
OPEN - issue SEC-793: ldap-authentication-provider element parser ignores hash attribute.
http://jira.springframework.org/browse/SEC-793. Added support for hash attribute. password-encoder still takes precedence, with a warning if both are present.

Luke Taylor 17 سال پیش
والد
کامیت
01185475a1

+ 13 - 3
core/src/main/java/org/springframework/security/config/LdapProviderBeanDefinitionParser.java

@@ -27,7 +27,8 @@ public class LdapProviderBeanDefinitionParser implements BeanDefinitionParser {
     private Log logger = LogFactory.getLog(getClass());
   
     private static final String ATT_USER_DN_PATTERN = "user-dn-pattern";
-    private static final String ATT_USER_PASSWORD= "password-attribute";
+    private static final String ATT_USER_PASSWORD = "password-attribute";
+    private static final String ATT_HASH = PasswordEncoderParser.ATT_HASH; 
     
     private static final String DEF_USER_SEARCH_FILTER="uid={0}";
 
@@ -51,8 +52,9 @@ public class LdapProviderBeanDefinitionParser implements BeanDefinitionParser {
             searchBean.getConstructorArgumentValues().addIndexedArgumentValue(2, contextSource);
         }
         
-        RootBeanDefinition authenticator = new RootBeanDefinition(BindAuthenticator.class); 
+        RootBeanDefinition authenticator = new RootBeanDefinition(BindAuthenticator.class);
         Element passwordCompareElt = DomUtils.getChildElementByTagName(elt, Elements.LDAP_PASSWORD_COMPARE);
+        
         if (passwordCompareElt != null) {
             authenticator = new RootBeanDefinition(PasswordComparisonAuthenticator.class);
             
@@ -62,16 +64,24 @@ public class LdapProviderBeanDefinitionParser implements BeanDefinitionParser {
             }
             
             Element passwordEncoderElement = DomUtils.getChildElementByTagName(passwordCompareElt, Elements.PASSWORD_ENCODER);
+            String hash = passwordCompareElt.getAttribute(ATT_HASH);
             
             if (passwordEncoderElement != null) {
+                if (StringUtils.hasText(hash)) {
+                    parserContext.getReaderContext().warning("Attribute 'hash' cannot be used with 'password-encoder' and " +
+                            "will be ignored.", parserContext.extractSource(elt));
+                }                
                 PasswordEncoderParser pep = new PasswordEncoderParser(passwordEncoderElement, parserContext);
                 authenticator.getPropertyValues().addPropertyValue("passwordEncoder", pep.getPasswordEncoder());
                 
                 if (pep.getSaltSource() != null) {
                     parserContext.getReaderContext().warning("Salt source information isn't valid when used with LDAP", passwordEncoderElement);
                 }
+            } else if (StringUtils.hasText(hash)) {
+                Class encoderClass = (Class) PasswordEncoderParser.ENCODER_CLASSES.get(hash);
+                authenticator.getPropertyValues().addPropertyValue("passwordEncoder", new RootBeanDefinition(encoderClass));
             }
-        }
+        } 
         
         authenticator.getConstructorArgumentValues().addGenericArgumentValue(contextSource);
         authenticator.getPropertyValues().addPropertyValue("userDnPatterns", userDnPatternArray);
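Review bot: An unrecognised `hash` value is not checked in the new `else if` branch: if `PasswordEncoderParser.ENCODER_CLASSES` is a plain map (its definition is not in this hunk), `get(hash)` returns null and `new RootBeanDefinition(encoderClass)` is registered without a class, so a typo in the attribute would surface later as an obscure bean-creation failure rather than as a configuration error on the element. Because this attribute selects how stored passwords are compared, I would fail at parse time, e.g. `if (encoderClass == null) { parserContext.getReaderContext().error("Unsupported hash value '" + hash + "'", passwordCompareElt); }`. The "will be ignored" warning also passes `elt` as its source, while the salt-source warning passes the specific child element; `passwordCompareElt` would point the user at the element that actually carries the attribute. The enclosing parse method starts and ends outside the hunk.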

+ 25 - 4
core/src/test/java/org/springframework/security/config/LdapProviderBeanDefinitionParserTests.java

@@ -41,9 +41,31 @@ public class LdapProviderBeanDefinitionParserTests {
     public void missingServerEltCausesConfigException() {
         setContext("<ldap-authentication-provider />");
     }
+
     
     @Test
     public void supportsPasswordComparisonAuthentication() {
+        setContext("<ldap-server /> " +
+                "<ldap-authentication-provider user-dn-pattern='uid={0},ou=people'>" +
+                "    <password-compare />" +
+                "</ldap-authentication-provider>");
+        LdapAuthenticationProvider provider = getProvider();
+        provider.authenticate(new UsernamePasswordAuthenticationToken("ben", "benspassword"));        
+    }    
+    
+    
+    @Test
+    public void supportsPasswordComparisonAuthenticationWithHashAttribute() {
+        setContext("<ldap-server /> " +
+                "<ldap-authentication-provider user-dn-pattern='uid={0},ou=people'>" +
+                "    <password-compare password-attribute='uid' hash='plaintext'/>" +
+                "</ldap-authentication-provider>");
+        LdapAuthenticationProvider provider = getProvider();
+        provider.authenticate(new UsernamePasswordAuthenticationToken("ben", "ben"));        
+    }    
+    
+    @Test
+    public void supportsPasswordComparisonAuthenticationWithPasswordEncoder() {
         setContext("<ldap-server /> " +
         		"<ldap-authentication-provider user-dn-pattern='uid={0},ou=people'>" +
         		"    <password-compare password-attribute='uid'>" +
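Review bot: Neither new test covers a rejected login: `supportsPasswordComparisonAuthentication` and `supportsPasswordComparisonAuthenticationWithHashAttribute` only call `provider.authenticate(...)` with the correct password and assert nothing, so a wiring that ends up accepting any password would still pass. I would add a wrong-password case, e.g. `@Test(expected = BadCredentialsException.class)`, and a case that sets both `hash` and `<password-encoder>` to pin the precedence described in the commit message. Using `hash='plaintext'` with `password-attribute='uid'` also leaves the hashing encoders reachable through the new attribute unexercised. `supportsPasswordComparisonAuthenticationWithPasswordEncoder` continues past the end of this hunk.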
@@ -52,12 +74,11 @@ public class LdapProviderBeanDefinitionParserTests {
         		"</ldap-authentication-provider>");
         LdapAuthenticationProvider provider = getProvider();
         provider.authenticate(new UsernamePasswordAuthenticationToken("ben", "ben"));        
-    }
-
+    }    
+    
     private void setContext(String context) {
         appCtx = new InMemoryXmlApplicationContext(context);
-    }    
-
+    }
 
     private LdapAuthenticationProvider getProvider() {
         ProviderManager authManager = (ProviderManager) appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER);