Package org.springframework.security.ldap.authentication.ad

Class ActiveDirectoryLdapAuthenticationProvider

java.lang.Object

org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider

org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider

All Implemented Interfaces:

org.springframework.beans.factory.Aware, org.springframework.context.MessageSourceAware, AuthenticationProvider

public final class ActiveDirectoryLdapAuthenticationProvider
extends AbstractLdapAuthenticationProvider

Specialized LDAP authentication provider which uses Active Directory configuration conventions.

It will authenticate using the Active Directory userPrincipalName or a custom searchFilter in the form username@domain. If the username does not already end with the domain name, the userPrincipalName will be built by appending the configured domain name to the username supplied in the authentication request. If no domain name is configured, it is assumed that the username will always contain the domain name.

The user authorities are obtained from the data contained in the memberOf attribute.

Active Directory Sub-Error Codes

When an authentication fails, resulting in a standard LDAP 49 error code, Active Directory also supplies its own sub-error codes within the error message. These will be used to provide additional log information on why an authentication has failed. Typical examples are

• 525 - user not found
• 52e - invalid credentials
• 530 - not permitted to logon at this time
• 532 - password expired
• 533 - account disabled
• 701 - account expired
• 773 - user must reset password
• 775 - account locked

If you set the convertSubErrorCodesToExceptions property to true, the codes will also be used to control the exception raised.

Since:

3.1

Field Summary

Fields inherited from class org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider

logger, messages, userDetailsContextMapper

Constructor Summary

Constructors

Constructor	Description
ActiveDirectoryLdapAuthenticationProvider(String domain, String url)
ActiveDirectoryLdapAuthenticationProvider(String domain, String url, String rootDn)

Method Summary

Modifier and Type	Method	Description
protected org.springframework.ldap.core.DirContextOperations	doAuthentication(UsernamePasswordAuthenticationToken auth)
protected Collection<? extends GrantedAuthority>	loadUserAuthorities(org.springframework.ldap.core.DirContextOperations userData, String username, String password)	Creates the user authority list from the values of the memberOf attribute obtained from the user's Active Directory entry.
void	setContextEnvironmentProperties(Map<String,Object> environment)	Allows a custom environment properties to be used to create initial LDAP context.
void	setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToExceptions)	By default, a failed authentication (LDAP error 49) will result in a BadCredentialsException.
void	setSearchFilter(String searchFilter)	The LDAP filter string to search for the user being authenticated.

Methods inherited from class org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider

authenticate, createSuccessfulAuthentication, getUserDetailsContextMapper, setAuthoritiesMapper, setMessageSource, setUseAuthenticationRequestCredentials, setUserDetailsContextMapper, supports

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

ActiveDirectoryLdapAuthenticationProvider

public ActiveDirectoryLdapAuthenticationProvider(String domain,
 String url,
 String rootDn)

Parameters:

domain - the domain name (may be null or empty)

url - an LDAP url (or multiple URLs)

rootDn - the root DN (may be null or empty)

ActiveDirectoryLdapAuthenticationProvider

public ActiveDirectoryLdapAuthenticationProvider(String domain,
 String url)

Parameters:

domain - the domain name (may be null or empty)

url - an LDAP url (or multiple URLs)

Method Details

doAuthentication

protected org.springframework.ldap.core.DirContextOperations doAuthentication(UsernamePasswordAuthenticationToken auth)

Specified by:

doAuthentication in class AbstractLdapAuthenticationProvider

loadUserAuthorities

protected Collection<? extends GrantedAuthority> loadUserAuthorities(org.springframework.ldap.core.DirContextOperations userData,
 String username,
 String password)

Creates the user authority list from the values of the memberOf attribute obtained from the user's Active Directory entry.

Specified by:

loadUserAuthorities in class AbstractLdapAuthenticationProvider

setConvertSubErrorCodesToExceptions

public void setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToExceptions)

By default, a failed authentication (LDAP error 49) will result in a BadCredentialsException.

If this property is set to true, the exception message from a failed bind attempt will be parsed for the AD-specific error code and a CredentialsExpiredException, DisabledException, AccountExpiredException or LockedException will be thrown for the corresponding codes. All other codes will result in the default BadCredentialsException.

Parameters:

convertSubErrorCodesToExceptions - true to raise an exception based on the AD error code.

setSearchFilter

public void setSearchFilter(String searchFilter)

The LDAP filter string to search for the user being authenticated. Occurrences of {0} are replaced with the username@domain. Occurrences of {1} are replaced with the username only.

Defaults to: (&(objectClass=user)(userPrincipalName={0}))

Parameters:

searchFilter - the filter string

Since:

3.2.6

setContextEnvironmentProperties

public void setContextEnvironmentProperties(Map<String,Object> environment)

Allows a custom environment properties to be used to create initial LDAP context.

Parameters:

environment - the additional environment parameters to use when creating the LDAP Context