Spring LDAP 2.0

The recently released 2.0 version has given the Spring LDAP project a significant facelift. With new features like Spring Data Repository and QueryDSL support, a fluent LDAP query builder, and XML namespace configuration, LDAP administration applications can now be built more efficiently than ever. This webinar will provide an overview of the goals and scope of Spring LDAP and demonstrate all the improvements in version 2.0, giving you plenty of hands-on tips along the way on how to make maximum use of the library.

Learn More about Spring LDAP at: http://projects.spring.io/spring-ldap

Transcript

  1. Spring LDAP 2.0 (@SpringLDAP)
      - Mattias Hellborg Arthursson (@marthursson): Software Mentor, Architect, Passionate Developer, 261 Consulting AB
      - Unless otherwise indicated, these slides are © 2013-2014 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
  2. Agenda
      - LDAP 101
      - Goals and Scope of Spring LDAP
      - New Features in 2.0
      - Configuration and Core API
      - Object-Directory Mapping
      - Spring Data Repository Support
  3. LDAP 101: A (really) Short Introduction
  4. Core Concepts
      - Lightweight Directory Access Protocol
      - Tree Structure
      - Distinguished Name (DN)
          - Unique identifier of an entry
          - Describes tree path
          - Least significant component first
      - Attributes
          - Data bound to an entry
          - Valid attributes defined by ObjectClass
          - Single- or multi-value
      - Filters
          - Used when searching for entries
  5. Simple LDAP Tree Example
      - dc=example,dc=com
          - ou=People
              - uid=john.doe
              - uid=jane.doe
          - ou=Groups
              - cn=Users
              - cn=Admins
  6. User Attributes
      - DN: uid=john.doe,ou=People,dc=example,dc=com
          - objectclass=top,person,organizationalPerson,inetOrgPerson
          - uid=john.doe
          - cn=John Doe
          - employeeNumber=12345
          - givenName=John
          - sn=Doe
          - [email protected]
          - telephoneNumber=555-12345
          - …more attributes available, defined by objectclass
  7. Group Attributes
      - DN: cn=Users,ou=Groups,dc=example,dc=com
          - objectclass=top,groupOfNames
          - cn=Users
          - member
              - uid=john.doe,ou=People,dc=example,dc=com
              - uid=jane.doe,ou=People,dc=example,dc=com
  8. LDAP Filters
      - Example: users whose name contains “Doe”
          - (&(objectclass=Person)(cn=*Doe*))
  9. Goals and Scope of Spring LDAP: Why Spring LDAP?
  10. Spring LDAP: Simplifying LDAP Programming
      - Java LDAP programming is dull and verbose
      - Similar to JDBC
          - Lots of boilerplate
          - Error prone
          - Repeating structure
              - Open connection
              - Perform query
              - Extract (loop through) data
              - Cleanup
              - Exception handling
      - Worse than JDBC
      - Filter syntax is complicated
  11. Inspired by Spring JDBC
      - LdapTemplate handles common flow
      - Callback interfaces and support classes
      - Useful abstractions and tools
          - E.g. for working with Distinguished Names and filters
      - Focus code on what is important
  12. Spring LDAP…
      - …is intended to simplify LDAP data administration
      - …is not intended to be used for authentication/authorization purposes
          - Use Spring Security
          - LDAP Support builds on Spring LDAP
  13. Java LDAP Example (yes it’s unreadable)

      ```java
      public List<String> getAllPersonNames() {
          DirContext ctx = createAnonymousContext();
          LinkedList<String> list = new LinkedList<String>();
          NamingEnumeration<?> results = null;
          try {
              SearchControls controls = new SearchControls();
              controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
              results = ctx.search("", "(objectclass=person)", controls);
              while (results.hasMore()) {
                  SearchResult searchResult = (SearchResult) results.next();
                  Attributes attributes = searchResult.getAttributes();
                  Attribute attr = attributes.get("cn");
                  String cn = (String) attr.get();
                  list.add(cn);
              }
          } catch (NamingException e) {
              throw new RuntimeException(e);
          } finally {
              if (results != null) {
                  try {
                      results.close();
                  } catch (Exception e) {
                      // Never mind this.
                  }
              }
              if (ctx != null) {
                  try {
                      ctx.close();
                  } catch (Exception e) {
                      // Never mind this.
                  }
              }
          }
          return list;
      }
      ```
  14. