Improvements to LDAP namespace configuration - splitting "ldap" element into ldap-server and ldap-authentication-provider. Also some minor changes to authentication-provider.

core/src/main/java/org/springframework/security/config/AbstractUserDetailsServiceBeanDefinitionParser.java

@@ -21,6 +21,12 @@ public class AbstractUserDetailsServiceBeanDefinitionParser extends AbstractSing
             return id;
         }
 
+        // If it's nested in a parent auth-provider, generate an id automatically
+        if(Elements.AUTHENTICATION_PROVIDER.equals(element.getParentNode().getNodeName())) {
+            return parserContext.getReaderContext().generateBeanName(definition);
+        }
+
+        // If top level, use the default name or throw an exception if already used
         if (parserContext.getRegistry().containsBeanDefinition(BeanIds.USER_DETAILS_SERVICE)) {
             throw new SecurityConfigurationException("No id supplied in <" + element.getNodeName() + "> and another " +
                     "bean is already registered as " + BeanIds.USER_DETAILS_SERVICE);

core/src/main/java/org/springframework/security/config/ApacheDSContainer.java

@@ -28,7 +28,7 @@ import java.io.IOException;
 
 /**
  * Provides lifecycle services for the embedded apacheDS server defined by the supplied configuration.
- * Used by {@link LdapBeanDefinitionParser}. An instance will be stored in the application context for
+ * Used by {@link LdapServerBeanDefinitionParser}. An instance will be stored in the application context for
  * each embedded server instance. It will start the server when the context is initialized and shut it down when
  * it is closed. It is intended for temporary embedded use and will not retain changes across start/stop boundaries. The
  * working directory is deleted on shutdown.
@@ -40,8 +40,6 @@ import java.io.IOException;
  * prior to attempting to start it again.
  * </p>
  *
- *
- *
  * @author Luke Taylor
  * @version $Id$
  */
@@ -54,10 +52,12 @@ class ApacheDSContainer implements InitializingBean, DisposableBean, Lifecycle,
 
     private ContextSource contextSource;
     private boolean running;
+    private String ldifResources;
 
-    public ApacheDSContainer(MutableServerStartupConfiguration configuration, ContextSource contextSource) {
-        this.configuration = configuration;
+    public ApacheDSContainer(MutableServerStartupConfiguration config, ContextSource contextSource, String ldifs) {
+        this.configuration = config;
         this.contextSource = contextSource;
+        this.ldifResources = ldifs;
     }
 
     public void afterPropertiesSet() throws Exception {
@@ -98,7 +98,7 @@ class ApacheDSContainer implements InitializingBean, DisposableBean, Lifecycle,
     public void setWorkingDirectory(File workingDir) {
         Assert.notNull(workingDir);
 
-        logger.info("Setting working directory for LDAP: " + workingDir.getAbsolutePath());
+        logger.info("Setting working directory for LDAP_PROVIDER: " + workingDir.getAbsolutePath());
 
         if (workingDir.exists()) {
             throw new IllegalArgumentException("The specified working directory '" + workingDir.getAbsolutePath() +
@@ -151,7 +151,7 @@ class ApacheDSContainer implements InitializingBean, DisposableBean, Lifecycle,
 
     private void importLdifs() throws IOException, NamingException {
         // Import any ldif files
-        Resource[] ldifs = ctxt.getResources("classpath*:*.ldif");
+        Resource[] ldifs = ctxt.getResources(ldifResources);
 
         // Note that we can't just import using the ServerContext returned
         // from starting Apace DS, apparently because of the long-running issue DIRSERVER-169.

core/src/main/java/org/springframework/security/config/AuthenticationProviderBeanDefinitionParser.java

@@ -19,8 +19,7 @@ import org.w3c.dom.Element;
  * @version $Id$
  */
 class AuthenticationProviderBeanDefinitionParser implements BeanDefinitionParser {
-    private static String ATT_REF = "ref";
-    static final String ATT_DATA_SOURCE = "data-source";
+    private static String ATT_USER_DETAILS_REF = "user-service-ref";
 
     public BeanDefinition parse(Element element, ParserContext parserContext) {
         RootBeanDefinition authProvider = new RootBeanDefinition(DaoAuthenticationProvider.class);
@@ -28,12 +27,17 @@ class AuthenticationProviderBeanDefinitionParser implements BeanDefinitionParser
         Element passwordEncoderElt = DomUtils.getChildElementByTagName(element, Elements.PASSWORD_ENCODER);
 
         if (passwordEncoderElt != null) {
-            //TODO: Parse password encoder object and add to dao provider
+            PasswordEncoderParser pep = new PasswordEncoderParser(passwordEncoderElt, parserContext);
+            authProvider.getPropertyValues().addPropertyValue("passwordEncoder", pep.getPasswordEncoder());
+
+            if (pep.getSaltSource() != null) {
+                authProvider.getPropertyValues().addPropertyValue("saltSource", pep.getSaltSource());
+            }
         }
 
         ConfigUtils.getRegisteredProviders(parserContext).add(authProvider);
 
-        String ref = element.getAttribute(ATT_REF);
+        String ref = element.getAttribute(ATT_USER_DETAILS_REF);
         Element userServiceElt = DomUtils.getChildElementByTagName(element, Elements.USER_SERVICE);
         Element jdbcUserServiceElt = DomUtils.getChildElementByTagName(element, Elements.JDBC_USER_SERVICE);
 
