Obtaining User Authorities

When roles are synchronized in accordance with LDAP, they are obtained in a few steps:

  • Obtaining roles from groups a user is a member of

    The resulting list of authorities consists of group names a user is a member of. By default, the cn attribute of the group is used to obtain the authority name. You can change this attribute in the jmix.ldap.group-role-attribute.

  • Obtaining roles from user attributes

    Optionally user roles can be added based on their own attributes. This can be implemented by overriding the getAdditionalRoles() method of AbstractLdapUserDetailsSynchronizationStrategy.

  • Applying default roles

    The jmix.ldap.default-roles property contains a comma-separated list of roles that will be assigned to every user authenticated in LDAP.

The resulting list of authorities is passed through JmixLdapGrantedAuthoritiesMapper in order to get the final collection of authorities. This mapper is used to map previously obtained authorities to Jmix RoleGrantedAuthority.

For example, consider that the initial list contains a simple authority with the value of Administrators. First, the mapper tries to find a resource role with the same role code. If the role hasn’t been found, it searches for a row-level role with the same code. If the role isn’t found, it won’t be added to the final list.

Also, it is possible to specify a mapping function with the setAuthorityToRoleCodeMapper() method in order to describe the matching of authorities names, for example:

@Autowired
private LdapProperties ldapProperties;

@Bean
@Primary (1)
JmixLdapGrantedAuthoritiesMapper customAuthoritiesMapper() { (2)
    JmixLdapGrantedAuthoritiesMapper authoritiesMapper = new JmixLdapGrantedAuthoritiesMapper();
    authoritiesMapper.setDefaultRoles(ldapProperties.getDefaultRoles());
    Map<String, String> authorityMap = new HashMap<>();
    authorityMap.put("Mathematicians", "system-full-access"); (3)
    authoritiesMapper.setAuthorityToRoleCodeMapper(s -> authorityMap.getOrDefault(s, s));
    return authoritiesMapper;
}
1 Put the @Primary annotation to use your bean instead of grantedAuthoritiesMapper.
2 Give your bean a name that differs from grantedAuthoritiesMapper.
3 Map an authority name and role code, which will be used to obtain a resource role or row-level role.