SEC-814: Added standard bean config to ldap example and updated doc to provide some pointers to DefaultLdapAuthoritiesPopulator

18 years ago · 5cf0c84e2f
2 changed files with 75 additions and 31 deletions
--- a/samples/ldap/src/main/webapp/WEB-INF/applicationContext-security.xml
+++ b/samples/ldap/src/main/webapp/WEB-INF/applicationContext-security.xml
@ -1,32 +1,65 @@
				@@ -1,32 +1,65 @@
-<beans:beans xmlns="http://www.springframework.org/schema/security"
-    xmlns:beans="http://www.springframework.org/schema/beans"
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:s="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
    
-    <http>
-        <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
-        <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
-        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
-
-        <form-login />
-        <anonymous />
-        <logout />
-    </http>
-
-    <!--
-        Usernames/Passwords are
-        rod/koala
-        dianne/emu
-        scott/wombat
-    -->
-        <ldap-server ldif="classpath:users.ldif" />
-
-        <ldap-authentication-provider 
-            group-search-filter="member={0}" 
-            group-search-base="ou=groups"
-            user-search-base="ou=people"
-            user-search-filter="uid={0}"
-        />
-
-</beans:beans>
+    <s:http>
+        <s:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
+        <s:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
+        <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
+
+        <s:form-login />
+        <s:anonymous />
+        <s:logout />
+    </s:http>
+
+
+    <!-- Simple namespace-based configuration -->
+
+    <s:ldap-server ldif="classpath:users.ldif" />
+
+    <s:ldap-authentication-provider 
+        group-search-filter="member={0}" 
+        group-search-base="ou=groups"
+        user-search-base="ou=people"
+        user-search-filter="uid={0}"
+    />
+    
+    <!-- Traditional Bean version of the same configuration -->
+    
+    <!-- This bean points at the embedded directory server created by the ldap-server element above  -->
+    <bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
+        <constructor-arg value="ldap://localhost:389/dc=springframework,dc=org"/>
+    </bean>
+
+    <bean id="secondLdapProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
+        <s:custom-authentication-provider />
+		<constructor-arg>
+			<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
+				<constructor-arg ref="contextSource" />
+				<property name="userSearch">
+					<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
+					  <constructor-arg index="0" value="ou=people"/>
+					  <constructor-arg index="1" value="(uid={0})"/>
+					  <constructor-arg index="2" ref="contextSource" />
+					</bean>				
+				</property>
+			</bean>
+		</constructor-arg>
+		<constructor-arg>
+			<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
+				<constructor-arg ref="contextSource" />
+				<constructor-arg value="ou=groups" />
+				<property name="groupSearchFilter" value="member={0}"/>
+				<property name="groupRoleAttribute" value="ou" />
+				<property name="rolePrefix" value="ROLE_"/>
+				<property name="searchSubtree" value="true"/>
+				<property name="convertToUpperCase" value="true"/>
+			</bean>
+		</constructor-arg>
+    </bean>
+
+
+
+</beans>
--- a/src/docbkx/ldap-auth-provider.xml
+++ b/src/docbkx/ldap-auth-provider.xml
@ -239,7 +239,7 @@
				@@ -239,7 +239,7 @@
                    is used, and the login name will be substituted for the parameter
                    <parameter>{0}</parameter>. The pattern should be relative to the DN that the
                    configured
-                    <interfacename>InitialDirContextFactory</interfacename>
+                    <interfacename>SpringSecurityContextSource</interfacename>
                    will bind to (see the section on
                    <link linkend="ldap-context-source">connecting to the LDAP server</link>
                    for more information on this). For example, if you are using an LDAP server with
@ -323,6 +323,17 @@
				@@ -323,6 +323,17 @@
                    which will be replaced with the user's login name.</para>
            </section>
        </section>
+        <section xml:id="ldap-authorities">
+            <title>LdapAuthoritiesPopulator</title>
+            <para>
+                After authenticating the user successfully, the <classname>LdapAuthenticationProvider</classname>
+                will attempt to load a set of authorities for the user by calling the configured 
+                <interfacename>LdapAuthoritiesPopulator</interfacename> bean. The <classname>DefaultLdapAuthoritiesPopulator</classname>
+                is an implementation which will load the authorities by searching the directory for groups of which the user is a member
+                (typically these will be <literal>groupOfNames</literal> or <literal>groupOfUniqueNames</literal> entries in the directory).
+                Consult the Javadoc for this class for more details on how it works.
+            </para>
+        </section>
        <section xml:id="ldap-bean-config">
            <info>
                <title>Spring Bean Configuration</title>
@ -367,7 +378,7 @@
				@@ -367,7 +378,7 @@
                <literal>(member=&lt;user's-DN&gt;)</literal>. The role name will be taken from the
                <quote>ou</quote>
                attribute of each match.</para>
-            <para>To configurae a user search object, which uses the filter
+            <para>To configure a user search object, which uses the filter
                <literal>(uid=&lt;user-login-name&gt;)</literal>
                for use instead of the DN-pattern (or in addition to it), you would configure the
                following bean
@ -403,7 +414,7 @@ public interface UserDetailsContextMapper {
				@@ -403,7 +414,7 @@ public interface UserDetailsContextMapper {
    void mapUserToContext(UserDetails user, DirContextAdapter ctx);
 }]]>                    
                </programlisting>
-                Only the first method is relevant for authentication. If you provide an implememntation of this, you can
+                Only the first method is relevant for authentication. If you provide an implementation of this interface, you can
                control exactly how the UserDetails object is created. The first parameter is an instance of Spring LDAP's
                <interfacename>DirContextOperations</interfacename> which gives you access to the LDAP attributes which were loaded.
                The <literal>username</literal> parameter is the name used to authenticate and the final parameter is the list of authorities