SEC-2490: LdapAuthenticationProviderConfigurer allows custom LdapAuthoritiesPopulator

config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTests.groovy

@@ -26,6 +26,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.authentication.ldap.NamespaceLdapAuthenticationProviderTestsConfigs.LdapAuthenticationProviderConfig;
 import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
 import org.springframework.security.ldap.authentication.PasswordComparisonAuthenticator;
+import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.PersonContextMapper;
 import org.springframework.test.util.ReflectionTestUtils;
 
@@ -57,6 +58,17 @@ class NamespaceLdapAuthenticationProviderTests extends BaseSpringSpec {
             provider.authenticator.userSearch.searchFilter == "(uid={0})"
     }
 
+    def "SEC-2490: ldap-authentication-provider custom LdapAuthoritiesPopulator"() {
+        setup:
+            LdapAuthoritiesPopulator LAP = Mock()
+            CustomAuthoritiesPopulatorConfig.LAP = LAP
+        when:
+            loadConfig(CustomAuthoritiesPopulatorConfig)
+            LdapAuthenticationProvider provider = findAuthenticationProvider(LdapAuthenticationProvider)
+        then:
+            provider.authoritiesPopulator == LAP
+    }
+
     def "ldap-authentication-provider password compare"() {
         when:
             loadConfig(PasswordCompareLdapConfig)

config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTestsConfigs.java

@@ -20,6 +20,7 @@ import org.springframework.security.authentication.encoding.PlaintextPasswordEnc
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.PersonContextMapper;
 
 /**
@@ -65,6 +66,18 @@ public class NamespaceLdapAuthenticationProviderTestsConfigs {
         }
     }
 
+    @Configuration
+    @EnableWebSecurity
+    static class CustomAuthoritiesPopulatorConfig extends WebSecurityConfigurerAdapter {
+        static LdapAuthoritiesPopulator LAP;
+        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+            auth
+                .ldapAuthentication()
+                    .userSearchFilter("(uid={0})")
+                    .ldapAuthoritiesPopulator(LAP);
+        }
+    }
+
     @Configuration
     @EnableWebSecurity
     static class PasswordCompareLdapConfig extends WebSecurityConfigurerAdapter {

config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java

@@ -36,6 +36,7 @@ import org.springframework.security.ldap.search.LdapUserSearch;
 import org.springframework.security.ldap.server.ApacheDSContainer;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper;
+import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
 import org.springframework.security.ldap.userdetails.PersonContextMapper;
 import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
@@ -61,15 +62,13 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
     private UserDetailsContextMapper userDetailsContextMapper;
     private PasswordEncoder passwordEncoder;
     private String passwordAttribute;
+    private LdapAuthoritiesPopulator ldapAuthoritiesPopulator;
 
     private LdapAuthenticationProvider build() throws Exception {
         BaseLdapPathContextSource contextSource = getContextSource();
         LdapAuthenticator ldapAuthenticator = createLdapAuthenticator(contextSource);
 
-        DefaultLdapAuthoritiesPopulator authoritiesPopulator = new DefaultLdapAuthoritiesPopulator(
+        LdapAuthoritiesPopulator authoritiesPopulator = getLdapAuthoritiesPopulator();
-                contextSource, groupSearchBase);
-        authoritiesPopulator.setGroupRoleAttribute(groupRoleAttribute);
-        authoritiesPopulator.setGroupSearchFilter(groupSearchFilter);
 
         LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(
                 ldapAuthenticator, authoritiesPopulator);
@@ -83,6 +82,17 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
         return ldapAuthenticationProvider;
     }
 
+    /**
+     * Specifies the {@link LdapAuthoritiesPopulator}.
+     *
+     * @param ldapAuthoritiesPopulator the {@link LdapAuthoritiesPopulator} the default is {@link DefaultLdapAuthoritiesPopulator}
+     * @return the {@link LdapAuthenticationProviderConfigurer} for further customizations
+     */
+    public LdapAuthenticationProviderConfigurer<B> ldapAuthoritiesPopulator(LdapAuthoritiesPopulator ldapAuthoritiesPopulator) {
+        this.ldapAuthoritiesPopulator = ldapAuthoritiesPopulator;
+        return this;
+    }
+
     /**
      * Adds an {@link ObjectPostProcessor} for this class.
      *
@@ -94,6 +104,25 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
         return this;
     }
 
+    /**
+     * Gets the {@link LdapAuthoritiesPopulator} and defaults to {@link DefaultLdapAuthoritiesPopulator}
+     *
+     * @return the {@link LdapAuthoritiesPopulator}
+     */
+    private LdapAuthoritiesPopulator getLdapAuthoritiesPopulator() {
+        if(ldapAuthoritiesPopulator != null) {
+            return ldapAuthoritiesPopulator;
+        }
+
+        DefaultLdapAuthoritiesPopulator defaultAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(
+                contextSource, groupSearchBase);
+        defaultAuthoritiesPopulator.setGroupRoleAttribute(groupRoleAttribute);
+        defaultAuthoritiesPopulator.setGroupSearchFilter(groupSearchFilter);
+
+        this.ldapAuthoritiesPopulator = defaultAuthoritiesPopulator;
+        return defaultAuthoritiesPopulator;
+    }
+
     /**
      * Creates the {@link LdapAuthenticator} to use
      *