Merge branch '2.3'

ff91ac13 · Daniel Gerhardt · a1cd6239 · a81af1f7 · ff91ac13 · ff91ac13
Commit ff91ac13 authored 8 years ago by Daniel Gerhardt
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
 # Changelog
+## 2.3.1
+Bug fixes:
+* Case-insensitive user IDs are now correctly handled for LDAP authentication.
+* LDAP authentication does no longer request unnecessary user attributes.
 ## 2.3
 Major features:
 * Improved LDAP authentication support: Additional settings for LDAP search and
@@ -17,7 +22,7 @@ Minor features and changes:
  question format flashcard are now active by default and can no longer be
  disabled for the whole ARSnova installation.
-Bugfixes:
+Bug fixes:
 * The `security.authentication.login-try-limit` setting now works as intended.
 Changes for developers:
@@ -48,7 +53,7 @@ Major features:
 * The API has been extended to support features introduced with ARSnova Mobile
  2.2.
-Bugfixes:
+Bug fixes:
 * User content consisting of JSON could not be loaded and rendered connected
  data unloadable as well.

--- a/pom.xml
+++ b/pom.xml
@@ -7,7 +7,7 @@
 	<packaging>war</packaging>
 	<properties>
-		<io.spring.platform-version>2.0.3.RELEASE</io.spring.platform-version>
+		<io.spring.platform-version>2.0.4.RELEASE</io.spring.platform-version>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<timestamp>${maven.build.timestamp}</timestamp>
 		<sonar.language>java</sonar.language>
@@ -177,7 +177,7 @@
 		<dependency>
 			<groupId>cglib</groupId>
 			<artifactId>cglib</artifactId>
-			<version>3.2.1</version>
+			<version>3.2.2</version>
 		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
@@ -325,7 +325,7 @@
 			<plugin>
 				<groupId>org.eclipse.jetty</groupId>
 				<artifactId>jetty-maven-plugin</artifactId>
-				<version>9.2.15.v20160210</version>
+				<version>9.2.16.v20160414</version>
 				<configuration>
 					<scanIntervalSeconds>1</scanIntervalSeconds>
 					<webApp>
@@ -347,7 +347,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-site-plugin</artifactId>
-				<version>3.5</version>
+				<version>3.5.1</version>
 				<configuration>
 					<locales>en</locales>
 				</configuration>
@@ -355,7 +355,7 @@
 			<plugin>
 				<groupId>org.codehaus.mojo</groupId>
 				<artifactId>sonar-maven-plugin</artifactId>
-				<version>3.0.1</version>
+				<version>3.0.2</version>
 			</plugin>
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>

