SEC-1641: Remove the private setGroupSearchBase method and allowed a null value to be set for the group search base in the constructor.

ldap/src/main/java/org/springframework/security/ldap/userdetails/DefaultLdapAuthoritiesPopulator.java

@@ -124,12 +124,6 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
      * The pattern to be used for the user search. {0} is the user's DN
      */
     private String groupSearchFilter = "(member={0})";
-
-    /**
-     * Attributes of the User's LDAP Object that contain role name information.
-     */
-
-//    private String[] userRoleAttributes = null;
     private String rolePrefix = "ROLE_";
     private boolean convertToUpperCase = true;
 
@@ -141,13 +135,17 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
      *
      * @param contextSource supplies the contexts used to search for user roles.
      * @param groupSearchBase          if this is an empty string the search will be performed from the root DN of the
-     *                                 context factory.
+     *                                 context factory. If null, no search will be performed.
      */
     public DefaultLdapAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase) {
         Assert.notNull(contextSource, "contextSource must not be null");
         ldapTemplate = new SpringSecurityLdapTemplate(contextSource);
         ldapTemplate.setSearchControls(searchControls);
-        setGroupSearchBase(groupSearchBase);
+        this.groupSearchBase = groupSearchBase;
+
+        if (groupSearchBase.length() == 0) {
+            logger.info("groupSearchBase is empty. Searches will be performed from the context source base");
+        }
     }
 
     //~ Methods ========================================================================================================
@@ -232,20 +230,6 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
         return ldapTemplate.getContextSource();
     }
 
-    /**
-     * Set the group search base (name to search under)
-     *
-     * @param groupSearchBase if this is an empty string the search will be performed from the root DN of the context
-     *                        factory.
-     */
-    private void setGroupSearchBase(String groupSearchBase) {
-        Assert.notNull(groupSearchBase, "The groupSearchBase (name to search under), must not be null.");
-        this.groupSearchBase = groupSearchBase;
-        if (groupSearchBase.length() == 0) {
-            logger.info("groupSearchBase is empty. Searches will be performed from the context source base");
-        }
-    }
-
     protected String getGroupSearchBase() {
         return groupSearchBase;
     }

ldap/src/test/java/org/springframework/security/ldap/populator/DefaultLdapAuthoritiesPopulatorTests.java

@@ -56,6 +56,17 @@ public class DefaultLdapAuthoritiesPopulatorTests extends AbstractLdapIntegratio
         assertTrue(AuthorityUtils.authorityListToSet(authorities).contains("ROLE_USER"));
     }
 
+    @Test
+    public void nullSearchBaseIsAccepted() throws Exception {
+        populator = new DefaultLdapAuthoritiesPopulator(getContextSource(), "ou=groups");
+        populator.setDefaultRole("ROLE_USER");
+
+        Collection<GrantedAuthority> authorities = populator.getGrantedAuthorities(
+                new DirContextAdapter(new DistinguishedName("cn=notfound")), "notfound");
+        assertEquals(1, authorities.size());
+        assertTrue(AuthorityUtils.authorityListToSet(authorities).contains("ROLE_USER"));
+    }
+
     @Test
     public void groupSearchReturnsExpectedRoles() {
         populator.setRolePrefix("ROLE_");