Spring authorization and role management with Ldap

I am devoloping a spring java app and I want to use ladp for apache directories to manage users, so I want to give each user a role and manage what I was using spring.

This is my security-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">

        user-search-filter="(uid={0})" user-search-base="ou=users"
        group-search-filter="(uniqueMember={0})" group-search-base="ou=groups"
        group-role-attribute="cn" role-prefix="ROLE_" />

<security:ldap-server url="ldap://localhost:8389/o=mojo"
    manager-dn="uid=admin,ou=system" manager-password="secret" />
<security:http use-expressions="true">
    <security:intercept-url pattern="/" access="hasRole('ROLE_Admin')" />
    <security:form-login />


and this is my ldap hierarchy

and this is my ldap hierarchy

This doesn't work for me and gives me a 403 error for access denied even when I'm logged in with administrator privileges.

Any help?


source to share

2 answers

Try to set up your role in <security:intercept-url pattern="/" access="hasRole('ROLE_ADMIN')" />

this way.

By default <security:ldap-authentication-provider />

, which automatically configures org.springframework.security.ldap.authentication.LdapAuthenticationProvider creates an instance of org.springframework.security.ldap.userdetails.LdapUserDetailsMapper , which by default has the following properties:

public class LdapUserDetailsMapper implements UserDetailsContextMapper {
    // ~ Instance fields
    // ================================================================================================

    private final Log logger = LogFactory.getLog(LdapUserDetailsMapper.class);
    private String passwordAttributeName = "userPassword";
    private String rolePrefix = "ROLE_";
    private String[] roleAttributes = null;
    private boolean convertToUpperCase = true;


And so on, since convertToUpperCase is set to true, this method

     * Creates a GrantedAuthority from a role attribute. Override to customize authority
     * object creation.
     * <p>
     * The default implementation converts string attributes to roles, making use of the
     * <tt>rolePrefix</tt> and <tt>convertToUpperCase</tt> properties. Non-String
     * attributes are ignored.
     * </p>
     * @param role the attribute returned from
     * @return the authority to be added to the list of authorities for the user, or null
     * if this attribute should be ignored.
    protected GrantedAuthority createAuthority(Object role) {
        if (role instanceof String) {
            if (this.convertToUpperCase) {
                role = ((String) role).toUpperCase();
            return new SimpleGrantedAuthority(this.rolePrefix + role);
        return null;


finally converts your ou:groups



which doesn't matchROLE_ADMIN



the error was that in my LDAP hierarchy I have to name the group cn=ROLE_ADMIN

not cn=Admin

because I have role-prefix="ROLE_"

in the security-context.xml file



All Articles