Add unbounid support in xml

Currently, spring-security provides apacheds integration by default. This
commit introduces a new `mode` in the `ldap-server` tag which allows to choose
beetween `apacheds` and `unboundid`. In order to keep backward compatibility
if `mode` is not set and apacheds jars are in the classpath apacheds is used
as a embedded ldap.

Fixes gh-6011
Currently, unboundid was added as a support for embbeded LDAP and it
is used on the Java Config. This commit introduces support from XML side.
Also, give the chance to users to move from apacheds to unboundid using
a new attribute `mode`.

Fixes gh-6011

config/spring-security-config.gradle

@@ -71,6 +71,7 @@ dependencies {
 
 	testRuntime 'cglib:cglib-nodep'
 	testRuntime 'org.hsqldb:hsqldb'
+    testCompile "com.unboundid:unboundid-ldapsdk"
 }
 
 

config/src/main/java/org/springframework/security/config/BeanIds.java

@@ -53,6 +53,8 @@ public abstract class BeanIds {
 			+ "methodSecurityMetadataSourceAdvisor";
 	public static final String EMBEDDED_APACHE_DS = PREFIX
 			+ "apacheDirectoryServerContainer";
+	public static final String EMBEDDED_UNBOUNDID = PREFIX
+			+ "unboundidServerContainer";
 	public static final String CONTEXT_SOURCE = PREFIX + "securityContextSource";
 
 	public static final String DEBUG_FILTER = PREFIX + "debugFilter";

config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -86,7 +86,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
 		if (!namespaceMatchesVersion(element)) {
 			pc.getReaderContext()
 					.fatal("You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or spring-security-3.1.xsd schema or spring-security-3.2.xsd schema or spring-security-4.0.xsd schema "
-							+ "with Spring Security 4.2. Please update your schema declarations to the 4.2 schema.",
+							+ "with Spring Security 5.2. Please update your schema declarations to the 5.2 schema.",
 							element);
 		}
 		String name = pc.getDelegate().getLocalName(element);
@@ -221,7 +221,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
 	private boolean matchesVersionInternal(Element element) {
 		String schemaLocation = element.getAttributeNS(
 				"http://www.w3.org/2001/XMLSchema-instance", "schemaLocation");
-		return schemaLocation.matches("(?m).*spring-security-4\\.2.*.xsd.*")
+		return schemaLocation.matches("(?m).*spring-security-5\\.2.*.xsd.*")
 				|| schemaLocation.matches("(?m).*spring-security.xsd.*")
 				|| !schemaLocation.matches("(?m).*spring-security.*");
 	}

config/src/main/java/org/springframework/security/config/ldap/LdapServerBeanDefinitionParser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,9 +17,13 @@ package org.springframework.security.config.ldap;
 
 import java.io.IOException;
 import java.net.ServerSocket;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
 import org.springframework.beans.factory.support.RootBeanDefinition;
@@ -28,11 +32,14 @@ import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.security.config.BeanIds;
 import org.springframework.security.ldap.server.ApacheDSContainer;
+import org.springframework.security.ldap.server.UnboundIdContainer;
+import org.springframework.util.ClassUtils;
 import org.springframework.util.StringUtils;
 import org.w3c.dom.Element;
 
 /**
  * @author Luke Taylor
+ * @author Eddú Meléndez
  */
 public class LdapServerBeanDefinitionParser implements BeanDefinitionParser {
 	private static final String CONTEXT_SOURCE_CLASS = "org.springframework.security.ldap.DefaultSpringSecurityContextSource";
@@ -65,6 +72,22 @@ public class LdapServerBeanDefinitionParser implements BeanDefinitionParser {
 	private static final int DEFAULT_PORT = 33389;
 	public static final String OPT_DEFAULT_PORT = String.valueOf(DEFAULT_PORT);
 
