DeferredCreationLdapAuthoritiesPopulator is no longer necessary because...

DeferredCreationLdapAuthoritiesPopulator is no longer necessary because filters are now created after SecurityRealm is prepared. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@14872 71c3de6d-444a-0410-be80-ed276b4c234a

DeferredCreationLdapAuthoritiesPopulator is no longer necessary because...
DeferredCreationLdapAuthoritiesPopulator is no longer necessary because filters are now created after SecurityRealm is prepared. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@14872 71c3de6d-444a-0410-be80-ed276b4c234a
3beed588 · kohsuke · 23bafefc · 3beed588 · 3beed588 · 3beed588
5 changed file
--- a/core/src/main/java/hudson/security/DeferredCreationLdapAuthoritiesPopulator.java
+++ b/core/src/main/java/hudson/security/DeferredCreationLdapAuthoritiesPopulator.java
@@ -9,7 +9,7 @@ import org.acegisecurity.ldap.LdapDataAccessException;
 import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
 import org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator;
 import org.acegisecurity.userdetails.ldap.LdapUserDetails;
-import org.springframework.util.Assert;
+import hudson.security.SecurityRealm.SecurityComponents;

 /**
 * Implementation of {@link LdapAuthoritiesPopulator} that defers creation of a
@@ -17,6 +17,9 @@ import org.springframework.util.Assert;
 * ensure that the groupSearchBase property can be set.
 * 
 * @author justinedelson
+ * @deprecated as of 1.280
+ *      {@link SecurityComponents} are now created after {@link SecurityRealm} is created, so
+ *      the initialization order issue that this code was trying to address no longer exists.
 */
 public class DeferredCreationLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {


--- a/core/src/main/java/hudson/security/GroupDetails.java
+++ b/core/src/main/java/hudson/security/GroupDetails.java
+package hudson.security;
+
+import org.acegisecurity.userdetails.UserDetails;
+
+/**
+ * Represents the details of a group.
+ *
+ * @author Kohsuke Kawaguchi
+ * @since 1.280
+ * @see UserDetails
+ */
+public abstract class GroupDetails {
+    /**
+     * Returns the name of the group.
+     *
+     * @return never null.
+     */
+    public abstract String getName();
+
+    /**
+     * Returns the human-readable name used for rendering in HTML.
+     *
+     * <p>
+     * This may contain arbitrary character, and it can change.
+     *
+     * @return never null.
+     */
+    public String getDisplayName() {
+        return getName();
+    }
+}
--- a/core/src/main/java/hudson/security/LDAPSecurityRealm.java
+++ b/core/src/main/java/hudson/security/LDAPSecurityRealm.java
@@ -176,7 +176,6 @@ public class LDAPSecurityRealm extends SecurityRealm {
        BeanBuilder builder = new BeanBuilder();
        builder.parse(Hudson.getInstance().servletContext.getResourceAsStream("/WEB-INF/security/LDAPBindSecurityRealm.groovy"),binding);
        final WebApplicationContext appContext = builder.createApplicationContext();
-        correctAuthoritiesPopulator(appContext);

        return new SecurityComponents(
            findBean(AuthenticationManager.class, appContext),
@@ -193,15 +192,6 @@ public class LDAPSecurityRealm extends SecurityRealm {
            });
    }

-    /**
-     * Adjust the authoritiesPopulator bean to have the correct groupSearchBase
-     * @param appContext 
-     */
-    private void correctAuthoritiesPopulator(WebApplicationContext appContext) {
-        DeferredCreationLdapAuthoritiesPopulator factory = (DeferredCreationLdapAuthoritiesPopulator) appContext.getBean("authoritiesPopulator");
-        factory.setGroupSearchBase(groupSearchBase==null ? "" : groupSearchBase);
-    }
-    
    /**
     * If the security realm is LDAP, try to pick up e-mail address from LDAP.
     */

--- a/core/src/main/java/hudson/security/SecurityRealm.java
+++ b/core/src/main/java/hudson/security/SecurityRealm.java
@@ -171,6 +171,18 @@ public abstract class SecurityRealm implements Describable<SecurityRealm>, Exten
        return getSecurityComponents().userDetails.loadUserByUsername(username);
    }

+    /**
+     * If this {@link SecurityRealm} supports a look up of {@link GroupDetails} by their names, override this method
+     * to provide the look up.
+     *
+     * <p>
+     * This information, when available, can be used by {@link AuthorizationStrategy}s to improve the UI and
+     * error diagnostics for the user.
+     */
+    public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
+        throw new UserMayOrMayNotExistException(groupname);
+    }
+
    /**
     * {@link DefaultManageableImageCaptchaService} holder to defer initialization.
     */

--- a/war/resources/WEB-INF/security/LDAPBindSecurityRealm.groovy
+++ b/war/resources/WEB-INF/security/LDAPBindSecurityRealm.groovy
@@ -6,7 +6,8 @@ import org.acegisecurity.ldap.DefaultInitialDirContextFactory
 import org.acegisecurity.ldap.search.FilterBasedLdapUserSearch
 import org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider
 import hudson.model.Hudson
-import hudson.security.DeferredCreationLdapAuthoritiesPopulator
+import org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator
+import hudson.Util

 /*
    Configure LDAP as the authentication realm.
@@ -35,8 +36,9 @@ bindAuthenticator(BindAuthenticator2,initialDirContextFactory) {
    userSearch = ldapUserSearch;
 }

-authoritiesPopulator(DeferredCreationLdapAuthoritiesPopulator,initialDirContextFactory,"") {
-  // groupRoleAttribute = "ou";
+authoritiesPopulator(DefaultLdapAuthoritiesPopulator, initialDirContextFactory, Util.fixNull(instance.groupSearchBase)) {
+    // see DefaultLdapAuthoritiesPopulator for other possible configurations
+    searchSubtree = true;
 }

 authenticationManager(ProviderManager) {