Spring Security LDAP module providing comprehensive LDAP authentication and authorization capabilities for enterprise applications
—
LDAP authentication supporting several strategies — bind authentication and password comparison — so that the module can be integrated with different LDAP server configurations.
Primary authentication provider that orchestrates LDAP authentication using configurable authenticators and authorities populators.
/**
* Primary LDAP authentication provider that delegates to LdapAuthenticator implementations
* and optionally populates authorities from LDAP groups or attributes.
* <p>
* The supplied authenticator decides how the password is verified (a bind with the user's own
* credentials, or a comparison against the stored value; see BindAuthenticator and
* PasswordComparisonAuthenticator on this page). The authorities populator, when configured,
* decides which authorities the returned Authentication carries.
*/
public class LdapAuthenticationProvider implements AuthenticationProvider, InitializingBean, MessageSourceAware {
/**
* Creates an authentication provider with the specified authenticator.
* NOTE(review): which populator is used when none is given is not shown on this page; the
* usage example below sets one explicitly through setAuthoritiesPopulator.
* @param authenticator the LDAP authenticator to use for authentication
*/
public LdapAuthenticationProvider(LdapAuthenticator authenticator);
/**
* Creates an authentication provider with authenticator and authorities populator.
* @param authenticator the LDAP authenticator to use
* @param authoritiesPopulator populator for retrieving user authorities from the directory
*/
public LdapAuthenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator);
/**
* Performs LDAP authentication for the given authentication request: the authenticator verifies
* the credentials and returns the user's directory context, the context mapper turns that
* context into UserDetails, and the populator supplies the authorities.
* @param authentication the authentication request
* @return authenticated Authentication object with authorities
* @throws AuthenticationException if authentication fails; a BadCredentialsException raised by
* the authenticator is one such case. Keep the message shown to the end user generic so that
* it does not reveal whether the account exists.
*/
public Authentication authenticate(Authentication authentication) throws AuthenticationException;
/**
* Checks if this provider supports the given authentication type.
* @param authentication the authentication class
* @return true if UsernamePasswordAuthenticationToken is assignable from the class
*/
public boolean supports(Class<?> authentication);
/**
* Sets the context mapper for mapping LDAP context to UserDetails; the mapper receives the
* DirContextOperations returned by the authenticator.
* @param mapper the context mapper to use
*/
public void setUserDetailsContextMapper(UserDetailsContextMapper mapper);
/**
* Sets the authorities populator for retrieving user authorities.
* NOTE(review): presumably replaces any populator passed to the two-argument constructor — confirm.
* @param authoritiesPopulator the authorities populator
*/
public void setAuthoritiesPopulator(LdapAuthoritiesPopulator authoritiesPopulator);
}Usage Examples:
// Basic authentication provider with bind authenticator.
// `contextSource` and `userSearch` are assumed to be configured elsewhere (see LdapSecurityConfig
// further down this page); the manager identity of the context source is only used for searching.
BindAuthenticator authenticator = new BindAuthenticator(contextSource);
authenticator.setUserSearch(userSearch); // find the user's DN first, then bind as that DN with the supplied password
LdapAuthenticationProvider authProvider = new LdapAuthenticationProvider(authenticator);
// With authorities populator: "ou=groups" is the search base for group lookups
// (NOTE(review): relative to the context source's base DN in upstream Spring Security — confirm)
DefaultLdapAuthoritiesPopulator authoritiesPopulator =
new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups");
authProvider.setAuthoritiesPopulator(authoritiesPopulator);
// With custom user details mapping: replaces the default mapping from directory entry to UserDetails
authProvider.setUserDetailsContextMapper(new LdapUserDetailsMapper());Authenticates users by attempting to bind to the LDAP server using the user's credentials.
/**
* LDAP authenticator that uses bind authentication - attempts to bind to LDAP using user credentials.
* <p>
* The user's DN is obtained through the DN patterns or user search configured on
* AbstractLdapAuthenticator, and the directory itself checks the password during the bind.
* Unlike PasswordComparisonAuthenticator, no stored password value has to be read or compared
* through the configured ContextSource, which is why bind authentication is generally preferred
* where the directory permits it.
*/
public class BindAuthenticator extends AbstractLdapAuthenticator {
/**
* Creates a bind authenticator with the specified context source.