+	private static final String APACHEDS_CLASSNAME = "org.apache.directory.server.core.DefaultDirectoryService";
+	private static final String UNBOUNID_CLASSNAME = "com.unboundid.ldap.listener.InMemoryDirectoryServer";
+
+	private static final String APACHEDS_CONTAINER_CLASSNAME = "org.springframework.security.ldap.server.ApacheDSContainer";
+	private static final String UNBOUNDID_CONTAINER_CLASSNAME = "org.springframework.security.ldap.server.UnboundIdContainer";
+
+	private Map<String, EmbeddedLdapServer> embeddedServers;
+
+	public LdapServerBeanDefinitionParser() {
+		Map<String, EmbeddedLdapServer> embeddedLdapServers = new HashMap<>();
+		embeddedLdapServers.put("apacheds", new EmbeddedLdapServer(BeanIds.EMBEDDED_APACHE_DS, APACHEDS_CLASSNAME, APACHEDS_CONTAINER_CLASSNAME));
+		embeddedLdapServers.put("unboundid", new EmbeddedLdapServer(BeanIds.EMBEDDED_UNBOUNDID, UNBOUNID_CLASSNAME, UNBOUNDID_CONTAINER_CLASSNAME));
+
+		this.embeddedServers = Collections.unmodifiableMap(embeddedLdapServers);
+	}
+
 	public BeanDefinition parse(Element elt, ParserContext parserContext) {
 		String url = elt.getAttribute(ATT_URL);
 
@@ -114,6 +137,7 @@ public class LdapServerBeanDefinitionParser implements BeanDefinitionParser {
 	 * @return the BeanDefinition for the ContextSource for the embedded server.
 	 *
 	 * @see ApacheDSContainer
+	 * @see UnboundIdContainer
 	 */
 	private RootBeanDefinition createEmbeddedServer(Element element,
 			ParserContext parserContext) {
@@ -142,34 +166,78 @@ public class LdapServerBeanDefinitionParser implements BeanDefinitionParser {
 		contextSource.addPropertyValue("userDn", "uid=admin,ou=system");
 		contextSource.addPropertyValue("password", "secret");
 
-		RootBeanDefinition apacheContainer = new RootBeanDefinition(
-				"org.springframework.security.ldap.server.ApacheDSContainer", null, null);
-		apacheContainer.setSource(source);
-		apacheContainer.getConstructorArgumentValues().addGenericArgumentValue(suffix);
+		String mode = element.getAttribute("mode");
+		RootBeanDefinition ldapContainer = getRootBeanDefinition(mode);
+		ldapContainer.setSource(source);
+		ldapContainer.getConstructorArgumentValues().addGenericArgumentValue(suffix);
 
 		String ldifs = element.getAttribute(ATT_LDIF_FILE);
 		if (!StringUtils.hasText(ldifs)) {
 			ldifs = OPT_DEFAULT_LDIF_FILE;
 		}
 
-		apacheContainer.getConstructorArgumentValues().addGenericArgumentValue(ldifs);
-		apacheContainer.getPropertyValues().addPropertyValue("port", port);
+		ldapContainer.getConstructorArgumentValues().addGenericArgumentValue(ldifs);
+		ldapContainer.getPropertyValues().addPropertyValue("port", port);
 
 		logger.info("Embedded LDAP server bean definition created for URL: " + url);
 
 		if (parserContext.getRegistry()
-				.containsBeanDefinition(BeanIds.EMBEDDED_APACHE_DS)) {
+				.containsBeanDefinition(BeanIds.EMBEDDED_APACHE_DS) ||
+				parserContext.getRegistry().containsBeanDefinition(BeanIds.EMBEDDED_UNBOUNDID)) {
 			parserContext.getReaderContext().error(
 					"Only one embedded server bean is allowed per application context",
 					element);
 		}
 