@@ -57,7 +61,7 @@ class AuthenticationProviderBeanDefinitionParser implements BeanDefinitionParser
             userDetailsService = new UserServiceBeanDefinitionParser().parse(userServiceElt, parserContext);
         } else {
             throw new SecurityConfigurationException(Elements.AUTHENTICATION_PROVIDER
-                    + " requireds a UserDetailsService" );
+                    + " requires a UserDetailsService" );
         }
 
         authProvider.getPropertyValues().addPropertyValue("userDetailsService", userDetailsService);

core/src/main/java/org/springframework/security/config/BeanIds.java

@@ -10,8 +10,9 @@ public abstract class BeanIds {
 
 	/** Package protected as end users shouldn't really be using this BFPP directly */
 	static final String INTERCEPT_METHODS_BEAN_FACTORY_POST_PROCESSOR = "_interceptMethodsBeanfactoryPP";
+    static final String CONTEXT_SOURCE_SETTING_POST_PROCESSOR = "_contextSettingPostProcessor";
 
-	public static final String JDBC_USER_DETAILS_MANAGER = "_jdbcUserDetailsManager";
+    public static final String JDBC_USER_DETAILS_MANAGER = "_jdbcUserDetailsManager";
 	public static final String USER_DETAILS_SERVICE = "_userDetailsService";
 	public static final String ANONYMOUS_PROCESSING_FILTER = "_anonymousProcessingFilter";
 	public static final String ANONYMOUS_AUTHENTICATION_PROVIDER = "_anonymousAuthenticationProvider";
@@ -39,5 +40,6 @@ public abstract class BeanIds {
 	public static final String METHOD_DEFINITION_SOURCE_ADVISOR = "_methodDefinitionSourceAdvisor";
 	public static final String SECURITY_ANNOTATION_ATTRIBUTES = "_securityAnnotationAttributes";
 	public static final String METHOD_DEFINITION_ATTRIBUTES = "_methodDefinitionAttributes";
-
+    public static final String EMBEDDED_APACHE_DS = "_apacheDirectoryServerContainer";
+    public static final String CONTEXT_SOURCE = "_securityContextSource";
 }

core/src/main/java/org/springframework/security/config/Elements.java

@@ -14,8 +14,9 @@ abstract class Elements {
 	public static final String INTERCEPT_METHODS = "intercept-methods";
 	public static final String AUTHENTICATION_PROVIDER = "authentication-provider";
 	public static final String HTTP = "http";
-	public static final String LDAP = "ldap";
-	public static final String PROTECT = "protect";
+	public static final String LDAP_PROVIDER = "ldap-authentication-provider";
+	public static final String LDAP_SERVER = "ldap-server";
+    public static final String PROTECT = "protect";
 	public static final String CONCURRENT_SESSIONS = "concurrent-session-control";
 	public static final String LOGOUT = "logout";
 	public static final String FORM_LOGIN = "form-login";

core/src/main/java/org/springframework/security/config/LdapProviderBeanDefinitionParser.java

@@ -0,0 +1,103 @@
+package org.springframework.security.config;
+
+import org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator;
+import org.springframework.security.ldap.SpringSecurityContextSource;
+import org.springframework.security.providers.ldap.LdapAuthenticationProvider;
+import org.springframework.security.providers.ldap.authenticator.BindAuthenticator;
+import org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor;
+import org.springframework.security.ui.rememberme.RememberMeServices;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.beans.factory.config.RuntimeBeanReference;
+import org.springframework.beans.factory.support.RootBeanDefinition;
+import org.springframework.beans.factory.support.BeanDefinitionRegistry;
+import org.springframework.beans.factory.xml.BeanDefinitionParser;
+import org.springframework.beans.factory.xml.ParserContext;
+import org.springframework.beans.BeansException;
+import org.springframework.core.Ordered;
+import org.springframework.ldap.core.ContextSource;
+import org.springframework.util.StringUtils;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.w3c.dom.Element;
+
+import java.util.Map;
+
+/**
+ * Experimental "security:ldap" namespace configuration.
+ *
+ *
+ * @author Luke Taylor
+ * @version $Id$
+ * @since 2.0
+ */
+public class LdapProviderBeanDefinitionParser implements BeanDefinitionParser {
+    private Log logger = LogFactory.getLog(getClass());
+
+    private static final String ATT_AUTH_TYPE = "auth-type";
+    private static final String ATT_SERVER = "server-ref";
+
+    private static final String OPT_DEFAULT_DN_PATTERN = "uid={0},ou=people";
+    private static final String DEFAULT_GROUP_CONTEXT = "ou=groups";
+
+
+    public BeanDefinition parse(Element elt, ParserContext parserContext) {
+        String server = elt.getAttribute(ATT_SERVER);
+
+        if (!StringUtils.hasText(server)) {
+            server = BeanIds.CONTEXT_SOURCE;
+        }
+
+        RuntimeBeanReference contextSource = new RuntimeBeanReference(server);
+
+        RootBeanDefinition bindAuthenticator = new RootBeanDefinition(BindAuthenticator.class);
+        bindAuthenticator.getConstructorArgumentValues().addGenericArgumentValue(contextSource);
+        bindAuthenticator.getPropertyValues().addPropertyValue("userDnPatterns", new String[] {OPT_DEFAULT_DN_PATTERN});
+        RootBeanDefinition authoritiesPopulator = new RootBeanDefinition(DefaultLdapAuthoritiesPopulator.class);
+        authoritiesPopulator.getConstructorArgumentValues().addGenericArgumentValue(contextSource);
+        authoritiesPopulator.getConstructorArgumentValues().addGenericArgumentValue(DEFAULT_GROUP_CONTEXT);
+
+        RootBeanDefinition ldapProvider = new RootBeanDefinition(LdapAuthenticationProvider.class);
+        ldapProvider.getConstructorArgumentValues().addGenericArgumentValue(bindAuthenticator);
+        ldapProvider.getConstructorArgumentValues().addGenericArgumentValue(authoritiesPopulator);
+
+        registerPostProcessorIfNecessary(parserContext.getRegistry());
+
+        ConfigUtils.getRegisteredProviders(parserContext).add(ldapProvider);
+
+        return null;
+    }
+
+    // Todo: Move to utility class when we add ldap-user-service, as this check will be needed even if no
+    // provider is added.
+    private static class ContextSourceSettingPostProcessor implements BeanFactoryPostProcessor, Ordered {
+
+        public void postProcessBeanFactory(ConfigurableListableBeanFactory bf) throws BeansException {
+            Map beans = bf.getBeansOfType(SpringSecurityContextSource.class);
+
+            if (beans.size() == 0) {
+                throw new SecurityConfigurationException("No SpringSecurityContextSource instances found. Have you " +
+                        "added an <" + Elements.LDAP_SERVER + " /> element to your application context?");
+            } else if (beans.size() > 1) {
+                throw new SecurityConfigurationException("More than one SpringSecurityContextSource instance found. " +
+                        "Please specify a specific server id when configuring your <" + Elements.LDAP_PROVIDER + ">");
+            }
+        }
+
+        public int getOrder() {
+            return LOWEST_PRECEDENCE;
+        }
+
+    }
+
+    public void registerPostProcessorIfNecessary(BeanDefinitionRegistry registry) {
+        if (registry.containsBeanDefinition(BeanIds.CONTEXT_SOURCE_SETTING_POST_PROCESSOR)) {
+            return;
+        }
+
+        registry.registerBeanDefinition(BeanIds.CONTEXT_SOURCE_SETTING_POST_PROCESSOR,
+                new RootBeanDefinition(LdapProviderBeanDefinitionParser.ContextSourceSettingPostProcessor.class));
+    }
+}

