SEC-963: LDAP Group Search Root
http://jira.springframework.org/browse/SEC-963. Changed namespace instances of DefaultAuthoritiesPopulator to use the root as the default search location.
This commit is contained in:
Luke Taylor
parent
83868a7334
commit
a4e4120443
|
|
@ -14,22 +14,22 @@ import org.w3c.dom.Element;
|
||||||
* @since 2.0
|
* @since 2.0
|
||||||
*/
|
*/
|
||||||
public class LdapUserServiceBeanDefinitionParser extends AbstractUserDetailsServiceBeanDefinitionParser {
|
public class LdapUserServiceBeanDefinitionParser extends AbstractUserDetailsServiceBeanDefinitionParser {
|
||||||
public static final String ATT_SERVER = "server-ref";
|
public static final String ATT_SERVER = "server-ref";
|
||||||
public static final String ATT_USER_SEARCH_FILTER = "user-search-filter";
|
public static final String ATT_USER_SEARCH_FILTER = "user-search-filter";
|
||||||
public static final String ATT_USER_SEARCH_BASE = "user-search-base";
|
public static final String ATT_USER_SEARCH_BASE = "user-search-base";
|
||||||
public static final String DEF_USER_SEARCH_BASE = "";
|
public static final String DEF_USER_SEARCH_BASE = "";
|
||||||
|
|
||||||
public static final String ATT_GROUP_SEARCH_FILTER = "group-search-filter";
|
public static final String ATT_GROUP_SEARCH_FILTER = "group-search-filter";
|
||||||
public static final String ATT_GROUP_SEARCH_BASE = "group-search-base";
|
public static final String ATT_GROUP_SEARCH_BASE = "group-search-base";
|
||||||
public static final String ATT_GROUP_ROLE_ATTRIBUTE = "group-role-attribute";
|
public static final String ATT_GROUP_ROLE_ATTRIBUTE = "group-role-attribute";
|
||||||
public static final String DEF_GROUP_SEARCH_FILTER = "(uniqueMember={0})";
|
public static final String DEF_GROUP_SEARCH_FILTER = "(uniqueMember={0})";
|
||||||
public static final String DEF_GROUP_SEARCH_BASE = "ou=groups";
|
public static final String DEF_GROUP_SEARCH_BASE = "";
|
||||||
|
|
||||||
static final String ATT_ROLE_PREFIX = "role-prefix";
|
static final String ATT_ROLE_PREFIX = "role-prefix";
|
||||||
static final String ATT_USER_CLASS = "user-details-class";
|
static final String ATT_USER_CLASS = "user-details-class";
|
||||||
static final String OPT_PERSON = "person";
|
static final String OPT_PERSON = "person";
|
||||||
static final String OPT_INETORGPERSON = "inetOrgPerson";
|
static final String OPT_INETORGPERSON = "inetOrgPerson";
|
||||||
|
|
||||||
public static final String LDAP_SEARCH_CLASS = "org.springframework.security.ldap.search.FilterBasedLdapUserSearch";
|
public static final String LDAP_SEARCH_CLASS = "org.springframework.security.ldap.search.FilterBasedLdapUserSearch";
|
||||||
public static final String PERSON_MAPPER_CLASS = "org.springframework.security.userdetails.ldap.PersonContextMapper";
|
public static final String PERSON_MAPPER_CLASS = "org.springframework.security.userdetails.ldap.PersonContextMapper";
|
||||||
public static final String INET_ORG_PERSON_MAPPER_CLASS = "org.springframework.security.userdetails.ldap.InetOrgPersonContextMapper";
|
public static final String INET_ORG_PERSON_MAPPER_CLASS = "org.springframework.security.userdetails.ldap.InetOrgPersonContextMapper";
|
||||||
|
|
@ -45,42 +45,42 @@ public class LdapUserServiceBeanDefinitionParser extends AbstractUserDetailsServ
|
||||||
if (!StringUtils.hasText(elt.getAttribute(ATT_USER_SEARCH_FILTER))) {
|