-		parserContext.getRegistry().registerBeanDefinition(BeanIds.EMBEDDED_APACHE_DS,
-				apacheContainer);
+		EmbeddedLdapServer embeddedLdapServer = resolveEmbeddedLdapServer(mode);
+		if (embeddedLdapServer != null) {
+			parserContext.getRegistry().registerBeanDefinition(embeddedLdapServer.getBeanId(),
+					ldapContainer);
+		}
 
 		return (RootBeanDefinition) contextSource.getBeanDefinition();
 	}
 
+	private RootBeanDefinition getRootBeanDefinition(String mode) {
+		if (StringUtils.hasLength(mode)) {
+			if (isEmbeddedServerEnabled(mode)) {
+				return new RootBeanDefinition(this.embeddedServers.get(mode).getContainerClass(), null, null);
+			}
+		}
+		else {
+			for (Map.Entry<String, EmbeddedLdapServer> entry : this.embeddedServers.entrySet()) {
+				EmbeddedLdapServer ldapServer = entry.getValue();
+				if (ClassUtils.isPresent(ldapServer.getClassName(), getClass().getClassLoader())) {
+					return new RootBeanDefinition(ldapServer.getContainerClass(), null, null);
+				}
+			}
+		}
+		throw new IllegalStateException("Embedded LDAP server is not provided");
+	}
+
+	private boolean isEmbeddedServerEnabled(String mode) {
+		EmbeddedLdapServer server = resolveEmbeddedLdapServer(mode);
+		return server != null;
+	}
+
+	private EmbeddedLdapServer resolveEmbeddedLdapServer(String mode) {
+		if (StringUtils.hasLength(mode)) {
+			if (this.embeddedServers.containsKey(mode) ||
+					ClassUtils.isPresent(this.embeddedServers.get(mode).getClassName(), getClass().getClassLoader())) {
+				return this.embeddedServers.get(mode);
+			}
+		}
+		else {
+			for (Map.Entry<String, EmbeddedLdapServer> entry : this.embeddedServers.entrySet()) {
+				EmbeddedLdapServer ldapServer = entry.getValue();
+				if (ClassUtils.isPresent(ldapServer.getClassName(), getClass().getClassLoader())) {
+					return ldapServer;
+				}
+			}
+		}
+		return null;
+	}
+
 	private String getDefaultPort() {
 		ServerSocket serverSocket = null;
 		try {
@@ -196,4 +264,31 @@ public class LdapServerBeanDefinitionParser implements BeanDefinitionParser {
 			}
 		}
 	}
+
+	private class EmbeddedLdapServer {
+
+		private String beanId;
+
+		private String className;
+
+		private String containerClass;
+
+		public EmbeddedLdapServer(String beanId, String className, String containerClass) {
+			this.beanId = beanId;
+			this.className = className;
+			this.containerClass = containerClass;
+		}
+
+		public String getBeanId() {
+			return this.beanId;
+		}
+
+		public String getClassName() {
+			return this.className;
+		}
+
+		public String getContainerClass() {
+			return this.containerClass;
+		}
+	}
 }

config/src/main/resources/org/springframework/security/config/spring-security-5.2.rnc

@@ -83,6 +83,9 @@ ldap-server.attlist &=
 ldap-server.attlist &=
 	## Optional root suffix for the embedded LDAP server. Default is "dc=springframework,dc=org"
 	attribute root { xsd:string }?
+ldap-server.attlist &=
+	## Explicitly specifies which embedded ldap server should use. Values are `apacheds` and `unboundid`. By default, it will depends if the library is available in the classpath.
+	attribute mode { "apacheds" | "unboundid" }?
 
 ldap-server-ref-attribute =
 	## The optional server to use. If omitted, and a default LDAP server is registered (using <ldap-server> with no Id), that server will be used.

config/src/main/resources/org/springframework/security/config/spring-security-5.2.xsd

