Skip to content

SEC-1915 Add cutomisation of search filter in ActiveDirectoryLdapAuthenticationProvider #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,8 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
private final String rootDn;
private final String url;
private boolean convertSubErrorCodesToExceptions;
private String searchFilter = "(&(objectClass=user)(userPrincipalName={0}))";
private boolean searchByBindPrincipal = true;

// Only used to allow tests to substitute a mock LdapContext
ContextFactory contextFactory = new ContextFactory();
Expand Down Expand Up @@ -169,7 +171,7 @@ private DirContext bindAsUser(String username, String password) {

Hashtable<String,String> env = new Hashtable<String,String>();
env.put(Context.SECURITY_AUTHENTICATION, "simple");
String bindPrincipal = createBindPrincipal(username);
String bindPrincipal = searchByBindPrincipal ? createBindPrincipal(username) : username;
env.put(Context.SECURITY_PRINCIPAL, bindPrincipal);
env.put(Context.PROVIDER_URL, bindUrl);
env.put(Context.SECURITY_CREDENTIALS, password);
Expand Down Expand Up @@ -273,9 +275,7 @@ private DirContextOperations searchForUser(DirContext ctx, String username) thro
SearchControls searchCtls = new SearchControls();
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

String searchFilter = "(&(objectClass=user)(userPrincipalName={0}))";

final String bindPrincipal = createBindPrincipal(username);
final String bindPrincipal = searchByBindPrincipal ? createBindPrincipal(username) : username;

String searchRoot = rootDn != null ? rootDn : searchRootFromPrincipal(bindPrincipal);

Expand Down Expand Up @@ -340,6 +340,31 @@ public void setConvertSubErrorCodesToExceptions(boolean convertSubErrorCodesToEx
this.convertSubErrorCodesToExceptions = convertSubErrorCodesToExceptions;
}

/**
* If this property is set to {@code true}, the bind principal ({@code user@domain})
* is used to bind and lookup users's authorities.
* If set to {@code false} only the username is used.
* Defaults to {@code true}.
*
* @param searchByBindPrincipal
*/
public void setSearchByBindPrincipal(boolean searchByBindPrincipal)
{
this.searchByBindPrincipal = searchByBindPrincipal;
}

/**
* Custom search filter that is used to lookup user's authorities.
* Occurrences of {0} are replaced with the username or bind principal, depending on {@link #searchByBindPrincipal}.
* The default is: {@code (&amp;(objectClass=user)(userPrincipalName={0})) }.
*
* @param searchFilter
*/
public void setSearchFilter(String searchFilter)
{
this.searchFilter = searchFilter;
}

static class ContextFactory {
DirContext createContext(Hashtable<?,?> env) throws NamingException {
return new InitialLdapContext(env, null);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
package org.springframework.security.ldap.authentication.ad;

import static org.junit.Assert.*;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.*;
import static org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.ContextFactory;

Expand All @@ -33,11 +34,9 @@
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
Expand Down Expand Up @@ -86,7 +85,7 @@ public void successfulAuthenticationProducesExpectedAuthorities() throws Excepti

assertEquals(0, result.getAuthorities().size());

dca.addAttributeValue("memberOf","CN=Admin,CN=Users,DC=mydomain,DC=eu");
dca.addAttributeValue("memberOf", "CN=Admin,CN=Users,DC=mydomain,DC=eu");

sr.setAttributes(dca.getAttributes());

Expand All @@ -95,6 +94,7 @@ public void successfulAuthenticationProducesExpectedAuthorities() throws Excepti
assertEquals(1, result.getAuthorities().size());
}


@Test
public void nullDomainIsSupportedIfAuthenticatingWithFullUserPrincipal() throws Exception {
provider = new ActiveDirectoryLdapAuthenticationProvider(null, "ldap://192.168.1.200/");
Expand Down Expand Up @@ -264,6 +264,43 @@ public void nonAuthenticationExceptionIsConvertedToSpringLdapException() throws
provider.authenticate(joe);
}

@Test
public void searchFilterIsUsedInAuthorityLookup() throws Exception {

String customFilter = "(&(objectClass=user)(sAMAccountName={0}))";
DirContext ctx = mock(DirContext.class);
when(ctx.getNameInNamespace()).thenReturn("");

DirContextAdapter dca = new DirContextAdapter();
SearchResult sr = new SearchResult("CN=Joe Jannsen,CN=Users", null, dca.getAttributes());
when(ctx.search(any(Name.class), eq(customFilter), any(Object[].class), any(SearchControls.class)))
.thenReturn(new MockNamingEnumeration(sr))
.thenReturn(new MockNamingEnumeration(sr));

provider.contextFactory = createContextFactoryReturning(ctx);
provider.setSearchFilter(customFilter);
provider.authenticate(joe);
}

@Test
public void usernameUsedInAuthorityLookupWhenSearchByBindPrincipalIsFalse() throws Exception {

DirContext ctx = mock(DirContext.class);
when(ctx.getNameInNamespace()).thenReturn("");

DirContextAdapter dca = new DirContextAdapter();
SearchResult sr = new SearchResult("CN=Joe Jannsen,CN=Users", null, dca.getAttributes());
when(ctx.search(any(Name.class), any(String.class), eq(new String[]{joe.getName()}), any(SearchControls.class)))
.thenReturn(new MockNamingEnumeration(sr))
.thenReturn(new MockNamingEnumeration(sr));

provider.contextFactory = createContextFactoryReturning(ctx);
provider.setSearchByBindPrincipal(false);
provider.authenticate(joe);

assertEquals(joe.getName(), ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL) );
}

ContextFactory createContextFactoryThrowing(final NamingException e) {
return new ContextFactory() {
@Override
Expand All @@ -277,7 +314,8 @@ DirContext createContext(Hashtable<?, ?> env) throws NamingException {
ContextFactory createContextFactoryReturning(final DirContext ctx) {
return new ContextFactory() {
@Override
DirContext createContext(Hashtable<?, ?> env) throws NamingException {
DirContext createContext(Hashtable env) throws NamingException {
when(ctx.getEnvironment()).thenReturn( env );
return ctx;
}
};
Expand Down