if (!StringUtils.hasText(elt.getAttribute(ATT_USER_SEARCH_FILTER))) {
|
||||||
parserContext.getReaderContext().error("User search filter must be supplied", elt);
|
parserContext.getReaderContext().error("User search filter must be supplied", elt);
|
||||||
}
|
}
|
||||||
|
|
||||||
builder.addConstructorArg(parseSearchBean(elt, parserContext));
|
builder.addConstructorArg(parseSearchBean(elt, parserContext));
|
||||||
builder.addConstructorArg(parseAuthoritiesPopulator(elt, parserContext));
|
builder.addConstructorArg(parseAuthoritiesPopulator(elt, parserContext));
|
||||||
builder.addPropertyValue("userDetailsMapper", parseUserDetailsClass(elt, parserContext));
|
builder.addPropertyValue("userDetailsMapper", parseUserDetailsClass(elt, parserContext));
|
||||||
}
|
}
|
||||||
|
|
||||||
static RootBeanDefinition parseSearchBean(Element elt, ParserContext parserContext) {
|
static RootBeanDefinition parseSearchBean(Element elt, ParserContext parserContext) {
|
||||||
String userSearchFilter = elt.getAttribute(ATT_USER_SEARCH_FILTER);
|
String userSearchFilter = elt.getAttribute(ATT_USER_SEARCH_FILTER);
|
||||||
String userSearchBase = elt.getAttribute(ATT_USER_SEARCH_BASE);
|
String userSearchBase = elt.getAttribute(ATT_USER_SEARCH_BASE);
|
||||||
Object source = parserContext.extractSource(elt);
|
Object source = parserContext.extractSource(elt);
|
||||||
|
|
||||||
if (StringUtils.hasText(userSearchBase)) {
|
if (StringUtils.hasText(userSearchBase)) {
|
||||||
if(!StringUtils.hasText(userSearchFilter)) {
|
if(!StringUtils.hasText(userSearchFilter)) {
|
||||||
parserContext.getReaderContext().error(ATT_USER_SEARCH_BASE + " cannot be used without a " + ATT_USER_SEARCH_FILTER, source);
|
parserContext.getReaderContext().error(ATT_USER_SEARCH_BASE + " cannot be used without a " + ATT_USER_SEARCH_FILTER, source);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
userSearchBase = DEF_USER_SEARCH_BASE;
|
userSearchBase = DEF_USER_SEARCH_BASE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!StringUtils.hasText(userSearchFilter)) {
|
if (!StringUtils.hasText(userSearchFilter)) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
BeanDefinitionBuilder searchBuilder = BeanDefinitionBuilder.rootBeanDefinition(LDAP_SEARCH_CLASS);
|
BeanDefinitionBuilder searchBuilder = BeanDefinitionBuilder.rootBeanDefinition(LDAP_SEARCH_CLASS);
|
||||||
searchBuilder.setSource(source);
|
searchBuilder.setSource(source);
|
||||||
searchBuilder.addConstructorArg(userSearchBase);
|
searchBuilder.addConstructorArg(userSearchBase);
|
||||||
searchBuilder.addConstructorArg(userSearchFilter);
|
searchBuilder.addConstructorArg(userSearchFilter);
|
||||||
searchBuilder.addConstructorArg(parseServerReference(elt, parserContext));
|
searchBuilder.addConstructorArg(parseServerReference(elt, parserContext));
|
||||||
|
|
||||||
return (RootBeanDefinition) searchBuilder.getBeanDefinition();
|
return (RootBeanDefinition) searchBuilder.getBeanDefinition();
|
||||||
}
|
}
|
||||||
|
|
||||||
static RuntimeBeanReference parseServerReference(Element elt, ParserContext parserContext) {
|
static RuntimeBeanReference parseServerReference(Element elt, ParserContext parserContext) {
|
||||||
String server = elt.getAttribute(ATT_SERVER);
|
String server = elt.getAttribute(ATT_SERVER);
|
||||||
boolean requiresDefaultName = false;
|
boolean requiresDefaultName = false;
|
||||||
|
|
