Package org.springframework.security.ldap.userdetails

Class LdapUserDetailsManager

java.lang.Object
org.springframework.security.ldap.userdetails.LdapUserDetailsManager
All Implemented Interfaces:
org.springframework.security.core.userdetails.UserDetailsService, org.springframework.security.provisioning.UserDetailsManager
public class LdapUserDetailsManager extends Object implements org.springframework.security.provisioning.UserDetailsManager
An Ldap implementation of UserDetailsManager.

It is designed around a standard setup where users and groups/roles are stored under separate contexts, defined by the "userDnBase" and "groupSearchBase" properties respectively.

In this case, LDAP is being used purely to retrieve information and this class can be used in place of any other UserDetailsService for authentication. Authentication isn't performed directly against the directory, unlike with the LDAP authentication provider setup.

Since:
2.0

  • Constructor Details

    • LdapUserDetailsManager

      public LdapUserDetailsManager(org.springframework.ldap.core.ContextSource contextSource)

  • Method Details

    • loadUserByUsername

      public org.springframework.security.core.userdetails.UserDetails loadUserByUsername(String username)
      Specified by:
      loadUserByUsername in interface org.springframework.security.core.userdetails.UserDetailsService

    • changePassword

      public void changePassword(String oldPassword, String newPassword)
      Changes the password for the current user. The username is obtained from the security context. There are two supported strategies for modifying the user's password depending on the capabilities of the corresponding LDAP server.

      Configured one way, this method will modify the user's password via the LDAP Password Modify Extended Operation . See setUsePasswordModifyExtensionOperation(boolean) for details.

      By default, though, if the old password is supplied, the update will be made by rebinding as the user, thus modifying the password using the user's permissions. If oldPassword is null, the update will be attempted using a standard read/write context supplied by the context source.

      Specified by:
      changePassword in interface org.springframework.security.provisioning.UserDetailsManager
      Parameters:
      oldPassword - the old password
      newPassword - the new value of the password.

    • createUser

      public void createUser(org.springframework.security.core.userdetails.UserDetails user)
      Specified by:
      createUser in interface org.springframework.security.provisioning.UserDetailsManager

    • updateUser

      public void updateUser(org.springframework.security.core.userdetails.UserDetails user)
      Specified by:
      updateUser in interface org.springframework.security.provisioning.UserDetailsManager

    • deleteUser

      public void deleteUser(String username)
      Specified by:
      deleteUser in interface org.springframework.security.provisioning.UserDetailsManager

    • userExists

      public boolean userExists(String username)
      Specified by:
      userExists in interface org.springframework.security.provisioning.UserDetailsManager

    • buildGroupDn

      protected org.springframework.ldap.core.DistinguishedName buildGroupDn(String group)
      Creates a DN from a group name.
      Parameters:
      group - the name of the group
      Returns:
      the DN of the corresponding group, including the groupSearchBase

    • copyToContext

      protected void copyToContext(org.springframework.security.core.userdetails.UserDetails user, org.springframework.ldap.core.DirContextAdapter ctx)

    • addAuthorities

      protected void addAuthorities(org.springframework.ldap.core.DistinguishedName userDn, Collection<? extends org.springframework.security.core.GrantedAuthority> authorities)

    • removeAuthorities

      protected void removeAuthorities(org.springframework.ldap.core.DistinguishedName userDn, Collection<? extends org.springframework.security.core.GrantedAuthority> authorities)

    • setUsernameMapper

      public void setUsernameMapper(LdapUsernameToDnMapper usernameMapper)

    • setPasswordAttributeName

      public void setPasswordAttributeName(String passwordAttributeName)

    • setGroupSearchBase

      public void setGroupSearchBase(String groupSearchBase)

    • setGroupRoleAttributeName

      public void setGroupRoleAttributeName(String groupRoleAttributeName)

    • setAttributesToRetrieve

      public void setAttributesToRetrieve(String[] attributesToRetrieve)

    • setUserDetailsMapper

      public void setUserDetailsMapper(UserDetailsContextMapper userDetailsMapper)

    • setGroupMemberAttributeName

      public void setGroupMemberAttributeName(String groupMemberAttributeName)
      Sets the name of the multi-valued attribute which holds the DNs of users who are members of a group.

      Usually this will be uniquemember (the default value) or member.

      Parameters:
      groupMemberAttributeName - the name of the attribute used to store group members.

    • setRoleMapper

      public void setRoleMapper(org.springframework.ldap.core.AttributesMapper roleMapper)

    • setUsePasswordModifyExtensionOperation

      public void setUsePasswordModifyExtensionOperation(boolean usePasswordModifyExtensionOperation)
      Sets the method by which a user's password gets modified. If set to true, then changePassword(java.lang.String, java.lang.String) will modify the user's password by way of the Password Modify Extension Operation. If set to false, then changePassword(java.lang.String, java.lang.String) will modify the user's password by directly modifying attributes on the corresponding entry. Before using this setting, ensure that the corresponding LDAP server supports this extended operation. By default, usePasswordModifyExtensionOperation is false.
      Parameters:
      usePasswordModifyExtensionOperation -
      Since:
      4.2.9

    • setSecurityContextHolderStrategy

      public void setSecurityContextHolderStrategy(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)
      Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
      Since:
      5.8