Class LdapUserDetailsManager

  • All Implemented Interfaces:
    org.springframework.security.core.userdetails.UserDetailsService, org.springframework.security.provisioning.UserDetailsManager

    public class LdapUserDetailsManager
    extends java.lang.Object
    implements org.springframework.security.provisioning.UserDetailsManager
An LDAP implementation of UserDetailsManager.

    It is designed around a standard setup where users and groups/roles are stored under separate contexts, defined by the "userDnBase" and "groupSearchBase" properties respectively.

    In this case, LDAP is being used purely to retrieve information and this class can be used in place of any other UserDetailsService for authentication. Authentication isn't performed directly against the directory, unlike with the LDAP authentication provider setup.

    Since:
    2.0
    • Constructor Summary

      Constructor Description
      LdapUserDetailsManager(org.springframework.ldap.core.ContextSource contextSource)
    • Method Summary

      Modifier and Type Method Description
      protected void addAuthorities(org.springframework.ldap.core.DistinguishedName userDn, java.util.Collection<? extends org.springframework.security.core.GrantedAuthority> authorities)
      protected org.springframework.ldap.core.DistinguishedName buildGroupDn(java.lang.String group)
      Creates a DN from a group name.
      void changePassword(java.lang.String oldPassword, java.lang.String newPassword)
      Changes the password for the current user.
      protected void copyToContext(org.springframework.security.core.userdetails.UserDetails user, org.springframework.ldap.core.DirContextAdapter ctx)
      void createUser(org.springframework.security.core.userdetails.UserDetails user)
      void deleteUser(java.lang.String username)
      org.springframework.security.core.userdetails.UserDetails loadUserByUsername(java.lang.String username)
      protected void removeAuthorities(org.springframework.ldap.core.DistinguishedName userDn, java.util.Collection<? extends org.springframework.security.core.GrantedAuthority> authorities)
      void setAttributesToRetrieve(java.lang.String[] attributesToRetrieve)
      void setGroupMemberAttributeName(java.lang.String groupMemberAttributeName)
      Sets the name of the multi-valued attribute which holds the DNs of users who are members of a group.
      void setGroupRoleAttributeName(java.lang.String groupRoleAttributeName)
      void setGroupSearchBase(java.lang.String groupSearchBase)
      void setPasswordAttributeName(java.lang.String passwordAttributeName)
      void setRoleMapper(org.springframework.ldap.core.AttributesMapper roleMapper)
      void setUsePasswordModifyExtensionOperation(boolean usePasswordModifyExtensionOperation)
      Sets the method by which a user's password gets modified.
      void setUserDetailsMapper(UserDetailsContextMapper userDetailsMapper)
      void setUsernameMapper(LdapUsernameToDnMapper usernameMapper)
      void updateUser(org.springframework.security.core.userdetails.UserDetails user)
      boolean userExists(java.lang.String username)
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • LdapUserDetailsManager

        public LdapUserDetailsManager(org.springframework.ldap.core.ContextSource contextSource)
    • Method Detail

      • loadUserByUsername

        public org.springframework.security.core.userdetails.UserDetails loadUserByUsername(java.lang.String username)
        Specified by:
        loadUserByUsername in interface org.springframework.security.core.userdetails.UserDetailsService
      • changePassword

        public void changePassword(java.lang.String oldPassword,
                                   java.lang.String newPassword)
        Changes the password for the current user. The username is obtained from the security context. There are two supported strategies for modifying the user's password depending on the capabilities of the corresponding LDAP server.

        Configured one way, this method will modify the user's password via the LDAP Password Modify Extended Operation. See setUsePasswordModifyExtensionOperation(boolean) for details.

        By default, though, if the old password is supplied, the update will be made by rebinding as the user, thus modifying the password using the user's permissions. If oldPassword is null, the update will be attempted using a standard read/write context supplied by the context source.

        Specified by:
        changePassword in interface org.springframework.security.provisioning.UserDetailsManager
        Parameters:
        oldPassword - the old password
        newPassword - the new value of the password.
      • createUser

        public void createUser(org.springframework.security.core.userdetails.UserDetails user)
        Specified by:
        createUser in interface org.springframework.security.provisioning.UserDetailsManager
      • updateUser

        public void updateUser(org.springframework.security.core.userdetails.UserDetails user)
        Specified by:
        updateUser in interface org.springframework.security.provisioning.UserDetailsManager
      • deleteUser

        public void deleteUser(java.lang.String username)
        Specified by:
        deleteUser in interface org.springframework.security.provisioning.UserDetailsManager
      • userExists

        public boolean userExists(java.lang.String username)
        Specified by:
        userExists in interface org.springframework.security.provisioning.UserDetailsManager
      • buildGroupDn

        protected org.springframework.ldap.core.DistinguishedName buildGroupDn(java.lang.String group)
        Creates a DN from a group name.
        Parameters:
        group - the name of the group
        Returns:
        the DN of the corresponding group, including the groupSearchBase
      • copyToContext

        protected void copyToContext(org.springframework.security.core.userdetails.UserDetails user,
                                     org.springframework.ldap.core.DirContextAdapter ctx)
      • addAuthorities

        protected void addAuthorities(org.springframework.ldap.core.DistinguishedName userDn,
                                      java.util.Collection<? extends org.springframework.security.core.GrantedAuthority> authorities)
      • removeAuthorities

        protected void removeAuthorities(org.springframework.ldap.core.DistinguishedName userDn,
                                         java.util.Collection<? extends org.springframework.security.core.GrantedAuthority> authorities)
      • setPasswordAttributeName

        public void setPasswordAttributeName(java.lang.String passwordAttributeName)
      • setGroupSearchBase

        public void setGroupSearchBase(java.lang.String groupSearchBase)
      • setGroupRoleAttributeName

        public void setGroupRoleAttributeName(java.lang.String groupRoleAttributeName)
      • setAttributesToRetrieve

        public void setAttributesToRetrieve(java.lang.String[] attributesToRetrieve)
      • setGroupMemberAttributeName

        public void setGroupMemberAttributeName(java.lang.String groupMemberAttributeName)
        Sets the name of the multi-valued attribute which holds the DNs of users who are members of a group.

        Usually this will be uniquemember (the default value) or member.

        Parameters:
        groupMemberAttributeName - the name of the attribute used to store group members.
      • setRoleMapper

        public void setRoleMapper(org.springframework.ldap.core.AttributesMapper roleMapper)
      • setUsePasswordModifyExtensionOperation

        public void setUsePasswordModifyExtensionOperation(boolean usePasswordModifyExtensionOperation)
        Sets the method by which a user's password gets modified. If set to true, then changePassword(java.lang.String, java.lang.String) will modify the user's password by way of the Password Modify Extension Operation. If set to false, then changePassword(java.lang.String, java.lang.String) will modify the user's password by directly modifying attributes on the corresponding entry. Before using this setting, ensure that the corresponding LDAP server supports this extended operation. By default, usePasswordModifyExtensionOperation is false.
        Parameters:
        usePasswordModifyExtensionOperation - true to change passwords with the Password Modify Extension Operation, false to modify the password attribute directly on the user's entry
        Since:
        4.2.9
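The following is an added example, not code from Spring Security or this class's documentation. It wires up an LdapUserDetailsManager with the setters described above (usernameMapper, groupSearchBase, groupMemberAttributeName, usePasswordModifyExtensionOperation) and illustrates the two changePassword strategies. Because the documentation asks you to confirm that the server supports the extended operation before enabling it, the example reads the root DSE's supportedExtension attribute and only opts in when the Password Modify OID (1.3.6.1.4.1.4203.1.11.1, from RFC 3062) is advertised. The LDAP URL, base DN, manager credentials and the ou=people / ou=groups layout are placeholders I assumed; LdapContextSource and DefaultLdapUsernameToDnMapper are the standard Spring LDAP / Spring Security classes.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;

import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.ldap.DefaultLdapUsernameToDnMapper;
import org.springframework.security.ldap.userdetails.LdapUserDetailsManager;

public final class LdapUserManagerSetup {

    // OID of the LDAP Password Modify Extended Operation (RFC 3062).
    static final String PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1";

    // Placeholder connection settings (assumed for this example); replace with real values.
    static final String LDAP_URL = "ldap://ldap.example.test:389";
    static final String BASE_DN = "dc=example,dc=test";
    static final String MANAGER_DN = "cn=manager," + BASE_DN;
    static final String MANAGER_PASSWORD = "<manager-password-placeholder>";

    /**
     * Checks whether the server's root DSE advertises the Password Modify extended operation.
     * A context source without a base DN is used so that the empty name "" resolves to the root DSE.
     */
    static boolean serverSupportsPasswordModify() throws NamingException {
        LdapContextSource rootDse = new LdapContextSource();
        rootDse.setUrl(LDAP_URL);
        rootDse.setUserDn(MANAGER_DN);
        rootDse.setPassword(MANAGER_PASSWORD);
        rootDse.afterPropertiesSet();

        DirContext ctx = rootDse.getReadOnlyContext();
        try {
            Attribute supported = ctx.getAttributes("", new String[] { "supportedExtension" })
                    .get("supportedExtension");
            if (supported == null) {
                return false;
            }
            NamingEnumeration<?> oids = supported.getAll();
            while (oids.hasMore()) {
                if (PASSWORD_MODIFY_OID.equals(String.valueOf(oids.next()))) {
                    return true;
                }
            }
            return false;
        } finally {
            ctx.close();
        }
    }

    /** Builds the manager for a directory laid out as ou=people (keyed by uid) and ou=groups. */
    static LdapUserDetailsManager buildManager() throws NamingException {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(LDAP_URL);
        contextSource.setBase(BASE_DN);
        contextSource.setUserDn(MANAGER_DN);          // read/write account used by the manager
        contextSource.setPassword(MANAGER_PASSWORD);
        contextSource.afterPropertiesSet();

        LdapUserDetailsManager manager = new LdapUserDetailsManager(contextSource);
        manager.setUsernameMapper(new DefaultLdapUsernameToDnMapper("ou=people", "uid"));
        manager.setGroupSearchBase("ou=groups");
        manager.setGroupRoleAttributeName("cn");
        manager.setGroupMemberAttributeName("uniqueMember");
        // Only enable the extended operation when the server actually advertises it;
        // otherwise fall back to modifying the password attribute directly (the default).
        manager.setUsePasswordModifyExtensionOperation(serverSupportsPasswordModify());
        return manager;
    }

    /**
     * Self-service password change. The manager takes the username from the security context,
     * so a caller must be authenticated. A null oldPassword would make the manager use the
     * context source's own read/write credentials instead of rebinding as the user, which
     * skips the directory's check of the old password, so this wrapper refuses it.
     */
    static void changeOwnPassword(LdapUserDetailsManager manager,
                                  String oldPassword, String newPassword) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null || !current.isAuthenticated()) {
            throw new IllegalStateException("no authenticated user in the security context");
        }
        if (oldPassword == null) {
            throw new IllegalArgumentException("old password is required for a self-service change");
        }
        manager.changePassword(oldPassword, newPassword);
    }
}
```

The root DSE check runs once at wiring time; an administrative reset path that deliberately passes a null oldPassword (so the manager's read/write context does the update) should be a separate, access-controlled entry point rather than the self-service method shown here.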