SEC-814: Added standard bean config to ldap example and updated doc to provide some pointers to DefaultLdapAuthoritiesPopulator

Luke Taylor 2008-05-06 14:50:14 +00:00
parent afc757e618
commit 5cf0c84e2f
2 changed files with 71 additions and 27 deletions


@ -1,32 +1,65 @@
<beans:beans xmlns="http://www.springframework.org/schema/security" <beans xmlns="http://www.springframework.org/schema/beans"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:s="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd"> http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
<http> <s:http>
<intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/> <s:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" /> <s:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<form-login /> <s:form-login />
<anonymous /> <s:anonymous />
<logout /> <s:logout />
</http> </s:http>
<!--
Usernames/Passwords are
rod/koala
dianne/emu
scott/wombat
-->
<ldap-server ldif="classpath:users.ldif" />
<ldap-authentication-provider <!-- Simple namespace-based configuration -->
<s:ldap-server ldif="classpath:users.ldif" />
<s:ldap-authentication-provider
group-search-filter="member={0}" group-search-filter="member={0}"
group-search-base="ou=groups" group-search-base="ou=groups"
user-search-base="ou=people" user-search-base="ou=people"
user-search-filter="uid={0}" user-search-filter="uid={0}"
/> />
</beans:beans> <!-- Traditional Bean version of the same configuration -->
<!-- This bean points at the embedded directory server created by the ldap-server element above -->
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://localhost:389/dc=springframework,dc=org"/>
</bean>
<bean id="secondLdapProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<s:custom-authentication-provider />
<constructor-arg>
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg ref="contextSource" />
<property name="userSearch">
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value="ou=people"/>
<constructor-arg index="1" value="(uid={0})"/>
<constructor-arg index="2" ref="contextSource" />
</bean>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSource" />
<constructor-arg value="ou=groups" />
<property name="groupSearchFilter" value="member={0}"/>
<property name="groupRoleAttribute" value="ou" />
<property name="rolePrefix" value="ROLE_"/>
<property name="searchSubtree" value="true"/>
<property name="convertToUpperCase" value="true"/>
</bean>
</constructor-arg>
</bean>
</beans>
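Review bot: The comment on the `contextSource` bean says it points at the embedded server started by `<s:ldap-server>`, but the URL hard-codes port 389 while the `ldap-server` element declares no port, so the two only agree if the embedded server's default port happens to be 389 (I believe the namespace default is a non-privileged port such as 33389; worth confirming). If they differ, `secondLdapProvider` will bind in clear text, since the URL is `ldap://`, to whatever service is listening on localhost:389 rather than to the embedded directory, which is exactly the silent misconfiguration an example should not teach. Pinning the port on both sides keeps them in step: `<s:ldap-server ldif="classpath:users.ldif" port="33389" />` and `<constructor-arg value="ldap://localhost:33389/dc=springframework,dc=org"/>`. The base DN `dc=springframework,dc=org` is likewise assumed to match the root of `users.ldif`; a one-line comment stating that dependency would help readers who copy this block into their own configuration.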


@ -239,7 +239,7 @@
is used, and the login name will be substituted for the parameter is used, and the login name will be substituted for the parameter
<parameter>{0}</parameter>. The pattern should be relative to the DN that the <parameter>{0}</parameter>. The pattern should be relative to the DN that the
configured configured
<interfacename>InitialDirContextFactory</interfacename> <interfacename>SpringSecurityContextSource</interfacename>
will bind to (see the section on will bind to (see the section on
<link linkend="ldap-context-source">connecting to the LDAP server</link> <link linkend="ldap-context-source">connecting to the LDAP server</link>
for more information on this). For example, if you are using an LDAP server with for more information on this). For example, if you are using an LDAP server with
@ -323,6 +323,17 @@
which will be replaced with the user's login name.</para> which will be replaced with the user's login name.</para>
</section> </section>
</section> </section>
<section xml:id="ldap-authorities">
<title>LdapAuthoritiesPopulator</title>
<para>
After authenticating the user successfully, the <classname>LdapAuthenticationProvider</classname>
will attempt to load a set of authorities for the user by calling the configured
<interfacename>LdapAuthoritiesPopulator</interfacename> bean. The <classname>DefaultLdapAuthoritiesPopulator</classname>
is an implementation which will load the authorities by searching the directory for groups of which the user is a member
(typically these will be <literal>groupOfNames</literal> or <literal>groupOfUniqueNames</literal> entries in the directory).
Consult the Javadoc for this class for more details on how it works.
</para>
</section>
<section xml:id="ldap-bean-config"> <section xml:id="ldap-bean-config">
<info> <info>
<title>Spring Bean Configuration</title> <title>Spring Bean Configuration</title>
@ -367,7 +378,7 @@
<literal>(member=&lt;user's-DN&gt;)</literal>. The role name will be taken from the <literal>(member=&lt;user's-DN&gt;)</literal>. The role name will be taken from the
<quote>ou</quote> <quote>ou</quote>
attribute of each match.</para> attribute of each match.</para>
<para>To configurae a user search object, which uses the filter <para>To configure a user search object, which uses the filter
<literal>(uid=&lt;user-login-name&gt;)</literal> <literal>(uid=&lt;user-login-name&gt;)</literal>
for use instead of the DN-pattern (or in addition to it), you would configure the for use instead of the DN-pattern (or in addition to it), you would configure the
following bean following bean
@ -403,7 +414,7 @@ public interface UserDetailsContextMapper {
void mapUserToContext(UserDetails user, DirContextAdapter ctx); void mapUserToContext(UserDetails user, DirContextAdapter ctx);
}]]> }]]>
</programlisting> </programlisting>
Only the first method is relevant for authentication. If you provide an implememntation of this, you can Only the first method is relevant for authentication. If you provide an implementation of this interface, you can
control exactly how the UserDetails object is created. The first parameter is an instance of Spring LDAP's control exactly how the UserDetails object is created. The first parameter is an instance of Spring LDAP's
<interfacename>DirContextOperations</interfacename> which gives you access to the LDAP attributes which were loaded. <interfacename>DirContextOperations</interfacename> which gives you access to the LDAP attributes which were loaded.
The <literal>username</literal> parameter is the name used to authenticate and the final parameter is the list of authorities The <literal>username</literal> parameter is the name used to authenticate and the final parameter is the list of authorities