--- a/src/main/java/de/thm/arsnova/config/SecurityConfig.java
+++ b/src/main/java/de/thm/arsnova/config/SecurityConfig.java
@@ -25,6 +25,7 @@ import de.thm.arsnova.CasUserDetailsService;
 import de.thm.arsnova.LoginAuthenticationFailureHandler;
 import de.thm.arsnova.LoginAuthenticationSucessHandler;
 import de.thm.arsnova.security.ApplicationPermissionEvaluator;
+import de.thm.arsnova.security.CustomLdapUserDetailsMapper;
 import de.thm.arsnova.security.DbUserDetailsService;
 import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
 import org.scribe.up.provider.impl.FacebookProvider;
@@ -65,6 +66,7 @@ import org.springframework.security.ldap.authentication.LdapAuthenticator;
 import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
+import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
@@ -96,6 +98,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter implements Serv
 	@Value("${security.ldap.enabled}") private boolean ldapEnabled;
 	@Value("${security.ldap.url}") private String ldapUrl;
+	@Value("${security.ldap.user-id-attr:uid}") private String ldapUserIdAttr;
 	@Value("${security.ldap.user-dn-pattern:}") private String ldapUserDn;
 	@Value("${security.ldap.user-search-base:}") private String ldapSearchBase;
 	@Value("${security.ldap.user-search-filter:}") private String ldapSearchFilter;
@@ -249,7 +252,10 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter implements Serv
 	@Bean
 	public LdapAuthenticationProvider ldapAuthenticationProvider() throws Exception {
-		return new LdapAuthenticationProvider(ldapAuthenticator(), ldapAuthoritiesPopulator());
+		LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(ldapAuthenticator(), ldapAuthoritiesPopulator());
+		ldapAuthenticationProvider.setUserDetailsContextMapper(customLdapUserDetailsMapper());
+		return ldapAuthenticationProvider;
 	}
 	@Bean
@@ -268,6 +274,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter implements Serv
 	@Bean
 	public LdapAuthenticator ldapAuthenticator() throws Exception {
 		BindAuthenticator authenticator = new BindAuthenticator(ldapContextSource());
+		authenticator.setUserAttributes(new String[] {ldapUserIdAttr});
 		if (!"".equals(ldapSearchFilter)) {
 			logger.debug("ldapSearch: {} {}", ldapSearchBase, ldapSearchFilter);
 			authenticator.setUserSearch(new FilterBasedLdapUserSearch(ldapSearchBase, ldapSearchFilter, ldapContextSource()));
@@ -284,6 +291,13 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter implements Serv
 		return new DefaultLdapAuthoritiesPopulator(ldapContextSource(), null);
 	}
+	@Bean
+	public LdapUserDetailsMapper customLdapUserDetailsMapper() {
+		logger.debug("ldapUserIdAttr: {}", ldapUserIdAttr);
+		return new CustomLdapUserDetailsMapper(ldapUserIdAttr);
+	}
 	// CAS Authentication Configuration
 	@Bean

--- a/src/main/java/de/thm/arsnova/controller/LoginController.java
+++ b/src/main/java/de/thm/arsnova/controller/LoginController.java
@@ -191,7 +191,7 @@ public class LoginController extends AbstractController {
 				try {
 					Authentication auth = ldapAuthenticationProvider.authenticate(token);
 					if (auth.isAuthenticated()) {
-						SecurityContextHolder.getContext().setAuthentication(token);
+						SecurityContextHolder.getContext().setAuthentication(auth);
 						request.getSession(true).setAttribute(
 								HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
 								SecurityContextHolder.getContext());

--- a/src/main/java/de/thm/arsnova/entities/User.java
+++ b/src/main/java/de/thm/arsnova/entities/User.java
@@ -24,6 +24,7 @@ import org.scribe.up.profile.google.Google2Profile;
 import org.scribe.up.profile.twitter.TwitterProfile;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.userdetails.UserDetails;
 import java.io.Serializable;

--- a/src/main/java/de/thm/arsnova/security/CustomLdapUserDetailsMapper.java
+++ b/src/main/java/de/thm/arsnova/security/CustomLdapUserDetailsMapper.java
+package de.thm.arsnova.security;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
+import java.util.Collection;
+/**
+ * Replaces the user ID provided by the authenticating user with the one that is part of LDAP object. This is necessary
+ * to get a consistent ID despite case insensitivity.
+ */
+public class CustomLdapUserDetailsMapper extends LdapUserDetailsMapper {
+	public static final Logger LOGGER = LoggerFactory.getLogger(CustomLdapUserDetailsMapper.class);
+	private String userIdAttr;
+	public CustomLdapUserDetailsMapper(String ldapUserIdAttr) {
+		this.userIdAttr = ldapUserIdAttr;
+	}
+	public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
+										  Collection<? extends GrantedAuthority> authorities) {
+		String ldapUsername = ctx.getStringAttribute(userIdAttr);
+		if (ldapUsername == null) {
+			LOGGER.warn("LDAP attribute {} not set. Falling back to user provided username.", userIdAttr);
+			ldapUsername = username;
+		}
+		UserDetails userDetails = super.mapUserFromContext(ctx, ldapUsername, authorities);
+		return userDetails;
+	}
+}
--- a/src/site/resources/arsnova.png
+++ b/src/site/resources/arsnova.png