Handling roles when authenticated to active directory with spring security 3.1

天涯浪人 2020-12-13 03:10

I'm trying to authenticate with an Active Directory using Spring Security 3.1. I get authenticated and all is well.

2 answers
  • 2020-12-13 03:30

    The roles in the beans.xml must be an exact match of the CN (common name) of the memberOf value attribute. You should read a tutorial about directory basics.

    Say you have this user:

        CN=Michael-O,OU=Users,OU=department,DC=sub,DC=company,DC=net

    In his context exists this memberOf value:

        CN=Group Name,OU=Permissions,OU=Groups,OU=department,DC=sub,DC=company,DC=net

    The Bean will locate this memberOf value and extract Group Name. Your beans.xml has to have exactly this value.

  • 2020-12-13 03:35

    You can also inject a GrantedAuthoritiesMapper which was introduced in 3.1 as a general strategy for modifying the authorities. Plus you might want to use SimpleGrantedAuthority for the GrantedAuthority implementation. Alternatively, you could use an enum since you have a fixed set of values:

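    import java.util.Collection;
    import java.util.EnumSet;
    import java.util.Set;

    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;

    // Fixed set of application roles; the enum constant name is the authority string.
    enum MyAuthority implements GrantedAuthority {
        ROLE_ADMIN,
        ROLE_USER;

        public String getAuthority() {
            return name();
        }
    }

    // Translates the group names loaded from the directory into application roles.
    class MyAuthoritiesMapper implements GrantedAuthoritiesMapper {

        public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
            Set<MyAuthority> roles = EnumSet.noneOf(MyAuthority.class);

            // Groups that match neither name are dropped and grant no role.
            for (GrantedAuthority a: authorities) {
                if ("MY ADMIN GROUP".equals(a.getAuthority())) {
                    roles.add(MyAuthority.ROLE_ADMIN);
                } else if ("MY USER GROUP".equals(a.getAuthority())) {
                    roles.add(MyAuthority.ROLE_USER);
                }
            }

            return roles;
        }
    }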
    
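The two answers above combined, as an added example that is not part of either answer and is not Spring Security's own code: it uses the JDK's LdapName to pull the CN out of a memberOf value, as the first answer describes, then maps it through an allow-list, as the second answer's mapper does. The class name, the group-to-role map and the sample DNs are assumptions constructed for illustration.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class MemberOfRoleMapping {

    // Hypothetical allow-list: AD group CN -> application role (names are assumptions).
    private static final Map<String, String> GROUP_TO_ROLE = new HashMap<String, String>();
    static {
        GROUP_TO_ROLE.put("Group Name", "ROLE_USER");
        GROUP_TO_ROLE.put("App Admins", "ROLE_ADMIN");
    }

    // Returns the value of the leftmost RDN when it is a CN, otherwise null.
    static String groupCn(String memberOf) {
        try {
            LdapName dn = new LdapName(memberOf);
            if (dn.isEmpty()) return null;
            Rdn leaf = dn.getRdn(dn.size() - 1); // LdapName indexes RDNs right to left
            return "CN".equalsIgnoreCase(leaf.getType()) ? leaf.getValue().toString() : null;
        } catch (InvalidNameException e) {
            return null; // a malformed value grants nothing
        }
    }

    // Exact, case-sensitive match; unmapped groups yield no role (deny by default).
    static Set<String> rolesFor(Collection<String> memberOfValues) {
        Set<String> roles = new TreeSet<String>();
        for (String memberOf : memberOfValues) {
            String role = GROUP_TO_ROLE.get(groupCn(memberOf));
            if (role != null) roles.add(role);
        }
        return roles;
    }

    public static void main(String[] args) {
        List<String> memberOf = Arrays.asList( // constructed sample values
            "CN=Group Name,OU=Permissions,OU=Groups,OU=department,DC=sub,DC=company,DC=net",
            "CN=group name,OU=Other,DC=sub,DC=company,DC=net",        // different case: no match
            "CN=App Admins\\, EU,OU=Groups,DC=sub,DC=company,DC=net", // escaped comma: CN is "App Admins, EU"
            "OU=App Admins,DC=sub,DC=company,DC=net");                // leaf is an OU, not a CN: ignored
        System.out.println(rolesFor(memberOf));
    }
}
```

Only the first sample value maps to a role; the other three show why a CN that differs in case, contains an escaped comma, or is not the leaf RDN must not be treated as a match.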