LDAPPasswordAuthenticationDao problem

Hi,
i'm using the acegi security framework in order to authenticate
and manage rights with an ldap backend.
I expected that LDAPPasswordAuthenticationDao will give me some
solutions about that but it seems to be not the case.

In fact, the
LDAPPasswordAuthenticationDao class has a lot of limitations and problems.
For instance, you cannot logon with the uid or sAMAccountName.
if you have a password like a%6(t_ => it doesn't work.
I will have to rewrite it completely for my own use...
I think Tomcat JNDIRealm.java is far better.

I expect that acegi will have a better ldap dao integration. It's necessary to be deployed in an enterprise environment.

Best regards.

Re: LDAPPasswordAuthenticationDao problem

Quote:

Originally Posted by benoit_m35

I think Tomcat JNDIRealm.java is far better.

Quote:

Originally Posted by benoit_m35

I expect that acegi will have a better ldap dao integration.

I don't find these sort of comments very helpful. By all means you're entitled to an opinion, but if you would like help it generally assists to be polite.

Acegi Security's LDAP support classes are in the sandbox. They are not finalised.

If you wish to provide a contribution, we would be happy to apply it to CVS.

I should also add that I didn't personally write the LDAP support classes, so I'm not in a position to answer the specifics of your post.

I expect that the LDAP code will get better. I have had little time to work with it lately, but I am always open to suggestions and feedback.

Please note that I have started a set of unit tests which aim to simulate various configurations. If I could get a sample of your LDAP setup, or even a pointer to more information I will gladly work on integrating these and updating the code for the LDAP Dao to support your use case.

thanks

sorry for my first post. I 've modify the code to allow authentication with the sAMAccountName field. It works good. The code is very maintenable. Thanks for this pretty system.

-- Benoît.

Quote:

Originally Posted by benoit_m35

sorry for my first post. I 've modify the code to allow authentication with the sAMAccountName field. It works good. The code is very maintenable. Thanks for this pretty system.

-- Benoît.

Hi Benoit,

Please post your code. I'm trying to do exactly the same thing and your help would enable me to get up and running much faster!

Also, if you could post the code I will try and get it integrated into the LDAP DAO as soon as I can.

the code

Hi,
here is the code which allow me to authenticate a user with his sAMAccountName instead of using the distinguished name.
As in almost authentication process, the manager do a bind in order to search for the user account with the sAMAccountName. Then the authentication process bind the user with the dn found (to authenticate). I prefer this solution which could fit with many configuration. In fact, i think that ldapPawwordAuthenticaton should work as this :
the xml config will have :
- the server url + port
- the admin or an anonymous dn
- the password for this account
- a userBase
- a userSearch attribute (wich attribute for searching the authenticating user) ex :"sAMAccountName={0}"
- no user context
- all the roles attributes defined by acegi at the moment (very good)

the authentication could be achieve by re-binding the user or comparing the password.

But for the moment, LdapPasswordAuthenticationDao works fine in almost case and i'm happy to see that acegi allow me to secure my J2EE application.

Thaks all.

Code:

