SEC-2308: DefaultSpringSecurityContextSource allow empty baseUrl

ldap/src/integration-test/java/org/springframework/security/ldap/DefaultSpringSecurityContextSourceTests.java

@@ -95,6 +95,20 @@ public class DefaultSpringSecurityContextSourceTests extends AbstractLdapIntegra
         assertTrue(ctxSrc.isPooled());
     }
 
+    // SEC-2308
+    @Test
+    public void instantiationSuceedsWithEmtpyBaseDn() throws Exception {
+        String baseDn = "";
+        List<String> serverUrls = new ArrayList<String>();
+        serverUrls.add("ldap://foo:789");
+        serverUrls.add("ldap://bar:389");
+        serverUrls.add("ldaps://blah:636");
+        DefaultSpringSecurityContextSource ctxSrc = new DefaultSpringSecurityContextSource(serverUrls, baseDn);
+
+        assertFalse(ctxSrc.isAnonymousReadOnly());
+        assertTrue(ctxSrc.isPooled());
+    }
+
     @Test(expected=IllegalArgumentException.class)
     public void instantiationFailsWithIncorrectServerUrl() throws Exception {
         List<String> serverUrls = new ArrayList<String>();

ldap/src/main/java/org/springframework/security/ldap/DefaultSpringSecurityContextSource.java

@@ -123,9 +123,6 @@ public class DefaultSpringSecurityContextSource extends LdapContextSource {
             if ("".equals(trimmedUrl)) {
                 continue;
             }
-            if (trimmedUrl.contains(trimmedBaseDn)) {
-                throw new IllegalArgumentException("LDAP URL string must not include the base DN! '" + trimmedUrl + "'");
-            }
 
             providerUrl.append(trimmedUrl);
             if (! trimmedUrl.endsWith("/")) {