Use more specific LdapAuthority in DefaultLdapAuthoritiesPopulator

[heruan]

Summary

When using DefaultLdapAuthoritiesPopulator, the set of GrantedAuthorities contains instances of SimpleGrantedAuthority while I would expect instances of LdapAuthority; as it is now, I cannot discriminate LDAP authorities from others.

NestedLdapAuthoritiesPopulator already uses the more specific LdapAuthority.

Actual Behavior

At DefaultLdapAuthoritiesPopulator.java#L255 the authority set is populated wiht:

authorities.add(new SimpleGrantedAuthority(this.rolePrefix + role));

Expected Behavior

I would expect the authority set to be populated with:

authorities.add(new LdapAuthority(this.rolePrefix + role, roleDn));

Version

Spring Security 5.1.0

[rwinch]

Thanks for the report. We cannot really make changes to the code as this is a breaking change.

Does NestedLdapAuthorityPopulator meet your needs? If not, we could consider creating a new implementation.

[heruan]

Well, I’ve already created my own implementation for this. I guess this should be fixed on the next major, where breaking changes are not an issue?

BTW this would hardly break anything, but I understand the policy.

[rwinch]

I guess this should be fixed on the next major, where breaking changes are not an issue?

I think it is still better to offer an alternative implementation so that if necessary we decide to remove the functionality we can properly deprecate and eventually remove it. This allows a smoother migration than surprising users in a major release. Would you be interested in submitting a new implementation?

BTW this would hardly break anything, but I understand the policy.

You might be surprised what breaks users 😉

[heruan]

Would you be interested in submitting a new implementation?

Sure, I've already submitted 🙂