SEC-2490: LdapAuthenticationProviderConfigurer allows custom LdapAuthoritiesPopulator

2014-02-13 16:37:33 -06:00 · 2014-02-13 16:37:33 -06:00 · bf2df220ca
parent 152f41f61e
commit bf2df220ca
3 changed files with 58 additions and 4 deletions
--- a/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTests.groovy
+++ b/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTests.groovy
@ -26,6 +26,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.authentication.ldap.NamespaceLdapAuthenticationProviderTestsConfigs.LdapAuthenticationProviderConfig;
 import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
 import org.springframework.security.ldap.authentication.PasswordComparisonAuthenticator;
+import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.PersonContextMapper;
 import org.springframework.test.util.ReflectionTestUtils;

@ -57,6 +58,17 @@ class NamespaceLdapAuthenticationProviderTests extends BaseSpringSpec {
            provider.authenticator.userSearch.searchFilter == "(uid={0})"
    }

+    def "SEC-2490: ldap-authentication-provider custom LdapAuthoritiesPopulator"() {
+        setup:
+            LdapAuthoritiesPopulator LAP = Mock()
+            CustomAuthoritiesPopulatorConfig.LAP = LAP
+        when:
+            loadConfig(CustomAuthoritiesPopulatorConfig)
+            LdapAuthenticationProvider provider = findAuthenticationProvider(LdapAuthenticationProvider)
+        then:
+            provider.authoritiesPopulator == LAP
+    }
+
    def "ldap-authentication-provider password compare"() {
        when:
            loadConfig(PasswordCompareLdapConfig)
--- a/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTestsConfigs.java
+++ b/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTestsConfigs.java
@ -20,6 +20,7 @@ import org.springframework.security.authentication.encoding.PlaintextPasswordEnc
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.PersonContextMapper;

 /**
@ -65,6 +66,18 @@ public class NamespaceLdapAuthenticationProviderTestsConfigs {
        }
    }

+    @Configuration
+    @EnableWebSecurity
+    static class CustomAuthoritiesPopulatorConfig extends WebSecurityConfigurerAdapter {
+        static LdapAuthoritiesPopulator LAP;
+        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+            auth
+                .ldapAuthentication()
+                    .userSearchFilter("(uid={0})")
+                    .ldapAuthoritiesPopulator(LAP);
+        }
+    }
+
    @Configuration
    @EnableWebSecurity
    static class PasswordCompareLdapConfig extends WebSecurityConfigurerAdapter {
--- a/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java
@ -36,6 +36,7 @@ import org.springframework.security.ldap.search.LdapUserSearch;
 import org.springframework.security.ldap.server.ApacheDSContainer;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper;
+import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
 import org.springframework.security.ldap.userdetails.PersonContextMapper;
 import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
@ -61,15 +62,13 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
    private UserDetailsContextMapper userDetailsContextMapper;
    private PasswordEncoder passwordEncoder;
    private String passwordAttribute;
+    private LdapAuthoritiesPopulator ldapAuthoritiesPopulator;

    private LdapAuthenticationProvider build() throws Exception {
        BaseLdapPathContextSource contextSource = getContextSource();
        LdapAuthenticator ldapAuthenticator = createLdapAuthenticator(contextSource);

-        DefaultLdapAuthoritiesPopulator authoritiesPopulator = new DefaultLdapAuthoritiesPopulator(
-                contextSource, groupSearchBase);
-        authoritiesPopulator.setGroupRoleAttribute(groupRoleAttribute);
-        authoritiesPopulator.setGroupSearchFilter(groupSearchFilter);
+        LdapAuthoritiesPopulator authoritiesPopulator = getLdapAuthoritiesPopulator();

        LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(
                ldapAuthenticator, authoritiesPopulator);
@ -83,6 +82,17 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
        return ldapAuthenticationProvider;
    }

+    /**
+     * Specifies the {@link LdapAuthoritiesPopulator}.
+     *
+     * @param ldapAuthoritiesPopulator the {@link LdapAuthoritiesPopulator} the default is {@link DefaultLdapAuthoritiesPopulator}
+     * @return the {@link LdapAuthenticationProviderConfigurer} for further customizations
+     */
+    public LdapAuthenticationProviderConfigurer<B> ldapAuthoritiesPopulator(LdapAuthoritiesPopulator ldapAuthoritiesPopulator) {
+        this.ldapAuthoritiesPopulator = ldapAuthoritiesPopulator;
+        return this;
+    }
+
    /**
     * Adds an {@link ObjectPostProcessor} for this class.
     *
@ -94,6 +104,25 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
        return this;
    }

+    /**
+     * Gets the {@link LdapAuthoritiesPopulator} and defaults to {@link DefaultLdapAuthoritiesPopulator}
+     *
+     * @return the {@link LdapAuthoritiesPopulator}
+     */
+    private LdapAuthoritiesPopulator getLdapAuthoritiesPopulator() {
+        if(ldapAuthoritiesPopulator != null) {
+            return ldapAuthoritiesPopulator;
+        }
+
+        DefaultLdapAuthoritiesPopulator defaultAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(
+                contextSource, groupSearchBase);
+        defaultAuthoritiesPopulator.setGroupRoleAttribute(groupRoleAttribute);
+        defaultAuthoritiesPopulator.setGroupSearchFilter(groupSearchFilter);
+
+        this.ldapAuthoritiesPopulator = defaultAuthoritiesPopulator;
+        return defaultAuthoritiesPopulator;
+    }
+
    /**
     * Creates the {@link LdapAuthenticator} to use
     *