Nov 5th, 2012, 09:05 AM
mapping LDAP groups to roles
I'm trying to fit Spring Security onto our LDAP environment with pre-existing users/groups for a typical role-based scenario. I cannot change the naming scheme for these users/groups. Also, in reading the Spring Security docs, I do not want to set an empty role prefix, since per:
"An empty role prefix means that the voter will vote for every ConfigAttribute. When there are different categories of ConfigAttributes used, this will not be optimal since the voter will be voting for attributes which do not represent roles."
However, I found a set of classes that appears to map groups to roles:
If so, which of these class(es) should I use/extend to map LDAP groups (e.g., cn=department-admin) to Spring Security roles (e.g., ROLE_ADMIN)? Are there any examples that I may glance over?
Nov 8th, 2012, 02:26 PM
So after spending some time looking through the classes and their respective unit tests, I think MapBasedAttributes2GrantedAuthoritiesMapper would best fit my use case of mapping LDAP groups to Spring Security roles. However, AbstractLdapAuthenticationProvider contains an instance variable of type GrantedAuthoritiesMapper whereas Attributes2GrantedAuthoritiesMapper is the root interface for MapBasedAttributes2GrantedAuthoritiesMapper.
1) Am I on the right track to satisfying my use case?
2) If so, are there any plans to refactor this design, perhaps nesting Attributes2GrantedAuthoritiesMapper under GrantedAuthoritiesMapper, somehow?
3) Is there a completely different (yet not overly complex) way of doing this?
I'm considering an adapter pattern where my custom subtype of GrantedAuthoritiesMapper will embed an instance of MapBasedAttributes2GrantedAuthoritiesMapper, but I'd love to hear some sage advice before going that route.
Last edited by jrod; Nov 8th, 2012 at 02:55 PM.
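The adapter idea from the post above, sketched as an added example; it is not part of the original thread and not Spring Security's own code. It assumes the DefaultLdapAuthoritiesPopulator defaults, under which cn=department-admin reaches the mapper as ROLE_DEPARTMENT-ADMIN; the class name LdapGroupRoleAdapter and the sample group names are hypothetical.

```java
import java.util.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.Attributes2GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.MapBasedAttributes2GrantedAuthoritiesMapper;

/** Hypothetical adapter: exposes an Attributes2GrantedAuthoritiesMapper as a GrantedAuthoritiesMapper. */
public class LdapGroupRoleAdapter implements GrantedAuthoritiesMapper {
    private final Attributes2GrantedAuthoritiesMapper delegate;

    public LdapGroupRoleAdapter(Attributes2GrantedAuthoritiesMapper delegate) {
        this.delegate = delegate;
    }

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        // The delegate works on plain strings, so unwrap each authority name first.
        List<String> names = new ArrayList<String>();
        for (GrantedAuthority authority : authorities) {
            names.add(authority.getAuthority());
        }
        // Names with no entry in the map are dropped, so an LDAP group that
        // nobody has mapped explicitly grants no role at all.
        return delegate.getGrantedAuthorities(names);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample mapping: authority name from LDAP -> application role.
        Map<String, String> groupToRole = new HashMap<String, String>();
        groupToRole.put("ROLE_DEPARTMENT-ADMIN", "ROLE_ADMIN");
        groupToRole.put("ROLE_DEPARTMENT-STAFF", "ROLE_USER");

        MapBasedAttributes2GrantedAuthoritiesMapper mapBased =
                new MapBasedAttributes2GrantedAuthoritiesMapper();
        mapBased.setAttributes2grantedAuthoritiesMap(groupToRole);
        mapBased.afterPropertiesSet();

        // Constructed input: one mapped group and one unmapped group.
        List<GrantedAuthority> fromLdap = Arrays.<GrantedAuthority>asList(
                new SimpleGrantedAuthority("ROLE_DEPARTMENT-ADMIN"),
                new SimpleGrantedAuthority("ROLE_PRINTER-OPERATORS"));
        System.out.println(new LdapGroupRoleAdapter(mapBased).mapAuthorities(fromLdap));
    }
}
```

An instance of the adapter can be handed to the LDAP authentication provider through its setAuthoritiesMapper property, which keeps the default ROLE_ prefix in place for the voter.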