public class LdapPasswordAuthenticationDao implements PasswordAuthenticationDao { static Hashtable superUserEnv; static DirContext superUserCtx; static { superUserEnv = new Hashtable(); superUserEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); superUserEnv.put(Context.PROVIDER_URL, "ldap://annu.crbdom:389"); superUserEnv.put(Context.SECURITY_AUTHENTICATION, "simple"); superUserEnv.put(Context.SECURITY_PRINCIPAL, "cn=administrateur,cn=users,dc=crbdom"); // specify the username superUserEnv.put(Context.SECURITY_CREDENTIALS, "password"); // specify // the // password } public LdapPasswordAuthenticationDao() throws NamingException{ superUserCtx = new InitialDirContext(superUserEnv); } /** InnerClass used to keep context variable together. */ private class UserContext { public DirContext dirContext; public String userPrincipal; /** * Get the attribute(s) to match when searching for the user object. * This implementation returns a "distinguishedName" attribute with the * value returned by <code>getUserPrincipal(username)</code>. A * subclass may customize this behavior by overriding * <code>getUserPrincipal</code> and/or * <code>getUsernameAttributes</code>. * * @param username * DOCUMENT ME! * * @return DOCUMENT ME! */ public Attributes getUsernameAttributes() { Attributes matchAttrs = new BasicAttributes(true); // ignore case matchAttrs.put(new BasicAttribute("distinguishedName", userPrincipal)); return matchAttrs; } } public static final String BAD_CREDENTIALS_EXCEPTION_MESSAGE = "Invalid username, password or context"; private static final transient Log log = LogFactory .getLog(LdapPasswordAuthenticationDao.class); /** Type of authentication within LDAP; default is simple. */ private String authenticationType = "simple"; /** * If set to a non-null value, and a user can be bound to a LDAP Conext, but * no role information is found then this role is automatically added. If * null (the default) then a BadCredentialsException is thrown * * * For example; if you have an LDAP directory with no role information * stored, you might simply want to give any user who can login a role of * "USER". * */ private String defaultRole = null; /** * The INITIAL_CONTEXT_FACTORY used to create the JNDI Factory. Default is * "com.sun.jndi.ldap.LdapCtxFactory"; you should not need to set * this unless you have unusual needs. */ private String initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory"; /** Internal variable, concatenation */ private String providerUrl; /** * Used to build LDAP Search Filter for finding roles (in the roleContexts) * pointing to a user. Uses MessageFormat like tokens; {0} is the user's * DistiguishedName, {1} is the user's username. For more information on * syntax see javax.naming.directory.DirContext.search(), or RFC 2254. * * * Example: if each group has an attribute 'memberUid' with values being the * usernames of the user's in that group, then the value of this property * would be (memberUid={1}) * */ private String roleAttributesSearchFilter; /** * Contexts to search for role's (which point to the user id). * * Example, if you have a Groups object containing Groups of users then the * expression: ou=Groups,dc=mycompany,dc=com might be used; * alternatively, if rootContext="dc=mycompany,dc=com" then simply use * "ou=Groups" here. */ private String[] roleContexts; /** * Attribute(s) of any role object returned from the roleContexts to use as * role-names. Warning: if you do role lookups using the * roleContexts and roleAttributesSearchFilter then you need to set * roleNameAttributes or ALL attributes will be returned. * */ private String[] roleNameAttributes; /** * Prefix to be associated with any roles found for a user, defaults to an * empty string. Older versions of this class used "ROLE_" for this value. */ private String rolePrefix = ""; /** * Suffix to be associated with any roles found for a user, defaults to an * empty string. */ private String roleSuffix = ""; /** * Root context of the LDAP Connection, if any is needed. * * Example: dc=mycompany,dc=com * * * Note: It is usually preferable to add this data as part * of the userContexts and/or roleContexts attributes. * */ private String rootContext = ""; /** * If true then all role name values returned from the directory will be * converted to uppercase. */ private boolean upperCaseRoleNames = false; /** * LDAP URL (without the port) of the LDAP server to connect to; example * ldap://dir.mycompany.com:389/ (port 389 is the standard LDAP * port). */ private String url; /** * One or more LDAP Contexts which contain user account information, use the * MessageFormat key {0} to denote location where the user's username should * be inserted into the expression to create a DistiguishedName. * * Example: * * cn={0},ou=Users,dc=mycompnay,dc=com * * * Alternatively, if you had set rootContext="dc=mycompany,dc=com" then the * first example would be rewritten as cn={0},ou=Users . * */ private MessageFormat[] userContexts; /** * Name(s) of the attribute(s) for a user account object contaning role * names assigned to the user. Leave unset if there are none. Consult your * LDAP server administrator to determine these value(s). * */ private String[] userRolesAttributes; /** * * @param results * Result of searching on of the roleContexts for matches against * the current user. * @param roles * List of roles the user has already been assigned. * @throws NamingException */ protected void addAnyRolesFound(NamingEnumeration results, Collection roles) throws NamingException { while (results.hasMore()) { SearchResult result = (SearchResult) results.next(); Attributes attrs = result.getAttributes(); if (attrs == null) { continue; } // Here we loop over the attributes returned in the SearchResult // TODO replace with Utility method call: NamingEnumeration e = attrs.getAll(); while (e.hasMore()) { Attribute a = (Attribute) e.next(); for (int i = 0; i < a.size(); i++) { roles.add((String) a.get(i)); } } } } /** * @return Returns the defaultRole. */ public String getDefaultRole() { return defaultRole; } /** * Get an array <code>GrantedAuthorities</code> given the list of roles * obtained from the LDAP context. Delegates to * <code>getGrantedAuthority(String ldapRole)</code>. This function may * be overridden in a subclass. * * @param ldapRoles * DOCUMENT ME! * * @return DOCUMENT ME! */ protected GrantedAuthority[] getGrantedAuthorities(String[] ldapRoles) { GrantedAuthority[] grantedAuthorities = new GrantedAuthority[ldapRoles.length]; for (int i = 0; i < ldapRoles.length; i++) { grantedAuthorities[i] = getGrantedAuthority(ldapRoles[i]); } return grantedAuthorities; } /** * Get a <code>GrantedAuthority</code> given a role obtained from the LDAP * context. If found in the LDAP role, the following characters are * converted to underscore: ',' (comma), '=' (equals), ' ' (space) This * function may be overridden in a subclass. * * @param ldapRole * DOCUMENT ME! * * @return DOCUMENT ME! */ protected GrantedAuthority getGrantedAuthority(String ldapRole) { String roleName = rolePrefix + ldapRole.toUpperCase() + roleSuffix; if (upperCaseRoleNames) { roleName = roleName.toUpperCase(); } GrantedAuthority ga = new GrantedAuthorityImpl(roleName); if (log.isDebugEnabled()) { log.debug("GrantedAuthority: " + ga); } return ga; } /** * @return The InitialContextFactory for creating the root JNDI context; * defaults to "com.sun.jndi.ldap.LdapCtxFactory" */ public String getInitialContextFactory() { return initialContextFactory; } // ~ Methods // ================================================================ /** * Given a password, construct the Hashtable of JNDI values for a bind * attempt. */ protected Hashtable getJdniEnvironment(String password) { Hashtable env = new Hashtable(11); env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory); env.put(Context.PROVIDER_URL, getProviderURL()); env.put(Context.SECURITY_AUTHENTICATION, authenticationType); env.put(Context.SECURITY_CREDENTIALS, password); return env; } /** * @return The full "Provuder" URL for the LDAP source; it should look * something like: ldap://www.mycompany.com:389/ */ public synchronized String getProviderURL() { if (null == this.providerUrl) { StringBuffer providerUrl = new StringBuffer(this.url); if (!this.url.endsWith("/")) { providerUrl.append("/"); } providerUrl.append(this.rootContext); this.providerUrl = providerUrl.toString(); } return this.providerUrl; } /** * @return Returns the roleUserAttributes. */ public String getRoleAttributesSearchFilter() { return roleAttributesSearchFilter; } /** * @return Array of MessageFormat String's for Contexts that store role * information for users. */ public String[] getRoleContexts() { return roleContexts; } /** * @return Returns the roleNameAttributes. */ public String[] getRoleNameAttributes() { return roleNameAttributes; } /** * @return Returns the rolePrefix. */ public String getRolePrefix() { return rolePrefix; } protected Collection getRolesFromRoleSearch(UserContext userContext, String[] roleAttributes) { if ((null == roleContexts) || (roleContexts.length == 0)) { System.out.println("role context vaut null : "); return null; } String[] searchFilterVars = new String[] { userContext.userPrincipal}; SearchControls controls = new SearchControls(); controls.setSearchScope(SearchControls.SUBTREE_SCOPE); // controls.setReturningAttributes(roleAttributes); System.out.println("roleAttributesSearchFilter : " + roleAttributesSearchFilter); List roles = new ArrayList(); for (int i = 0; i < roleContexts.length; i++) { try { System.out.println("le role contexte vaut : " + roleContexts[i] ); System.out.println("le role attribute search vaut : " + roleAttributesSearchFilter); System.out.println("searchFilterVars : " + searchFilterVars[0]); /**NamingEnumeration results = userContext.dirContext.search( roleContexts[i], roleAttributesSearchFilter, searchFilterVars, controls);*/ NamingEnumeration results = userContext.dirContext.search( "ou=Applis,dc=crbdom", "(&(member=CN=Benoit MORAILLON,OU=STI,OU=DFI,DC=crbdom))", controls); addAnyRolesFound(results, roles); } catch (NamingException e) { if (log.isInfoEnabled()) { log.info("Unable to find user-role match in context = " + roleContexts[i], e); } } } return roles; } /** * Looksup any roleAttributes associated with the user's DN within the * DirContext. * * @param userContext * UserContext Object containing DirContext in which to operate, * and the user's DistinguishedName. * @param roleAttributes * Names of all attributes to search for role name information. * @return Collection of roles granted to the user within the JNDI Context. * @throws NamingException */ protected Collection getRolesFromUserContext(UserContext userContext, String[] roleAttributes) throws NamingException { List roles = new ArrayList(); if (roleAttributes != null) { if (log.isDebugEnabled()) { StringBuffer rolesString = new StringBuffer(); for (int i = 0; i < roleAttributes.length; i++) { rolesString.append(", "); rolesString.append(roleAttributes[i]); } log.debug("Searching user context '" + userContext.userPrincipal + "' for roles " + "attributes: " + rolesString.substring(1)); } Attributes attrs = userContext.dirContext.getAttributes( userContext.userPrincipal, roleAttributes); NamingEnumeration roleEnum = attrs.getAll(); while (roleEnum.hasMore()) { Attribute roleAttr = (Attribute) roleEnum.next(); for (int i = 0; i < roleAttr.size(); i++) { roles.add(roleAttr.get(i)); } } } return roles; } /** * @return Returns the roleSuffix. */ public String getRoleSuffix() { return roleSuffix; } /** * @return Returns the rootContext which to connect to; typically it could * look something like: dc=mycompany,dc=com. */ public String getRootContext() { return rootContext; } /** * @return The LDAP URL to conntect to; example: * ldap://ldap.mycompany.com:389/ */ public String getURL() { return url; } protected User changeForsAMAccountName(String username) throws NamingException{ SearchControls cons = new SearchControls(); cons.setSearchScope(SearchControls.SUBTREE_SCOPE); User user = new User(); NamingEnumeration answer = superUserCtx.search(this.rootContext, "(&(sAMAccountName=" + username + "))", cons); while (answer.hasMore()) { SearchResult si = (SearchResult) answer.next(); Attributes att = si.getAttributes(); String uc = si.getNameInNamespace(); uc.replaceAll(username,"{0}"); this.setUserContext(uc); user.setUsername(att.get("sAMAccountName").get().toString()); user.setNom(att.get("cn").get().toString()); user.setEmail(att.get("mail").get().toString()); user.setTelephone(att.get("telephoneNumber").get().toString()); user.setService("rien"); user.setDirection("rien"); return user; } return null; } /** * Attempts to bind to the userContexts; returning on the first successful * bind; or failing with a BadCredentialsException. * * @param username * @param password * @return UserContext, an innerclass holding the DirContext, and the user's * LDAP Principal String. * @throws NamingException * @throws BadCredentialsException */ protected UserContext getUserContext(String username, String password) throws NamingException, BadCredentialsException { Hashtable env = getJdniEnvironment(password); UserContext userContext = new UserContext(); for (int i = 0; i < userContexts.length; i++) { env.remove(Context.SECURITY_PRINCIPAL); userContext.userPrincipal = userContexts[i] .format(new String[] { username }); env.put(Context.SECURITY_PRINCIPAL, userContext.userPrincipal); try { userContext.dirContext = new InitialDirContext(env); if (userContext.dirContext != null) { return userContext; } } catch (AuthenticationException ax) { if (log.isInfoEnabled()) { log.info("Authentication exception for user.", ax); } } } throw new BadCredentialsException(BAD_CREDENTIALS_EXCEPTION_MESSAGE); } /** * @return Returns the userContexts. */ public String[] getUserContexts() { String[] formats = new String[userContexts.length]; for (int i = 0; i < userContexts.length; i++) { formats[i] = userContexts[i].toPattern(); } return formats; } /** * @return Returns the userRolesAttributes. */ public String[] getUserRolesAttributes() { return userRolesAttributes; } /** * @FIXME When using a search (see getRolesFromContext()) I don't think this * extra check is needed; JNDI should be responible for returning * only the attributes requested (or maybe I don't understand JNDI * well enough). * * @param Name/Id * of the JNDI Attribute. * * @return Return true if the given name is a role attribute. */ protected boolean isRoleAttribute(String name) { log.info("Checking rolename: " + name); if (name != null) { for (int i = 0; i < userRolesAttributes.length; i++) { if (name.equals(userRolesAttributes[i])) { return true; } } } return false; } /** * @return Returns the upperCaseRoleNames. */ public boolean isUpperCaseRoleNames() { return upperCaseRoleNames; } public UserDetails loadUserByUsernameAndPassword(String username, String password) throws DataAccessException, BadCredentialsException { if ((password == null) || (password.length() == 0)) { throw new BadCredentialsException("Empty password"); } try { if (log.isDebugEnabled()) { log.debug("Connecting to " + getProviderURL() + " as " + username); } User u = this.changeForsAMAccountName(username); if (u == null) throw new BadCredentialsException( BAD_CREDENTIALS_EXCEPTION_MESSAGE); UserContext userContext = getUserContext(username, password); Collection roles = getRolesFromUserContext(userContext, getUserRolesAttributes()); Collection roles2 = getRolesFromRoleSearch(userContext, getRoleNameAttributes()); if (null != roles2) { roles.addAll(roles2); } userContext.dirContext.close(); if (roles.isEmpty()) { if (null == defaultRole) { throw new BadCredentialsException( "The user has no granted " + "authorities or the rolesAttribute is invalid"); } else { roles.add(defaultRole); } } String[] ldapRoles = (String[]) roles.toArray(new String[] {}); return new User(username, password, u.getNom(), "", u.getTelephone(), u.getEmail(), u.getService(), u.getDirection(), true, true, true, true, getGrantedAuthorities(ldapRoles)); } catch (AuthenticationException ex) { throw new BadCredentialsException( BAD_CREDENTIALS_EXCEPTION_MESSAGE, ex); } catch (CommunicationException ex) { throw new DataAccessResourceFailureException(ex.getRootCause() .getMessage(), ex); } catch (NamingException ex) { throw new DataAccessResourceFailureException(ex.getMessage(), ex); } } /** * If set to a non-null value, and a user can be bound to a LDAP Conext, but * no role information is found then this role is automatically added. If * null (the default) then a BadCredentialsException is thrown * * * For example; if you have an LDAP directory with no role information * stored, you might simply want to give any user who can login a role of * "USER". * * * @param