core/src/main/java/org/springframework/security/config/LdapServerBeanDefinitionParser.java

@@ -0,0 +1,166 @@
+package org.springframework.security.config;
+
+import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
+import org.springframework.beans.factory.xml.BeanDefinitionParser;
+import org.springframework.beans.factory.xml.ParserContext;
+import org.springframework.beans.factory.xml.AbstractBeanDefinitionParser;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.support.RootBeanDefinition;
+import org.springframework.ldap.core.DirContextAdapter;
+import org.springframework.util.StringUtils;
+import org.springframework.util.Assert;
+
+import org.w3c.dom.Element;
+import org.apache.directory.server.configuration.MutableServerStartupConfiguration;
+import org.apache.directory.server.core.partition.impl.btree.MutableBTreePartitionConfiguration;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import javax.naming.NamingException;
+import java.util.HashSet;
+
+/**
+ * @author Luke Taylor
+ * @version $Id$
+ */
+public class LdapServerBeanDefinitionParser implements BeanDefinitionParser {
+    private Log logger = LogFactory.getLog(getClass());
+
+    /** Defines the Url of the ldap server to use. If not specified, an embedded apache DS instance will be created */
+    private static final String ATT_URL = "url";
+
+    private static final String ATT_PRINCIPAL = "manager-dn";
+    private static final String ATT_PASSWORD = "manager-password";
+
+    // Properties which apply to embedded server only - when no Url is set
+
+    /** sets the configuration suffix (default is "dc=springframework,dc=org"). */
+    public static final String ATT_ROOT_SUFFIX = "root";
+    private static final String OPT_DEFAULT_ROOT_SUFFIX = "dc=springframework,dc=org";
+    /**
+     * Optionally defines an ldif resource to be loaded. Otherwise an attempt will be made to load all ldif files
+     * found on the classpath.
+     */
+    public static final String ATT_LDIF_FILE = "ldif";
+    private static final String OPT_DEFAULT_LDIF_FILE = "classpath*:*.ldif";
+
+    /** Defines the port the LDAP_PROVIDER server should run on */
+    public static final String ATT_PORT = "port";
+    public static final String OPT_DEFAULT_PORT = "33389";
+
+
+    public BeanDefinition parse(Element elt, ParserContext parserContext) {
+        String url = elt.getAttribute(ATT_URL);
+
+        RootBeanDefinition contextSource;
+
+        if (!StringUtils.hasText(url)) {
+            contextSource = createEmbeddedServer(elt, parserContext);
+        } else {
+            contextSource = new RootBeanDefinition(DefaultSpringSecurityContextSource.class);
+            contextSource.getConstructorArgumentValues().addIndexedArgumentValue(0, url);
+        }
+
+        String managerDn = elt.getAttribute(ATT_PRINCIPAL);
+        String managerPassword = elt.getAttribute(ATT_PASSWORD);
+
+        if (StringUtils.hasText(managerDn)) {
+            Assert.hasText(managerPassword, "You must specify the " + ATT_PASSWORD +
+                    " if you supply a " + managerDn);
+
+            contextSource.getPropertyValues().addPropertyValue("userDn", managerDn);
+            contextSource.getPropertyValues().addPropertyValue("password", managerPassword);
+        }
+
+        String id = elt.getAttribute(AbstractBeanDefinitionParser.ID_ATTRIBUTE);
+
+        String contextSourceId = StringUtils.hasText(id) ? id : BeanIds.CONTEXT_SOURCE;
+
+        parserContext.getRegistry().registerBeanDefinition(contextSourceId, contextSource);
+
+        return null;
+    }
+
+    /**
+     * Will be called if no url attribute is supplied.
+     *
+     * Registers beans to create an embedded apache directory server.
+     *
+     * @param element
+     * @param parserContext
+     *
+     * @return the BeanDefinition for the ContextSource for the embedded server.
+     *
+     * @see ApacheDSContainer
+     */
+    private RootBeanDefinition createEmbeddedServer(Element element, ParserContext parserContext) {
+        MutableServerStartupConfiguration configuration = new MutableServerStartupConfiguration();
+        MutableBTreePartitionConfiguration partition = new MutableBTreePartitionConfiguration();
+
+        partition.setName("springsecurity");
+
+        DirContextAdapter rootContext = new DirContextAdapter();
+        rootContext.setAttributeValues("objectClass", new String[] {"top", "domain", "extensibleObject"});
+        rootContext.setAttributeValue("dc", "springsecurity");
+
+        partition.setContextEntry(rootContext.getAttributes());
+
+        String suffix = element.getAttribute(ATT_ROOT_SUFFIX);
+
+        if (!StringUtils.hasText(suffix)) {
+            suffix = OPT_DEFAULT_ROOT_SUFFIX;
+        }
+
+        try {
+            partition.setSuffix(suffix);
+        } catch (NamingException e) {
+            parserContext.getReaderContext().error("Failed to set root name suffix to " + suffix, element, e);
+        }
+
+        HashSet partitions = new HashSet(1);
+        partitions.add(partition);
+
+        String port = element.getAttribute(ATT_PORT);
+
+        if (!StringUtils.hasText(port)) {
+            port = OPT_DEFAULT_PORT;
+        }
+
+        configuration.setLdapPort(Integer.parseInt(port));
+
+        // We shut down the server ourself when the app context is closed so we don't need
+        // the extra shutdown hook from apache DS itself.
+        configuration.setShutdownHookEnabled(false);
+        configuration.setExitVmOnShutdown(false);
+        configuration.setContextPartitionConfigurations(partitions);
+
+        String url = "ldap://127.0.0.1:" + port + "/" + suffix;
+
+        RootBeanDefinition contextSource = new RootBeanDefinition(DefaultSpringSecurityContextSource.class);
+        contextSource.getConstructorArgumentValues().addIndexedArgumentValue(0, url);
+        contextSource.getPropertyValues().addPropertyValue("userDn", "uid=admin,ou=system");
+        contextSource.getPropertyValues().addPropertyValue("password", "secret");
+
+        RootBeanDefinition apacheContainer = new RootBeanDefinition(ApacheDSContainer.class);
+        apacheContainer.getConstructorArgumentValues().addGenericArgumentValue(configuration);
+        apacheContainer.getConstructorArgumentValues().addGenericArgumentValue(contextSource);
+
+        String ldifs = element.getAttribute(ATT_LDIF_FILE);
+        if (!StringUtils.hasText(ldifs)) {
+            ldifs = OPT_DEFAULT_LDIF_FILE;
+        }
+
+        apacheContainer.getConstructorArgumentValues().addGenericArgumentValue(ldifs);
+
+        logger.info("Embedded LDAP server bean created for URL: " + url);
+
+        if (parserContext.getRegistry().containsBeanDefinition(BeanIds.EMBEDDED_APACHE_DS)) {
+            parserContext.getReaderContext().error("Only one embedded server bean is allowed per application context",
+                    element);
+        }
+
+        parserContext.getRegistry().registerBeanDefinition(BeanIds.EMBEDDED_APACHE_DS, apacheContainer);
+
+        return contextSource;
+    }
+}