||||||
if (!StringUtils.hasText(server)) {
|
if (!StringUtils.hasText(server)) {
|
||||||
server = BeanIds.CONTEXT_SOURCE;
|
server = BeanIds.CONTEXT_SOURCE;
|
||||||
requiresDefaultName = true;
|
requiresDefaultName = true;
|
||||||
|
|
@ -89,27 +89,27 @@ public class LdapUserServiceBeanDefinitionParser extends AbstractUserDetailsServ
|
||||||
RuntimeBeanReference contextSource = new RuntimeBeanReference(server);
|
RuntimeBeanReference contextSource = new RuntimeBeanReference(server);
|
||||||
contextSource.setSource(parserContext.extractSource(elt));
|
contextSource.setSource(parserContext.extractSource(elt));
|
||||||
LdapConfigUtils.registerPostProcessorIfNecessary(parserContext.getRegistry(), requiresDefaultName);
|
LdapConfigUtils.registerPostProcessorIfNecessary(parserContext.getRegistry(), requiresDefaultName);
|
||||||
|
|
||||||
return contextSource;
|
return contextSource;
|
||||||
}
|
}
|
||||||
|
|
||||||
static RootBeanDefinition parseUserDetailsClass(Element elt, ParserContext parserContext) {
|
static RootBeanDefinition parseUserDetailsClass(Element elt, ParserContext parserContext) {
|
||||||
String userDetailsClass = elt.getAttribute(ATT_USER_CLASS);
|
String userDetailsClass = elt.getAttribute(ATT_USER_CLASS);
|
||||||
|
|
||||||
if (OPT_PERSON.equals(userDetailsClass)) {
|
if (OPT_PERSON.equals(userDetailsClass)) {
|
||||||
return new RootBeanDefinition(PERSON_MAPPER_CLASS, null, null);
|
return new RootBeanDefinition(PERSON_MAPPER_CLASS, null, null);
|
||||||
} else if (OPT_INETORGPERSON.equals(userDetailsClass)) {
|
} else if (OPT_INETORGPERSON.equals(userDetailsClass)) {
|
||||||
return new RootBeanDefinition(INET_ORG_PERSON_MAPPER_CLASS, null, null);
|
return new RootBeanDefinition(INET_ORG_PERSON_MAPPER_CLASS, null, null);
|
||||||
}
|
}
|
||||||
return new RootBeanDefinition(LDAP_USER_MAPPER_CLASS, null, null);
|
return new RootBeanDefinition(LDAP_USER_MAPPER_CLASS, null, null);
|
||||||
}
|
}
|
||||||
|
|
||||||
static RootBeanDefinition parseAuthoritiesPopulator(Element elt, ParserContext parserContext) {
|
static RootBeanDefinition parseAuthoritiesPopulator(Element elt, ParserContext parserContext) {
|
||||||
String groupSearchFilter = elt.getAttribute(ATT_GROUP_SEARCH_FILTER);
|
String groupSearchFilter = elt.getAttribute(ATT_GROUP_SEARCH_FILTER);
|
||||||
String groupSearchBase = elt.getAttribute(ATT_GROUP_SEARCH_BASE);
|
String groupSearchBase = elt.getAttribute(ATT_GROUP_SEARCH_BASE);
|
||||||
String groupRoleAttribute = elt.getAttribute(ATT_GROUP_ROLE_ATTRIBUTE);
|
String groupRoleAttribute = elt.getAttribute(ATT_GROUP_ROLE_ATTRIBUTE);
|
||||||
String rolePrefix = elt.getAttribute(ATT_ROLE_PREFIX);
|
String rolePrefix = elt.getAttribute(ATT_ROLE_PREFIX);
|
||||||
|
|
||||||
if (!StringUtils.hasText(groupSearchFilter)) {
|
if (!StringUtils.hasText(groupSearchFilter)) {
|
||||||
groupSearchFilter = DEF_GROUP_SEARCH_FILTER;
|
groupSearchFilter = DEF_GROUP_SEARCH_FILTER;
|
||||||
}
|
}
|
||||||
|
|
@ -117,25 +117,25 @@ public class LdapUserServiceBeanDefinitionParser extends AbstractUserDetailsServ
|
||||||
if (!StringUtils.hasText(groupSearchBase)) {
|
if (!StringUtils.hasText(groupSearchBase)) {
|
||||||
groupSearchBase = DEF_GROUP_SEARCH_BASE;
|
groupSearchBase = DEF_GROUP_SEARCH_BASE;
|
||||||
}
|
}
|
||||||
|
|
||||||
BeanDefinitionBuilder populator = BeanDefinitionBuilder.rootBeanDefinition(LDAP_AUTHORITIES_POPULATOR_CLASS);