@@ -124,7 +124,7 @@
       </xs:annotation>
       <xs:complexType/>
    </xs:element>
-  
+
   <xs:attributeGroup name="password-encoder.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -222,6 +222,19 @@
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
+      <xs:attribute name="mode">
+         <xs:annotation>
+            <xs:documentation>Explicitly specifies which embedded ldap server should use. Values are `apacheds` and
+                `unboundid`. By default, it will depends if the library is available in the classpath.
+                </xs:documentation>
+         </xs:annotation>
+         <xs:simpleType>
+            <xs:restriction base="xs:token">
+               <xs:enumeration value="apacheds"/>
+               <xs:enumeration value="unboundid"/>
+            </xs:restriction>
+         </xs:simpleType>
+      </xs:attribute>
   </xs:attributeGroup>
   <xs:attributeGroup name="ldap-server-ref-attribute">
       <xs:attribute name="server-ref" use="required" type="xs:token">
@@ -395,7 +408,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="ldap-ap.attlist">
       <xs:attribute name="server-ref" type="xs:token">
          <xs:annotation>
@@ -475,7 +488,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="password-compare.attlist">
       <xs:attribute name="password-attribute" type="xs:token">
          <xs:annotation>
@@ -528,7 +541,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="protect.attlist">
       <xs:attribute name="method" use="required" type="xs:token">
          <xs:annotation>
@@ -772,13 +785,13 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
-  
-  
-  
-  
-  
-  
+
+
+
+
+
+
+
   <xs:attributeGroup name="protect-pointcut.attlist">
       <xs:attribute name="expression" use="required" type="xs:string">
          <xs:annotation>
@@ -1220,7 +1233,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="access-denied-handler.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -1245,7 +1258,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="intercept-url.attlist">
       <xs:attribute name="pattern" type="xs:token">
          <xs:annotation>
@@ -1302,7 +1315,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="logout.attlist">
       <xs:attribute name="logout-url" type="xs:token">
          <xs:annotation>
@@ -1349,7 +1362,7 @@
          <xs:attributeGroup ref="security:ref"/>
       </xs:complexType>
    </xs:element>
-  
+
   <xs:attributeGroup name="form-login.attlist">
       <xs:attribute name="login-processing-url" type="xs:token">
          <xs:annotation>
@@ -1437,7 +1450,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:element name="attribute-exchange">
       <xs:annotation>
          <xs:documentation>Sets up an attribute exchange configuration to request specified attributes from the
@@ -1636,7 +1649,7 @@
          </xs:simpleType>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="http-basic.attlist">
       <xs:attribute name="entry-point-ref" type="xs:token">
          <xs:annotation>
@@ -1652,7 +1665,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="session-management.attlist">
       <xs:attribute name="session-fixation-protection">
          <xs:annotation>
@@ -1708,7 +1721,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="concurrency-control.attlist">
       <xs:attribute name="max-sessions" type="xs:integer">
          <xs:annotation>
@@ -1755,7 +1768,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="remember-me.attlist">
       <xs:attribute name="key" type="xs:token">
          <xs:annotation>
@@ -1853,7 +1866,7 @@
   <xs:attributeGroup name="remember-me-data-source-ref">
       <xs:attributeGroup ref="security:data-source-ref"/>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="anonymous.attlist">
       <xs:attribute name="key" type="xs:token">
          <xs:annotation>
@@ -1886,8 +1899,8 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
-  
+
+
   <xs:attributeGroup name="http-port">
       <xs:attribute name="http" use="required" type="xs:token">
          <xs:annotation>
@@ -1904,7 +1917,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="x509.attlist">
       <xs:attribute name="subject-principal-regex" type="xs:token">
          <xs:annotation>
@@ -2041,7 +2054,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="ap.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -2093,7 +2106,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="user.attlist">
       <xs:attribute name="name" use="required" type="xs:token">
          <xs:annotation>
@@ -2730,4 +2743,4 @@
          <xs:enumeration value="LAST"/>
       </xs:restriction>
   </xs:simpleType>
-</xs:schema>
+</xs:schema>

