ActiveDirectoryLdapAuthenticationProvider

Class Overview

Specialized LDAP authentication provider which uses Active Directory configuration conventions.

It will authenticate using the Active Directory userPrincipalName (in the form username@domain). If the username does not already end with the domain name, the userPrincipalName will be built by appending the configured domain name to the username supplied in the authentication request. If no domain name is configured, it is assumed that the username will always contain the domain name.

The user authorities are obtained from the data contained in the memberOf attribute.

Active Directory Sub-Error Codes

When an authentication fails, resulting in a standard LDAP 49 error code, Active Directory also supplies its own sub-error codes within the error message. These will be used to provide additional log information on why an authentication has failed. Typical examples are

• 525 - user not found
• 52e - invalid credentials
• 530 - not permitted to logon at this time
• 532 - password expired
• 533 - account disabled
• 701 - account expired
• 773 - user must reset password
• 775 - account locked

If you set the convertSubErrorCodesToExceptions property to true, the codes will also be used to control the exception raised.

Summary

[Expand] Inherited Fields
From class org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider protected final Log logger protected MessageSourceAccessor messages protected UserDetailsContextMapper userDetailsContextMapper

Public Constructors
	ActiveDirectoryLdapAuthenticationProvider(String domain, String url)

Public Methods
void	setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToExceptions) By default, a failed authentication (LDAP error 49) will result in a BadCredentialsException.

Protected Methods
DirContextOperations	doAuthentication(UsernamePasswordAuthenticationToken auth)
Collection<? extends GrantedAuthority>	loadUserAuthorities(DirContextOperations userData, String username, String password) Creates the user authority list from the values of the memberOf attribute obtained from the user's Active Directory entry.

[Expand] Inherited Methods
From class org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider Authentication authenticate(Authentication authentication) Performs authentication with the same contract as authenticate(Authentication). Authentication createSuccessfulAuthentication(UsernamePasswordAuthenticationToken authentication, UserDetails user) Creates the final Authentication object which will be returned from the authenticate method. abstract DirContextOperations doAuthentication(UsernamePasswordAuthenticationToken auth) UserDetailsContextMapper getUserDetailsContextMapper() Provides access to the injected UserDetailsContextMapper strategy for use by subclasses. abstract Collection<? extends GrantedAuthority> loadUserAuthorities(DirContextOperations userData, String username, String password) void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper) void setMessageSource(MessageSource messageSource) void setUseAuthenticationRequestCredentials(boolean useAuthenticationRequestCredentials) Determines whether the supplied password will be used as the credentials in the successful authentication token. void setUserDetailsContextMapper(UserDetailsContextMapper userDetailsContextMapper) Allows a custom strategy to be used for creating the UserDetails which will be stored as the principal in the Authentication returned by the createSuccessfulAuthentication(org.springframework.security.authentication.UsernamePasswordAuthenticationToken, org.springframework.security.core.userdetails.UserDetails) method. boolean supports(Class<?> authentication) Returns true if this AuthenticationProvider supports the indicated Authentication object.
From class java.lang.Object Object clone() boolean equals(Object arg0) void finalize() final Class<?> getClass() int hashCode() final void notify() final void notifyAll() String toString() final void wait() final void wait(long arg0, int arg1) final void wait(long arg0)
From interface org.springframework.context.MessageSourceAware abstract void setMessageSource(MessageSource arg0)
From interface org.springframework.security.authentication.AuthenticationProvider abstract Authentication authenticate(Authentication authentication) Performs authentication with the same contract as authenticate(Authentication). abstract boolean supports(Class<?> authentication) Returns true if this AuthenticationProvider supports the indicated Authentication object.