core/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -13,7 +13,8 @@ public class SecurityNamespaceHandler extends NamespaceHandlerSupport {
 
     public void init() {
         // Parsers
-    	registerBeanDefinitionParser(Elements.LDAP, new LdapBeanDefinitionParser());
+    	registerBeanDefinitionParser(Elements.LDAP_PROVIDER, new LdapProviderBeanDefinitionParser());
+    	registerBeanDefinitionParser(Elements.LDAP_SERVER, new LdapServerBeanDefinitionParser());
         registerBeanDefinitionParser(Elements.HTTP, new HttpSecurityBeanDefinitionParser());
         registerBeanDefinitionParser(Elements.USER_SERVICE, new UserServiceBeanDefinitionParser());
         registerBeanDefinitionParser(Elements.JDBC_USER_SERVICE, new JdbcUserServiceBeanDefinitionParser());

core/src/main/java/org/springframework/security/util/InMemoryResource.java

@@ -32,27 +32,31 @@ import java.io.InputStream;
 public class InMemoryResource extends AbstractResource {
     //~ Instance fields ================================================================================================
 
-    private ByteArrayInputStream in;
+    private byte[] source;
     private String description;
 
     //~ Constructors ===================================================================================================
 
+    public InMemoryResource(String source) {
+        this(source.getBytes());
+    }
+
     public InMemoryResource(byte[] source) {
         this(source, null);
     }
 
     public InMemoryResource(byte[] source, String description) {
-        in = new ByteArrayInputStream(source);
+        this.source = source;
         this.description = description;
     }
 
     //~ Methods ========================================================================================================
 
     public String getDescription() {
-        return (description == null) ? in.toString() : description;
+        return description;
     }
 
     public InputStream getInputStream() throws IOException {
-        return in;
+        return new ByteArrayInputStream(source);
     }
 }

core/src/main/java/org/springframework/security/util/InMemoryXmlApplicationContext.java

@@ -0,0 +1,38 @@
+package org.springframework.security.util;
+
+import org.springframework.context.support.AbstractXmlApplicationContext;
+import org.springframework.core.io.Resource;
+
+/**
+ * @author Luke Taylor
+ * @version $Id$
+ */
+public class InMemoryXmlApplicationContext extends AbstractXmlApplicationContext {
+    private static final String BEANS_OPENING =
+                    "<b:beans xmlns=\"http://www.springframework.org/schema/security\"\n" +
+                    "    xmlns:b=\"http://www.springframework.org/schema/beans\"\n" +
+                    "    xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n" +
+                    "    xsi:schemaLocation=\"http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd\n" +
+                    "http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd\">\n";
+    private static final String BEANS_CLOSE = "</b:beans>\n";
+
+    Resource inMemoryXml;
+
+    public InMemoryXmlApplicationContext(String xml) {
+        this(xml, true);
+    }
+
+    public InMemoryXmlApplicationContext(String xml, boolean addBeansTags) {
+        String fullXml = addBeansTags ? BEANS_OPENING + xml + BEANS_CLOSE : xml;
+        inMemoryXml = new InMemoryResource(fullXml);
+        refresh();
+    }
+
+    protected Resource[] getConfigResources() {
+        return new Resource[] {inMemoryXml};
+    }
+
+    public static void main(String[] args) {
+        new InMemoryXmlApplicationContext("<ldap-server />");
+    }
+}

core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc

@@ -6,28 +6,23 @@ datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"
 
 default namespace = "http://www.springframework.org/schema/security"
 
