From ff1367187d728854f39a55e360f8908d4ab04159 Mon Sep 17 00:00:00 2001
From: Mathieu Baudier <mbaudier@argeo.org>
Date: Sat, 19 Sep 2009 11:01:10 +0000
Subject: [PATCH] Restructure interface with Spring security.

git-svn-id: https://svn.argeo.org/commons/trunk@2977 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---
 .../META-INF/spring/dao.xml                   |  13 --
 .../META-INF/spring/ldap.xml                  |  62 +++++----
 .../security/ldap/ArgeoSecurityDaoLdap.java   | 127 ++++++++++++++----
 3 files changed, 137 insertions(+), 65 deletions(-)
 delete mode 100644 security/modules/org.argeo.security.manager.ldap/META-INF/spring/dao.xml

diff --git a/security/modules/org.argeo.security.manager.ldap/META-INF/spring/dao.xml b/security/modules/org.argeo.security.manager.ldap/META-INF/spring/dao.xml
deleted file mode 100644
index dc1ad373b..000000000
--- a/security/modules/org.argeo.security.manager.ldap/META-INF/spring/dao.xml
+++ /dev/null
@@ -1,13 +0,0 @@
-<beans xmlns="http://www.springframework.org/schema/beans"
-	xmlns:security="http://www.springframework.org/schema/security"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
-              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
-
-
-	<bean id="securityDao" class="org.argeo.security.ldap.ArgeoSecurityDaoLdap">
-		<constructor-arg ref="contextSource" />
-		<property name="userDetailsManager" ref="userDetailsManager" />
-		<property name="authoritiesPopulator" ref="authoritiesPopulator" />
-	</bean>
-</beans>
diff --git a/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap.xml b/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap.xml
index ddfa022f7..534bfe5df 100644
--- a/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap.xml
+++ b/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap.xml
@@ -22,47 +22,53 @@
 
 	<bean id="authenticationProvider"
 		class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
+		<constructor-arg ref="ldapAuthenticator" />
 		<constructor-arg>
-			<bean
-				class="org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticator">
-				<constructor-arg ref="contextSource" />
-				<property name="userDnPatterns">
-					<list>
-						<value>uid={0},ou=users</value>
-					</list>
-				</property>
-				<property name="passwordEncoder">
-					<bean
-						class="org.springframework.security.providers.ldap.authenticator.LdapShaPasswordEncoder"></bean>
-				</property>
-			</bean>
+			<bean factory-bean="securityDao" factory-method="getAuthoritiesPopulator" />
 		</constructor-arg>
-		<constructor-arg ref="authoritiesPopulator" />
-		<property name="userDetailsContextMapper" ref="userDetailsMapper" />
+		<property name="userDetailsContextMapper">
+			<bean factory-bean="securityDao" factory-method="getUserDetailsMapper" />
+		</property>
 	</bean>
 
-	<bean id="authoritiesPopulator" class="org.argeo.security.ldap.ArgeoLdapAuthoritiesPopulator">
+	<bean id="securityDao" class="org.argeo.security.ldap.ArgeoSecurityDaoLdap">
 		<constructor-arg ref="contextSource" />
-		<constructor-arg value="ou=groups" />
-		<property name="defaultRole" value="ROLE_USER" />
-		<property name="groupSearchFilter" value="uniqueMember={0}" />
+		<property name="userNatureMappers" ref="userNatureMappers" />
 	</bean>
 
-	<bean id="userDetailsManager"
-		class="org.springframework.security.userdetails.ldap.LdapUserDetailsManager">
+	<bean id="ldapAuthenticator"
+		class="org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticator">
 		<constructor-arg ref="contextSource" />
-		<property name="userDetailsMapper" ref="userDetailsMapper" />
-		<property name="groupSearchBase" value="ou=groups" />
-		<property name="usernameMapper">
+		<property name="userDnPatterns">
+			<list>
+				<value>uid={0},ou=users</value>
+			</list>
+		</property>
+		<property name="passwordEncoder">
 			<bean
-				class="org.springframework.security.ldap.DefaultLdapUsernameToDnMapper">
-				<constructor-arg value="ou=users" />
-				<constructor-arg value="uid" />
-			</bean>
+				class="org.springframework.security.providers.ldap.authenticator.LdapShaPasswordEncoder" />
 		</property>
 	</bean>
 
