📄 defaultldapauthoritiespopulator.java
字号:
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */package org.acegisecurity.providers.ldap.populator;import org.acegisecurity.GrantedAuthority;import org.acegisecurity.GrantedAuthorityImpl;import org.acegisecurity.ldap.InitialDirContextFactory;import org.acegisecurity.ldap.LdapTemplate;import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;import org.acegisecurity.userdetails.ldap.LdapUserDetails;import org.apache.commons.logging.Log;import org.apache.commons.logging.LogFactory;import org.springframework.util.Assert;import java.util.HashSet;import java.util.Iterator;import java.util.Set;import javax.naming.directory.Attributes;import javax.naming.directory.SearchControls;/** * The default strategy for obtaining user role information from the directory. * <p/> * <p>It obtains roles by performing a search for "groups" the user is a member of.</p> * <p/> * <p/> * A typical group search scenario would be where each group/role is specified using the <tt>groupOfNames</tt> * (or <tt>groupOfUniqueNames</tt>) LDAP objectClass and the user's DN is listed in the <tt>member</tt> (or * <tt>uniqueMember</tt>) attribute to indicate that they should be assigned that role. The following LDIF sample has * the groups stored under the DN <tt>ou=groups,dc=acegisecurity,dc=org</tt> and a group called "developers" with * "ben" and "marissa" as members: * <pre> * dn: ou=groups,dc=acegisecurity,dc=orgobjectClass: top * objectClass: organizationalUnitou: groupsdn: cn=developers,ou=groups,dc=acegisecurity,dc=org * objectClass: groupOfNamesobjectClass: topcn: developersdescription: Acegi Security Developers * member: uid=ben,ou=people,dc=acegisecurity,dc=orgmember: uid=marissa,ou=people,dc=acegisecurity,dc=orgou: developer * </pre> * </p> * <p/> * The group search is performed within a DN specified by the <tt>groupSearchBase</tt> property, which should * be relative to the root DN of its <tt>InitialDirContextFactory</tt>. If the search base is null, group searching is * disabled. The filter used in the search is defined by the <tt>groupSearchFilter</tt> property, with the filter * argument {0} being the full DN of the user. You can also optionally use the parameter {1}, which will be substituted * with the username. You can also specify which attribute defines the role name by setting * the <tt>groupRoleAttribute</tt> property (the default is "cn").</p> * <p/> * <p>The configuration below shows how the group search might be performed with the above schema. * <pre> * <bean id="ldapAuthoritiesPopulator" * class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator"> * <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg> * <constructor-arg><value>ou=groups</value></constructor-arg> * <property name="groupRoleAttribute"><value>ou</value></property> * <!-- the following properties are shown with their default values --> * <property name="searchSubTree"><value>false</value></property> * <property name="rolePrefix"><value>ROLE_</value></property> * <property name="convertToUpperCase"><value>true</value></property> * </bean> * </pre> * A search for roles for user "uid=ben,ou=people,dc=acegisecurity,dc=org" would return the single granted authority * "ROLE_DEVELOPER". * </p> * <p/> * The single-level search is performed by default. Setting the <tt>searchSubTree</tt> property to true will enable * a search of the entire subtree under <tt>groupSearchBase</tt>. * * @author Luke Taylor * @version $Id: DefaultLdapAuthoritiesPopulator.java 1996 2007-08-30 21:15:14Z luke_t $ */public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator { //~ Static fields/initializers ===================================================================================== private static final Log logger = LogFactory.getLog(DefaultLdapAuthoritiesPopulator.class); //~ Instance fields ================================================================================================ /** * A default role which will be assigned to all authenticated users if set */ private GrantedAuthority defaultRole = null; /** * An initial context factory is only required if searching for groups is required. */ private InitialDirContextFactory initialDirContextFactory = null; private LdapTemplate ldapTemplate; /** * Controls used to determine whether group searches should be performed over the full sub-tree from the * base DN. Modified by searchSubTree property */ private SearchControls searchControls = new SearchControls(); /** * The ID of the attribute which contains the role name for a group */ private String groupRoleAttribute = "cn"; /** * The base DN from which the search for group membership should be performed */ private String groupSearchBase = null; /** * The pattern to be used for the user search. {0} is the user's DN */ private String groupSearchFilter = "(member={0})"; /** * Attributes of the User's LDAP Object that contain role name information. */// private String[] userRoleAttributes = null; private String rolePrefix = "ROLE_"; private boolean convertToUpperCase = true; //~ Constructors =================================================================================================== /** * Constructor for group search scenarios. <tt>userRoleAttributes</tt> may still be * set as a property. * * @param initialDirContextFactory supplies the contexts used to search for user roles. * @param groupSearchBase if this is an empty string the search will be performed from the root DN of the * context factory. */ public DefaultLdapAuthoritiesPopulator(InitialDirContextFactory initialDirContextFactory, String groupSearchBase) { this.setInitialDirContextFactory(initialDirContextFactory); this.setGroupSearchBase(groupSearchBase); } //~ Methods ======================================================================================================== /** * This method should be overridden if required to obtain any additional * roles for the given user (on top of those obtained from the standard * search implemented by this class). * * @param ldapUser the user who's roles are required * @return the extra roles which will be merged with those returned by the group search */ protected Set getAdditionalRoles(LdapUserDetails ldapUser) { return null; } /** * Obtains the authorities for the user who's directory entry is represented by * the supplied LdapUserDetails object. * * @param userDetails the user who's authorities are required * @return the set of roles granted to the user. */ public final GrantedAuthority[] getGrantedAuthorities(LdapUserDetails userDetails) { String userDn = userDetails.getDn(); if (logger.isDebugEnabled()) { logger.debug("Getting authorities for user " + userDn); } Set roles = getGroupMembershipRoles(userDn, userDetails.getUsername()); // Temporary use of deprecated method Set oldGroupRoles = getGroupMembershipRoles(userDn, userDetails.getAttributes()); if (oldGroupRoles != null) { roles.addAll(oldGroupRoles); } Set extraRoles = getAdditionalRoles(userDetails); if (extraRoles != null) { roles.addAll(extraRoles); } if (defaultRole != null) { roles.add(defaultRole); } return (GrantedAuthority[]) roles.toArray(new GrantedAuthority[roles.size()]); }// protected Set getRolesFromUserAttributes(String userDn, Attributes userAttributes) {// Set userRoles = new HashSet();//// for(int i=0; userRoleAttributes != null && i < userRoleAttributes.length; i++) {// Attribute roleAttribute = userAttributes.get(userRoleAttributes[i]);//// addAttributeValuesToRoleSet(roleAttribute, userRoles);// }//// return userRoles;// } public Set getGroupMembershipRoles(String userDn, String username) { Set authorities = new HashSet(); if (getGroupSearchBase() == null) { return authorities; } if (logger.isDebugEnabled()) { logger.debug("Searching for roles for user '" + username + "', DN = " + "'" + userDn + "', with filter " + groupSearchFilter + " in search base '" + getGroupSearchBase() + "'"); } Set userRoles = ldapTemplate.searchForSingleAttributeValues(getGroupSearchBase(), groupSearchFilter, new String[]{userDn, username}, groupRoleAttribute); if (logger.isDebugEnabled()) { logger.debug("Roles from search: " + userRoles); } Iterator it = userRoles.iterator(); while (it.hasNext()) { String role = (String) it.next(); if (convertToUpperCase) { role = role.toUpperCase(); } authorities.add(new GrantedAuthorityImpl(rolePrefix + role)); } return authorities; } /** * Searches for groups the user is a member of. * * @param userDn the user's distinguished name. * @param userAttributes the retrieved user's attributes (unused by default). * @return the set of roles obtained from a group membership search, or null if <tt>groupSearchBase</tt> has been * set. * @deprecated Subclasses should implement <tt>getAdditionalRoles</tt> instead. */ protected Set getGroupMembershipRoles(String userDn, Attributes userAttributes) { return new HashSet(); } protected InitialDirContextFactory getInitialDirContextFactory() { return initialDirContextFactory; } /** * Set the {@link InitialDirContextFactory} * * @param initialDirContextFactory supplies the contexts used to search for user roles. */ private void setInitialDirContextFactory(InitialDirContextFactory initialDirContextFactory) { Assert.notNull(initialDirContextFactory, "InitialDirContextFactory must not be null"); this.initialDirContextFactory = initialDirContextFactory; ldapTemplate = new LdapTemplate(initialDirContextFactory); ldapTemplate.setSearchControls(searchControls); } /** * Set the group search base (name to search under) * * @param groupSearchBase if this is an empty string the search will be performed from the root DN of the context * factory. */ private void setGroupSearchBase(String groupSearchBase) { Assert.notNull(groupSearchBase, "The groupSearchBase (name to search under), must not be null."); this.groupSearchBase = groupSearchBase; if (groupSearchBase.length() == 0) { logger.info("groupSearchBase is empty. Searches will be performed from the root: " + getInitialDirContextFactory().getRootDn()); } } protected String getGroupSearchBase() { return groupSearchBase; } public void setConvertToUpperCase(boolean convertToUpperCase) { this.convertToUpperCase = convertToUpperCase; } /** * The default role which will be assigned to all users. * * @param defaultRole the role name, including any desired prefix. */ public void setDefaultRole(String defaultRole) { Assert.notNull(defaultRole, "The defaultRole property cannot be set to null"); this.defaultRole = new GrantedAuthorityImpl(defaultRole); } public void setGroupRoleAttribute(String groupRoleAttribute) { Assert.notNull(groupRoleAttribute, "groupRoleAttribute must not be null"); this.groupRoleAttribute = groupRoleAttribute; } public void setGroupSearchFilter(String groupSearchFilter) { Assert.notNull(groupSearchFilter, "groupSearchFilter must not be null"); this.groupSearchFilter = groupSearchFilter; } public void setRolePrefix(String rolePrefix) { Assert.notNull(rolePrefix, "rolePrefix must not be null"); this.rolePrefix = rolePrefix; } /** * If set to true, a subtree scope search will be performed. If false a single-level search is used. * * @param searchSubtree set to true to enable searching of the entire tree below the <tt>groupSearchBase</tt>. */ public void setSearchSubtree(boolean searchSubtree) { int searchScope = searchSubtree ? SearchControls.SUBTREE_SCOPE : SearchControls.ONELEVEL_SCOPE; searchControls.setSearchScope(searchScope); }}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -