public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLdapAuthenticationProvider

It will authenticate using the Active Directory userPrincipalName or a custom searchFilter in the form username@domain. If the username does not already end with the domain name, the userPrincipalName will be built by appending the configured domain name to the username supplied in the authentication request. If no domain name is configured, it is assumed that the username will always contain the domain name.

The user authorities are obtained from the data contained in the memberOf attribute.

If the convertSubErrorCodesToExceptions property is set to true, the Active Directory sub-error codes returned on a failed bind will also be used to control the exception raised.

Fields inherited from class AbstractLdapAuthenticationProvider: logger, messages, userDetailsContextMapper

| Constructor and Description |
|---|
| ActiveDirectoryLdapAuthenticationProvider(String domain, String url) |
| ActiveDirectoryLdapAuthenticationProvider(String domain, String url, String rootDn) |
| Modifier and Type | Method and Description |
|---|---|
| protected DirContextOperations | doAuthentication(org.springframework.security.authentication.UsernamePasswordAuthenticationToken auth) |
| protected Collection<? extends org.springframework.security.core.GrantedAuthority> | loadUserAuthorities(DirContextOperations userData, String username, String password) Creates the user authority list from the values of the memberOf attribute obtained from the user's Active Directory entry. |
| void | setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToExceptions) By default, a failed authentication (LDAP error 49) will result in a BadCredentialsException. |
| void | setSearchFilter(String searchFilter) The LDAP filter string to search for the user being authenticated. |
Methods inherited from class AbstractLdapAuthenticationProvider: authenticate, createSuccessfulAuthentication, getUserDetailsContextMapper, setAuthoritiesMapper, setMessageSource, setUseAuthenticationRequestCredentials, setUserDetailsContextMapper, supports

public ActiveDirectoryLdapAuthenticationProvider(String domain, String url, String rootDn)

Parameters:
domain - the domain name (may be null or empty)
url - an LDAP url (or multiple URLs)
rootDn - the root DN (may be null or empty)

protected DirContextOperations doAuthentication(org.springframework.security.authentication.UsernamePasswordAuthenticationToken auth)

Overrides:
doAuthentication in class AbstractLdapAuthenticationProvider

protected Collection<? extends org.springframework.security.core.GrantedAuthority> loadUserAuthorities(DirContextOperations userData, String username, String password)

Creates the user authority list from the values of the memberOf attribute obtained from the user's Active Directory entry.

Overrides:
loadUserAuthorities in class AbstractLdapAuthenticationProvider

public void setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToExceptions)

By default, a failed authentication (LDAP error 49) will result in a BadCredentialsException.

If this property is set to true, the exception message from a failed bind attempt will be parsed for the AD-specific error code and a CredentialsExpiredException, DisabledException, AccountExpiredException or LockedException will be thrown for the corresponding codes. All other codes will result in the default BadCredentialsException.

Parameters:
convertSubErrorCodesToExceptions - true to raise an exception based on the AD error code.

public void setSearchFilter(String searchFilter)

The LDAP filter string to search for the user being authenticated. Occurrences of {0} are replaced with the username@domain.

Defaults to: (&(objectClass=user)(userPrincipalName={0}))

Parameters:
searchFilter - the filter string
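An added configuration example (not part of the Javadoc above and not Spring Security's own code) that wires the provider up with the options this page documents and shows how the AD-specific exceptions enabled by setConvertSubErrorCodesToExceptions are typically handled: the specific account condition goes to the operator log, while the caller gets one uniform failure, because telling "locked" or "disabled" apart from "wrong password" reveals which accounts exist. The domain, the LDAPS URL and the class name AdAuthConfig are assumptions.

```java
import java.util.logging.Logger;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
public class AdAuthConfig {

    private static final Logger LOG = Logger.getLogger(AdAuthConfig.class.getName());

    @Bean
    public AuthenticationProvider activeDirectoryAuthenticationProvider() {
        // Domain and URL are placeholders for the deployment's own values (assumption).
        // With a domain configured, "alice" is turned into the UPN alice@example.com.
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider("example.com", "ldaps://ad.example.com:636/");

        // Parse the AD sub-error code from a failed bind and raise the matching
        // account-status exception instead of a plain BadCredentialsException.
        provider.setConvertSubErrorCodesToExceptions(true);

        // Same shape as the default filter; {0} is replaced with username@domain.
        provider.setSearchFilter("(&(objectClass=user)(userPrincipalName={0}))");

        // memberOf values become granted authorities; SimpleAuthorityMapper
        // upper-cases them and adds the ROLE_ prefix expected by role checks.
        provider.setAuthoritiesMapper(new SimpleAuthorityMapper());
        return provider;
    }

    // Authenticates via the provider. The specific AD condition is recorded for
    // operators; the caller only ever sees a generic failure.
    public static Authentication authenticate(AuthenticationProvider provider, String username, String password) {
        try {
            return provider.authenticate(new UsernamePasswordAuthenticationToken(username, password));
        } catch (LockedException | DisabledException | AccountExpiredException | CredentialsExpiredException e) {
            LOG.warning("AD account condition for " + username + ": " + e.getClass().getSimpleName());
            throw new BadCredentialsException("Authentication failed");
        }
    }
}
```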