|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Objectorg.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator
public class DefaultLdapAuthoritiesPopulator
The default strategy for obtaining user role information from the directory.
It obtains roles by performing a search for "groups" the user is a member of.
A typical group search scenario would be where each group/role is specified using the groupOfNames (or groupOfUniqueNames) LDAP objectClass and the user's DN is listed in the member (or uniqueMember) attribute to indicate that they should be assigned that role. The following LDIF sample has the groups stored under the DN ou=groups,dc=acegisecurity,dc=org and a group called "developers" with "ben" and "marissa" as members:dn: ou=groups,dc=acegisecurity,dc=orgobjectClass: top objectClass: organizationalUnitou: groupsdn: cn=developers,ou=groups,dc=acegisecurity,dc=org objectClass: groupOfNamesobjectClass: topcn: developersdescription: Acegi Security Developers member: uid=ben,ou=people,dc=acegisecurity,dc=orgmember: uid=marissa,ou=people,dc=acegisecurity,dc=orgou: developerThe group search is performed within a DN specified by the groupSearchBase property, which should be relative to the root DN of its InitialDirContextFactory. If the search base is null, group searching is disabled. The filter used in the search is defined by the groupSearchFilter property, with the filter argument {0} being the full DN of the user. You can also optionally use the parameter {1}, which will be substituted with the username. You can also specify which attribute defines the role name by setting the groupRoleAttribute property (the default is "cn").
The configuration below shows how the group search might be performed with the above schema.
<bean id="ldapAuthoritiesPopulator" class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator"> <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg> <constructor-arg><value>ou=groups</value></constructor-arg> <property name="groupRoleAttribute"><value>ou</value></property> <!-- the following properties are shown with their default values --> <property name="searchSubTree"><value>false</value></property> <property name="rolePrefix"><value>ROLE_</value></property> <property name="convertToUpperCase"><value>true</value></property> </bean>A search for roles for user "uid=ben,ou=people,dc=acegisecurity,dc=org" would return the single granted authority "ROLE_DEVELOPER". The single-level search is performed by default. Setting the searchSubTree property to true will enable a search of the entire subtree under groupSearchBase.
Constructor Summary | |
---|---|
DefaultLdapAuthoritiesPopulator(InitialDirContextFactory initialDirContextFactory,
java.lang.String groupSearchBase)
Constructor for group search scenarios. |
Method Summary | |
---|---|
protected java.util.Set |
getAdditionalRoles(LdapUserDetails ldapUser)
This method should be overridden if required to obtain any additional roles for the given user (on top of those obtained from the standard search implemented by this class). |
GrantedAuthority[] |
getGrantedAuthorities(LdapUserDetails userDetails)
Obtains the authorities for the user who's directory entry is represented by the supplied LdapUserDetails object. |
protected java.util.Set |
getGroupMembershipRoles(java.lang.String userDn,
javax.naming.directory.Attributes userAttributes)
Deprecated. Subclasses should implement getAdditionalRoles instead. |
java.util.Set |
getGroupMembershipRoles(java.lang.String userDn,
java.lang.String username)
|
protected java.lang.String |
getGroupSearchBase()
|
protected InitialDirContextFactory |
getInitialDirContextFactory()
|
void |
setConvertToUpperCase(boolean convertToUpperCase)
|
void |
setDefaultRole(java.lang.String defaultRole)
The default role which will be assigned to all users. |
void |
setGroupRoleAttribute(java.lang.String groupRoleAttribute)
|
void |
setGroupSearchFilter(java.lang.String groupSearchFilter)
|
void |
setRolePrefix(java.lang.String rolePrefix)
|
void |
setSearchSubtree(boolean searchSubtree)
If set to true, a subtree scope search will be performed. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail |
---|
public DefaultLdapAuthoritiesPopulator(InitialDirContextFactory initialDirContextFactory, java.lang.String groupSearchBase)
initialDirContextFactory
- supplies the contexts used to search for user roles.groupSearchBase
- if this is an empty string the search will be performed from the root DN of the
context factory.Method Detail |
---|
protected java.util.Set getAdditionalRoles(LdapUserDetails ldapUser)
ldapUser
- the user who's roles are required
public final GrantedAuthority[] getGrantedAuthorities(LdapUserDetails userDetails)
getGrantedAuthorities
in interface LdapAuthoritiesPopulator
userDetails
- the user who's authorities are required
public java.util.Set getGroupMembershipRoles(java.lang.String userDn, java.lang.String username)
protected java.util.Set getGroupMembershipRoles(java.lang.String userDn, javax.naming.directory.Attributes userAttributes)
userDn
- the user's distinguished name.userAttributes
- the retrieved user's attributes (unused by default).
protected InitialDirContextFactory getInitialDirContextFactory()
protected java.lang.String getGroupSearchBase()
public void setConvertToUpperCase(boolean convertToUpperCase)
public void setDefaultRole(java.lang.String defaultRole)
defaultRole
- the role name, including any desired prefix.public void setGroupRoleAttribute(java.lang.String groupRoleAttribute)
public void setGroupSearchFilter(java.lang.String groupSearchFilter)
public void setRolePrefix(java.lang.String rolePrefix)
public void setSearchSubtree(boolean searchSubtree)
searchSubtree
- set to true to enable searching of the entire tree below the groupSearchBase.
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |