org.jasig.cas.authorization.generator

Class LdapAuthorizationGenerator

java.lang.Object

org.jasig.cas.authorization.generator.LdapAuthorizationGenerator

All Implemented Interfaces:

org.pac4j.core.authorization.AuthorizationGenerator<org.pac4j.core.profile.CommonProfile>

@Component(value="ldapAuthorizationGenerator")
public class LdapAuthorizationGenerator
extends java.lang.Object
implements org.pac4j.core.authorization.AuthorizationGenerator<org.pac4j.core.profile.CommonProfile>

Provides a simple AuthorizationGenerator implementation that obtains user roles from an LDAP search. Two searches are performed by this component for every user details lookup:

1. Search for an entry to resolve the username. In most cases the search should return exactly one result, but the setAllowMultipleResults(boolean) property may be toggled to change that behavior.
2. Search for groups of which the user is a member. This search commonly occurs on a separate directory branch than that of the user search.

Since:

4.0.0

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	DEFAULT_ROLE_PREFIX Default role prefix.

Constructor Summary

Constructors

Constructor and Description
LdapAuthorizationGenerator() Instantiates a new Ldap authorization generator.
LdapAuthorizationGenerator(org.ldaptive.ConnectionFactory factory, org.ldaptive.SearchExecutor userSearchExecutor, org.ldaptive.SearchExecutor roleSearchExecutor, java.lang.String userAttributeName, java.lang.String roleAttributeName) Creates a new instance with the given required parameters.

Method Summary

Methods

Modifier and Type	Method and Description
void	generate(org.pac4j.core.profile.CommonProfile profile)
void	setAllowMultipleResults(boolean allowMultiple) Sets whether to allow multiple search results for user details given a username.
void	setRolePrefix(java.lang.String rolePrefix) Sets the prefix appended to the uppercase roleAttributeName (Spring Security convention).

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_ROLE_PREFIX

public static final java.lang.String DEFAULT_ROLE_PREFIX

Default role prefix.

See Also:

Constant Field Values

Constructor Detail

LdapAuthorizationGenerator

public LdapAuthorizationGenerator()

Instantiates a new Ldap authorization generator.

LdapAuthorizationGenerator

public LdapAuthorizationGenerator(org.ldaptive.ConnectionFactory factory,
                          org.ldaptive.SearchExecutor userSearchExecutor,
                          org.ldaptive.SearchExecutor roleSearchExecutor,
                          java.lang.String userAttributeName,
                          java.lang.String roleAttributeName)

Creates a new instance with the given required parameters.

Parameters:

factory - Source of LDAP connections for searches.

userSearchExecutor - Executes the LDAP search for user data.

roleSearchExecutor - Executes the LDAP search for role data.

userAttributeName - Name of LDAP attribute that contains username for user details.

roleAttributeName - Name of LDAP attribute that contains role membership data for the user.

Method Detail

setRolePrefix

public void setRolePrefix(java.lang.String rolePrefix)

Sets the prefix appended to the uppercase roleAttributeName (Spring Security convention). The default value "ROLE_" is sufficient in most cases.

Parameters:

rolePrefix - Role prefix.

setAllowMultipleResults

public void setAllowMultipleResults(boolean allowMultiple)

Sets whether to allow multiple search results for user details given a username. This is false by default, which is sufficient and secure for more deployments. Setting this to true may have security consequences.

Parameters:

allowMultiple - True to allow multiple search results in which case the first result returned is used to construct user details, or false to indicate that a runtime exception should be raised on multiple search results for user details.

generate

public void generate(org.pac4j.core.profile.CommonProfile profile)

Specified by:

generate in interface org.pac4j.core.authorization.AuthorizationGenerator<org.pac4j.core.profile.CommonProfile>