-start = http | ldap
+start = http | ldap-server | authentication-provider | ldap-authentication-provider | user-service
 
 hash =
     ## Defines the hashing algorithm used on user passwords. We recommend strongly against using MD4, as it is a very weak hashing algorithm.
     attribute hash {"sha" | "md5" | "md4" | "{sha}" | "{ssha}"}
-
 base64 = 
     ## Whether a string should be base64 encoded
     attribute base64 {"true" | "false"}
-
 path-type =
     ## Defines the type of pattern used to specify URL paths (either JDK 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if unspecified.
     attribute path-type {"ant" | "regex"}
-
 port =
     ## Specifies an IP port number. Used to configure an embedded LDAP server, for example.
     attribute port { xsd:integer }
-
 url =
     ## Specifies a URL.
     attribute url { xsd:string }
-    
 id = 
     ## A bean identifier, used for referring to the bean elsewhere in the context.
     attribute id {xsd:ID}    
@@ -49,28 +44,41 @@ system-wide =
     attribute system-wide {xsd:string}
 
 
-ldap =
-    ## Sets up an ldap authentication provider, optionally with an embedded ldap server
-    element ldap {ldap.attlist, empty}
-ldap.attlist &=
-    ## The url indicates the server location. If omitted, an embedded server will be started, optionally with the configured port number.
-    (url | port)?
+ldap-server =
+    ## Defines an LDAP server location or starts an embedded server. The url indicates the location of a remote server. If no url is given, an embedded server will be started, listening on the supplied port number. The port is optional and defaults to 33389. A Spring LDAP ContextSource bean will be registered for the server with the id supplied. 
+    element ldap-server {ldap-server.attlist}
+ldap-server.attlist &= id?
+ldap-server.attlist &= (url | port)?
+ldap-server.attlist &=
+    ## Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used. 
+    attribute manager-dn {xsd:string}?
+    ## The password for the manager DN.
+ldap-server.attlist &=
+    attribute manager-password {xsd:string}?     
+ldap-server.attlist &=
+    ## Explicitly specifies an ldif file resource to load into an embedded LDAP server
+    attribute ldif { xsd:string }?
+ldap-server.attlist &=
+    ## Optional root suffix for the embedded LDAP server. Default is "dc=springframework,dc=org"
+    attribute root { xsd:string }?
+
+
+ldap-authentication-provider =
+    ## Sets up an ldap authentication provider
+    element ldap-authentication-provider {ldap-ap.attlist, empty}
+ldap-ap.attlist &=
+    ## The server to authenticate against.  
+    attribute server-ref {xsd:IDREF}?
 
-ldap.attlist &=
-    ## Explicitly specify an ldif file resource to load into the embedded server
-    [ a:defaultValue = "classpath*:*.ldif" ] attribute ldif { xsd:string }?
 
 intercept-methods =
     ## Can be used inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean's methods
     element intercept-methods {intercept-methods.attlist, protect+}
-
 intercept-methods.attlist = empty
 
-
 protect =
     ## Defines a protected method and the access control configuration attributes that apply to it
     element protect {protect.attlist, empty}
-
 protect.attlist &=
     ## A method name
     attribute method {xsd:string}
@@ -82,7 +90,6 @@ protect.attlist &=
 annotation-driven =
 	## Activates security annotation scanning. All beans registered in the Spring application context will be scanned for Spring Security annotations. Where found, the beans will automatically be proxied and security authorization applied to the methods accordingly. Please ensure you have the spring-security-tiger-XXX.jar on your classpath.
 	element annotation-driven {annotation-driven.attlist}
-
 annotation-driven.attlist = empty
 
 
@@ -106,7 +113,7 @@ http.attlist &=
     attribute servlet-api-provision {"true" | "false"}?
 http.attlist &=
     ## Optional attribute specifying the ID of the AccessDecisionManager implementation which should be used for authorizing HTTP requests.
-    attribute access-decision-manager {xsd:string}?
+    attribute access-decision-manager {xsd:IDREF}?
 http.attlist &=
     ## Optional attribute specifying the realm name that will be used for all authentication features that require a realm name (eg BASIC and Digest authentication). If unspecified, defaults to "Spring Security Application".
     attribute realm {xsd:string}?
@@ -189,7 +196,7 @@ concurrent-sessions.attlist &=
 remember-me =
     element remember-me {remember-me.attlist}
 remember-me.attlist &=
-    (attribute key {xsd:string} | (attribute token-repository {xsd:string} | attribute data-source {xsd:string}))
+    (attribute key {xsd:string} | (attribute token-repository {xsd:IDREF} | attribute data-source {xsd:string}))
 
 anonymous =
 	## Adds support for automatically granting all anonymous web requests a particular principal identity and a corresponding granted authority.
@@ -205,16 +212,18 @@ anonymous.attlist &=
     attribute granted-authority {xsd:string}?
 
 authentication-provider =
-  ## Indicates that the contained user-service should be used as an authentication source. May either refer to an external UserDetailsService bean by id (using the "ref" attribute) or contain a child element which creates the service. 
-     element authentication-provider {(ref | (user-service | jdbc-user-service)) & password-encoder}
-ap.attlist &= 
-     attribute ref {xsd:IDREF} 
+  ## Indicates that the contained user-service should be used as an authentication source. 
+     element authentication-provider {ap.attlist & (user-service | jdbc-user-service) & password-encoder}
+ap.attlist &=
+  ## Specifies a reference to a separately configured UserDetailsService from which to obtain authentication data.  
+     attribute user-service-ref {xsd:IDREF}?
 