+
+	<!--
+		<bean id="authoritiesPopulator"
+		class="org.argeo.security.ldap.ArgeoLdapAuthoritiesPopulator">
+		<constructor-arg ref="contextSource" /> <constructor-arg
+		value="ou=groups" /> <property name="defaultRole" value="ROLE_USER" />
+		<property name="groupSearchFilter" value="uniqueMember={0}" /> </bean>
+
+		<bean id="userDetailsManager"
+		class="org.springframework.security.userdetails.ldap.LdapUserDetailsManager">
+		<constructor-arg ref="contextSource" /> <property
+		name="userDetailsMapper" ref="userDetailsMapper" /> <property
+		name="groupSearchBase" value="ou=groups" /> <property
+		name="usernameMapper"> <bean
+		class="org.springframework.security.ldap.DefaultLdapUsernameToDnMapper">
+		<constructor-arg value="ou=users" /> <constructor-arg value="uid" />
+		</bean> </property> </bean>
 	<bean id="userDetailsMapper" class="org.argeo.security.ldap.ArgeoUserDetailsContextMapper">
 		<property name="userNatureMappers" ref="userNatureMappers" />
 	</bean>
+	-->
 </beans>
diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
index ae1fceea3..83e090661 100644
--- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
+++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
@@ -20,28 +20,64 @@ import org.springframework.ldap.core.DirContextAdapter;
 import org.springframework.ldap.core.DistinguishedName;
 import org.springframework.ldap.core.LdapTemplate;
 import org.springframework.security.ldap.DefaultLdapUsernameToDnMapper;
+import org.springframework.security.ldap.LdapAuthoritiesPopulator;
 import org.springframework.security.ldap.LdapUsernameToDnMapper;
 import org.springframework.security.ldap.LdapUtils;
+import org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.userdetails.UserDetails;
 import org.springframework.security.userdetails.UserDetailsManager;
+import org.springframework.security.userdetails.ldap.LdapUserDetailsManager;
+import org.springframework.security.userdetails.ldap.UserDetailsContextMapper;
 
 public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean {
 	// private final static Log log = LogFactory.getLog(UserDaoLdap.class);
 
 	private UserDetailsManager userDetailsManager;
-	private ArgeoLdapAuthoritiesPopulator authoritiesPopulator;
+	private LdapAuthoritiesPopulator authoritiesPopulator;
 	private String userBase = "ou=users";
-	private String usernameAttribute = "uid";
+	private String usernameAttributeName = "uid";
+	private String groupBase = "ou=groups";
+	private String groupRoleAttributeName = "cn";
+	private String groupMemberAttributeName = "uniquemember";
+	private String defaultRole = "ROLE_USER";
+	private String rolePrefix = "ROLE_";
 
 	private final LdapTemplate ldapTemplate;
 
-	/* TODO: factorize with user details manager */
 	private LdapUsernameToDnMapper usernameMapper = null;
 
+	private UserDetailsContextMapper userDetailsMapper;
+	private List<UserNatureMapper> userNatureMappers;
+
 	public void afterPropertiesSet() throws Exception {
 		if (usernameMapper == null)
 			usernameMapper = new DefaultLdapUsernameToDnMapper(userBase,
-					usernameAttribute);
+					usernameAttributeName);
+
+		if (authoritiesPopulator == null) {
+			DefaultLdapAuthoritiesPopulator ap = new DefaultLdapAuthoritiesPopulator(
+					ldapTemplate.getContextSource(), groupBase);
+			ap.setDefaultRole(defaultRole);
+			ap.setGroupSearchFilter(groupMemberAttributeName + "={0}");
+			authoritiesPopulator = ap;
+		}
+
+		if (userDetailsMapper == null) {
+			ArgeoUserDetailsContextMapper audm = new ArgeoUserDetailsContextMapper();
+			audm.setUserNatureMappers(userNatureMappers);
+			userDetailsMapper = audm;
+		}
+
+		if (userDetailsManager == null) {
+			LdapUserDetailsManager ludm = new LdapUserDetailsManager(
+					ldapTemplate.getContextSource());
+			ludm.setGroupSearchBase(groupBase);
+			ludm.setUserDetailsMapper(userDetailsMapper);
+			ludm.setUsernameMapper(usernameMapper);
+			ludm.setGroupMemberAttributeName(groupMemberAttributeName);
+			userDetailsManager = ludm;
+		}
+
 	}
 
 	public ArgeoSecurityDaoLdap(ContextSource contextSource) {
@@ -62,7 +98,7 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean
 				new DistinguishedName(userBase), new ContextMapper() {
 					public Object mapFromContext(Object ctxArg) {
 						DirContextAdapter ctx = (DirContextAdapter) ctxArg;
-						return ctx.getStringAttribute(usernameAttribute);
+						return ctx.getStringAttribute(usernameAttributeName);
 					}
 				});
 
