 
    
    private static final String DEF_USER_SEARCH_FILTER="uid={0}";

@ -51,8 +52,9 @@ public class LdapProviderBeanDefinitionParser implements BeanDefinitionParser {
            searchBean.getConstructorArgumentValues().addIndexedArgumentValue(2, contextSource);
        }
        
-        RootBeanDefinition authenticator = new RootBeanDefinition(BindAuthenticator.class); 
+        RootBeanDefinition authenticator = new RootBeanDefinition(BindAuthenticator.class);
        Element passwordCompareElt = DomUtils.getChildElementByTagName(elt, Elements.LDAP_PASSWORD_COMPARE);
+        
        if (passwordCompareElt != null) {
            authenticator = new RootBeanDefinition(PasswordComparisonAuthenticator.class);
            
@ -62,16 +64,24 @@ public class LdapProviderBeanDefinitionParser implements BeanDefinitionParser {
            }
            
            Element passwordEncoderElement = DomUtils.getChildElementByTagName(passwordCompareElt, Elements.PASSWORD_ENCODER);
+            String hash = passwordCompareElt.getAttribute(ATT_HASH);
            
            if (passwordEncoderElement != null) {
+                if (StringUtils.hasText(hash)) {
+                    parserContext.getReaderContext().warning("Attribute 'hash' cannot be used with 'password-encoder' and " +
+                            "will be ignored.", parserContext.extractSource(elt));
+                }                
                PasswordEncoderParser pep = new PasswordEncoderParser(passwordEncoderElement, parserContext);
                authenticator.getPropertyValues().addPropertyValue("passwordEncoder", pep.getPasswordEncoder());
                
                if (pep.getSaltSource() != null) {
                    parserContext.getReaderContext().warning("Salt source information isn't valid when used with LDAP", passwordEncoderElement);
                }
+            } else if (StringUtils.hasText(hash)) {
+                Class encoderClass = (Class) PasswordEncoderParser.ENCODER_CLASSES.get(hash);
+                authenticator.getPropertyValues().addPropertyValue("passwordEncoder", new RootBeanDefinition(encoderClass));
            }
-        }
+        } 
        
        authenticator.getConstructorArgumentValues().addGenericArgumentValue(contextSource);
        authenticator.getPropertyValues().addPropertyValue("userDnPatterns", userDnPatternArray);
--- a/core/src/test/java/org/springframework/security/config/LdapProviderBeanDefinitionParserTests.java
+++ b/core/src/test/java/org/springframework/security/config/LdapProviderBeanDefinitionParserTests.java
@ -41,9 +41,31 @@ public class LdapProviderBeanDefinitionParserTests {
    public void missingServerEltCausesConfigException() {
        setContext("<ldap-authentication-provider />");
    }
+
    
    @Test
    public void supportsPasswordComparisonAuthentication() {
+        setContext("<ldap-server /> " +
+                "<ldap-authentication-provider user-dn-pattern='uid={0},ou=people'>" +
+                "    <password-compare />" +
+                "</ldap-authentication-provider>");
+        LdapAuthenticationProvider provider = getProvider();
+        provider.authenticate(new UsernamePasswordAuthenticationToken("ben", "benspassword"));        
+    }    
+    
+    
+    @Test
+    public void supportsPasswordComparisonAuthenticationWithHashAttribute() {
+        setContext("<ldap-server /> " +
+                "<ldap-authentication-provider user-dn-pattern='uid={0},ou=people'>" +
+                "    <password-compare password-attribute='uid' hash='plaintext'/>" +
+                "</ldap-authentication-provider>");
+        LdapAuthenticationProvider provider = getProvider();
+        provider.authenticate(new UsernamePasswordAuthenticationToken("ben", "ben"));        
+    }    
+    
+    @Test
+    public void supportsPasswordComparisonAuthenticationWithPasswordEncoder() {
        setContext("<ldap-server /> " +
        		"<ldap-authentication-provider user-dn-pattern='uid={0},ou=people'>" +
        		"    <password-compare password-attribute='uid'>" +
@ -52,12 +74,11 @@ public class LdapProviderBeanDefinitionParserTests {
        		"</ldap-authentication-provider>");
        LdapAuthenticationProvider provider = getProvider();
        provider.authenticate(new UsernamePasswordAuthenticationToken("ben", "ben"));        
-    }
-
+    }    
+    
    private void setContext(String context) {
        appCtx = new InMemoryXmlApplicationContext(context);
-    }    
-
+    }

    private LdapAuthenticationProvider getProvider() {
        ProviderManager authManager = (ProviderManager) appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER);