From bc8ea2bc7b9e101d11ef93677c6fd25ea45099f8 Mon Sep 17 00:00:00 2001
From: Mathieu Baudier <mbaudier@argeo.org>
Date: Fri, 21 Feb 2014 13:56:02 +0000
Subject: [PATCH] Bind-only LDAP security DAO, without user management
 https://www.argeo.org/bugzilla/show_bug.cgi?id=168

git-svn-id: https://svn.argeo.org/commons/trunk@6838 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---
 .../org.argeo.security.auth.ldap/.project     |  2 +-
 .../META-INF/spring/security-ldap-osgi.xml    | 16 ++--
 .../spring/security-ldap-services.xml         | 22 ++---
 .../META-INF/spring/security-ldap.xml         | 88 +++++++++----------
 .../org.argeo.security.auth.ldap/pom.xml      |  4 +-
 security/modules/pom.xml                      |  1 +
 .../ldap/jcr/JcrLdapSynchronizer.java         |  4 +-
 7 files changed, 70 insertions(+), 67 deletions(-)

diff --git a/security/modules/org.argeo.security.auth.ldap/.project b/security/modules/org.argeo.security.auth.ldap/.project
index cd8b39380..0c72d5914 100644
--- a/security/modules/org.argeo.security.auth.ldap/.project
+++ b/security/modules/org.argeo.security.auth.ldap/.project
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <projectDescription>
-	<name>org.argeo.security.dao.ldap</name>
+	<name>org.argeo.security.auth.ldap</name>
 	<comment></comment>
 	<projects>
 	</projects>
diff --git a/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-osgi.xml b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-osgi.xml
index aa3b67ac6..d817f9644 100644
--- a/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-osgi.xml
+++ b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-osgi.xml
@@ -16,12 +16,12 @@
 		context-class-loader="service-provider" />
 
 	<!-- User management -->
-	<service ref="userDetailsManager"
-		interface="org.springframework.security.userdetails.UserDetailsService"
-		context-class-loader="service-provider" />
-	<service ref="userDetailsManager"
-		interface="org.springframework.security.userdetails.UserDetailsManager"
-		context-class-loader="service-provider" />
-	<service ref="userDetailsManager" interface="org.argeo.security.UserAdminService"
-		context-class-loader="service-provider" />
+<!-- 	<service ref="userDetailsManager" -->
+<!-- 		interface="org.springframework.security.userdetails.UserDetailsService" -->
+<!-- 		context-class-loader="service-provider" /> -->
+<!-- 	<service ref="userDetailsManager" -->
+<!-- 		interface="org.springframework.security.userdetails.UserDetailsManager" -->
+<!-- 		context-class-loader="service-provider" /> -->
+<!-- 	<service ref="userDetailsManager" interface="org.argeo.security.UserAdminService" -->
+<!-- 		context-class-loader="service-provider" /> -->
 </beans:beans>
\ No newline at end of file
diff --git a/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-services.xml b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-services.xml
index 36dedf389..0b9a8b8f0 100644
--- a/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-services.xml
+++ b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-services.xml
@@ -8,7 +8,7 @@
 		<property name="providers">
 			<list>
 				<ref bean="authByAdapterProvider" />
-				<ref bean="preAuthProvider" />
+<!-- 				<ref bean="preAuthProvider" /> -->
 				<ref bean="anonymousAuthenticationProvider" />
 				<ref bean="rememberMeAuthenticationProvider" />
 				<ref bean="ldapAuthenticationProvider" />
@@ -23,16 +23,16 @@
 		<property name="key" value="${argeo.security.systemKey}" />
 	</bean>
 
-	<bean id="preAuthProvider"
-		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
-		<description><![CDATA[Pre-authentication]]></description>
-		<property name="preAuthenticatedUserDetailsService">
-			<bean id="userDetailsServiceWrapper"
-				class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
-				<property name="userDetailsService" ref="userDetailsManager" />
-			</bean>
-		</property>
-	</bean>
+<!-- 	<bean id="preAuthProvider" -->
+<!-- 		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider"> -->
+<!-- 		<description><![CDATA[Pre-authentication]]></description> -->
+<!-- 		<property name="preAuthenticatedUserDetailsService"> -->
+<!-- 			<bean id="userDetailsServiceWrapper" -->
+<!-- 				class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper"> -->
+<!-- 				<property name="userDetailsService" ref="userDetailsManager" /> -->
+<!-- 			</bean> -->
+<!-- 		</property> -->
+<!-- 	</bean> -->
 
 	<bean id="anonymousAuthenticationProvider"
 		class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
diff --git a/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap.xml b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap.xml
index 3777f8853..f367aba1d 100644
--- a/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap.xml
+++ b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap.xml
@@ -22,59 +22,59 @@
 	</bean>
 