 user-service =
+  ## Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements.
     element user-service {id? & (properties-file | (user*))}
 properties-file =
-    attribute properties {xsd:string}*
-
+    attribute properties {xsd:string}?
+    
 user =
 	## Represents a user in the application.
     element user {user.attlist, empty}
@@ -228,6 +237,7 @@ user.attlist &=
 	## One of more authorities granted to the user. Separate authorities with a comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR"
     attribute authorities {xsd:string}
 
+
 jdbc-user-service =
 	## Causes creation of a JDBC-based UserDetailsService.
     element jdbc-user-service {id? & jdbc-user-service.attlist} 

core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd

@@ -138,15 +138,20 @@
       </xs:annotation>
     </xs:attribute>
   </xs:attributeGroup>
-  <xs:element name="ldap">
+  <xs:element name="ldap-server">
     <xs:annotation>
-      <xs:documentation>Sets up an ldap authentication provider, optionally with an embedded ldap server</xs:documentation>
+      <xs:documentation>Defines an LDAP server location or starts an embedded server. The url indicates the location of a remote server. If no url is given, an embedded server will be started, listening on the supplied port number. The port is optional and defaults to 33389. A Spring LDAP ContextSource bean will be registered for the server with the id supplied. </xs:documentation>
     </xs:annotation>
     <xs:complexType>
-      <xs:attributeGroup ref="security:ldap.attlist"/>
+      <xs:attributeGroup ref="security:ldap-server.attlist"/>
     </xs:complexType>
   </xs:element>
-  <xs:attributeGroup name="ldap.attlist">
+  <xs:attributeGroup name="ldap-server.attlist">
+    <xs:attribute name="id" type="xs:ID">
+      <xs:annotation>
+        <xs:documentation>A bean identifier, used for referring to the bean elsewhere in the context.</xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
     <xs:attribute name="url" type="xs:string">
       <xs:annotation>
         <xs:documentation>Specifies a URL.</xs:documentation>
@@ -157,9 +162,35 @@
         <xs:documentation>Specifies an IP port number. Used to configure an embedded LDAP server, for example.</xs:documentation>
       </xs:annotation>
     </xs:attribute>
-    <xs:attribute name="ldif" default="classpath*:*.ldif" type="xs:string">
+    <xs:attribute name="manager-dn" type="xs:string">
       <xs:annotation>
-        <xs:documentation>Explicitly specify an ldif file resource to load into the embedded server</xs:documentation>
+        <xs:documentation>Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used. </xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+    <xs:attribute name="manager-password" type="xs:string"/>
+    <xs:attribute name="ldif" type="xs:string">
+      <xs:annotation>
+        <xs:documentation>Explicitly specifies an ldif file resource to load into an embedded LDAP server</xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+    <xs:attribute name="root" type="xs:string">
+      <xs:annotation>
+        <xs:documentation>Optional root suffix for the embedded LDAP server. Default is "dc=springframework,dc=org"</xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+  </xs:attributeGroup>
+  <xs:element name="ldap-authentication-provider">
+    <xs:annotation>
+      <xs:documentation>Sets up an ldap authentication provider</xs:documentation>
+    </xs:annotation>
+    <xs:complexType>
+      <xs:attributeGroup ref="security:ldap-ap.attlist"/>
+    </xs:complexType>
+  </xs:element>
+  <xs:attributeGroup name="ldap-ap.attlist">
+    <xs:attribute name="server-ref" type="xs:IDREF">
+      <xs:annotation>
+        <xs:documentation>The server to authenticate against.  </xs:documentation>
       </xs:annotation>
     </xs:attribute>
   </xs:attributeGroup>
@@ -273,7 +304,7 @@
         </xs:restriction>
       </xs:simpleType>
     </xs:attribute>
-    <xs:attribute name="access-decision-manager" type="xs:string">
+    <xs:attribute name="access-decision-manager" type="xs:IDREF">
       <xs:annotation>
         <xs:documentation>Optional attribute specifying the ID of the AccessDecisionManager implementation which should be used for authorizing HTTP requests.</xs:documentation>
       </xs:annotation>
@@ -445,7 +476,7 @@
   </xs:element>
   <xs:attributeGroup name="remember-me.attlist">
     <xs:attribute name="key" type="xs:string"/>
-    <xs:attribute name="token-repository" type="xs:string"/>
+    <xs:attribute name="token-repository" type="xs:IDREF"/>
     <xs:attribute name="data-source" type="xs:string"/>
   </xs:attributeGroup>
   <xs:element name="anonymous">
@@ -475,7 +506,7 @@
   </xs:attributeGroup>
   <xs:element name="authentication-provider">
     <xs:annotation>
-      <xs:documentation>Indicates that the contained user-service should be used as an authentication source. May either refer to an external UserDetailsService bean by id (using the "ref" attribute) or contain a child element which creates the service. </xs:documentation>
+      <xs:documentation>Indicates that the contained user-service should be used as an authentication source. </xs:documentation>
     </xs:annotation>
     <xs:complexType>
       <xs:choice minOccurs="0" maxOccurs="unbounded">
@@ -485,17 +516,20 @@
         </xs:choice>
         <xs:element ref="security:password-encoder"/>
       </xs:choice>
-      <xs:attribute name="ref" type="xs:IDREF">
-        <xs:annotation>
-          <xs:documentation>Defines a reference to a Spring bean id.</xs:documentation>
-        </xs:annotation>
-      </xs:attribute>
+      <xs:attributeGroup ref="security:ap.attlist"/>
     </xs:complexType>
   </xs:element>
   <xs:attributeGroup name="ap.attlist">
-    <xs:attribute name="ref" use="required" type="xs:IDREF"/>
+    <xs:attribute name="user-service-ref" type="xs:IDREF">
+      <xs:annotation>
+        <xs:documentation>Specifies a reference to a separately configured UserDetailsService from which to obtain authentication data.  </xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
   </xs:attributeGroup>
   <xs:element name="user-service">
+    <xs:annotation>
+      <xs:documentation>Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements.</xs:documentation>
+    </xs:annotation>
     <xs:complexType>
       <xs:sequence>
         <xs:element minOccurs="0" maxOccurs="unbounded" ref="security:user"/>

core/src/test/java/org/springframework/security/config/AuthenticationProviderBeanDefinitionParserTests.java

