Polish GrantedAuthorityDefaults
* Move GrantedAuthorityDefaults to the config module * Move the setting of the default role into the config module instead of ApplicationContextAware. Issue gh-3701
+36
-48
@@ -16,29 +16,25 @@
|
||||
|
||||
package org.springframework.security.ldap.userdetails;
|
||||
|
||||
import org.springframework.beans.BeansException;
|
||||
import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.context.ApplicationContextAware;
|
||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
|
||||
import org.springframework.ldap.core.ContextSource;
|
||||
import org.springframework.ldap.core.DirContextOperations;
|
||||
import org.springframework.ldap.core.LdapTemplate;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import javax.naming.directory.SearchControls;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.naming.directory.SearchControls;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import org.springframework.ldap.core.ContextSource;
|
||||
import org.springframework.ldap.core.DirContextOperations;
|
||||
import org.springframework.ldap.core.LdapTemplate;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* The default strategy for obtaining user role information from the directory.
|
||||
* <p>
|
||||
@@ -101,7 +97,7 @@ import java.util.Set;
|
||||
* @author Luke Taylor
|
||||
* @author Filip Hanik
|
||||
*/
|
||||
public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator, ApplicationContextAware {
|
||||
public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
|
||||
// ~ Static fields/initializers
|
||||
// =====================================================================================
|
||||
|
||||
@@ -144,7 +140,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
/**
|
||||
* The role prefix that will be prepended to each role name
|
||||
*/
|
||||
private GrantedAuthorityDefaults rolePrefix = new GrantedAuthorityDefaults("ROLE_");
|
||||
private String rolePrefix = "ROLE_";
|
||||
/**
|
||||
* Should we convert the role name to uppercase
|
||||
*/
|
||||
@@ -164,7 +160,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
public DefaultLdapAuthoritiesPopulator(ContextSource contextSource,
|
||||
String groupSearchBase) {
|
||||
Assert.notNull(contextSource, "contextSource must not be null");
|
||||
ldapTemplate = new SpringSecurityLdapTemplate(contextSource);
|
||||
this.ldapTemplate = new SpringSecurityLdapTemplate(contextSource);
|
||||
getLdapTemplate().setSearchControls(getSearchControls());
|
||||
this.groupSearchBase = groupSearchBase;
|
||||
|
||||
@@ -172,7 +168,8 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
logger.info("groupSearchBase is null. No group search will be performed.");
|
||||
}
|
||||
else if (groupSearchBase.length() == 0) {
|
||||
logger.info("groupSearchBase is empty. Searches will be performed from the context source base");
|
||||
logger.info(
|
||||
"groupSearchBase is empty. Searches will be performed from the context source base");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -201,6 +198,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* @param user the user who's authorities are required
|
||||
* @return the set of roles granted to the user.
|
||||
*/
|
||||
@Override
|
||||
public final Collection<GrantedAuthority> getGrantedAuthorities(
|
||||
DirContextOperations user, String username) {
|
||||
String userDn = user.getNameInNamespace();
|
||||
@@ -217,8 +215,8 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
roles.addAll(extraRoles);
|
||||
}
|
||||
|
||||
if (defaultRole != null) {
|
||||
roles.add(defaultRole);
|
||||
if (this.defaultRole != null) {
|
||||
roles.add(this.defaultRole);
|
||||
}
|
||||
|
||||
List<GrantedAuthority> result = new ArrayList<GrantedAuthority>(roles.size());
|
||||
@@ -236,13 +234,13 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Searching for roles for user '" + username + "', DN = " + "'"
|
||||
+ userDn + "', with filter " + groupSearchFilter
|
||||
+ userDn + "', with filter " + this.groupSearchFilter
|
||||
+ " in search base '" + getGroupSearchBase() + "'");
|
||||
}
|
||||
|
||||
Set<String> userRoles = getLdapTemplate().searchForSingleAttributeValues(
|
||||
getGroupSearchBase(), groupSearchFilter,
|
||||
new String[] { userDn, username }, groupRoleAttribute);
|
||||
getGroupSearchBase(), this.groupSearchFilter,
|
||||
new String[] { userDn, username }, this.groupRoleAttribute);
|
||||
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Roles from search: " + userRoles);
|
||||
@@ -250,11 +248,11 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
|
||||
for (String role : userRoles) {
|
||||
|
||||
if (convertToUpperCase) {
|
||||
if (this.convertToUpperCase) {
|
||||
role = role.toUpperCase();
|
||||
}
|
||||
|
||||
authorities.add(new SimpleGrantedAuthority(rolePrefix.getRolePrefix() + role));
|
||||
authorities.add(new SimpleGrantedAuthority(this.rolePrefix + role));
|
||||
}
|
||||
|
||||
return authorities;
|
||||
@@ -265,7 +263,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
}
|
||||
|
||||
protected String getGroupSearchBase() {
|
||||
return groupSearchBase;
|
||||
return this.groupSearchBase;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -301,7 +299,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
*/
|
||||
public void setRolePrefix(String rolePrefix) {
|
||||
Assert.notNull(rolePrefix, "rolePrefix must not be null");
|
||||
this.rolePrefix = new GrantedAuthorityDefaults(rolePrefix);
|
||||
this.rolePrefix = rolePrefix;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -314,7 +312,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
public void setSearchSubtree(boolean searchSubtree) {
|
||||
int searchScope = searchSubtree ? SearchControls.SUBTREE_SCOPE
|
||||
: SearchControls.ONELEVEL_SCOPE;
|
||||
searchControls.setSearchScope(searchScope);
|
||||
this.searchControls.setSearchScope(searchScope);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -334,7 +332,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* @see org.springframework.security.ldap.SpringSecurityLdapTemplate
|
||||
*/
|
||||
protected SpringSecurityLdapTemplate getLdapTemplate() {
|
||||
return ldapTemplate;
|
||||
return this.ldapTemplate;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -344,7 +342,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* @see #setGroupRoleAttribute(String)
|
||||
*/
|
||||
protected final String getGroupRoleAttribute() {
|
||||
return groupRoleAttribute;
|
||||
return this.groupRoleAttribute;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -354,7 +352,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* @see #setGroupSearchFilter(String)
|
||||
*/
|
||||
protected final String getGroupSearchFilter() {
|
||||
return groupSearchFilter;
|
||||
return this.groupSearchFilter;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -364,7 +362,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* @see #setRolePrefix(String)
|
||||
*/
|
||||
protected final String getRolePrefix() {
|
||||
return this.rolePrefix.getRolePrefix();
|
||||
return this.rolePrefix;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -374,7 +372,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* @see #setConvertToUpperCase(boolean)
|
||||
*/
|
||||
protected final boolean isConvertToUpperCase() {
|
||||
return convertToUpperCase;
|
||||
return this.convertToUpperCase;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -384,7 +382,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* @see #setDefaultRole(String)
|
||||
*/
|
||||
private GrantedAuthority getDefaultRole() {
|
||||
return defaultRole;
|
||||
return this.defaultRole;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -393,16 +391,6 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* @return the search controls
|
||||
*/
|
||||
private SearchControls getSearchControls() {
|
||||
return searchControls;
|
||||
return this.searchControls;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setApplicationContext(ApplicationContext context) throws
|
||||
BeansException {
|
||||
String[] beanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
|
||||
if (beanNames.length == 1) {
|
||||
this.rolePrefix = context.getBean(beanNames[0], GrantedAuthorityDefaults.class);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
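Review bot: The Javadoc above `setRolePrefix` (hunk `@@ -301,7 +299,7`) should now state the contract that the removed `setApplicationContext` used to provide implicitly: the prefix defaults to `ROLE_`, and a `GrantedAuthorityDefaults` bean is only honoured when the populator is wired through the config module, so code that constructs `DefaultLdapAuthoritiesPopulator` directly must call this setter itself. That matters because a prefix that differs from the one the rest of the application expects makes role-based checks silently never match; a sentence such as `Defaults to "ROLE_"; instances created outside the security configuration must set this explicitly` would make the change in behaviour visible to readers. Separately, in hunk `@@ -250,11 +248,11` the unchanged `role = role.toUpperCase();` is locale-sensitive, so the authority string an LDAP group maps to can vary with the JVM default locale; `role = role.toUpperCase(Locale.ROOT);` (with `java.util.Locale` imported) pins it, and the same call appears in `LdapUserDetailsMapper.createAuthority`. The enclosing `getGrantedAuthorities` body starts and ends outside that hunk.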
+14
-25
@@ -21,12 +21,8 @@ import java.util.Collection;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import org.springframework.beans.BeansException;
|
||||
import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.context.ApplicationContextAware;
|
||||
import org.springframework.ldap.core.DirContextAdapter;
|
||||
import org.springframework.ldap.core.DirContextOperations;
|
||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
import org.springframework.security.core.userdetails.UserDetails;
|
||||
@@ -41,29 +37,30 @@ import org.springframework.util.Assert;
|
||||
* @author Luke Taylor
|
||||
* @author Eddú Meléndez
|
||||
*/
|
||||
public class LdapUserDetailsMapper implements UserDetailsContextMapper, ApplicationContextAware {
|
||||
public class LdapUserDetailsMapper implements UserDetailsContextMapper {
|
||||
// ~ Instance fields
|
||||
// ================================================================================================
|
||||
|
||||
private final Log logger = LogFactory.getLog(LdapUserDetailsMapper.class);
|
||||
private String passwordAttributeName = "userPassword";
|
||||
private GrantedAuthorityDefaults rolePrefix = new GrantedAuthorityDefaults("ROLE_");
|
||||
private String rolePrefix = "ROLE_";
|
||||
private String[] roleAttributes = null;
|
||||
private boolean convertToUpperCase = true;
|
||||
|
||||
// ~ Methods
|
||||
// ========================================================================================================
|
||||
|
||||
@Override
|
||||
public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
|
||||
Collection<? extends GrantedAuthority> authorities) {
|
||||
String dn = ctx.getNameInNamespace();
|
||||
|
||||
logger.debug("Mapping user details from context with DN: " + dn);
|
||||
this.logger.debug("Mapping user details from context with DN: " + dn);
|
||||
|
||||
LdapUserDetailsImpl.Essence essence = new LdapUserDetailsImpl.Essence();
|
||||
essence.setDn(dn);
|
||||
|
||||
Object passwordValue = ctx.getObjectAttribute(passwordAttributeName);
|
||||
Object passwordValue = ctx.getObjectAttribute(this.passwordAttributeName);
|
||||
|
||||
if (passwordValue != null) {
|
||||
essence.setPassword(mapPassword(passwordValue));
|
||||
@@ -72,12 +69,13 @@ public class LdapUserDetailsMapper implements UserDetailsContextMapper, Applicat
|
||||
essence.setUsername(username);
|
||||
|
||||
// Map the roles
|
||||
for (int i = 0; (roleAttributes != null) && (i < roleAttributes.length); i++) {
|
||||
String[] rolesForAttribute = ctx.getStringAttributes(roleAttributes[i]);
|
||||
for (int i = 0; (this.roleAttributes != null)
|
||||
&& (i < this.roleAttributes.length); i++) {
|
||||
String[] rolesForAttribute = ctx.getStringAttributes(this.roleAttributes[i]);
|
||||
|
||||
if (rolesForAttribute == null) {
|
||||
logger.debug("Couldn't read role attribute '" + roleAttributes[i]
|
||||
+ "' for user " + dn);
|
||||
this.logger.debug("Couldn't read role attribute '"
|
||||
+ this.roleAttributes[i] + "' for user " + dn);
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -110,6 +108,7 @@ public class LdapUserDetailsMapper implements UserDetailsContextMapper, Applicat
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
|
||||
throw new UnsupportedOperationException(
|
||||
"LdapUserDetailsMapper only supports reading from a context. Please"
|
||||
@@ -149,10 +148,10 @@ public class LdapUserDetailsMapper implements UserDetailsContextMapper, Applicat
|
||||
*/
|
||||
protected GrantedAuthority createAuthority(Object role) {
|
||||
if (role instanceof String) {
|
||||
if (convertToUpperCase) {
|
||||
if (this.convertToUpperCase) {
|
||||
role = ((String) role).toUpperCase();
|
||||
}
|
||||
return new SimpleGrantedAuthority(this.rolePrefix.getRolePrefix() + role);
|
||||
return new SimpleGrantedAuthority(this.rolePrefix + role);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
@@ -194,16 +193,6 @@ public class LdapUserDetailsMapper implements UserDetailsContextMapper, Applicat
|
||||
* @param rolePrefix the prefix (defaults to "ROLE_").
|
||||
*/
|
||||
public void setRolePrefix(String rolePrefix) {
|
||||
this.rolePrefix = new GrantedAuthorityDefaults(rolePrefix);
|
||||
this.rolePrefix = rolePrefix;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setApplicationContext(ApplicationContext context) throws
|
||||
BeansException {
|
||||
String[] beanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
|
||||
if (beanNames.length == 1) {
|
||||
this.rolePrefix = context.getBean(beanNames[0], GrantedAuthorityDefaults.class);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
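Review bot: In hunk `@@ -194,16 +193,6` the new `setRolePrefix` stores the argument unchecked, whereas the same commit guards `DefaultLdapAuthoritiesPopulator.setRolePrefix` with `Assert.notNull`; a null here is not rejected until `createAuthority` concatenates `this.rolePrefix + role` and produces an authority such as `nullADMIN`, which fails every role check without any indication of why. Adding `Assert.notNull(rolePrefix, "rolePrefix must not be null");` as the first line of the setter keeps the two classes consistent and surfaces the misconfiguration at wiring time. The `@param rolePrefix the prefix (defaults to "ROLE_")` Javadoc line is visible but could also mention that the value must not be null.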
-60
@@ -1,60 +0,0 @@
|
||||
/*
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.ldap.userdetails;
|
||||
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.ldap.core.ContextSource;
|
||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.Mockito.mock;
|
||||
|
||||
/**
|
||||
* @author Eddú Meléndez
|
||||
*/
|
||||
public class DefaultLdapAuthoritiesPopulatorTests {
|
||||
|
||||
@Test
|
||||
public void testDefaultRolePrefix() {
|
||||
AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext();
|
||||
context.register(LdapAuthoritiesPopulatorConfiguration.class);
|
||||
context.refresh();
|
||||
|
||||
DefaultLdapAuthoritiesPopulator ldapPopulator = context.getBean(DefaultLdapAuthoritiesPopulator.class);
|
||||
assertThat(ldapPopulator.getRolePrefix()).isEqualTo("ROL_");
|
||||
}
|
||||
|
||||
@Configuration
|
||||
static class LdapAuthoritiesPopulatorConfiguration {
|
||||
|
||||
@Bean
|
||||
public GrantedAuthorityDefaults authorityDefaults() {
|
||||
return new GrantedAuthorityDefaults("ROL_");
|
||||
}
|
||||
|
||||
@Bean
|
||||
public DefaultLdapAuthoritiesPopulator ldapAuthoritiesPopulator() {
|
||||
ContextSource contextSource = mock(ContextSource.class);
|
||||
return new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
-32
@@ -21,14 +21,9 @@ import javax.naming.directory.BasicAttributes;
|
||||
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.ldap.core.DirContextAdapter;
|
||||
import org.springframework.ldap.core.DistinguishedName;
|
||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
||||
import org.springframework.security.core.authority.AuthorityUtils;
|
||||
import org.springframework.test.util.ReflectionTestUtils;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
@@ -100,31 +95,4 @@ public class LdapUserDetailsMapperTests {
|
||||
assertThat(user.getPassword()).isEqualTo("mypassword");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testDefaultRolePrefix() {
|
||||
AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext();
|
||||
context.register(LdapUserDetailsMapperConfiguration.class);
|
||||
context.refresh();
|
||||
|
||||
LdapUserDetailsMapper ldapUserDetailsMapper = context.getBean(LdapUserDetailsMapper.class);
|
||||
|
||||
GrantedAuthorityDefaults rolePrefix = (GrantedAuthorityDefaults) ReflectionTestUtils.getField(ldapUserDetailsMapper, "rolePrefix");
|
||||
assertThat(rolePrefix.getRolePrefix()).isEqualTo("ROL_");
|
||||
}
|
||||
|
||||
@Configuration
|
||||
static class LdapUserDetailsMapperConfiguration {
|
||||
|
||||
@Bean
|
||||
public GrantedAuthorityDefaults authorityDefaults() {
|
||||
return new GrantedAuthorityDefaults("ROL_");
|
||||
}
|
||||
|
||||
@Bean
|
||||
public LdapUserDetailsMapper ldapUserDetailsMapper() {
|
||||
return new LdapUserDetailsMapper();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||