Obtaining User Authorities
When roles are synchronized in accordance with LDAP, they are obtained in a few steps:
-
Obtaining roles from groups a user is a member of
The resulting list of authorities consists of group names a user is a member of. By default, the
cn
attribute of the group is used to obtain the authority name. You can change this attribute in the jmix.ldap.group-role-attribute. -
Obtaining roles from user attributes
Optionally user roles can be added based on their own attributes. This can be implemented by overriding the
getAdditionalRoles()
method ofAbstractLdapUserDetailsSynchronizationStrategy
. -
Applying default roles
The jmix.ldap.default-roles property contains a comma-separated list of roles that will be assigned to every user authenticated in LDAP.
The resulting list of authorities is passed through JmixLdapGrantedAuthoritiesMapper
in order to get the final collection of authorities. This mapper is used to map previously obtained authorities to Jmix GrantedAuthority
.
For example, consider that the initial list contains a simple authority with the value of Administrators
. First, the mapper tries to find a resource role with the same role code. If the role hasn’t been found, it searches for a row-level role with the same code. If the role isn’t found, it won’t be added to the final list.
Also, you can implement the LdapAuthorityToJmixRoleCodesMapper
interface to map LDAP authorities and Jmix role codes. It is available to map several role codes to one LDAP group. Roles can be either resource or low-level.
In the example below, the bean implements mapping the mathematician
and scientists
LDAP groups to Jmix role codes:
@Component("l_CustomAuthorityMapperBean")
public class CustomAuthorityMapperBean implements LdapAuthorityToJmixRoleCodesMapper {
@Override
public Collection<String> mapAuthorityToJmixRoleCodes(String authority) { (1)
Collection<String> roleCollection = new ArrayList<>();
if (authority.equals("mathematicians")) { (2)
roleCollection.add("system-full-access");
} else {
roleCollection.add(authority + "-resource-role"); (3)
roleCollection.add(authority + "-row-level-role");
}
return roleCollection;
}
}
1 | Overrides the method that takes an LDAP authority as input parameter and returns a collection of role codes that matches the given authority. |
2 | In case of the mathematicians group, an LDAP user obtains the system-full-access role. |
3 | In case of the scientists group, an LDAP user obtains two roles: scientists-resource-role and scientists-row-level-role . |