Skip to content

Add support for a custom LdapAuthoritiesPopulator to ActiveDirectoryL… #3940

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

Expand All @@ -58,8 +59,9 @@
* domain name to the username supplied in the authentication request. If no domain name
* is configured, it is assumed that the username will always contain the domain name.
* <p>
* The user authorities are obtained from the data contained in the {@code memberOf}
* attribute.
* If a custom {@link #setAuthoritiesPopulator(LdapAuthoritiesPopulator) authoritiesPopulator}
* is not specified, the user authorities are obtained from the data contained in the
* {@code memberOf} attribute.
*
* <h3>Active Directory Sub-Error Codes</h3>
*
Expand Down Expand Up @@ -107,6 +109,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends
private final String url;
private boolean convertSubErrorCodesToExceptions;
private String searchFilter = "(&(objectClass=user)(userPrincipalName={0}))";
private LdapAuthoritiesPopulator authoritiesPopulator;

// Only used to allow tests to substitute a mock LdapContext
ContextFactory contextFactory = new ContextFactory();
Expand All @@ -122,6 +125,22 @@ public ActiveDirectoryLdapAuthenticationProvider(String domain, String url,
this.domain = StringUtils.hasText(domain) ? domain.toLowerCase() : null;
this.url = url;
this.rootDn = StringUtils.hasText(rootDn) ? rootDn.toLowerCase() : null;
this.authoritiesPopulator = null;
}

/**
* @param domain the domain name (may be null or empty)
* @param url an LDAP url (or multiple URLs)
* @param rootDn the root DN (may be null or empty)
* @param authoritiesPopulator (may be null or empty)
*/
public ActiveDirectoryLdapAuthenticationProvider(String domain, String url,
String rootDn, LdapAuthoritiesPopulator authoritiesPopulator) {
Assert.isTrue(StringUtils.hasText(url), "Url cannot be empty");
this.domain = StringUtils.hasText(domain) ? domain.toLowerCase() : null;
this.url = url;
this.rootDn = StringUtils.hasText(rootDn) ? rootDn.toLowerCase() : null;
this.authoritiesPopulator = authoritiesPopulator;
}

/**
Expand All @@ -133,6 +152,31 @@ public ActiveDirectoryLdapAuthenticationProvider(String domain, String url) {
this.domain = StringUtils.hasText(domain) ? domain.toLowerCase() : null;
this.url = url;
rootDn = this.domain == null ? null : rootDnFromDomain(this.domain);
this.authoritiesPopulator = null;
}

/**
* @param domain the domain name (may be null or empty)
* @param url an LDAP url (or multiple URLs)
* @param authoritiesPopulator (may be null or empty)
*/
public ActiveDirectoryLdapAuthenticationProvider(String domain, String url,
LdapAuthoritiesPopulator authoritiesPopulator) {
Assert.isTrue(StringUtils.hasText(url), "Url cannot be empty");
this.domain = StringUtils.hasText(domain) ? domain.toLowerCase() : null;
this.url = url;
rootDn = this.domain == null ? null : rootDnFromDomain(this.domain);
this.authoritiesPopulator = authoritiesPopulator;
}

private void setAuthoritiesPopulator(LdapAuthoritiesPopulator authoritiesPopulator) {
Assert.notNull(authoritiesPopulator,
"An LdapAuthoritiesPopulator must be supplied");
this.authoritiesPopulator = authoritiesPopulator;
}

protected LdapAuthoritiesPopulator getAuthoritiesPopulator() {
return this.authoritiesPopulator;
}

@Override
Expand Down Expand Up @@ -163,6 +207,9 @@ protected DirContextOperations doAuthentication(
@Override
protected Collection<? extends GrantedAuthority> loadUserAuthorities(
DirContextOperations userData, String username, String password) {
if (authoritiesPopulator != null) {
return getAuthoritiesPopulator().getGrantedAuthorities(userData, username);
}
String[] groups = userData.getStringAttributes("memberOf");

if (groups == null) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,18 @@
import org.mockito.ArgumentCaptor;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
import org.springframework.security.core.Authentication;

import javax.naming.AuthenticationException;
Expand All @@ -46,6 +51,8 @@
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

import java.util.Collection;
import java.util.ArrayList;
import java.util.Hashtable;

import static org.assertj.core.api.Assertions.assertThat;
Expand Down Expand Up @@ -393,6 +400,56 @@ public void rootDnProvidedSeparatelyFromDomainAlsoWorks() throws Exception {

}

// SEC-2163
@Test
public void customAuthoritiesPopulatorWorks() throws Exception {
ActiveDirectoryLdapAuthenticationProvider customProvider = new ActiveDirectoryLdapAuthenticationProvider(
"mydomain.eu", "ldap://192.168.1.200/", new LdapAuthoritiesPopulator() {
@Override
public Collection<? extends GrantedAuthority> getGrantedAuthorities(
DirContextOperations userData, String username) {
String[] groups = userData.getStringAttributes("customGroups");

if (groups == null) {
return AuthorityUtils.NO_AUTHORITIES;
}
ArrayList<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(
groups.length);

for (String group : groups) {
authorities.add(new SimpleGrantedAuthority(new DistinguishedName(group)
.removeLast().getValue()));
}

return authorities;
}
});
DirContext ctx = mock(DirContext.class);
when(ctx.getNameInNamespace()).thenReturn("");

DirContextAdapter dca = new DirContextAdapter();
SearchResult sr = new SearchResult("CN=Joe Jannsen,CN=Users", dca,
dca.getAttributes());
@SuppressWarnings("deprecation")
DistinguishedName searchBaseDn = new DistinguishedName("DC=mydomain,DC=eu");
when(
ctx.search(eq(searchBaseDn), any(String.class), any(Object[].class),
any(SearchControls.class))).thenReturn(
new MockNamingEnumeration(sr)).thenReturn(new MockNamingEnumeration(sr));

customProvider.contextFactory = createContextFactoryReturning(ctx);

Authentication result = customProvider.authenticate(joe);

assertThat(result.getAuthorities()).isEmpty();

dca.addAttributeValue("customGroups", "CN=Admin,CN=Users,DC=mydomain,DC=eu");

result = customProvider.authenticate(joe);

assertThat(result.getAuthorities()).hasSize(1);
}

ContextFactory createContextFactoryThrowing(final NamingException e) {
return new ContextFactory() {
@Override
Expand Down