SEC-814: Added standard bean config to ldap example and updated doc to provide some pointers to DefaultLdapAuthoritiesPopulator
parent
afc757e618
commit
5cf0c84e2f
@ -1,32 +1,65 @@
|
||||||
<beans:beans xmlns="http://www.springframework.org/schema/security"
|
<beans xmlns="http://www.springframework.org/schema/beans"
|
||||||
xmlns:beans="http://www.springframework.org/schema/beans"
|
xmlns:s="http://www.springframework.org/schema/security"
|
||||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
|
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
|
||||||
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
|
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
|
||||||
|
|
||||||
<http>
|
<s:http>
|
||||||
<intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
|
<s:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
|
||||||
<intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
|
<s:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
|
||||||
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
|
<s:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
|
||||||
|
|
||||||
<form-login />
|
<s:form-login />
|
||||||
<anonymous />
|
<s:anonymous />
|
||||||
<logout />
|
<s:logout />
|
||||||
</http>
|
</s:http>
|
||||||
|
|
||||||
<!--
|
|
||||||
Usernames/Passwords are
|
|
||||||
rod/koala
|
|
||||||
dianne/emu
|
|
||||||
scott/wombat
|
|
||||||
-->
|
|
||||||
<ldap-server ldif="classpath:users.ldif" />
|
|
||||||
|
|
||||||
<ldap-authentication-provider
|
<!-- Simple namespace-based configuration -->
|
||||||
group-search-filter="member={0}"
|
|
||||||
group-search-base="ou=groups"
|
|
||||||
user-search-base="ou=people"
|
|
||||||
user-search-filter="uid={0}"
|
|
||||||
/>
|
|
||||||
|
|
||||||
</beans:beans>
|
<s:ldap-server ldif="classpath:users.ldif" />
|
||||||
|
|
||||||
|
<s:ldap-authentication-provider
|
||||||
|
group-search-filter="member={0}"
|
||||||
|
group-search-base="ou=groups"
|
||||||
|
user-search-base="ou=people"
|
||||||
|
user-search-filter="uid={0}"
|
||||||
|
/>
|
||||||
|
|
||||||
|
<!-- Traditional Bean version of the same configuration -->
|
||||||
|
|
||||||
|
<!-- This bean points at the embedded directory server created by the ldap-server element above -->
|
||||||
|
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
|
||||||
|
<constructor-arg value="ldap://localhost:389/dc=springframework,dc=org"/>
|
||||||
|
</bean>
|
||||||
|
|
||||||
|
<bean id="secondLdapProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
|
||||||
|
<s:custom-authentication-provider />
|
||||||
|
<constructor-arg>
|
||||||
|
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
|
||||||
|
<constructor-arg ref="contextSource" />
|
||||||
|
<property name="userSearch">
|
||||||
|
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
|
||||||
|
<constructor-arg index="0" value="ou=people"/>
|
||||||
|
<constructor-arg index="1" value="(uid={0})"/>
|
||||||
|
<constructor-arg index="2" ref="contextSource" />
|
||||||
|
</bean>
|
||||||
|
</property>
|
||||||
|
</bean>
|
||||||
|
</constructor-arg>
|
||||||
|
<constructor-arg>
|
||||||
|
<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
|
||||||
|
<constructor-arg ref="contextSource" />
|
||||||
|
<constructor-arg value="ou=groups" />
|
||||||
|
<property name="groupSearchFilter" value="member={0}"/>
|
||||||
|
<property name="groupRoleAttribute" value="ou" />
|
||||||
|
<property name="rolePrefix" value="ROLE_"/>
|
||||||
|
<property name="searchSubtree" value="true"/>
|
||||||
|
<property name="convertToUpperCase" value="true"/>
|
||||||
|
</bean>
|
||||||
|
</constructor-arg>
|
||||||
|
</bean>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
</beans>
|
|
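Review bot: The comment above the `contextSource` bean says it points at the embedded directory started by `<s:ldap-server>`, but that element sets no `port`, so the embedded instance listens on its default port (which, as far as I recall for this release, is not 389), while the bean is hard-wired to `ldap://localhost:389/dc=springframework,dc=org`; the two halves of the example therefore appear to target different servers. Either pin the embedded server with `<s:ldap-server ldif="classpath:users.ldif" port="389" />` or make the URL match the port the embedded server actually uses, and state the chosen port in the comment. It would also help readers copying this example to note that the URL is plain `ldap://`, so the BindAuthenticator sends the user's password to the directory unencrypted — acceptable for an in-process test server, but a production context source should use `ldaps://` or StartTLS; a comment such as `<!-- Plain ldap:// is only acceptable for the embedded test server; against a real directory use ldaps:// or StartTLS so bind passwords do not cross the network in cleartext -->` above the bean would make that explicit.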
@ -239,7 +239,7 @@
|
||||||
is used, and the login name will be substituted for the parameter
|
is used, and the login name will be substituted for the parameter
|
||||||
<parameter>{0}</parameter>. The pattern should be relative to the DN that the
|
<parameter>{0}</parameter>. The pattern should be relative to the DN that the
|
||||||
configured
|
configured
|
||||||
<interfacename>InitialDirContextFactory</interfacename>
|
<interfacename>SpringSecurityContextSource</interfacename>
|
||||||
will bind to (see the section on
|
will bind to (see the section on
|
||||||
<link linkend="ldap-context-source">connecting to the LDAP server</link>
|
<link linkend="ldap-context-source">connecting to the LDAP server</link>
|
||||||
for more information on this). For example, if you are using an LDAP server with
|
for more information on this). For example, if you are using an LDAP server with
|
||||||
|
@ -323,6 +323,17 @@
|
||||||
which will be replaced with the user's login name.</para>
|
which will be replaced with the user's login name.</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
<section xml:id="ldap-authorities">
|
||||||
|
<title>LdapAuthoritiesPopulator</title>
|
||||||
|
<para>
|
||||||
|
After authenticating the user successfully, the <classname>LdapAuthenticationProvider</classname>
|
||||||
|
will attempt to load a set of authorities for the user by calling the configured
|
||||||
|
<interfacename>LdapAuthoritiesPopulator</interfacename> bean. The <classname>DefaultLdapAuthoritiesPopulator</classname>
|
||||||
|
is an implementation which will load the authorities by searching the directory for groups of which the user is a member
|
||||||
|
(typically these will be <literal>groupOfNames</literal> or <literal>groupOfUniqueNames</literal> entries in the directory).
|
||||||
|
Consult the Javadoc for this class for more details on how it works.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
<section xml:id="ldap-bean-config">
|
<section xml:id="ldap-bean-config">
|
||||||
<info>
|
<info>
|
||||||
<title>Spring Bean Configuration</title>
|
<title>Spring Bean Configuration</title>
|
||||||
|
@ -367,7 +378,7 @@
|
||||||
<literal>(member=<user's-DN>)</literal>. The role name will be taken from the
|
<literal>(member=<user's-DN>)</literal>. The role name will be taken from the
|
||||||
<quote>ou</quote>
|
<quote>ou</quote>
|
||||||
attribute of each match.</para>
|
attribute of each match.</para>
|
||||||
<para>To configurae a user search object, which uses the filter
|
<para>To configure a user search object, which uses the filter
|
||||||
<literal>(uid=<user-login-name>)</literal>
|
<literal>(uid=<user-login-name>)</literal>
|
||||||
for use instead of the DN-pattern (or in addition to it), you would configure the
|
for use instead of the DN-pattern (or in addition to it), you would configure the
|
||||||
following bean
|
following bean
|
||||||
|
@ -403,7 +414,7 @@ public interface UserDetailsContextMapper {
|
||||||
void mapUserToContext(UserDetails user, DirContextAdapter ctx);
|
void mapUserToContext(UserDetails user, DirContextAdapter ctx);
|
||||||
}]]>
|
}]]>
|
||||||
</programlisting>
|
</programlisting>
|
||||||
Only the first method is relevant for authentication. If you provide an implememntation of this, you can
|
Only the first method is relevant for authentication. If you provide an implementation of this interface, you can
|
||||||
control exactly how the UserDetails object is created. The first parameter is an instance of Spring LDAP's
|
control exactly how the UserDetails object is created. The first parameter is an instance of Spring LDAP's
|
||||||
<interfacename>DirContextOperations</interfacename> which gives you access to the LDAP attributes which were loaded.
|
<interfacename>DirContextOperations</interfacename> which gives you access to the LDAP attributes which were loaded.
|
||||||
The <literal>username</literal> parameter is the name used to authenticate and the final parameter is the list of authorities
|
The <literal>username</literal> parameter is the name used to authenticate and the final parameter is the list of authorities
|
||||||
|
|