I currently have my ldap authentication context set up like this:
<ldap-server url="ldap://host/dn"
             manager-dn="cn=someuser"
             manager-password="somepass" />
<authentication-manager>
    <ldap-authentication-provider user-search-filter="(samaccountname={0})"/>
</authentication-manager>
Now, I need to be able to set up a custom authorities mapper (it uses a different ldap server) - so I am assuming I need to set up my ldap-server similar to ( http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ldap.html ):
<bean id="ldapAuthProvider"
      class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg ref="contextSource"/>
            <property name="userDnPatterns">
                <list><value>uid={0},ou=people</value></list>
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg ref="contextSource"/>
            <constructor-arg value="ou=groups"/>
            <property name="groupRoleAttribute" value="ou"/>
        </bean>
    </constructor-arg>
</bean>
But, how do I reference that 'ldapAuthProvider' to the ldap-server in the security context?
I am also using spring-security 3, so '' does not exist...
For the record, Spring configuration is simpler if you use a custom LdapUserDetailsMapper, as there's a dedicated parameter user-context-mapper-ref exposed on <ldap-authentication-provider/> which allows you to use the short config style:
<authentication-manager>
    <ldap-authentication-provider
        user-search-filter="sAMAccountName={0}"
        user-search-base="OU=Users"
        group-search-filter="(&amp;(objectclass=group)(member={0}))"
        group-search-base="OU=Groups"
        user-context-mapper-ref="customUserContextMapper" />
</authentication-manager>
<ldap-server url="ldap://url:389/DC=mock,DC=com"
             manager-dn="manager"
             manager-password="pass" />
On a side note, going the LdapAuthoritiesPopulator route you can also extend DefaultLdapAuthoritiesPopulator and override getAdditionalRoles() rather than implementing the interface directly.
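public class MyCustomAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
    // DefaultLdapAuthoritiesPopulator has no no-arg constructor, so pass its arguments through.
    public MyCustomAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase) {
        super(contextSource, groupSearchBase);
    }
    // Roles returned here are added to the ones found by the group search.
    @Override
    protected Set<GrantedAuthority> getAdditionalRoles(
            DirContextOperations user, String username) {
        Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        return authorities;
    }
}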
What I have done to make it work was simply to add this into the security context:
<authentication-manager>
    <authentication-provider ref='ldapAuthProvider'/>
</authentication-manager>
And then, configuring the 'ldapAuthProvider' bean like this:
<bean id="contextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldaps://url/dc=mock,dc=com" />
    <property name="userDn" value="cn=username,ou=People,dc=mock,dc=com" />
    <property name="password" value="password" />
</bean>
<bean id="ldapAuthProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource" />
            <property name="userDnPatterns">
                <list>
                    <value>uid={0},ou=People</value>
                </list>
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="com.mock.MyCustomAuthoritiesPopulator">
        </bean>
    </constructor-arg>
</bean>
With the implementation of MyCustomAuthoritiesPopulator as follows:
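package com.mock;
import java.util.ArrayList;
import java.util.Collection;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
public class MyCustomAuthoritiesPopulator implements LdapAuthoritiesPopulator {
    // Grants ROLE_USER to every user who has authenticated successfully.
    public Collection<GrantedAuthority> getGrantedAuthorities(
            DirContextOperations arg0, String arg1) {
        ArrayList<GrantedAuthority> list = new ArrayList<GrantedAuthority>();
        list.add(new SimpleGrantedAuthority("ROLE_USER"));
        return list;
    }
}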
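For the case raised in the question, where roles live on a different LDAP server than the one used for the bind, the populator can query that second directory instead of returning a fixed role. The following is an added example, not code from any of the answers; the class name, the posixGroup/memberUid schema and the constructor arguments are assumptions about the second directory.

```java
package com.mock;

import java.util.Collection;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

// Hypothetical populator: authentication binds against one server,
// group membership is read from another.
public class SecondDirectoryAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    // Assumed schema of the second directory (RFC 2307 posixGroup).
    private static final String GROUP_FILTER = "(&(objectClass=posixGroup)(memberUid={0}))";

    private final SpringSecurityLdapTemplate groupDirectory;
    private final String groupSearchBase;

    public SecondDirectoryAuthoritiesPopulator(ContextSource groupContextSource,
                                               String groupSearchBase) {
        this.groupDirectory = new SpringSecurityLdapTemplate(groupContextSource);
        this.groupSearchBase = groupSearchBase;
    }

    public Collection<GrantedAuthority> getGrantedAuthorities(
            DirContextOperations user, String username) {
        // The username is passed as a filter parameter, never concatenated:
        // the template filter-encodes each parameter before substituting {0},
        // so characters such as '*', '(' and ')' cannot alter the query.
        Set<String> groupNames = groupDirectory.searchForSingleAttributeValues(
                groupSearchBase, GROUP_FILTER, new String[] { username }, "cn");

        Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
        for (String cn : groupNames) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + cn.toUpperCase(Locale.ROOT)));
        }
        // No matching group means no authorities; nothing is granted by default.
        return authorities;
    }
}
```

It takes the place of MyCustomAuthoritiesPopulator as the second constructor-arg of ldapAuthProvider, with its own DefaultSpringSecurityContextSource bean pointing at the group directory.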
If you want to avoid ugly bean definitions (DefaultSpringSecurityContextSource, LdapAuthenticationProvider, BindAuthenticator,...+100) and use "cool" xml definitions like
<authentication-manager>
    <ldap-authentication-provider... />
</authentication-manager>
you can use a BeanPostProcessor. The following example is a customization of the GrantedAuthoritiesMapper in the AuthenticationProvider:
[context.xml]
<ldap-server id="ldapServer" url="${ldap.url}" manager-dn="${ldap.manager.dn}" manager-password="${ldap.manager.password}"/>
<authentication-manager>
    <ldap-authentication-provider user-search-filter="${ldap.userSearch.filter}" user-search-base="${ldap.searchBase}"
                                  group-search-base="${ldap.groupSearchBase}"/>
</authentication-manager>
[UserGrantedAuthoritiesMapper.java]
package com.example.access.ldap;
import java.util.Collection;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.stereotype.Component;
@Component
public class UserGrantedAuthoritiesMapper implements GrantedAuthoritiesMapper {
    public Collection<? extends GrantedAuthority> mapAuthorities(final Collection<? extends GrantedAuthority> authorities) {
        ...
        return roles;
    }
}
[AuthenticationProviderPostProcessor.java]
package com.example.access.ldap;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
import org.springframework.stereotype.Component;
@Component
public class AuthenticationProviderPostProcessor implements BeanPostProcessor {
    @Autowired
    private GrantedAuthoritiesMapper grantedAuthoritiesMapper;
    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName)
            throws BeansException {
        return bean;
    }
    // Runs for every bean; only the LDAP authentication provider is modified.
    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName)
            throws BeansException {
        if (bean != null && bean instanceof AbstractLdapAuthenticationProvider) {
            setProviderAuthoritiesMapper((AbstractLdapAuthenticationProvider) bean);
        }
        return bean;
    }
    protected void setProviderAuthoritiesMapper(AbstractLdapAuthenticationProvider authenticationProvider) {
        if (authenticationProvider != null) {
            authenticationProvider.setAuthoritiesMapper(grantedAuthoritiesMapper);
        }
    }
}