defaultRole * The defaultRole to set. */ public void setDefaultRole(String defaultRole) { this.defaultRole = defaultRole; } /** * The INITIAL_CONTEXT_FACTORY used to create the JNDI Factory. Default is * "com.sun.jndi.ldap.LdapCtxFactory"; you should not need to set * this unless you have unusual needs. * * @param initialContextFactory * The InitialContextFactory for creating the root JNDI context; * defaults to "com.sun.jndi.ldap.LdapCtxFactory" */ public void setInitialContextFactory(String initialContextFactory) { this.initialContextFactory = initialContextFactory; } /** * Name(s) of the attribute(s) for a user account object contaning role * names assigned to the user. Leave unset if there are none. Consult your * LDAP server administrator to determine these value(s). * * @param roleUserAttributes * The roleUserAttributes to set. */ public void setRoleAttributesSearchFilter(String roleAttributesSearchArgs) { this.roleAttributesSearchFilter = roleAttributesSearchArgs; } /** Shortcut for setRoleContexts( new String[]{roleContext} ); */ public void setRoleContext(String roleContext) { setRoleContexts(new String[] { roleContext }); } /** * Contexts to search for role's (which point to the user id). * * Example, if you have a Groups object containing Groups of users then the * expression: ou=Groups,dc=mycompany,dc=com might be used; * alternatively, if rootContext="dc=mycompany,dc=com" then simply use * "ou=Groups" here. * * @param roleContexts * Array of MessageFormat String's for Contexts that store role * information for users. */ public void setRoleContexts(String[] roleContexts) { this.roleContexts = roleContexts; } /** * Used to build LDAP Search Filter for finding roles (in the roleContexts) * pointing to a user. Uses MessageFormat like tokens; {0} is the user's * DistiguishedName, {1} is the user's username. For more information on * syntax see javax.naming.directory.DirContext.search(), or RFC 2254. * * * Example: if each group has an attribute 'memberUid' with values being the * usernames of the user's in that group, then the value of this property * would be (memberUid={1}) * * * @param roleNameAttributes * The roleNameAttributes to set. */ public void setRoleNameAttribute(String roleNameAttribute) { setRoleNameAttributes(new String[] { roleNameAttribute }); } /** * Attribute(s) of any role object returned from the roleContexts to use as * role-names. Warning: if you do role lookups using the * roleContexts and roleAttributesSearchFilter then you need to set * roleNameAttributes or ALL attributes will be returned. * * @param roleNameAttributes * The roleNameAttributes to set. */ public void setRoleNameAttributes(String[] roleNameAttributes) { this.roleNameAttributes = roleNameAttributes; } /** * Prefix to be associated with any roles found for a user, defaults to an * empty string. Older versions of this class used "ROLE_" for this value. * * @param rolePrefix * The rolePrefix to set. */ public void setRolePrefix(String rolePrefix) { this.rolePrefix = rolePrefix; } /** * Suffix to be associated with any roles found for a user, defaults to an * empty string. * * @param roleSuffix * The roleSuffix to set. */ public void setRoleSuffix(String roleSuffix) { this.roleSuffix = roleSuffix; } /** * Root context of the LDAP Connection, if any is needed. * * Example: dc=mycompany,dc=com * * * Note: It is usually preferable to add this data as part * of the userContexts and/or roleContexts attributes. * * * @param rootContext * The rootContext which to connect to; typically it could look * something like: dc=mycompany,dc=com. */ public void setRootContext(String rootContext) { this.rootContext = rootContext; } /** * If true then all role name values returned from the directory will be * converted to uppercase. * * @param upperCaseRoleNames * The upperCaseRoleNames to set. */ public void setUpperCaseRoleNames(boolean upperCaseRoleNames) { this.upperCaseRoleNames = upperCaseRoleNames; } /** * @param host * The LDAP URL to conntect to; example: * ldap://ldap.mycompany.com:389/ */ public void setURL(String url) { this.url = url; } /** Shortcut for setUserContexts( new String[]{userContext} ); */ public void setUserContext(String userContext) { setUserContexts(new String[] { userContext }); } /** * One or more LDAP Contexts which contain user account information, use the * MessageFormat key {0} to denote location where the user's username should * be inserted into the expression to create a DistiguishedName. * * Example: * * cn={0},ou=Users,dc=mycompnay,dc=com * * * Alternatively, if you had set rootContext="dc=mycompany,dc=com" then the * first example would be rewritten as cn={0},ou=Users . * * * @param userContexts * The userContexts to set. */ public void setUserContexts(String[] userContexts) { this.userContexts = new MessageFormat[userContexts.length]; for (int i = 0; i < userContexts.length; i++) { this.userContexts[i] = new MessageFormat(userContexts[i]); } } /** Shortcut for setUserRolesAttributes(new String[]{userRolesAttribute}); */ public void setUserRolesAttribute(String userRolesAttribute) { this.userRolesAttributes = new String[] { userRolesAttribute }; } /** * Attribute(s) of any role object returned from the roleContexts to use as * role-names. Warning: if you do role lookups using the * roleContexts and roleAttributesSearchFilter then you need to set * roleNameAttributes or ALL attributes will be returned. * * @param userRolesAttributes * The userRolesAttributes to set. */ public void setUserRolesAttributes(String[] userRolesAttributes) { this.userRolesAttributes = userRolesAttributes; } }

