Package org.springframework.security.ldap.authentication.ad

Class ActiveDirectoryLdapAuthenticationProvider

  • All Implemented Interfaces:
    org.springframework.beans.factory.Aware, org.springframework.context.MessageSourceAware, org.springframework.security.authentication.AuthenticationProvider
    public final class ActiveDirectoryLdapAuthenticationProvider
extends AbstractLdapAuthenticationProvider
    Specialized LDAP authentication provider which uses Active Directory configuration conventions.

    It will authenticate using the Active Directory userPrincipalName or a custom searchFilter in the form username@domain. If the username does not already end with the domain name, the userPrincipalName will be built by appending the configured domain name to the username supplied in the authentication request. If no domain name is configured, it is assumed that the username will always contain the domain name.

    The user authorities are obtained from the data contained in the memberOf attribute.

    Active Directory Sub-Error Codes

    When an authentication fails, resulting in a standard LDAP 49 error code, Active Directory also supplies its own sub-error codes within the error message. These will be used to provide additional log information on why an authentication has failed. Typical examples are
    • 525 - user not found
    • 52e - invalid credentials
    • 530 - not permitted to logon at this time
    • 532 - password expired
    • 533 - account disabled
    • 701 - account expired
    • 773 - user must reset password
    • 775 - account locked
    If you set the convertSubErrorCodesToExceptions property to true, the codes will also be used to control the exception raised.
    Since:
    3.1

    • Constructor Detail

      • ActiveDirectoryLdapAuthenticationProvider

        public ActiveDirectoryLdapAuthenticationProvider​(java.lang.String domain,
                                                 java.lang.String url,
                                                 java.lang.String rootDn)
        Parameters:
        domain - the domain name (can be null or empty)
        url - an LDAP url (or multiple space-delimited URLs).
        rootDn - the root DN (can be null or empty)
        See Also:
        JNDI URL format documentation

      • ActiveDirectoryLdapAuthenticationProvider

        public ActiveDirectoryLdapAuthenticationProvider​(java.lang.String domain,
                                                 java.lang.String url)
        Parameters:
        domain - the domain name (may be null or empty)
        url - an LDAP url (or multiple URLs)

    • Method Detail

      • doAuthentication

        protected org.springframework.ldap.core.DirContextOperations doAuthentication​(org.springframework.security.authentication.UsernamePasswordAuthenticationToken auth)
        Specified by:
        doAuthentication in class AbstractLdapAuthenticationProvider

      • loadUserAuthorities

        protected java.util.Collection<? extends org.springframework.security.core.GrantedAuthority> loadUserAuthorities​(org.springframework.ldap.core.DirContextOperations userData,
                                                                                                                 java.lang.String username,
                                                                                                                 java.lang.String password)
        Creates the user authority list from the values of the memberOf attribute obtained from the user's Active Directory entry.
        Specified by:
        loadUserAuthorities in class AbstractLdapAuthenticationProvider

      • setConvertSubErrorCodesToExceptions

        public void setConvertSubErrorCodesToExceptions​(boolean convertSubErrorCodesToExceptions)
        By default, a failed authentication (LDAP error 49) will result in a BadCredentialsException.

        If this property is set to true, the exception message from a failed bind attempt will be parsed for the AD-specific error code and a CredentialsExpiredException, DisabledException, AccountExpiredException or LockedException will be thrown for the corresponding codes. All other codes will result in the default BadCredentialsException.

        Parameters:
        convertSubErrorCodesToExceptions - true to raise an exception based on the AD error code.

      • setSearchFilter

        public void setSearchFilter​(java.lang.String searchFilter)
        The LDAP filter string to search for the user being authenticated. Occurrences of {0} are replaced with the username@domain. Occurrences of {1} are replaced with the username only.

        Defaults to: (&(objectClass=user)(userPrincipalName={0}))

        Parameters:
        searchFilter - the filter string
        Since:
        3.2.6

      • setContextEnvironmentProperties

        public void setContextEnvironmentProperties​(java.util.Map<java.lang.String,​java.lang.Object> environment)
        Allows a custom environment properties to be used to create initial LDAP context.
        Parameters:
        environment - the additional environment parameters to use when creating the LDAP Context