|
BeanDefinitionBuilder populator = BeanDefinitionBuilder.rootBeanDefinition(LDAP_AUTHORITIES_POPULATOR_CLASS);
|
||||||
populator.setSource(parserContext.extractSource(elt));
|
populator.setSource(parserContext.extractSource(elt));
|
||||||
populator.addConstructorArg(parseServerReference(elt, parserContext));
|
populator.addConstructorArg(parseServerReference(elt, parserContext));
|
||||||
populator.addConstructorArg(groupSearchBase);
|
populator.addConstructorArg(groupSearchBase);
|
||||||
populator.addPropertyValue("groupSearchFilter", groupSearchFilter);
|
populator.addPropertyValue("groupSearchFilter", groupSearchFilter);
|
||||||
populator.addPropertyValue("searchSubtree", Boolean.TRUE);
|
populator.addPropertyValue("searchSubtree", Boolean.TRUE);
|
||||||
|
|
||||||
if (StringUtils.hasText(rolePrefix)) {
|
if (StringUtils.hasText(rolePrefix)) {
|
||||||
if ("none".equals(rolePrefix)) {
|
if ("none".equals(rolePrefix)) {
|
||||||
rolePrefix = "";
|
rolePrefix = "";
|
||||||
}
|
}
|
||||||
populator.addPropertyValue("rolePrefix", rolePrefix);
|
populator.addPropertyValue("rolePrefix", rolePrefix);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (StringUtils.hasLength(groupRoleAttribute)) {
|
if (StringUtils.hasLength(groupRoleAttribute)) {
|
||||||
populator.addPropertyValue("groupRoleAttribute", groupRoleAttribute);
|
populator.addPropertyValue("groupRoleAttribute", groupRoleAttribute);
|
||||||
}
|
}
|
||||||
|
|
||||||
return (RootBeanDefinition) populator.getBeanDefinition();
|
return (RootBeanDefinition) populator.getBeanDefinition();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -89,7 +89,7 @@ group-search-filter-attribute =
|
||||||
## Group search filter. Defaults to (uniqueMember={0}). The substituted parameter is the DN of the user.
|
## Group search filter. Defaults to (uniqueMember={0}). The substituted parameter is the DN of the user.
|
||||||
attribute group-search-filter {xsd:string}
|
attribute group-search-filter {xsd:string}
|
||||||
group-search-base-attribute =
|
group-search-base-attribute =
|
||||||
## Search base for group membership searches. Defaults to "ou=groups".
|
## Search base for group membership searches. Defaults to "" (searching from the root).
|
||||||
attribute group-search-base {xsd:string}
|
attribute group-search-base {xsd:string}
|
||||||
user-search-filter-attribute =
|
user-search-filter-attribute =
|
||||||
## The LDAP filter used to search for users (optional). For example "(uid={0})". The substituted parameter is the user's login name.
|
## The LDAP filter used to search for users (optional). For example "(uid={0})". The substituted parameter is the user's login name.
|
||||||
|
|
|
||||||
|
|
@ -222,7 +222,7 @@
|
||||||
<xs:attribute name="group-search-base" use="required" type="xs:string">
|
<xs:attribute name="group-search-base" use="required" type="xs:string">
|
||||||
<xs:annotation>
|
<xs:annotation>
|
||||||
<xs:documentation>Search base for group membership searches. Defaults to
|
<xs:documentation>Search base for group membership searches. Defaults to
|
||||||
"ou=groups".</xs:documentation>
|
"" (searching from the root).</xs:documentation>
|
||||||
</xs:annotation>
|
</xs:annotation>
|
||||||
</xs:attribute>
|
</xs:attribute>
|
||||||
</xs:attributeGroup>
|
</xs:attributeGroup>
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue