
Thread: Dynamic Context Usernames - Post Login

  1. #1
    Join Date
    Feb 2005
    Location
    Chicago
    Posts
    6


    I'm a first time LDAP-Template user. Love it.

    Question: once my end user logs in, how do I go about changing the context source to use their credentials?

    So, for example, right now my ldaptemplate spring configuration looks like this (the ${} values are in an external properties file):

    Code:
    <bean id="contextSource" class="net.sf.ldaptemplate.support.LdapContextSource">
        <property name="url" value="${ldap.url}" />
        <property name="userName" value="${ldap.userDn}" />
        <property name="base" value="${ldap.base}" />
        <property name="password" value="${ldap.password}" />
        <property name="authenticatedReadOnly" value="true" />
    </bean>
    <bean id="ldapTemplate" class="net.sf.ldaptemplate.LdapTemplate">
        <constructor-arg ref="contextSource" />
    </bean>
    Once a user authenticates via Acegi, I'd like to take their credentials and plug them into the userName and password sections of the context source instead of using the generic manager dn and pw. Do I just have to reconfigure the context source and re-inject it into the ldap template?

    Any advice? Is this possible? Is this advisable? Thanks!
    --
    Reid Carlberg
    rsc1@fivesticks.com

  2. #2
    Join Date
    Mar 2005
    Location
    Landskrona, Sweden
    Posts
    505


    Have a look at AcegiAuthenticationSource.
    You supply an instance of it to your ContextSource instead of user dn and password to have them retrieved from Acegi.
    Mattias Arthursson
    Jayway AB (www.jayway.se)
    Spring-LDAP project member

  3. #3
    Join Date
    Feb 2005
    Location
    Chicago
    Posts
    6


    Cool. That basically did it. I did end up overriding LdapContextSource with the following code:

    Code:
            /*
             * 2006-08-16 reid@fivesticks.com if we're going to use the
             * authentication source, it must have both principal and credentials to
             * proceed. If they're empty, use the defaults for anonymous access.
             */
            log.info("attempting to setup authenticated environment.");

            if (StringUtils.hasText(authenticationSource.getPrincipal())
                    && StringUtils.hasText(authenticationSource.getCredentials())) {
                // Both values are present: bind as the logged-in user.
                env.put(Context.SECURITY_PRINCIPAL,
                        authenticationSource.getPrincipal());
                env.put(Context.SECURITY_CREDENTIALS,
                        authenticationSource.getCredentials());
            } else {
                // Nothing usable from the authentication source yet:
                // fall back to the configured default user.
                log.info("no authenticationSource credentials just yet, using anonymous");
                env.put(Context.SECURITY_PRINCIPAL, this.getUserName());
                env.put(Context.SECURITY_CREDENTIALS, this.getPassword());
            }

            // Log the principal only; the password must not be written to the log.
            log.info("princ " + env.get(Context.SECURITY_PRINCIPAL));
    In the event no credentials exist, we'll use the default. When credentials exist, we'll use those.

    Any harm in this?

    thanks for the input.
    --
    Reid Carlberg
    rsc1@fivesticks.com

  4. #4
    Join Date
    Mar 2005
    Location
    Landskrona, Sweden
    Posts
    505


    Probably no harm in that, as long as the default credentials are not for an administrator, in which case you'd have a security issue.

    When it comes to subclassing ContextSource, I'd probably lean towards putting the logic in a custom AuthenticationSource implementation instead, either a subclass of AcegiAuthenticationSource or a decorator on AuthenticationSource. That's basically the design idea behind AuthenticationSource: to contain the logic for retrieving the credentials to use; ContextSource shouldn't have to concern itself with the details of that.

    Either way would work though, so it's probably more a question of taste.
    Mattias Arthursson
    Jayway AB (www.jayway.se)
    Spring-LDAP project member
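
The decorator approach suggested in post #4, sketched as an added example that is not code from the thread or from the library. The `AuthenticationSource` interface below is a local stand-in declaring only the two methods used in post #3; `FallbackAuthenticationSource`, `FallbackDemo` and all DNs and passwords are hypothetical, constructed values.

```java
// Local stand-in for the library's interface (assumption: only these two
// methods, as called in post #3). In a real project, implement the library's own.
interface AuthenticationSource {
    String getPrincipal();
    String getCredentials();
}

/** Hypothetical decorator: the delegate's credentials when complete, else a fixed default. */
final class FallbackAuthenticationSource implements AuthenticationSource {
    private final AuthenticationSource delegate;
    private final String defaultDn;        // should be a low-privilege, read-only account
    private final String defaultPassword;

    FallbackAuthenticationSource(AuthenticationSource delegate, String defaultDn, String defaultPassword) {
        this.delegate = delegate;
        this.defaultDn = defaultDn;
        this.defaultPassword = defaultPassword;
    }

    // Both values must be present. A DN sent with an empty password is an
    // unauthenticated bind, which many directory servers accept as anonymous.
    private boolean delegateIsComplete() {
        return hasText(delegate.getPrincipal()) && hasText(delegate.getCredentials());
    }

    // Principal and credentials are always taken from the same source.
    public String getPrincipal() { return delegateIsComplete() ? delegate.getPrincipal() : defaultDn; }
    public String getCredentials() { return delegateIsComplete() ? delegate.getCredentials() : defaultPassword; }

    private static boolean hasText(String s) { return s != null && s.trim().length() > 0; }
}

public class FallbackDemo {
    // Fixed-value source standing in for AcegiAuthenticationSource in this demo.
    static AuthenticationSource fixed(final String dn, final String pw) {
        return new AuthenticationSource() {
            public String getPrincipal() { return dn; }
            public String getCredentials() { return pw; }
        };
    }

    public static void main(String[] args) {
        String roDn = "cn=readonly,dc=example,dc=com";   // constructed default account
        String userDn = "uid=reid,ou=people,dc=example,dc=com";
        AuthenticationSource loggedIn = new FallbackAuthenticationSource(fixed(userDn, "s3cret"), roDn, "ro-pw");
        AuthenticationSource notYet = new FallbackAuthenticationSource(fixed(null, null), roDn, "ro-pw");
        AuthenticationSource emptyPw = new FallbackAuthenticationSource(fixed(userDn, ""), roDn, "ro-pw");
        // Print principals only; credentials are never printed or logged.
        System.out.println(loggedIn.getPrincipal());  // the user's DN
        System.out.println(notYet.getPrincipal());    // the default DN
        System.out.println(emptyPw.getPrincipal());   // the default DN (incomplete credentials)
    }
}
```

With this in place, the stock ContextSource can be given the decorator as its authentication source and needs no subclass.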