Thanks for the code. I have actually created a branch in the acegi CVS to work on some major changes. I am looking at making a mode where the LDAP DAO performs similar to apache's mod_auth_ldap, I think your change will probably help me in working out the best way to implement this. Thanks.

new release

hi,
i've change the code in order to make a lot of enhancement.
please feel free to ask in case of misunderstanding.

-- Benoît.

Code:

public class LdapPasswordAuthenticationDao implements PasswordAuthenticationDao{ SearchControls constraints; Hashtable env; SearchControls consOne; SearchControls consSub; public DirContext getManagerEnv() throws NamingException{ env = new Hashtable(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "ldap://server:389"); env.put(Context.SECURITY_AUTHENTICATION, "simple"); env.put(Context.SECURITY_PRINCIPAL, "cn=acadi acadi,ou=STI,dc=server"); // specify // the // username env.put(Context.SECURITY_CREDENTIALS, "password"); // specify the password return new InitialDirContext(env); } public LdapPasswordAuthenticationDao() throws NamingException{ consOne = new SearchControls(); consOne.setSearchScope(SearchControls.ONELEVEL_SCOPE); consSub = new SearchControls(); consSub.setSearchScope(SearchControls.SUBTREE_SCOPE); } /** InnerClass used to keep context variable together. */ private class UserContext { public DirContext dirContext; public String userPrincipal; /** * Get the attribute(s) to match when searching for the user object. * This implementation returns a "distinguishedName" attribute with the * value returned by <code>getUserPrincipal(username)</code>. A * subclass may customize this behavior by overriding * <code>getUserPrincipal</code> and/or * <code>getUsernameAttributes</code>. * * @param username * DOCUMENT ME! * * @return DOCUMENT ME! */ public Attributes getUsernameAttributes() { Attributes matchAttrs = new BasicAttributes(true); // ignore case matchAttrs.put(new BasicAttribute("distinguishedName", userPrincipal)); return matchAttrs; } } public static final String BAD_CREDENTIALS_EXCEPTION_MESSAGE = "Invalid username, password or context"; private static final transient Log log = LogFactory .getLog(LdapPasswordAuthenticationDao.class); /** Type of authentication within LDAP; default is simple. */ private String authenticationType = "simple"; /** * If set to a non-null value, and a user can be bound to a LDAP Conext, but * no role information is found then this role is automatically added. If * null (the default) then a BadCredentialsException is thrown * * * For example; if you have an LDAP directory with no role information * stored, you might simply want to give any user who can login a role of * "USER". * */ private String defaultRole = null; /** * The INITIAL_CONTEXT_FACTORY used to create the JNDI Factory. Default is * "com.sun.jndi.ldap.LdapCtxFactory"; you should not need to set * this unless you have unusual needs. */ private String initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory"; /** Internal variable, concatenation */ private String providerUrl; /** * Used to build LDAP Search Filter for finding roles (in the roleContexts) * pointing to a user. Uses MessageFormat like tokens; {0} is the user's * DistiguishedName, {1} is the user's username. For more information on * syntax see javax.naming.directory.DirContext.search(), or RFC 2254. * * * Example: if each group has an attribute 'memberUid' with values being the * usernames of the user's in that group, then the value of this property * would be (memberUid={1}) * */ private String roleAttributesSearchFilter; /** * Contexts to search for role's (which point to the user id). * * Example, if you have a Groups object containing Groups of users then the * expression: ou=Groups,dc=mycompany,dc=com might be used; * alternatively, if rootContext="dc=mycompany,dc=com" then simply use * "ou=Groups" here. */ private String[] roleContexts; /** * Attribute(s) of any role object returned from the roleContexts to use as * role-names. Warning: if you do role lookups using the * roleContexts and roleAttributesSearchFilter then you need to set * roleNameAttributes or ALL attributes will be returned. * */ private String[] roleNameAttributes; /** * Prefix to be associated with any roles found for a user, defaults to an * empty string. Older versions of this class used "ROLE_" for this value. */ private String rolePrefix = ""; /** * Suffix to be associated with any roles found for a user, defaults to an * empty string. */ private String roleSuffix = ""; /** * Root context of the LDAP Connection, if any is needed. * * Example: dc=mycompany,dc=com * * * Note: It is usually preferable to add this data as part * of the userContexts and/or roleContexts attributes. * */ private String rootContext = ""; /** * If true then all role name values returned from the directory will be * converted to uppercase. */ private boolean upperCaseRoleNames = false; /** * LDAP URL (without the port) of the LDAP server to connect to; example * ldap://dir.mycompany.com:389/ (port 389 is the standard LDAP * port). */ private String url; /** * Name(s) of the attribute(s) for a user account object contaning role * names assigned to the user. Leave unset if there are none. Consult your * LDAP server administrator to determine these value(s). * */ private String[] userRolesAttributes; /** * * @param results * Result of searching on of the roleContexts for matches against * the current user. * @param roles * List of roles the user has already been assigned. * @throws NamingException */ protected void addAnyRolesFound(NamingEnumeration results, Collection roles) throws NamingException { while (results.hasMore()) { SearchResult result = (SearchResult) results.next(); Attributes attrs = result.getAttributes(); if (attrs == null) { continue; } // Here we loop over the attributes returned in the SearchResult // TODO replace with Utility method call: NamingEnumeration e = attrs.getAll(); while (e.hasMore()) { Attribute a = (Attribute) e.next(); for (int i = 0; i < a.size(); i++) { roles.add((String) a.get(i)); } } } } /** * @return Returns the defaultRole. */ public String getDefaultRole() { return defaultRole; } /** * Get an array <code>GrantedAuthorities</code> given the list of roles * obtained from the LDAP context. Delegates to * <code>getGrantedAuthority(String ldapRole)</code>. This function may * be overridden in a subclass. * * @param ldapRoles * DOCUMENT ME! * * @return DOCUMENT ME! */ protected GrantedAuthority[] getGrantedAuthorities(String[] ldapRoles) { GrantedAuthority[] grantedAuthorities = new GrantedAuthority[ldapRoles.length]; for (int i = 0; i < ldapRoles.length; i++) { grantedAuthorities[i] = getGrantedAuthority(ldapRoles[i]); } return grantedAuthorities; } /** * Get a <code>GrantedAuthority</code> given a role obtained from the LDAP * context. If found in the LDAP role, the following characters are * converted to underscore: ',' (comma), '=' (equals), ' ' (space) This * function may be overridden in a subclass. * * @param ldapRole * DOCUMENT ME! * * @return DOCUMENT ME! */ protected GrantedAuthority getGrantedAuthority(String ldapRole) { String roleName = rolePrefix + ldapRole.toUpperCase() + roleSuffix; if (upperCaseRoleNames) { roleName = roleName.toUpperCase(); } GrantedAuthority ga = new GrantedAuthorityImpl(roleName); if (log.isDebugEnabled()) { log.debug("GrantedAuthority: " + ga); } return ga; } /** * @return The InitialContextFactory