@@ -75,17 +111,15 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean
 
 	@SuppressWarnings("unchecked")
 	public List<String> listEditableRoles() {
-		return (List<String>) ldapTemplate.listBindings(authoritiesPopulator
-				.getGroupSearchBase(), new ContextMapper() {
-			public Object mapFromContext(Object ctxArg) {
-				String groupName = ((DirContextAdapter) ctxArg)
-						.getStringAttribute(authoritiesPopulator
-								.getGroupRoleAttribute());
-				String roleName = authoritiesPopulator
-						.convertGroupToRole(groupName);
-				return roleName;
-			}
-		});
+		return (List<String>) ldapTemplate.listBindings(groupBase,
+				new ContextMapper() {
+					public Object mapFromContext(Object ctxArg) {
+						String groupName = ((DirContextAdapter) ctxArg)
+								.getStringAttribute(groupRoleAttributeName);
+						String roleName = convertGroupToRole(groupName);
+						return roleName;
+					}
+				});
 	}
 
 	public void update(ArgeoUser user) {
@@ -134,18 +168,23 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean
 	}
 
 	protected String convertRoleToGroup(String role) {
-		// FIXME: factorize with spring security
 		String group = role;
-		if (group.startsWith("ROLE_")) {
-			group = group.substring("ROLE_".length());
+		if (group.startsWith(rolePrefix)) {
+			group = group.substring(rolePrefix.length());
 			group = group.toLowerCase();
 		}
 		return group;
 	}
 
+	public String convertGroupToRole(String groupName) {
+		groupName = groupName.toUpperCase();
+
+		return rolePrefix + groupName;
+	}
+
 	protected Name buildGroupDn(String name) {
-		return new DistinguishedName("cn=" + name + ","
-				+ authoritiesPopulator.getGroupSearchBase());
+		return new DistinguishedName(groupRoleAttributeName + "=" + name + ","
+				+ groupBase);
 	}
 
 	public void setUserDetailsManager(UserDetailsManager userDetailsManager) {
@@ -156,16 +195,56 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean
 		this.userBase = userBase;
 	}
 
-	public void setUsernameAttribute(String usernameAttribute) {
-		this.usernameAttribute = usernameAttribute;
+	public void setUsernameAttributeName(String usernameAttribute) {
+		this.usernameAttributeName = usernameAttribute;
 	}
 
 	public void setAuthoritiesPopulator(
-			ArgeoLdapAuthoritiesPopulator authoritiesPopulator) {
+			LdapAuthoritiesPopulator authoritiesPopulator) {
 		this.authoritiesPopulator = authoritiesPopulator;
 	}
 
 	protected UserDetails getDetails(String username) {
 		return userDetailsManager.loadUserByUsername(username);
 	}
+
+	public void setGroupBase(String groupBase) {
+		this.groupBase = groupBase;
+	}
+
+	public void setGroupRoleAttributeName(String groupRoleAttributeName) {
+		this.groupRoleAttributeName = groupRoleAttributeName;
+	}
+
+	public void setGroupMemberAttributeName(String groupMemberAttributeName) {
+		this.groupMemberAttributeName = groupMemberAttributeName;
+	}
+
+	public void setDefaultRole(String defaultRole) {
+		this.defaultRole = defaultRole;
+	}
+
+	public void setRolePrefix(String rolePrefix) {
+		this.rolePrefix = rolePrefix;
+	}
+
+	public void setUsernameMapper(LdapUsernameToDnMapper usernameMapper) {
+		this.usernameMapper = usernameMapper;
+	}
+
+	public void setUserDetailsMapper(UserDetailsContextMapper userDetailsMapper) {
+		this.userDetailsMapper = userDetailsMapper;
+	}
+
+	public LdapAuthoritiesPopulator getAuthoritiesPopulator() {
+		return authoritiesPopulator;
+	}
+
+	public UserDetailsContextMapper getUserDetailsMapper() {
+		return userDetailsMapper;
+	}
+
+	public void setUserNatureMappers(List<UserNatureMapper> userNatureMappers) {
+		this.userNatureMappers = userNatureMappers;
+	}
 }
-- 
2.30.2