From a4e4120443e5523268a7033727e7c16a2006ff23 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Tue, 26 Aug 2008 13:51:01 +0000
Subject: [PATCH] SEC-963: LDAP Group Search Root http://jira.springframework.org/browse/SEC-963. Changed namespace instances of DefaultAuthoritiesPopulator to use the root as the default search location.
---
 .../LdapUserServiceBeanDefinitionParser.java | 60 +++++++++----------
 .../security/config/spring-security-2.0.4.rnc | 2 +-
 .../security/config/spring-security-2.0.xsd | 2 +-
 3 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/core/src/main/java/org/springframework/security/config/LdapUserServiceBeanDefinitionParser.java b/core/src/main/java/org/springframework/security/config/LdapUserServiceBeanDefinitionParser.java
index 27e8b9b1dd..a0f050fb68 100644
--- a/core/src/main/java/org/springframework/security/config/LdapUserServiceBeanDefinitionParser.java
+++ b/core/src/main/java/org/springframework/security/config/LdapUserServiceBeanDefinitionParser.java
@@ -14,22 +14,22 @@ import org.w3c.dom.Element;
 * @since 2.0
 */
 public class LdapUserServiceBeanDefinitionParser extends AbstractUserDetailsServiceBeanDefinitionParser {
- public static final String ATT_SERVER = "server-ref";
+ public static final String ATT_SERVER = "server-ref";
 public static final String ATT_USER_SEARCH_FILTER = "user-search-filter";
 public static final String ATT_USER_SEARCH_BASE = "user-search-base";
 public static final String DEF_USER_SEARCH_BASE = "";
 public static final String ATT_GROUP_SEARCH_FILTER = "group-search-filter";
 public static final String ATT_GROUP_SEARCH_BASE = "group-search-base";
- public static final String ATT_GROUP_ROLE_ATTRIBUTE = "group-role-attribute";
+ public static final String ATT_GROUP_ROLE_ATTRIBUTE = "group-role-attribute";
 public static final String DEF_GROUP_SEARCH_FILTER = "(uniqueMember={0})";
- public static final String DEF_GROUP_SEARCH_BASE = "ou=groups";
-
+ public static final String DEF_GROUP_SEARCH_BASE = "";
+
 static final String ATT_ROLE_PREFIX = "role-prefix";
 static final String ATT_USER_CLASS = "user-details-class";
 static final String OPT_PERSON = "person";
 static final String OPT_INETORGPERSON = "inetOrgPerson";
-
+
 public static final String LDAP_SEARCH_CLASS = "org.springframework.security.ldap.search.FilterBasedLdapUserSearch";
 public static final String PERSON_MAPPER_CLASS = "org.springframework.security.userdetails.ldap.PersonContextMapper";
 public static final String INET_ORG_PERSON_MAPPER_CLASS = "org.springframework.security.userdetails.ldap.InetOrgPersonContextMapper";
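Review bot: The new `DEF_GROUP_SEARCH_BASE = ""` silently widens the scope of group-membership lookups: parseAuthoritiesPopulator (the `@@ -117,25` hunk) hands this base to the populator together with `searchSubtree` set to `Boolean.TRUE`, so a configuration with no `group-search-base` now treats every entry below the context source's base that matches `(uniqueMember={0})` as a role-granting group, not only those under `ou=groups`. That is a behaviour change for existing deployments relying on the old default and deserves an explicit mention; it also means that in directories where users can create or edit entries in other branches, such entries could confer authorities, so `group-search-base` should be set explicitly in those deployments. A comment on the constant would make the trade-off visible at the point of definition, e.g. `// Empty base plus subtree search: membership is resolved across the whole tree below the context source; set group-search-base to confine it.` The `ATT_SERVER` and `ATT_GROUP_ROLE_ATTRIBUTE` lines are removed and re-added with no visible textual change (indentation only), which adds noise to the hunk and could be dropped to keep it to the real change.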
@@ -45,42 +45,42 @@ public class LdapUserServiceBeanDefinitionParser extends AbstractUserDetailsServ
 if (!StringUtils.hasText(elt.getAttribute(ATT_USER_SEARCH_FILTER))) {
 parserContext.getReaderContext().error("User search filter must be supplied", elt);
 }
-
+
 builder.addConstructorArg(parseSearchBean(elt, parserContext));
 builder.addConstructorArg(parseAuthoritiesPopulator(elt, parserContext));
 builder.addPropertyValue("userDetailsMapper", parseUserDetailsClass(elt, parserContext));
 }
-
+
 static RootBeanDefinition parseSearchBean(Element elt, ParserContext parserContext) {
 String userSearchFilter = elt.getAttribute(ATT_USER_SEARCH_FILTER);
 String userSearchBase = elt.getAttribute(ATT_USER_SEARCH_BASE);
 Object source = parserContext.extractSource(elt);
-
+
 if (StringUtils.hasText(userSearchBase)) {
 if(!StringUtils.hasText(userSearchFilter)) {
 parserContext.getReaderContext().error(ATT_USER_SEARCH_BASE + " cannot be used without a " + ATT_USER_SEARCH_FILTER, source);
 }
 } else {
 userSearchBase = DEF_USER_SEARCH_BASE;
- }
-
+ }
+
 if (!StringUtils.hasText(userSearchFilter)) {
 return null;
 }
-
+
 BeanDefinitionBuilder searchBuilder = BeanDefinitionBuilder.rootBeanDefinition(LDAP_SEARCH_CLASS);
 searchBuilder.setSource(source);
 searchBuilder.addConstructorArg(userSearchBase);
 searchBuilder.addConstructorArg(userSearchFilter);
 searchBuilder.addConstructorArg(parseServerReference(elt, parserContext));
-
+
 return (RootBeanDefinition) searchBuilder.getBeanDefinition();
 }
-
+
 static RuntimeBeanReference parseServerReference(Element elt, ParserContext parserContext) {
 String server = elt.getAttribute(ATT_SERVER);
 boolean requiresDefaultName = false;
-
+
 if (!StringUtils.hasText(server)) {
 server = BeanIds.CONTEXT_SOURCE;
 requiresDefaultName = true;
@@ -89,27 +89,27 @@ public class LdapUserServiceBeanDefinitionParser extends AbstractUserDetailsServ
 RuntimeBeanReference contextSource = new RuntimeBeanReference(server);
 contextSource.setSource(parserContext.extractSource(elt));
 LdapConfigUtils.registerPostProcessorIfNecessary(parserContext.getRegistry(), requiresDefaultName);
-
+
 return contextSource;
 }
-
+
 static RootBeanDefinition parseUserDetailsClass(Element elt, ParserContext parserContext) {
- String userDetailsClass = elt.getAttribute(ATT_USER_CLASS);
-
- if (OPT_PERSON.equals(userDetailsClass)) {
- return new RootBeanDefinition(PERSON_MAPPER_CLASS, null, null);
- } else if (OPT_INETORGPERSON.equals(userDetailsClass)) {
- return new RootBeanDefinition(INET_ORG_PERSON_MAPPER_CLASS, null, null);
- }
- return new RootBeanDefinition(LDAP_USER_MAPPER_CLASS, null, null);
+ String userDetailsClass = elt.getAttribute(ATT_USER_CLASS);
+
+ if (OPT_PERSON.equals(userDetailsClass)) {
+ return new RootBeanDefinition(PERSON_MAPPER_CLASS, null, null);
+ } else if (OPT_INETORGPERSON.equals(userDetailsClass)) {
+ return new RootBeanDefinition(INET_ORG_PERSON_MAPPER_CLASS, null, null);
+ }
+ return new RootBeanDefinition(LDAP_USER_MAPPER_CLASS, null, null);
 }
-
+
 static RootBeanDefinition parseAuthoritiesPopulator(Element elt, ParserContext parserContext) {
 String groupSearchFilter = elt.getAttribute(ATT_GROUP_SEARCH_FILTER);
 String groupSearchBase = elt.getAttribute(ATT_GROUP_SEARCH_BASE);
 String groupRoleAttribute = elt.getAttribute(ATT_GROUP_ROLE_ATTRIBUTE);
 String rolePrefix = elt.getAttribute(ATT_ROLE_PREFIX);
-
+
 if (!StringUtils.hasText(groupSearchFilter)) {
 groupSearchFilter = DEF_GROUP_SEARCH_FILTER;
 }
@@ -117,25 +117,25 @@ public class LdapUserServiceBeanDefinitionParser extends AbstractUserDetailsServ
 if (!StringUtils.hasText(groupSearchBase)) {
 groupSearchBase = DEF_GROUP_SEARCH_BASE;
 }
-
+
 BeanDefinitionBuilder populator = BeanDefinitionBuilder.rootBeanDefinition(LDAP_AUTHORITIES_POPULATOR_CLASS);
 populator.setSource(parserContext.extractSource(elt));
 populator.addConstructorArg(parseServerReference(elt, parserContext));
 populator.addConstructorArg(groupSearchBase);
 populator.addPropertyValue("groupSearchFilter", groupSearchFilter);
 populator.addPropertyValue("searchSubtree", Boolean.TRUE);
-
+
 if (StringUtils.hasText(rolePrefix)) {
 if ("none".equals(rolePrefix)) {
 rolePrefix = "";
 }
 populator.addPropertyValue("rolePrefix", rolePrefix);
 }
-
+
 if (StringUtils.hasLength(groupRoleAttribute)) {
 populator.addPropertyValue("groupRoleAttribute", groupRoleAttribute);
 }
-
+
 return (RootBeanDefinition) populator.getBeanDefinition();
 }
 }
diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.4.rnc b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.4.rnc
index 124798d334..ba53ea0f10 100644
--- a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.4.rnc
+++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.4.rnc
@@ -89,7 +89,7 @@ group-search-filter-attribute =
 ## Group search filter. Defaults to (uniqueMember={0}). The substituted parameter is the DN of the user.
 attribute group-search-filter {xsd:string}
 group-search-base-attribute =
- ## Search base for group membership searches. Defaults to "ou=groups".
+ ## Search base for group membership searches. Defaults to "" (searching from the root).
 attribute group-search-base {xsd:string}
 user-search-filter-attribute =
 ## The LDAP filter used to search for users (optional). For example "(uid={0})". The substituted parameter is the user's login name.
diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd
index 09cfb1b52f..1106f7a78a 100644
--- a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd
+++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd
@@ -222,7 +222,7 @@ Search base for group membership searches. Defaults to
- "ou=groups".
+ "" (searching from the root).