* @param contextSource the LDAP context source; its connection settings (URL, base DN) are used
* for the user bind, so use an encrypted transport (ldaps:// or StartTLS) in production
*/
public BindAuthenticator(ContextSource contextSource);
/**
* Authenticates the user by attempting to bind with their credentials.
* NOTE(review): whether an unknown user and a wrong password yield distinguishable exceptions
* is not shown on this page; callers should not surface such a difference to the end user.
* @param authentication the authentication request containing credentials
* @return DirContextOperations representing the authenticated user
* @throws BadCredentialsException if authentication fails
*/
public DirContextOperations authenticate(Authentication authentication);
}Authenticates users by comparing the provided password with the stored password in LDAP.
/**
* LDAP authenticator that compares the authentication password with the value stored in LDAP.
* <p>
* The supplied password is checked against the stored attribute rather than by binding as the
* user, so the comparison goes through the configured ContextSource, whose bind identity must be
* permitted to read or compare the password attribute. Prefer BindAuthenticator where possible.
*/
public class PasswordComparisonAuthenticator extends AbstractLdapAuthenticator {
/**
* Creates a password comparison authenticator with the specified context source.
* @param contextSource the LDAP context source used to look up the user and perform the comparison
*/
public PasswordComparisonAuthenticator(ContextSource contextSource);
/**
* Authenticates by comparing passwords.
* @param authentication the authentication request
* @return DirContextOperations representing the authenticated user
* @throws BadCredentialsException if authentication fails
*/
public DirContextOperations authenticate(Authentication authentication);
/**
* Sets the password encoder for encoding comparison passwords.
* NOTE(review): a salted encoder such as BCryptPasswordEncoder (used in the example on this
* page) yields a different ciphertext on every call, so it can only match when the stored value
* is retrieved and checked locally, not when the directory is asked to compare a freshly encoded
* value — confirm which mode the comparison switch below selects before pairing the two.
* @param passwordEncoder the password encoder to use
*/
public void setPasswordEncoder(PasswordEncoder passwordEncoder);
/**
* Sets the name of the LDAP attribute containing the password.
* The ContextSource's bind identity needs read or compare rights on this attribute.
* @param passwordAttribute the password attribute name (default: "userPassword")
*/
public void setPasswordAttributeName(String passwordAttribute);
/**
* Sets whether to use password comparison instead of bind authentication.
* NOTE(review): this summary does not fit a class that always compares passwords. In upstream
* Spring Security the corresponding switch is named setUsePasswordAttrCompare and chooses
* between retrieving the attribute and matching it locally with the PasswordEncoder (true) and
* asking the directory to perform the compare (false); confirm the name and meaning against
* the module source.
* @param usePasswordComparison true to use password comparison
*/
public void setUsePasswordComparison(boolean usePasswordComparison);
}Base class for LDAP authenticators providing common functionality.
/**
* Base class for LDAP authenticators providing common configuration and user lookup functionality.
* Subclasses (BindAuthenticator, PasswordComparisonAuthenticator) decide how the password is
* verified; this class decides how the user's DN is found.
*/
public abstract class AbstractLdapAuthenticator implements LdapAuthenticator, InitializingBean, MessageSourceAware {
/**
* Creates an authenticator with the specified context source.
* @param contextSource the LDAP context source
*/
protected AbstractLdapAuthenticator(ContextSource contextSource);
/**
* Sets the user search strategy for locating users in LDAP.
* @param userSearch the user search implementation; its filter receives the username, so it
* must encode filter metacharacters (FilterBasedLdapUserSearch with a "{0}" placeholder, as in
* the configuration example on this page, is the usual choice)
*/
public void setUserSearch(LdapUserSearch userSearch);
/**
* Sets user DN patterns for direct user lookup without search.
* NOTE(review): the username substituted for {0} comes from the authentication request; this
* page does not show whether DN special characters are escaped during substitution — confirm
* before relying on patterns with unvalidated input.
* @param userDnPatterns array of DN patterns with {0} placeholder for username
*/
public void setUserDnPatterns(String[] userDnPatterns);
/**
* Gets the distinguished names for a username using configured patterns or search.
* @param username the username to look up
* @return collection of DN strings (presumably empty when nothing matches — TODO confirm)
*/
protected Collection<String> getUserDns(String username);
}Base class for LDAP authentication providers providing common functionality.
/**
* Base class for standard LdapAuthenticationProvider and ActiveDirectoryLdapAuthenticationProvider.
* Holds the parts both providers share: the context mapper that builds UserDetails, the
* authorities mapper, and the choice of which credentials the result carries.
*/
public abstract class AbstractLdapAuthenticationProvider implements AuthenticationProvider, InitializingBean, MessageSourceAware {
/**
* Performs authentication using the configured authenticator.
* @param authentication the authentication request
* @return authenticated Authentication object with authorities
* @throws AuthenticationException if authentication fails
*/
public Authentication authenticate(Authentication authentication) throws AuthenticationException;
/**
* Checks if this provider supports the given authentication type.
* @param authentication the authentication class
* @return true if supported
*/
public boolean supports(Class<?> authentication);
/**
* Sets the authorities mapper for mapping authorities.
* @param authoritiesMapper the authorities mapper, applied to the authorities before the
* returned Authentication is built (presumably — confirm ordering relative to the populator)
*/
public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper);
/**
* Sets the user details context mapper.
* @param userDetailsContextMapper the context mapper that turns the authenticated
* DirContextOperations into a UserDetails object
*/
public void setUserDetailsContextMapper(UserDetailsContextMapper userDetailsContextMapper);
/**
* Sets whether the credentials from the authentication request are used as the credentials of
* the returned Authentication object; when false they are presumably taken from the UserDetails
* produced by the context mapper instead.
* NOTE(review): the page summarised this as concerning the "authentication name"; in upstream
* Spring Security this flag concerns the credentials, not the name — confirm against the source.
* @param useAuthenticationRequestCredentials true to carry the request credentials in the result
*/
public void setUseAuthenticationRequestCredentials(boolean useAuthenticationRequestCredentials);
}Specialized authentication provider for Microsoft Active Directory integration.
/**
* Specialized authentication provider for Microsoft Active Directory environments. It is
* configured with the domain and the URL of a domain controller rather than with a separate
* ContextSource and LdapAuthenticator.
*/
public class ActiveDirectoryLdapAuthenticationProvider implements AuthenticationProvider, InitializingBean, MessageSourceAware {
/**
* Creates an Active Directory authentication provider.
* @param domain the Active Directory domain
* @param url the LDAP URL for the domain controller. A plain ldap:// URL (as in the example on
* this page) sends the bind credentials unencrypted; use ldaps:// or StartTLS outside of tests.
*/
public ActiveDirectoryLdapAuthenticationProvider(String domain, String url);
/**
* Creates an Active Directory authentication provider with an explicit root DN for searches.
* @param domain the Active Directory domain
* @param url the primary LDAP URL
* @param rootDn the root DN for searches
*/
public ActiveDirectoryLdapAuthenticationProvider(String domain, String url, String rootDn);
/**
* Performs Active Directory authentication.
* @param authentication the authentication request
* @return authenticated Authentication object
* @throws AuthenticationException if authentication fails
*/
public Authentication authenticate(Authentication authentication) throws AuthenticationException;
/**
* Sets whether Active Directory sub-error codes returned on a failed authentication are
* converted into specific exceptions instead of a generic authentication failure.
* NOTE(review): which codes map to which exception is not shown here. The distinction (for
* example an expired or locked account) is useful for logging, but a user-facing message that
* echoes it discloses account state to whoever supplied the credentials.
* @param convertSubErrorCodesToExceptions true to convert sub-errors
*/
public void setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToExceptions);
/**
* Sets the search filter for finding users in Active Directory.
* NOTE(review): how the username is substituted into the filter is not shown on this page;
* confirm that a custom filter keeps the username as an encoded filter argument rather than
* concatenating it into the filter string.
* @param searchFilter the LDAP search filter
*/
public void setSearchFilter(String searchFilter);
/**
* Sets whether the credentials from the authentication request are carried in the returned
* Authentication object.
* NOTE(review): the page summarised this as "true to use bind authentication", which contradicts
* the same setter documented on AbstractLdapAuthenticationProvider above; the description here
* follows the base class and should be confirmed against the module source.
* @param useAuthenticationRequestCredentials true to keep the request credentials in the result
*/
public void setUseAuthenticationRequestCredentials(boolean useAuthenticationRequestCredentials);
}Usage Examples:
// Active Directory authentication.
// The ldap:// URL below is a plaintext connection; outside of a local test use ldaps:// or StartTLS
// so that the credentials sent in the bind are not exposed on the network.
