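<!-- LDAP connection context: the directory URL and the service ("manager") account the
     application binds as when it searches for user accounts and group memberships.
     Both the URL and the bind password are read from externalized properties, so a
     property placeholder configurer must be declared elsewhere in the context; do not put
     the bind password back into this file or commit it to source control. -->
<b:bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <!-- e.g. ldaps://ldap.company.com:636/dc=company,dc=com
         Plain ldap:// on port 389 sends the manager password and every user's simple-bind
         password in cleartext; use ldaps:// (or StartTLS) for anything beyond a local test
         directory. -->
    <b:constructor-arg value="${ldap.url}" />
    <!-- Cleared so that the search bases configured on the beans below are used as absolute
         DNs rather than relative to the DN in the URL. NOTE(review): confirm against the
         Spring LDAP version in use. -->
    <b:property name="base" value="" />
    <!-- Service account for the search binds; give it read-only rights and nothing more. -->
    <b:property name="userDn" value="cn=fredf,ou=users,ou=acme,dc=company,dc=com" />
    <b:property name="password" value="${ldap.manager.password}" />
</b:bean>

<!-- User account lookup, used by ldapBindAuthenticator: starting at the base DN, search the
     subtree for the single entry whose sAMAccountName equals the submitted login name.
     {0} is replaced by the username, which Spring Security filter-encodes; never build this
     filter from the raw username by string concatenation elsewhere. -->
<b:bean id="ldapSearchBean" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <!-- Search base -->
    <b:constructor-arg value="dc=company,dc=com" />
    <!-- Search filter -->
    <b:constructor-arg value="(sAMAccountName={0})" />
    <b:constructor-arg ref="ldapContextSource" />
    <!-- true = whole subtree below the base. The previous value (false) meant a one-level
         search of the direct children of dc=company,dc=com, which could not find accounts
         nested further down such as the ou=users,ou=acme,... container the manager account
         itself lives in. -->
    <b:property name="searchSubtree" value="true" />
</b:bean>

<!-- "Bind" authentication: the DN located by ldapSearchBean is bound against the directory
     with the password the user submitted, so the directory, not this application, verifies
     the credential. (A userDnPatterns list can be used instead of a search.)
     NOTE(review): confirm the provider rejects an empty password before the bind (current
     Spring Security versions do), since some directories treat an empty-password simple
     bind as an anonymous success. -->
<b:bean id="ldapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
    <b:constructor-arg ref="ldapContextSource" />
    <b:property name="userSearch" ref="ldapSearchBean" />
</b:bean>

<!-- Authorities (Spring roles) for the authenticated user: search from the base DN for group
     entries whose "member" attribute contains the user's full DN; each matching group's cn
     becomes a ROLE_ authority in upper case. Only direct memberships are found by this
     filter; nested groups are not expanded. -->
<b:bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
    <b:constructor-arg ref="ldapContextSource" />
    <!-- Base DN where the group search starts -->
    <b:constructor-arg value="dc=company,dc=com" />
    <!-- {0} is replaced by the user's full DN -->
    <b:property name="groupSearchFilter" value="(member={0})" />
    <!-- Group attribute whose value becomes the role name -->
    <b:property name="groupRoleAttribute" value="cn" />
    <!-- Search the whole subtree below the base, not just its direct children -->
    <b:property name="searchSubtree" value="true" />
    <!-- false = a PartialResultException (typically an unfollowed referral) aborts the
         search and the login fails. NOTE(review): searching an Active Directory domain root
         over plain LDAP commonly raises one because of referrals; if that is the case here,
         set this to true or point the URL at a global-catalog port. -->
    <b:property name="ignorePartialResultException" value="false" />
    <!-- Prefix added to every role name; default is ROLE_ -->
    <b:property name="rolePrefix" value="ROLE_" />
    <!-- Upper-case the role names; default is true -->
    <b:property name="convertToUpperCase" value="true" />
</b:bean>

<!-- Maps the user's directory entry to the UserDetails placed in the security token.
     InetOrgPersonContextMapper reads inetOrgPerson attributes (cn, sn, mail, ...).
     NOTE(review): the sAMAccountName filter above suggests Active Directory; confirm the
     user objects actually expose the attributes this mapper expects. -->
<b:bean id="ldapUserDetailsContextMapper" class="org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper" />

<!-- The LDAP AuthenticationProvider wired from the beans above: authenticates through the
     bind authenticator, loads roles through the authorities populator and user details
     through the context mapper. -->
<b:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <!-- Login (bind) bean -->
    <b:constructor-arg ref="ldapBindAuthenticator" />
    <!-- Role loader bean -->
    <b:constructor-arg ref="ldapAuthoritiesPopulator" />
    <!-- false = the password the user submitted is not copied into the resulting
         Authentication object; its credentials come from the mapped UserDetails instead
         (per the provider's contract), which keeps the cleartext password out of the
         session-held token. -->
    <b:property name="useAuthenticationRequestCredentials" value="false" />
    <!-- User details loader bean -->
    <b:property name="userDetailsContextMapper" ref="ldapUserDetailsContextMapper" />
</b:bean>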