for creating the root JNDI context; * defaults to "com.sun.jndi.ldap.LdapCtxFactory" */ public String getInitialContextFactory() { return initialContextFactory; } // ~ Methods // ================================================================ /** * Given a password, construct the Hashtable of JNDI values for a bind * attempt. */ protected Hashtable getJdniEnvironment(String password) { Hashtable env = new Hashtable(11); env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory); env.put(Context.PROVIDER_URL, getProviderURL()); env.put(Context.SECURITY_AUTHENTICATION, authenticationType); env.put(Context.SECURITY_CREDENTIALS, password); return env; } /** * @return The full "Provuder" URL for the LDAP source; it should look * something like: ldap://www.mycompany.com:389/ */ public synchronized String getProviderURL() { if (null == this.providerUrl) { StringBuffer providerUrl = new StringBuffer(this.url); if (!this.url.endsWith("/")) { providerUrl.append("/"); } providerUrl.append(this.rootContext); this.providerUrl = providerUrl.toString(); } return this.providerUrl; } public void unLockAccount(String userDn)throws NamingException{ ModificationItem[] mods = new ModificationItem[1]; DirContext superUserCtx = getManagerEnv(); BasicAttribute mod1 = new BasicAttribute("lockoutTime"); mod1.add("0"); mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, mod1); superUserCtx.modifyAttributes(userDn, mods); superUserCtx.close(); } /** * @return Returns the roleUserAttributes. */ public String getRoleAttributesSearchFilter() { return roleAttributesSearchFilter; } /** * @return Array of MessageFormat String's for Contexts that store role * information for users. */ public String[] getRoleContexts() { return roleContexts; } /** * @return Returns the roleNameAttributes. */ public String[] getRoleNameAttributes() { return roleNameAttributes; } /** * @return Returns the rolePrefix. */ public String getRolePrefix() { return rolePrefix; } protected Collection getRolesFromRoleSearch(String userDn, String[] roleAttributes) throws NamingException{ if ((null == roleContexts) || (roleContexts.length == 0)) { System.out.println("role context vaut null : "); return null; } DirContext ctx = this.getManagerEnv(); SearchControls controls = new SearchControls(); controls.setSearchScope(SearchControls.SUBTREE_SCOPE); controls.setReturningAttributes(this.roleNameAttributes); String[]varFilter = new String[1]; varFilter[0] = userDn; List roles = new ArrayList(); for (int i = 0; i < roleContexts.length; i++) { try { NamingEnumeration results = ctx.search( roleContexts[i], roleAttributesSearchFilter,varFilter ,controls); addAnyRolesFound(results, roles); } catch (NamingException e) { if (log.isInfoEnabled()) { log.info("Unable to find user-role match in context = " + roleContexts[i], e); } } } ctx.close(); return roles; } /** * Looksup any roleAttributes associated with the user's DN within the * DirContext. * * @param userContext * UserContext Object containing DirContext in which to operate, * and the user's DistinguishedName. * @param roleAttributes * Names of all attributes to search for role name information. * @return Collection of roles granted to the user within the JNDI Context. * @throws NamingException */ protected Collection getRolesFromUserContext(String userDn, String[] roleAttributes) throws NamingException { List roles = new ArrayList(); DirContext ctx = this.getManagerEnv(); if (roleAttributes != null) { if (log.isDebugEnabled()) { StringBuffer rolesString = new StringBuffer(); for (int i = 0; i < roleAttributes.length; i++) { rolesString.append(", "); rolesString.append(roleAttributes[i]); } log.debug("Searching user context '" + userDn+ "' for roles " + "attributes: " + rolesString.substring(1)); } Attributes attrs = ctx.getAttributes( userDn, roleAttributes); NamingEnumeration roleEnum = attrs.getAll(); while (roleEnum.hasMore()) { Attribute roleAttr = (Attribute) roleEnum.next(); for (int i = 0; i < roleAttr.size(); i++) { roles.add(roleAttr.get(i)); } } } ctx.close(); return roles; } /** * @return Returns the roleSuffix. */ public String getRoleSuffix() { return roleSuffix; } /** * @return Returns the rootContext which to connect to; typically it could * look something like: dc=mycompany,dc=com. */ public String getRootContext() { return rootContext; } /** * @return The LDAP URL to conntect to; example: * ldap://ldap.mycompany.com:389/ */ public String getURL() { return url; } protected User changeForsAMAccountName(String username) throws NamingException{ SearchControls cons = new SearchControls(); cons.setSearchScope(SearchControls.SUBTREE_SCOPE); User user = new User(); DirContext superUserCtx = getManagerEnv(); NamingEnumeration answer = superUserCtx.search(this.rootContext, "(&(sAMAccountName=" + username + "))", cons); while (answer.hasMore()) { SearchResult si = (SearchResult) answer.next(); Attributes att = si.getAttributes(); String uc = si.getNameInNamespace(); user.setUsername(att.get("sAMAccountName").get().toString()); user.setNom(att.get("cn").get().toString()); user.setEmail(att.get("mail").get().toString()); user.setTelephone(att.get("telephoneNumber").get().toString()); user.setService("rien"); user.setDirection("rien"); user.setDn(uc); // on délocke le compte superUserCtx.close(); return user; } superUserCtx.close(); return null; } /** * Attempts to bind to the userContexts; returning on the first successful * bind; or failing with a BadCredentialsException. * * @param username * @param password * @return UserContext, an innerclass holding the DirContext, and the user's * LDAP Principal String. * @throws NamingException * @throws BadCredentialsException */ protected UserContext bindUser(String userDn, String password) throws NamingException, BadCredentialsException { Hashtable env = getJdniEnvironment(password); UserContext userContext = new UserContext(); env.remove(Context.SECURITY_PRINCIPAL); userContext.userPrincipal = userDn; env.put(Context.SECURITY_PRINCIPAL, userContext.userPrincipal); try { userContext.dirContext = new InitialDirContext(env); if (userContext.dirContext != null) { return userContext; } } catch (AuthenticationException ax) { if (log.isInfoEnabled()) { log.info("Authentication exception for user.", ax); } } throw new BadCredentialsException(BAD_CREDENTIALS_EXCEPTION_MESSAGE); } /** * @return Returns the userRolesAttributes. */ public String[] getUserRolesAttributes() { return userRolesAttributes; } /** * @FIXME When using a search (see getRolesFromContext()) I don't think this * extra check is needed; JNDI should be responible for returning * only the attributes requested (or maybe I don't understand JNDI * well enough). * * @param Name/Id * of the JNDI Attribute. * * @return Return true if the given name is a role attribute. */ protected boolean isRoleAttribute(String name) { log.info("Checking rolename: " + name); if (name != null) { for (int i = 0; i < userRolesAttributes.length; i++) { if (name.equals(userRolesAttributes[i])) { return true; } } } return false; } /** * @return Returns the upperCaseRoleNames. */ public boolean isUpperCaseRoleNames() { return upperCaseRoleNames; } public UserDetails loadUserByUsernameAndPassword(String username, String password) throws DataAccessException, BadCredentialsException { if ((password == null) || (password.length() == 0)) { throw new BadCredentialsException("Empty password"); } try { if (log.isDebugEnabled()) { log.debug("Connecting