config/src/test/java/org/springframework/security/config/ldap/LdapServerBeanDefinitionParserTest.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.ldap;
+
+import org.junit.After;
+import org.junit.Test;
+
+import org.springframework.security.config.BeanIds;
+import org.springframework.security.config.util.InMemoryXmlApplicationContext;
+import org.springframework.security.ldap.server.ApacheDSContainer;
+import org.springframework.security.ldap.server.UnboundIdContainer;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author Eddú Meléndez
+ */
+public class LdapServerBeanDefinitionParserTest {
+
+	private InMemoryXmlApplicationContext context;
+
+	@After
+	public void closeAppContext() {
+		if (this.context != null) {
+			this.context.close();
+			this.context = null;
+		}
+	}
+
+	@Test
+	public void apacheDirectoryServerIsStartedByDefault() {
+		this.context = new InMemoryXmlApplicationContext("<ldap-user-service user-search-filter='(uid={0})'/><ldap-server/>", "5.2", null);
+		String[] beanNames = this.context.getBeanNamesForType(ApacheDSContainer.class);
+		assertThat(beanNames).hasSize(1);
+		assertThat(beanNames[0]).isEqualTo(BeanIds.EMBEDDED_APACHE_DS);
+	}
+
+	@Test
+	public void apacheDirectoryServerIsStartedWhenIsSet() {
+		this.context = new InMemoryXmlApplicationContext("<ldap-user-service user-search-filter='(uid={0})' /><ldap-server mode='apacheds'/>", "5.2", null);
+		String[] beanNames = this.context.getBeanNamesForType(ApacheDSContainer.class);
+		assertThat(beanNames).hasSize(1);
+		assertThat(beanNames[0]).isEqualTo(BeanIds.EMBEDDED_APACHE_DS);
+	}
+
+	@Test
+	public void unboundidIsStartedWhenModeIsSet() {
+		this.context = new InMemoryXmlApplicationContext("<ldap-user-service user-search-filter='(uid={0})' /><ldap-server mode='unboundid'/>", "5.2", null);
+		String[] beanNames = this.context.getBeanNamesForType(UnboundIdContainer.class);
+		assertThat(beanNames).hasSize(1);
+		assertThat(beanNames[0]).isEqualTo(BeanIds.EMBEDDED_UNBOUNDID);
+	}
+}

config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2009-2013 the original author or authors.
+ * Copyright 2009-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@ import org.springframework.security.util.InMemoryResource;
 
 /**
  * @author Luke Taylor
+ * @author Eddú Meléndez
  */
 public class InMemoryXmlApplicationContext extends AbstractXmlApplicationContext {
 	static final String BEANS_OPENING = "<b:beans xmlns='http://www.springframework.org/schema/security'\n"
@@ -40,7 +41,7 @@ public class InMemoryXmlApplicationContext extends AbstractXmlApplicationContext
 			+ "http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-";
 	static final String BEANS_CLOSE = "</b:beans>\n";
 
-	static final String SPRING_SECURITY_VERSION = "4.2";
+	static final String SPRING_SECURITY_VERSION = "5.2";
 
 	Resource inMemoryXml;
 

docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/ldap.adoc

@@ -47,6 +47,8 @@ This can be configured to point at an external LDAP server, using the `url` attr
 <ldap-server url="ldap://springframework.org:389/dc=springframework,dc=org" />
 ----
 
+NOTE: `spring-security` provides integration with `apacheds` and `unboundid` as a embedded ldap servers. You can choose between them using the attribute `mode` in `ldap-server`.
+
 ==== Using an Embedded Test Server
 The `<ldap-server>` element can also be used to create an embedded server, which can be very useful for testing and demonstrations.
 In this case you use it without the `url` attribute:

docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc

@@ -2360,6 +2360,9 @@ This is actually the bean `id` of the `ContextSource` instance, if you want to u
 [[nsa-ldap-server-attributes]]
 ===== <ldap-server> Attributes
 
+[[nsa-ldap-server-mode]]
+* **mode**
+Explicitly specifies which embedded ldap server should use. Values are `apacheds` and `unboundid`. By default, it will depends if the library is available in the classpath.
 
 [[nsa-ldap-server-id]]
 * **id**

docs/manual/src/docs/asciidoc/index.adoc

@@ -1,5 +1,5 @@
 = Spring Security Reference
-Ben Alex; Luke Taylor; Rob Winch; Gunnar Hillert; Joe Grandja; Jay Bryant
+Ben Alex; Luke Taylor; Rob Winch; Gunnar Hillert; Joe Grandja; Jay Bryant; Eddú Meléndez
 :include-dir: _includes
 :security-api-url: https://docs.spring.io/spring-security/site/docs/current/api/
 :source-indent: 0