@@ -0,0 +1,49 @@
+package org.springframework.security.config;
+
+import org.springframework.security.providers.ProviderManager;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.providers.AuthenticationProvider;
+import org.springframework.context.support.ClassPathXmlApplicationContext;
+import org.springframework.beans.BeansException;
+
+import org.junit.BeforeClass;
+import org.junit.AfterClass;
+import org.junit.Test;
+
+import java.util.List;
+
+/**
+ * @author Luke Taylor
+ * @version $Id$
+ */
+public class AuthenticationProviderBeanDefinitionParserTests {
+    private static ClassPathXmlApplicationContext appContext;
+
+    @BeforeClass
+    public static void loadContext() {
+        try {
+            appContext = new ClassPathXmlApplicationContext("org/springframework/security/config/auth-provider.xml");
+        } catch (BeansException e) {
+            e.printStackTrace();
+        }
+    }
+
+    @AfterClass
+    public static void closeAppContext() {
+        if (appContext != null) {
+            appContext.close();
+        }
+    }
+
+    @Test
+    public void configuredProvidersAllAuthenticateUser() {
+        List<AuthenticationProvider> providers =
+                ((ProviderManager)appContext.getBean(BeanIds.AUTHENTICATION_MANAGER)).getProviders();
+
+        UsernamePasswordAuthenticationToken bob = new UsernamePasswordAuthenticationToken("bob", "bobspassword");
+
+        for (AuthenticationProvider provider : providers) {
+            provider.authenticate(bob);
+        }
+    }
+}

core/src/test/java/org/springframework/security/config/LdapProviderBeanDefinitionParserTests.java

@@ -0,0 +1,49 @@
+package org.springframework.security.config;
+
+import org.springframework.security.providers.ProviderManager;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.providers.ldap.LdapAuthenticationProvider;
+import org.springframework.security.Authentication;
+import org.springframework.security.util.InMemoryXmlApplicationContext;
+import org.springframework.security.userdetails.ldap.LdapUserDetailsImpl;
+import static org.junit.Assert.*;
+import org.junit.Test;
+import org.junit.After;
+
+
+/**
+ * @author luke
+ * @version $Id$
+ */
+public class LdapProviderBeanDefinitionParserTests {
+    InMemoryXmlApplicationContext appCtx;
+
+    @After
+    public void closeAppContext() {
+        if (appCtx != null) {
+            appCtx.close();
+            appCtx = null;
+        }
+    }
+
+    @Test
+    public void simpleProviderAuthenticatesCorrectly() {
+        appCtx = new InMemoryXmlApplicationContext("<ldap-server /> <ldap-authentication-provider />");
+
+        ProviderManager authManager = (ProviderManager) appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER);
+
+        assertEquals(1, authManager.getProviders().size());
+
+        LdapAuthenticationProvider provider = (LdapAuthenticationProvider) authManager.getProviders().get(0);
+        Authentication auth = provider.authenticate(new UsernamePasswordAuthenticationToken("ben", "benspassword"));
+        LdapUserDetailsImpl ben = (LdapUserDetailsImpl) auth.getPrincipal();
+
+        assertEquals(2, ben.getAuthorities().length);
+    }
+
+    @Test(expected = SecurityConfigurationException.class)
+    public void missingServerEltCausesConfigException() {
+        appCtx = new InMemoryXmlApplicationContext("<ldap-authentication-provider />");
+    }
+
+}

core/src/test/java/org/springframework/security/config/LdapServerBeanDefinitionParserTests.java

@@ -0,0 +1,66 @@
+package org.springframework.security.config;
+
+import org.springframework.security.util.InMemoryXmlApplicationContext;
+import org.springframework.security.ldap.SpringSecurityContextSource;
+
+import org.springframework.ldap.core.support.BaseLdapPathContextSource;
+import org.springframework.ldap.core.LdapTemplate;
+
+import org.junit.Test;
+import org.junit.After;
+
+/**
+ * @author Luke Taylor
+ * @version $Id$
+ */
+public class LdapServerBeanDefinitionParserTests {
+    InMemoryXmlApplicationContext appCtx;
+
+    @After
+    public void closeAppContext() {
+        if (appCtx != null) {
+            appCtx.close();
+            appCtx = null;
+        }
+    }
+
+    @Test
+    public void embeddedServerCreationContainsExpectedContextSourceAndData() {
+        appCtx = new InMemoryXmlApplicationContext("<ldap-server />");
+
+        SpringSecurityContextSource contextSource = (SpringSecurityContextSource) appCtx.getBean(BeanIds.CONTEXT_SOURCE);
+
+        // Check data is loaded
+        LdapTemplate template = new LdapTemplate(contextSource);
+        template.lookup("uid=ben,ou=people");
+    }
+
+    @Test
+    public void useOfUrlAttributeCreatesCorrectContextSource() {
+        // Create second "server" with a url pointing at embedded one
+        appCtx = new InMemoryXmlApplicationContext("<ldap-server port=\"33388\"/>" +
+                "<ldap-server id=\"blah\" url=\"ldap://127.0.0.1:33388/dc=springframework,dc=org\" />");
+
+        // Check the default context source is still there.
+        appCtx.getBean(BeanIds.CONTEXT_SOURCE);
+
+        SpringSecurityContextSource contextSource = (SpringSecurityContextSource) appCtx.getBean("blah");
+
+        // Check data is loaded as before
+        LdapTemplate template = new LdapTemplate(contextSource);
+        template.lookup("uid=ben,ou=people");
+    }
+
+    @Test
+    public void loadingSpecificLdifFileIsSuccessful() {
+        appCtx = new InMemoryXmlApplicationContext(
+                "<ldap-server ldif=\"classpath*:test-server2.xldif\" root=\"dc=monkeymachine,dc=co,dc=uk\" />");
+        SpringSecurityContextSource contextSource = (SpringSecurityContextSource) appCtx.getBean(BeanIds.CONTEXT_SOURCE);
+
+        LdapTemplate template = new LdapTemplate(contextSource);
+        template.lookup("uid=pg,ou=gorillas");
+    }
+
+
+
+}