ActiveDirectoryLdapAuthenticationProvider adProvider =
new ActiveDirectoryLdapAuthenticationProvider("corp.example.com", "ldap://dc.corp.example.com:389/");
adProvider.setConvertSubErrorCodesToExceptions(true); // specific exceptions per AD sub-error; keep user-facing messages generic
adProvider.setUseAuthenticationRequestCredentials(true);
// Password comparison authentication.
// `contextSource` is assumed to be configured elsewhere; its bind identity must be able to read or
// compare the password attribute. NOTE(review): BCrypt produces salted hashes, so this pairing only
// works when the stored value is fetched and matched locally — confirm the comparison mode in use.
PasswordComparisonAuthenticator passwordAuth = new PasswordComparisonAuthenticator(contextSource);
passwordAuth.setPasswordEncoder(new BCryptPasswordEncoder());
passwordAuth.setPasswordAttributeName("userPassword");
LdapAuthenticationProvider provider = new LdapAuthenticationProvider(passwordAuth);Strategy interface for LDAP authentication implementations.
/**
* Strategy interface for LDAP authentication implementations.
* Implementations on this page: BindAuthenticator (binds as the user) and
* PasswordComparisonAuthenticator (compares against the stored password attribute).
*/
public interface LdapAuthenticator {
/**
* Performs LDAP authentication for the given authentication request.
* @param authentication the authentication request containing credentials
* @return DirContextOperations representing the authenticated user context; LdapAuthenticationProvider
* hands this to the UserDetailsContextMapper and the LdapAuthoritiesPopulator
* @throws AuthenticationException if authentication fails
*/
DirContextOperations authenticate(Authentication authentication);
}No-operation authorities populator that returns empty authorities collection.
/**
* Implementation of LdapAuthoritiesPopulator that returns an empty authorities collection.
* Useful when authorities are assigned by something other than the directory; a principal
* authenticated through it carries no authorities unless another component adds them.
*/
public class NullLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
/**
* Returns an empty collection of granted authorities.
* @param userData LDAP context operations for the user (ignored)
* @param username the username (ignored)
* @return empty collection of authorities
*/
public Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username);
}@Configuration
@EnableWebSecurity
public class LdapSecurityConfig {
/**
* Context source for the directory. The manager DN and password set here are what the user
* search runs as; with bind authentication the user's own password is checked by the directory.
* NOTE(review): the manager password is hard-coded and the URL is plain ldap:// — in a real
* deployment read the credential from externalised configuration and use ldaps:// or StartTLS.
*/
@Bean
public DefaultSpringSecurityContextSource contextSource() {
DefaultSpringSecurityContextSource source =
new DefaultSpringSecurityContextSource("ldap://localhost:389/dc=springframework,dc=org");
source.setUserDn("cn=manager,dc=springframework,dc=org");
source.setPassword("password");
return source;
}
/**
* Locates users under "ou=people" by uid; "{0}" is the filter placeholder for the username.
*/
@Bean
public FilterBasedLdapUserSearch userSearch() {
return new FilterBasedLdapUserSearch("ou=people", "uid={0}", contextSource());
}
/**
* Bind authenticator: searches for the user's DN, then binds as that DN with the supplied password.
*/
@Bean
public BindAuthenticator authenticator() {
BindAuthenticator bindAuthenticator = new BindAuthenticator(contextSource());
bindAuthenticator.setUserSearch(userSearch());
return bindAuthenticator;
}
/**
* Provider wired with the bind authenticator; no authorities populator is configured here.
*/
@Bean
public LdapAuthenticationProvider authenticationProvider() {
return new LdapAuthenticationProvider(authenticator());
}
}@Bean
/**
* Password-comparison alternative to the bind authenticator above. The context source's
* manager identity must be allowed to read or compare the "userPassword" attribute.
* NOTE(review): BCrypt hashes are salted, so this only matches when the stored value is
* retrieved and checked locally rather than compared by the directory — confirm the mode.
*/
public PasswordComparisonAuthenticator passwordAuthenticator() {
PasswordComparisonAuthenticator comparisonAuthenticator =
new PasswordComparisonAuthenticator(contextSource());
comparisonAuthenticator.setPasswordEncoder(new BCryptPasswordEncoder());
comparisonAuthenticator.setPasswordAttributeName("userPassword");
comparisonAuthenticator.setUserSearch(userSearch());
return comparisonAuthenticator;
}Install with Tessl CLI