 	<!-- PasswordComparisonAuthenticator doesn't work with SSHA -->
+<!-- 	<bean id="ldapAuthenticator" -->
+<!-- 		class="org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticator"> -->
+<!-- 		<constructor-arg ref="contextSource" /> -->
+<!-- 		<property name="userDnPatterns"> -->
+<!-- 			<list> -->
+<!-- 				<value><![CDATA[${argeo.ldap.usernameAttribute}={0},${argeo.ldap.userBase}]]></value> -->
+<!-- 			</list> -->
+<!-- 		</property> -->
+<!-- 		<property name="passwordAttributeName" value="${argeo.ldap.passwordAttribute}" /> -->
+<!-- 		<property name="passwordEncoder" ref="passwordEncoder" /> -->
+<!-- 	</bean> -->
+
+	<!-- Bind authenticator doesn't work with Apache DS 1.0 -->
 	<bean id="ldapAuthenticator"
-		class="org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticator">
+		class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
 		<constructor-arg ref="contextSource" />
 		<property name="userDnPatterns">
 			<list>
 				<value><![CDATA[${argeo.ldap.usernameAttribute}={0},${argeo.ldap.userBase}]]></value>
 			</list>
 		</property>
-		<property name="passwordAttributeName" value="${argeo.ldap.passwordAttribute}" />
-		<property name="passwordEncoder" ref="passwordEncoder" />
 	</bean>
 
-	<!-- Bind authenticator doesn't work with Apache DS 1.0 -->
-	<!-- <bean id="ldapAuthenticator" -->
-	<!-- class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator"> -->
-	<!-- <constructor-arg ref="contextSource" /> -->
-	<!-- <property name="userDnPatterns"> -->
-	<!-- <list> -->
-	<!-- <value><![CDATA[${argeo.ldap.usernameAttribute}={0},${argeo.ldap.userBase}]]></value> -->
-	<!-- </list> -->
-	<!-- </property> -->
-	<!-- </bean> -->
-
 	<!-- USER DETAILS -->
-	<bean id="userDetailsManager" class="org.argeo.security.ldap.ArgeoLdapUserDetailsManager">
-		<constructor-arg ref="contextSource" />
-		<property name="groupSearchBase" value="${argeo.ldap.groupBase}" />
-		<property name="groupMemberAttributeName" value="${argeo.ldap.groupMemberAttribute}" />
-		<property name="usernameMapper" ref="usernameMapper" />
-		<property name="userDetailsMapper" ref="jcrLdapSynchronizer" />
-		<property name="userAdminDao" ref="userAdminDao" />
-		<property name="passwordEncoder" ref="passwordEncoder" />
-		<property name="passwordAttributeName" value="${argeo.ldap.passwordAttribute}" />
-		<property name="superUsername" value="${argeo.security.superUsername}" />
-	</bean>
+<!-- 	<bean id="userDetailsManager" class="org.argeo.security.ldap.ArgeoLdapUserDetailsManager"> -->
+<!-- 		<constructor-arg ref="contextSource" /> -->
+<!-- 		<property name="groupSearchBase" value="${argeo.ldap.groupBase}" /> -->
+<!-- 		<property name="groupMemberAttributeName" value="${argeo.ldap.groupMemberAttribute}" /> -->
+<!-- 		<property name="usernameMapper" ref="usernameMapper" /> -->
+<!-- 		<property name="userDetailsMapper" ref="jcrLdapSynchronizer" /> -->
+<!-- 		<property name="userAdminDao" ref="userAdminDao" /> -->
+<!-- 		<property name="passwordEncoder" ref="passwordEncoder" /> -->
+<!-- 		<property name="passwordAttributeName" value="${argeo.ldap.passwordAttribute}" /> -->
+<!-- 		<property name="superUsername" value="${argeo.security.superUsername}" /> -->
+<!-- 	</bean> -->
 