core/src/test/java/org/springframework/security/ldap/AbstractLdapIntegrationTests.java

@@ -14,6 +14,7 @@
  */
 package org.springframework.security.ldap;
 
+import org.springframework.security.config.BeanIds;
 import org.springframework.ldap.core.ContextSource;
 import org.springframework.ldap.core.DistinguishedName;
 import org.springframework.core.io.ClassPathResource;
@@ -42,7 +43,6 @@ import java.util.Set;
  */
 public abstract class AbstractLdapIntegrationTests {
     private static ClassPathXmlApplicationContext appContext;
-    private boolean dirty = false;
 
     protected AbstractLdapIntegrationTests() {
     }
@@ -77,19 +77,9 @@ public abstract class AbstractLdapIntegrationTests {
     public void onSetUp() throws Exception {
     }
 
-    /** Reloads the server data file */
-    protected void setDirty() {
-        dirty = true;
-    }
 
     @After
     public final void reloadServerDataIfDirty() throws Exception {
-//        if (!dirty) {
-//            return;
-//        }
-
-//        closeContext();
-//        loadContext();
         ClassPathResource ldifs = new ClassPathResource("test-server.ldif");
 
         if (!ldifs.getFile().exists()) {
@@ -111,7 +101,7 @@ public abstract class AbstractLdapIntegrationTests {
     }
 
     public SpringSecurityContextSource getContextSource() {
-        return (SpringSecurityContextSource) appContext.getBean("contextSource");
+        return (SpringSecurityContextSource) appContext.getBean(BeanIds.CONTEXT_SOURCE);
     }
 
     /**

core/src/test/resources/org/springframework/security/config/auth-provider.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<beans:beans xmlns="http://www.springframework.org/schema/security"
+    xmlns:beans="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
+
+    <!-- All combinations should authenticate as bob/password -->
+
+    <authentication-provider>
+        <user-service>
+            <user name="bob" password="bobspassword" authorities="ROLE_A" />
+        </user-service>
+    </authentication-provider>
+
+    <authentication-provider user-service-ref="myUserService" />
+
+    <user-service id="myUserService">
+        <user name="bob" password="bobspassword" authorities="ROLE_A" />
+    </user-service>
+
+    <authentication-provider>
+        <password-encoder hash="md5"/>
+        <user-service>
+            <user name="bob" password="12b141f35d58b8b3a46eea65e6ac179e" authorities="ROLE_A" />
+        </user-service>
+    </authentication-provider>
+
+    <authentication-provider>
+        <password-encoder hash="{sha}"/>
+        <user-service>
+            <user name="bob" password="{SSHA}PpuEwfdj7M1rs0C2W4ssSM2XEN/Y6S5U" authorities="ROLE_A" />
+        </user-service>
+    </authentication-provider>
+
+</beans:beans>

core/src/test/resources/org/springframework/security/config/http-security.xml

@@ -32,7 +32,7 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
         </user-service>
     </authentication-provider>
 
-    <beans:bean name="tokenRepo" class="org.springframework.security.ui.rememberme.InMemoryTokenRepositoryImpl"/>
+    <beans:bean id="tokenRepo" class="org.springframework.security.ui.rememberme.InMemoryTokenRepositoryImpl"/>
 
     <!-- bean name="rememberMeServices" class="org.springframework.security.ui.rememberme.NullRememberMeServices"/ -->
 

core/src/test/resources/org/springframework/security/config/ldap-embedded-default.xml

@@ -1,13 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:security="http://www.springframework.org/schema/security"
+<b:beans xmlns="http://www.springframework.org/schema/security"
+    xmlns:b="http://www.springframework.org/schema/beans"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
 
 
-    <security:ldap />
-    
+    <ldap-server ldif="classpath*:test-server2.xldif" root="dc=monkeymachine,dc=co,dc=uk" />
 
-</beans>
+
+</b:beans>

core/src/test/resources/org/springframework/security/ldap/ldapIntegrationTestContext.xml

@@ -5,7 +5,7 @@
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
     http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
 
-    <security:ldap port="53389" ldif="classpath:test-server.ldif"/>
+    <security:ldap-server port="53389" ldif="classpath:test-server.ldif"/>
 
     <!--<import resource="classpath:/org/springframework/security/ldap/apacheDsContext.xml"/>-->
 

core/src/test/resources/test-server2.xldif

@@ -0,0 +1,16 @@
+dn: ou=gorillas,dc=monkeymachine,dc=co,dc=uk
+objectclass: top
+objectclass: organizationalUnit
+ou: gorillas
+
+dn: uid=pg,ou=gorillas,dc=monkeymachine,dc=co,dc=uk
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Pierre
+sn: Gorille
+uid: pg
+userPassword: password
+
+