to " + getProviderURL() + " as " + username); } User u = this.changeForsAMAccountName(username); if (u == null) throw new BadCredentialsException( BAD_CREDENTIALS_EXCEPTION_MESSAGE); UserContext userContext = bindUser(u.getDn(), password); Collection roles = getRolesFromUserContext(u.getDn(), getUserRolesAttributes()); Collection roles2 = getRolesFromRoleSearch(u.getDn(), getRoleNameAttributes()); if (null != roles2) { roles.addAll(roles2); } userContext.dirContext.close(); if (roles.isEmpty()) { if (null == defaultRole) { throw new BadCredentialsException( "The user has no granted " + "authorities or the rolesAttribute is invalid"); } else { roles.add(defaultRole); } } String[] ldapRoles = (String[]) roles.toArray(new String[] {}); return new User(username, password, u.getNom(), "", u.getTelephone(), u.getEmail(), u.getService(), u.getDirection(), true, true, true, true, getGrantedAuthorities(ldapRoles)); } catch (AuthenticationException ex) { throw new BadCredentialsException( BAD_CREDENTIALS_EXCEPTION_MESSAGE, ex); } catch (CommunicationException ex) { throw new DataAccessResourceFailureException(ex.getRootCause() .getMessage(), ex); } catch (NamingException ex) { throw new DataAccessResourceFailureException(ex.getMessage(), ex); } } /** * If set to a non-null value, and a user can be bound to a LDAP Conext, but * no role information is found then this role is automatically added. If * null (the default) then a BadCredentialsException is thrown * * * For example; if you have an LDAP directory with no role information * stored, you might simply want to give any user who can login a role of * "USER". * * * @param defaultRole * The defaultRole to set. */ public void setDefaultRole(String defaultRole) { this.defaultRole = defaultRole; } /** * The INITIAL_CONTEXT_FACTORY used to create the JNDI Factory. Default is * "com.sun.jndi.ldap.LdapCtxFactory"; you should not need to set * this unless you have unusual needs. * * @param initialContextFactory * The InitialContextFactory for creating the root JNDI context; * defaults to "com.sun.jndi.ldap.LdapCtxFactory" */ public void setInitialContextFactory(String initialContextFactory) { this.initialContextFactory = initialContextFactory; } /** * Name(s) of the attribute(s) for a user account object contaning role * names assigned to the user. Leave unset if there are none. Consult your * LDAP server administrator to determine these value(s). * * @param roleUserAttributes * The roleUserAttributes to set. */ public void setRoleAttributesSearchFilter(String roleAttributesSearchArgs) { this.roleAttributesSearchFilter = roleAttributesSearchArgs; } /** Shortcut for setRoleContexts( new String[]{roleContext} ); */ public void setRoleContext(String roleContext) { setRoleContexts(new String[] { roleContext }); } /** * Contexts to search for role's (which point to the user id). * * Example, if you have a Groups object containing Groups of users then the * expression: ou=Groups,dc=mycompany,dc=com might be used; * alternatively, if rootContext="dc=mycompany,dc=com" then simply use * "ou=Groups" here. * * @param roleContexts * Array of MessageFormat String's for Contexts that store role * information for users. */ public void setRoleContexts(String[] roleContexts) { this.roleContexts = roleContexts; } /** * Used to build LDAP Search Filter for finding roles (in the roleContexts) * pointing to a user. Uses MessageFormat like tokens; {0} is the user's * DistiguishedName, {1} is the user's username. For more information on * syntax see javax.naming.directory.DirContext.search(), or RFC 2254. * * * Example: if each group has an attribute 'memberUid' with values being the * usernames of the user's in that group, then the value of this property * would be (memberUid={1}) * * * @param roleNameAttributes * The roleNameAttributes to set. */ public void setRoleNameAttribute(String roleNameAttribute) { setRoleNameAttributes(new String[] { roleNameAttribute }); } /** * Attribute(s) of any role object returned from the roleContexts to use as * role-names. Warning: if you do role lookups using the * roleContexts and roleAttributesSearchFilter then you need to set * roleNameAttributes or ALL attributes will be returned. * * @param roleNameAttributes * The roleNameAttributes to set. */ public void setRoleNameAttributes(String[] roleNameAttributes) { this.roleNameAttributes = roleNameAttributes; } /** * Prefix to be associated with any roles found for a user, defaults to an * empty string. Older versions of this class used "ROLE_" for this value. * * @param rolePrefix * The rolePrefix to set. */ public void setRolePrefix(String rolePrefix) { this.rolePrefix = rolePrefix; } /** * Suffix to be associated with any roles found for a user, defaults to an * empty string. * * @param roleSuffix * The roleSuffix to set. */ public void setRoleSuffix(String roleSuffix) { this.roleSuffix = roleSuffix; } /** * Root context of the LDAP Connection, if any is needed. * * Example: dc=mycompany,dc=com * * * Note: It is usually preferable to add this data as part * of the userContexts and/or roleContexts attributes. * * * @param rootContext * The rootContext which to connect to; typically it could look * something like: dc=mycompany,dc=com. */ public void setRootContext(String rootContext) { this.rootContext = rootContext; } /** * If true then all role name values returned from the directory will be * converted to uppercase. * * @param upperCaseRoleNames * The upperCaseRoleNames to set. */ public void setUpperCaseRoleNames(boolean upperCaseRoleNames) { this.upperCaseRoleNames = upperCaseRoleNames; } /** * @param host * The LDAP URL to conntect to; example: * ldap://ldap.mycompany.com:389/ */ public void setURL(String url) { this.url = url; } /** Shortcut for setUserRolesAttributes(new String[]{userRolesAttribute}); */ public void setUserRolesAttribute(String userRolesAttribute) { this.userRolesAttributes = new String[] { userRolesAttribute }; } /** * Attribute(s) of any role object returned from the roleContexts to use as * role-names. Warning: if you do role lookups using the * roleContexts and roleAttributesSearchFilter then you need to set * roleNameAttributes or ALL attributes will be returned. * * @param userRolesAttributes * The userRolesAttributes to set. */ public void setUserRolesAttributes(String[] userRolesAttributes) { this.userRolesAttributes = userRolesAttributes; } }

the config is

Code:

<bean id="ldapAuthenticationDao" class="org.appfuse.dao.ldap.LdapPasswordAuthenticationDao"> <property name="URL"><value>ldap://server:389</value></property> <property name="rootContext"><value>dc=server</value></property> <property name="roleContext"><value>ou=Applis,dc=server</value></property> <property name="roleAttributesSearchFilter"><value>(&(member={0}))</value></property> <property name="roleNameAttributes"><value>sAMAccountName</value></property> </bean>

Thanks Benoit - I got it working also using your code.

I have a question regarding your value for 'roleNameAttributes'. If sAMAccountName is used here for an Active Directory server, then for me it returns a user name, not the actual name of the role for that user. I guess this is dependent on the LDAP server you are pointing to, but this is what occurs for me.

Anyway, the code is generic enough to work in both our cases which is good! One thing that would be useful is to create properties for the JNDI context values so they can be set through the Spring config.