-	<bean id="userAdminDao" class="org.argeo.security.ldap.ArgeoUserAdminDaoLdap">
-		<constructor-arg ref="contextSource" />
-		<property name="userBase" value="${argeo.ldap.userBase}" />
-		<property name="usernameAttribute" value="${argeo.ldap.usernameAttribute}" />
-		<property name="groupClasses">
-			<list>
-				<value>top</value>
-				<value>${argeo.ldap.groupClass}</value>
-			</list>
-		</property>
-		<property name="groupBase" value="${argeo.ldap.groupBase}" />
-		<property name="groupRoleAttribute" value="${argeo.ldap.groupRoleAttribute}" />
-		<property name="groupMemberAttribute" value="${argeo.ldap.groupMemberAttribute}" />
-		<property name="defaultRole" value="${argeo.security.defaultRole}" />
-		<property name="rolePrefix" value="${argeo.security.rolePrefix}" />
-		<property name="usernameMapper" ref="usernameMapper" />
-	</bean>
+<!-- 	<bean id="userAdminDao" class="org.argeo.security.ldap.ArgeoUserAdminDaoLdap"> -->
+<!-- 		<constructor-arg ref="contextSource" /> -->
+<!-- 		<property name="userBase" value="${argeo.ldap.userBase}" /> -->
+<!-- 		<property name="usernameAttribute" value="${argeo.ldap.usernameAttribute}" /> -->
+<!-- 		<property name="groupClasses"> -->
+<!-- 			<list> -->
+<!-- 				<value>top</value> -->
+<!-- 				<value>${argeo.ldap.groupClass}</value> -->
+<!-- 			</list> -->
+<!-- 		</property> -->
+<!-- 		<property name="groupBase" value="${argeo.ldap.groupBase}" /> -->
+<!-- 		<property name="groupRoleAttribute" value="${argeo.ldap.groupRoleAttribute}" /> -->
+<!-- 		<property name="groupMemberAttribute" value="${argeo.ldap.groupMemberAttribute}" /> -->
+<!-- 		<property name="defaultRole" value="${argeo.security.defaultRole}" /> -->
+<!-- 		<property name="rolePrefix" value="${argeo.security.rolePrefix}" /> -->
+<!-- 		<property name="usernameMapper" ref="usernameMapper" /> -->
+<!-- 	</bean> -->
 
 	<bean id="usernameMapper"
 		class="org.springframework.security.ldap.DefaultLdapUsernameToDnMapper">
@@ -96,8 +96,8 @@
 		class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
 		<constructor-arg
 			value="${argeo.ldap.protocol}://${argeo.ldap.host}:${argeo.ldap.port}/${argeo.ldap.rootdn}" />
-		<property name="userDn" value="${argeo.ldap.manager.userdn}" />
-		<property name="password" value="${argeo.ldap.manager.password}" />
+<!-- 		<property name="userDn" value="${argeo.ldap.manager.userdn}" /> -->
+<!-- 		<property name="password" value="${argeo.ldap.manager.password}" /> -->
 	</bean>
 
 	<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
diff --git a/security/modules/org.argeo.security.auth.ldap/pom.xml b/security/modules/org.argeo.security.auth.ldap/pom.xml
index 6c3cf75f4..3f0dca9cf 100644
--- a/security/modules/org.argeo.security.auth.ldap/pom.xml
+++ b/security/modules/org.argeo.security.auth.ldap/pom.xml
@@ -6,8 +6,8 @@
 		<artifactId>modules</artifactId>
 		<relativePath>..</relativePath>
 	</parent>
-	<artifactId>org.argeo.security.dao.ldap</artifactId>
-	<name>Commons Security DAO LDAP</name>
+	<artifactId>org.argeo.security.auth.ldap</artifactId>
+	<name>Commons Security Auth LDAP</name>
 	<build>
 		<plugins>
 			<plugin>
diff --git a/security/modules/pom.xml b/security/modules/pom.xml
index 5bbeba8fd..38469edd7 100644
--- a/security/modules/pom.xml
+++ b/security/modules/pom.xml
@@ -15,6 +15,7 @@
 		<module>org.argeo.security.dao.os</module>
 		<module>org.argeo.security.dao.jackrabbit</module>
 		<module>org.argeo.security.dao.ldap</module>
+		<module>org.argeo.security.auth.ldap</module>
 		<module>org.argeo.security.webapp</module>
 	</modules>
 	<build>
diff --git a/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/jcr/JcrLdapSynchronizer.java b/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/jcr/JcrLdapSynchronizer.java
index 08c985c3b..3e9e2cbfa 100644
--- a/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/jcr/JcrLdapSynchronizer.java
+++ b/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/jcr/JcrLdapSynchronizer.java
@@ -23,6 +23,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Random;
 import java.util.SortedSet;
+import java.util.UUID;
 
 import javax.jcr.Node;
 import javax.jcr.NodeIterator;
@@ -277,7 +278,8 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 				.getAttributeSortedStringSet(passwordAttribute);
 		String password;
 		if (passwordAttributes == null || passwordAttributes.size() == 0) {
-			throw new ArgeoException("No password found for user " + username);
+			//throw new ArgeoException("No password found for user " + username);
+			password = "NULL";
 		} else {
 			byte[] arr = (byte[]) passwordAttributes.first();
 			password = new String(arr);
-- 
2.30.2