X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.ldap%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fldap%2FArgeoSecurityDaoLdap.java;h=dc6cd6392030cada61bf78712dc9cca790fadb3d;hb=4c8c237990cda2b1a9be35532796510d9d5734c5;hp=f5e41232e1033cf675bd3c8c2a069010a67997a3;hpb=977a7a352131b082a98739f15e421f2bff747567;p=lgpl%2Fargeo-commons.git
diff --git a/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java b/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
index f5e41232e..dc6cd6392 100644
--- a/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
+++ b/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
@@ -16,8 +16,6 @@ package org.argeo.security.ldap;
-import static org.argeo.security.core.ArgeoUserDetails.createSimpleArgeoUser;
-
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
@@ -27,140 +25,54 @@ import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.directory.DirContext;
-import org.argeo.security.ArgeoSecurityDao;
-import org.argeo.security.ArgeoUser;
-import org.argeo.security.CurrentUserDao;
-import org.argeo.security.SimpleArgeoUser;
 import org.argeo.security.UserAdminDao;
-import org.argeo.security.core.ArgeoUserDetails;
-import org.springframework.beans.factory.InitializingBean;
 import org.springframework.ldap.core.ContextExecutor;
 import org.springframework.ldap.core.ContextMapper;
 import org.springframework.ldap.core.DirContextAdapter;
 import org.springframework.ldap.core.DistinguishedName;
 import org.springframework.ldap.core.LdapTemplate;
 import org.springframework.ldap.core.support.BaseLdapPathContextSource;
-import org.springframework.security.context.SecurityContextHolder;
-import org.springframework.security.ldap.DefaultLdapUsernameToDnMapper;
-import org.springframework.security.ldap.LdapAuthoritiesPopulator;
 import org.springframework.security.ldap.LdapUsernameToDnMapper;
 import org.springframework.security.ldap.LdapUtils;
-import org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator;
-import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
-import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
-import org.springframework.security.userdetails.UserDetails;
-import org.springframework.security.userdetails.UserDetailsManager;
-import org.springframework.security.userdetails.UserDetailsService;
-import org.springframework.security.userdetails.ldap.LdapUserDetailsManager;
-import org.springframework.security.userdetails.ldap.LdapUserDetailsService;
-import org.springframework.security.userdetails.ldap.UserDetailsContextMapper;
-public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, CurrentUserDao,
- UserAdminDao, InitializingBean {
- // private final static Log log = LogFactory.getLog(UserDaoLdap.class);
+/**
+ * Wraps a Spring LDAP user details manager, providing additional methods to
+ * manage roles.
+ */
+public class ArgeoSecurityDaoLdap implements UserAdminDao {
+ private String userBase;
+ private String usernameAttribute;
+ private String groupBase;
+ private String[] groupClasses;
- private UserDetailsManager userDetailsManager;
- private LdapAuthoritiesPopulator authoritiesPopulator;
- private String userBase = "ou=People";
- private String usernameAttributeName = "uid";
- private String groupBase = "ou=Roles";
- private String[] groupClasses = { "top", "groupOfNames" };
- private String groupRoleAttributeName = "cn";
- private String groupMemberAttributeName = "member";
- private String defaultRole = "ROLE_USER";
- private String rolePrefix = "ROLE_";
+ private String groupRoleAttribute;
+ private String groupMemberAttribute;
+ private String defaultRole;
+ private String rolePrefix;
- private final BaseLdapPathContextSource contextSource;
 private final LdapTemplate ldapTemplate;
+ private LdapUsernameToDnMapper usernameMapper;
- private LdapUsernameToDnMapper usernameMapper = null;
-
- private UserDetailsContextMapper userDetailsMapper;
- private LdapUserDetailsService ldapUserDetailsService;
- private List userNatureMappers;
-
+ /**
+ * Standard constructor, using the LDAP context source shared with Spring
+ * Security components.
+ */
 public ArgeoSecurityDaoLdap(BaseLdapPathContextSource contextSource) {
- this.contextSource = contextSource;
- ldapTemplate = new LdapTemplate(this.contextSource);
- }
-
- public void afterPropertiesSet() throws Exception {
- if (usernameMapper == null)
- usernameMapper = new DefaultLdapUsernameToDnMapper(userBase,
- usernameAttributeName);
-
- if (authoritiesPopulator == null) {
- DefaultLdapAuthoritiesPopulator ap = new DefaultLdapAuthoritiesPopulator(
- ldapTemplate.getContextSource(), groupBase);
- ap.setDefaultRole(defaultRole);
- ap.setGroupSearchFilter(groupMemberAttributeName + "={0}");
- authoritiesPopulator = ap;
- }
-
- if (userDetailsMapper == null) {
- ArgeoUserDetailsContextMapper audm = new ArgeoUserDetailsContextMapper();
- audm.setUserNatureMappers(userNatureMappers);
- userDetailsMapper = audm;
- }
-
- if (userDetailsManager == null) {
- LdapUserDetailsManager ludm = new LdapUserDetailsManager(
- ldapTemplate.getContextSource());
- ludm.setGroupSearchBase(groupBase);
- ludm.setUserDetailsMapper(userDetailsMapper);
- ludm.setUsernameMapper(usernameMapper);
- ludm.setGroupMemberAttributeName(groupMemberAttributeName);
- userDetailsManager = ludm;
- }
-
- if (ldapUserDetailsService == null) {
- FilterBasedLdapUserSearch ldapUserSearch = new FilterBasedLdapUserSearch(
- userBase, "(" + usernameAttributeName + "={0})",
- contextSource);
- ldapUserDetailsService = new LdapUserDetailsService(ldapUserSearch,
- authoritiesPopulator);
- ldapUserDetailsService.setUserDetailsMapper(userDetailsMapper);
- }
- }
-
- public synchronized void createUser(ArgeoUser user) {
- userDetailsManager.createUser(new ArgeoUserDetails(user));
- }
-
- public synchronized ArgeoUser getUser(String uname) {
- SimpleArgeoUser user = createSimpleArgeoUser(getDetails(uname));
- user.setPassword(null);
- return user;
+ this.ldapTemplate = new LdapTemplate(contextSource);
 }
- public synchronized ArgeoUser getUserWithPassword(String uname) {
- return createSimpleArgeoUser(getDetails(uname));
- }
-
- // public ArgeoUser getCurrentUser() {
- // ArgeoUser argeoUser = ArgeoUserDetails.securityContextUser();
- // if (argeoUser == null)
- // return null;
- // if (argeoUser.getRoles().contains(defaultRole))
- // argeoUser.getRoles().remove(defaultRole);
- // return argeoUser;
- // }
-
 @SuppressWarnings("unchecked")
- public synchronized Set listUsers() {
+ public synchronized Set listUsers() {
 List usernames = (List) ldapTemplate.listBindings(
 new DistinguishedName(userBase), new ContextMapper() {
 public Object mapFromContext(Object ctxArg) {
 DirContextAdapter ctx = (DirContextAdapter) ctxArg;
- return ctx.getStringAttribute(usernameAttributeName);
+ return ctx.getStringAttribute(usernameAttribute);
 }
 });
- TreeSet lst = new TreeSet();
- for (String username : usernames) {
- lst.add(createSimpleArgeoUser(getDetails(username)));
- }
- return Collections.unmodifiableSortedSet(lst);
+ return Collections
+ .unmodifiableSortedSet(new TreeSet(usernames));
 }
 @SuppressWarnings("unchecked")
@@ -169,7 +81,7 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, CurrentUserDao,
 ldapTemplate.listBindings(groupBase, new ContextMapper() {
 public Object mapFromContext(Object ctxArg) {
 String groupName = ((DirContextAdapter) ctxArg)
- .getStringAttribute(groupRoleAttributeName);
+ .getStringAttribute(groupRoleAttribute);
 String roleName = convertGroupToRole(groupName);
 return roleName;
 }
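Review bot: The configuration fields declared at the top of the rewritten class (userBase, usernameAttribute, groupBase, groupClasses, groupRoleAttribute, groupMemberAttribute, defaultRole, rolePrefix) no longer carry the defaults the removed declarations had, and with InitializingBean dropped nothing validates them, so a bean definition that omits one setter now fails only on first use — `new DistinguishedName(userBase)` in listUsers here, and in later hunks `group.startsWith(rolePrefix)` in convertRoleToGroup and `context.setAttributeValues("objectClass", groupClasses)` in createRole — most likely with a NullPointerException that does not name the missing property. If dropping the defaults is intended, the new class Javadoc should say so, e.g. `All LDAP layout properties (user base, username attribute, group base and classes, group role and member attributes, default role, role prefix) are mandatory and have no default; the container must set each one.`; otherwise a fail-fast check at initialisation (an afterPropertiesSet throwing IllegalStateException naming the unset property) would surface the misconfiguration at startup instead of on the first LDAP call. The class body continues past the end of this hunk.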
@@ -177,45 +89,24 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, CurrentUserDao,
 }
 @SuppressWarnings("unchecked")
- public Set listUsersInRole(String role) {
- return (Set) ldapTemplate.lookup(
+ public Set listUsersInRole(String role) {
+ return (Set) ldapTemplate.lookup(
 buildGroupDn(convertRoleToGroup(role)),
 new ContextMapper() {
 public Object mapFromContext(Object ctxArg) {
 DirContextAdapter ctx = (DirContextAdapter) ctxArg;
 String[] userDns = ctx
- .getStringAttributes(groupMemberAttributeName);
- TreeSet set = new TreeSet();
+ .getStringAttributes(groupMemberAttribute);
+ TreeSet set = new TreeSet();
 for (String userDn : userDns) {
 DistinguishedName dn = new DistinguishedName(userDn);
- String username = dn
- .getValue(usernameAttributeName);
- set.add(createSimpleArgeoUser(getDetails(username)));
+ String username = dn.getValue(usernameAttribute);
+ set.add(username);
 }
 return Collections.unmodifiableSortedSet(set);
 }
 });
 }
- public synchronized void updateUser(ArgeoUser user) {
- ArgeoUserDetails argeoUserDetails = new ArgeoUserDetails(user);
- userDetailsManager.updateUser(new ArgeoUserDetails(user));
- // refresh logged in user
- if (ArgeoUserDetails.securityContextUser().getUsername()
- .equals(argeoUserDetails.getUsername())) {
- SecurityContextHolder.getContext().setAuthentication(
- new UsernamePasswordAuthenticationToken(argeoUserDetails,
- null, argeoUserDetails.getAuthorities()));
- }
- }
-
- public synchronized void deleteUser(String username) {
- userDetailsManager.deleteUser(username);
- }
-
- public synchronized Boolean userExists(String username) {
- return userDetailsManager.userExists(username);
- }
-
 public void createRole(String role, final String superuserName) {
 String group = convertRoleToGroup(role);
 DistinguishedName superuserDn = (DistinguishedName) ldapTemplate
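Review bot: In listUsersInRole the `for (String userDn : userDns)` loop that follows the new `.getStringAttributes(groupMemberAttribute)` call still has no guard for a group entry carrying no value of that attribute; as I read the DirContextAdapter contract, getStringAttributes returns null for an absent attribute, so a role whose last member was removed would make the listing throw a NullPointerException instead of returning an empty set. A one-line guard before the loop covers it: `if (userDns == null) return Collections.unmodifiableSortedSet(set);`. Separately, the new `dn.getValue(usernameAttribute)` throws IllegalArgumentException for any member DN without an RDN of that attribute, so a member that is not a user entry breaks the whole listing rather than being skipped, and nothing checks that the member DN actually lies under userBase before its RDN value is reported as a username; whether such members can occur depends on how groups are maintained outside this class. createRole, whose first lines close the hunk, continues beyond it.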
@@ -231,11 +122,8 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, CurrentUserDao,
 DirContextAdapter context = new DirContextAdapter();
 context.setAttributeValues("objectClass", groupClasses);
 context.setAttributeValue("cn", group);
- // Add superuser because cannot create empty group
- context.setAttributeValue(groupMemberAttributeName,
- superuserDn.toString());
-
+ context.setAttributeValue(groupMemberAttribute, superuserDn.toString());
 ldapTemplate.bind(groupDn, context, null);
 }
@@ -245,6 +133,7 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, CurrentUserDao,
 ldapTemplate.unbind(dn);
 }
+ /** Maps a role (ROLE_XXX) to the related LDAP group (xxx) */
 protected String convertRoleToGroup(String role) {
 String group = role;
 if (group.startsWith(rolePrefix)) {
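Review bot: The rewritten `context.setAttributeValue(groupMemberAttribute, superuserDn.toString());` in createRole drops the only explanation of why a freshly created role group gets the superuser as a member — the removed `// Add superuser because cannot create empty group` comment — and a reader of the new line will reasonably take it for an authorization decision rather than a schema workaround (the previously defaulted groupOfNames object class does not permit an entry without a member value). Keep the rationale on the new line, e.g. `// Seed the group with the superuser: the group object class rejects an empty member attribute`. It is also worth stating in a Javadoc on createRole that the named superuser is therefore implicitly granted every role created through this method, since that is a privilege effect a maintainer should see without reading the body. createRole's signature and the superuser DN lookup sit before the start of the hunk.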
@@ -254,48 +143,36 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, CurrentUserDao,
 return group;
 }
- public String convertGroupToRole(String groupName) {
+ /** Maps anLDAP group (xxx) to the related role (ROLE_XXX) */
+ protected String convertGroupToRole(String groupName) {
 groupName = groupName.toUpperCase();
 return rolePrefix + groupName;
 }
 protected Name buildGroupDn(String name) {
- return new DistinguishedName(groupRoleAttributeName + "=" + name + ","
+ return new DistinguishedName(groupRoleAttribute + "=" + name + ","
 + groupBase);
 }
- public void setUserDetailsManager(UserDetailsManager userDetailsManager) {
- this.userDetailsManager = userDetailsManager;
- }
-
 public void setUserBase(String userBase) {
 this.userBase = userBase;
 }
- public void setUsernameAttributeName(String usernameAttribute) {
- this.usernameAttributeName = usernameAttribute;
- }
-
- public void setAuthoritiesPopulator(
- LdapAuthoritiesPopulator authoritiesPopulator) {
- this.authoritiesPopulator = authoritiesPopulator;
- }
-
- protected UserDetails getDetails(String username) {
- return userDetailsManager.loadUserByUsername(username);
+ public void setUsernameAttribute(String usernameAttribute) {
+ this.usernameAttribute = usernameAttribute;
 }
 public void setGroupBase(String groupBase) {
 this.groupBase = groupBase;
 }
- public void setGroupRoleAttributeName(String groupRoleAttributeName) {
- this.groupRoleAttributeName = groupRoleAttributeName;
+ public void setGroupRoleAttribute(String groupRoleAttributeName) {
+ this.groupRoleAttribute = groupRoleAttributeName;
 }
- public void setGroupMemberAttributeName(String groupMemberAttributeName) {
- this.groupMemberAttributeName = groupMemberAttributeName;
+ public void setGroupMemberAttribute(String groupMemberAttributeName) {
+ this.groupMemberAttribute = groupMemberAttributeName;
 }
 public void setDefaultRole(String defaultRole) {
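Review bot: The renamed `return new DistinguishedName(groupRoleAttribute + "=" + name + "," + groupBase);` in buildGroupDn still assembles the DN by string concatenation, so a role name containing DN-special characters (comma, plus, equals, quote, backslash) is never escaped and either fails to parse or designates a different entry than intended; the value comes from convertRoleToGroup(role), and roles reach it from the callers of listUsersInRole and createRole. Letting Spring LDAP build and encode the RDN removes the problem: `DistinguishedName dn = new DistinguishedName(groupBase); dn.add(groupRoleAttribute, name); return dn;`. The concatenation is pre-existing on the old side, but this hunk touches the line. Separately, the new Javadoc on convertGroupToRole reads `anLDAP`; it should read `an LDAP`.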
@@ -310,22 +187,6 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, CurrentUserDao,
 this.usernameMapper = usernameMapper;
 }
- public void setUserDetailsMapper(UserDetailsContextMapper userDetailsMapper) {
- this.userDetailsMapper = userDetailsMapper;
- }
-
- public LdapAuthoritiesPopulator getAuthoritiesPopulator() {
- return authoritiesPopulator;
- }
-
- public UserDetailsContextMapper getUserDetailsMapper() {
- return userDetailsMapper;
- }
-
- public void setUserNatureMappers(List userNatureMappers) {
- this.userNatureMappers = userNatureMappers;
- }
-
 public String getDefaultRole() {
 return defaultRole;
 }
@@ -333,9 +194,4 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, CurrentUserDao,
 public void setGroupClasses(String[] groupClasses) {
 this.groupClasses = groupClasses;
 }
-
- public UserDetailsService getUserDetailsService() {
- return ldapUserDetailsService;
- }
-
 }