Spring LdapAuthentication and load roles from local database


I have Spring Security configured to authenticate against an LDAP server.

<security:authentication-manager>
    <security:ldap-authentication-provider user-dn-pattern="uid={0}" />
</security:authentication-manager>

After authentication I want to load the roles for the same user from a local database. How can I load the local database roles using "ldap-authentication-provider"?

If I add a second authentication provider as below:

<security:authentication-manager>
    <security:ldap-authentication-provider user-dn-pattern="uid={0}" />
    <security:authentication-provider ref="daoauthenticationprovider" />
</security:authentication-manager>

With daoauthenticationprovider added, Spring does not use the second provider when the first auth provider authenticates the user. Only if the first auth provider fails to authenticate does it go on to the next one in the list.

So I have to customize

<security:ldap-authentication-provider user-dn-pattern="uid={0}" /> 

to load roles from the local database.

Any suggestions? How should this be implemented?

An authentication provider must deliver a fully populated authentication token on successful authentication, so it's not possible to use one provider to check the user's credentials and another one to assign authorities (roles) to it.

You can customize the LDAP auth provider to fetch user roles from the database instead of the default behaviour (searching the user's groups in LDAP). LdapAuthenticationProvider has two strategies injected: one performs the authentication (LdapAuthenticator), and one fetches the user's authorities (LdapAuthoritiesPopulator). You can achieve your requirements if you supply an LdapAuthoritiesPopulator implementation that loads the roles from the database. In case you already have a UserDetailsService working against the database, you can integrate it by wrapping it in a UserDetailsServiceLdapAuthoritiesPopulator and injecting that into the LdapAuthenticationProvider.

Since this configuration is rather uncommon, the security XML namespace doesn't provide tags/attributes to set it up, but the raw bean config isn't complicated. Here is an outline:

1) Suppose you have an ldap-server somewhere in your config. It's important to assign an id to it, to allow referencing it later.

<security:ldap-server url="..." id="ldapserver" .../> 

2) In the authentication-manager section, refer to the customized provider:

<security:authentication-manager>
    <security:authentication-provider ref="customldapauthprovider"/>
</security:authentication-manager>

3) Now, the essential part:

<!-- Class names and property names are case-sensitive; the lowercased
     versions would fail to load, so they are restored here. -->
<bean id="customldapauthprovider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg name="authenticator">
        <!-- same BindAuthenticator the namespace config would create -->
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg name="contextSource" ref="ldapserver"/>
            <property name="userDnPatterns">
                <list>
                    <value>uid={0}</value>
                </list>
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg name="authoritiesPopulator">
        <!-- roles come from the database-backed UserDetailsService, not from LDAP groups -->
        <bean class="org.springframework.security.ldap.userdetails.UserDetailsServiceLdapAuthoritiesPopulator">
            <constructor-arg name="userService" ref="userservice"/>
        </bean>
    </constructor-arg>
</bean>

The authenticator is the same one created by the namespace config. (Note the contextSource attribute referencing the LDAP server.)

The authoritiesPopulator is a simple wrapper around the userservice implementation, which is supposed to be defined somewhere else in your config.
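As an added example (not code from the question or the answer above), here is the same wiring in Java config, but taking the other route the answer mentions: a custom LdapAuthoritiesPopulator that reads roles from the database directly with JdbcTemplate instead of wrapping a UserDetailsService. The LDAP URL, the DataSource bean, and a user_roles(username, role) table are assumptions for illustration; the provider still has to be registered with the AuthenticationManager as in step 2.

```java
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/**
 * Authorities populator that ignores LDAP group membership and loads roles
 * from a local table instead. Called by LdapAuthenticationProvider only after
 * BindAuthenticator has successfully bound as the user, so "username" here is
 * an authenticated identity, not an unverified form field.
 */
class JdbcLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private final JdbcTemplate jdbc;

    JdbcLdapAuthoritiesPopulator(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(
            DirContextOperations userData, String username) {
        // Assumption: the table stores usernames lowercased. LDAP uids are
        // usually matched case-insensitively, a SQL string compare may not be,
        // so normalise before the lookup to avoid "Alice" getting no roles.
        String key = username.toLowerCase(Locale.ROOT);

        // Parameterised query: the username is bound, never concatenated.
        // Assumption: user_roles stores bare names such as ADMIN; the ROLE_
        // prefix is added so that hasRole('ADMIN') matches.
        List<GrantedAuthority> roles = jdbc.query(
                "SELECT role FROM user_roles WHERE username = ?",
                (rs, rowNum) -> new SimpleGrantedAuthority("ROLE_" + rs.getString("role")),
                key);

        // Fail closed: an account that can bind to LDAP but is unknown to the
        // application database is rejected rather than let in with no roles.
        // Return Collections.emptyList() here instead if the application
        // treats "authenticated, no roles" as a legitimate state.
        if (roles.isEmpty()) {
            throw new UsernameNotFoundException(
                    "No local roles for LDAP-authenticated user " + key);
        }
        return roles;
    }
}

@Configuration
public class LdapWithDbRolesConfig {

    /** Equivalent of <security:ldap-server url="..." id="ldapserver"/>. URL is hypothetical. */
    @Bean
    public DefaultSpringSecurityContextSource ldapServer() {
        return new DefaultSpringSecurityContextSource(
                "ldap://ldap.example.internal:389/dc=example,dc=com");
    }

    /**
     * Equivalent of the "customldapauthprovider" bean: BindAuthenticator with
     * the same uid={0} pattern, paired with the JDBC populator above.
     * The DataSource bean is assumed to be defined elsewhere.
     */
    @Bean
    public LdapAuthenticationProvider customLdapAuthProvider(
            DefaultSpringSecurityContextSource ldapServer, DataSource dataSource) {
        BindAuthenticator authenticator = new BindAuthenticator(ldapServer);
        authenticator.setUserDnPatterns(new String[] { "uid={0}" });
        return new LdapAuthenticationProvider(
                authenticator, new JdbcLdapAuthoritiesPopulator(dataSource));
    }
}
```

The one behavioural difference from the UserDetailsServiceLdapAuthoritiesPopulator wiring in the answer is where a missing database row is decided: that wrapper relies on the UserDetailsService throwing UsernameNotFoundException, whereas the populator above makes the deny explicit and documents the alternative. Either way the credential check stays entirely in LDAP and the local table is only consulted for authorities, which is what the answer's first paragraph requires.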

