Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

SEC-814: Added standard bean config to ldap example and updated doc to provide some pointers to DefaultLdapAuthoritiesPopulator

Luke Taylor 17 years ago
parent
afc757e618
commit
5cf0c84e2f
2 changed files with 75 additions and 31 deletions
Split View Show Diff Stats
  1. 61 28
      samples/ldap/src/main/webapp/WEB-INF/applicationContext-security.xml
  2. 14 3
      src/docbkx/ldap-auth-provider.xml

+ 61 - 28
samples/ldap/src/main/webapp/WEB-INF/applicationContext-security.xml
View File 

@@ -1,32 +1,65 @@
 
-<beans:beans xmlns="http://www.springframework.org/schema/security"
 
-    xmlns:beans="http://www.springframework.org/schema/beans"
 
+<beans xmlns="http://www.springframework.org/schema/beans"
 
+    xmlns:s="http://www.springframework.org/schema/security"
 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
 
     http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
 
     
-    <http>
 
-        <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
 
-        <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
 
-        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
 
-
 
-        <form-login />
 
-        <anonymous />
 
-        <logout />
 
-    </http>
 
-
 
-    <!--
 
-        Usernames/Passwords are
 
-        rod/koala
 
-        dianne/emu
 
-        scott/wombat
 
-    -->
 
-        <ldap-server ldif="classpath:users.ldif" />
 
-
 
-        <ldap-authentication-provider 
-            group-search-filter="member={0}" 
-            group-search-base="ou=groups"
 
-            user-search-base="ou=people"
 
-            user-search-filter="uid={0}"
 
-        />
 
-
 
-</beans:beans>
 
+    <s:http>
 
+        <s:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
 
+        <s:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
 
+        <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
 
+
 
+        <s:form-login />
 
+        <s:anonymous />
 
+        <s:logout />
 
+    </s:http>
 
+
 
+
 
+    <!-- Simple namespace-based configuration -->
 
+
 
+    <s:ldap-server ldif="classpath:users.ldif" />
 
+
 
+    <s:ldap-authentication-provider 
+        group-search-filter="member={0}" 
+        group-search-base="ou=groups"
 
+        user-search-base="ou=people"
 
+        user-search-filter="uid={0}"
 
+    />
 
+    
+    <!-- Traditional Bean version of the same configuration -->
 
+    
+    <!-- This bean points at the embedded directory server created by the ldap-server element above  -->
 
+    <bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
 
+        <constructor-arg value="ldap://localhost:389/dc=springframework,dc=org"/>
 
+    </bean>
 
+
 
+    <bean id="secondLdapProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
 
+        <s:custom-authentication-provider />
 
+		<constructor-arg>
 
+			<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
 
+				<constructor-arg ref="contextSource" />
 
+				<property name="userSearch">
 
+					<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
 
+					  <constructor-arg index="0" value="ou=people"/>
 
+					  <constructor-arg index="1" value="(uid={0})"/>
 
+					  <constructor-arg index="2" ref="contextSource" />
 
+					</bean>				
+				</property>
 
+			</bean>
 
+		</constructor-arg>
 
+		<constructor-arg>
 
+			<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
 
+				<constructor-arg ref="contextSource" />
 
+				<constructor-arg value="ou=groups" />
 
+				<property name="groupSearchFilter" value="member={0}"/>
 
+				<property name="groupRoleAttribute" value="ou" />
 
+				<property name="rolePrefix" value="ROLE_"/>
 
+				<property name="searchSubtree" value="true"/>
 
+				<property name="convertToUpperCase" value="true"/>
 
+			</bean>
 
+		</constructor-arg>
 
+    </bean>
 
+
 
+
 
+
 
+</beans>

+ 14 - 3
src/docbkx/ldap-auth-provider.xml
View File 

@@ -239,7 +239,7 @@
 
                     is used, and the login name will be substituted for the parameter
 
                     <parameter>{0}</parameter>. The pattern should be relative to the DN that the
 
                     configured
 
-                    <interfacename>InitialDirContextFactory</interfacename>
 
+                    <interfacename>SpringSecurityContextSource</interfacename>
 
                     will bind to (see the section on
 
                     <link linkend="ldap-context-source">connecting to the LDAP server</link>
 
                     for more information on this). For example, if you are using an LDAP server with
 
@@ -323,6 +323,17 @@
 
                     which will be replaced with the user's login name.</para>
 
             </section>
 
         </section>
 
+        <section xml:id="ldap-authorities">
 
+            <title>LdapAuthoritiesPopulator</title>
 
+            <para>
 
+                After authenticating the user successfully, the <classname>LdapAuthenticationProvider</classname>
 
+                will attempt to load a set of authorities for the user by calling the configured 
+                <interfacename>LdapAuthoritiesPopulator</interfacename> bean. The <classname>DefaultLdapAuthoritiesPopulator</classname>
 
+                is an implementation which will load the authorities by searching the directory for groups of which the user is a member
 
+                (typically these will be <literal>groupOfNames</literal> or <literal>groupOfUniqueNames</literal> entries in the directory).
 
+                Consult the Javadoc for this class for more details on how it works.
 
+            </para>
 
+        </section>
 
         <section xml:id="ldap-bean-config">
 
             <info>
 
                 <title>Spring Bean Configuration</title>
 
@@ -367,7 +378,7 @@
 
                 <literal>(member=&lt;user's-DN&gt;)</literal>. The role name will be taken from the
 
                 <quote>ou</quote>
 
                 attribute of each match.</para>
 
-            <para>To configurae a user search object, which uses the filter
 
+            <para>To configure a user search object, which uses the filter
 
                 <literal>(uid=&lt;user-login-name&gt;)</literal>
 
                 for use instead of the DN-pattern (or in addition to it), you would configure the
 
                 following bean
 
@@ -403,7 +414,7 @@ public interface UserDetailsContextMapper {
 
     void mapUserToContext(UserDetails user, DirContextAdapter ctx);
 
 }]]>                    
                 </programlisting>
 
-                Only the first method is relevant for authentication. If you provide an implememntation of this, you can
 
+                Only the first method is relevant for authentication. If you provide an implementation of this interface, you can
 
                 control exactly how the UserDetails object is created. The first parameter is an instance of Spring LDAP's
 
                 <interfacename>DirContextOperations</interfacename> which gives you access to the LDAP attributes which were loaded.
 
                 The <literal>username</literal> parameter is the name used to authenticate and the final parameter is the list of authorities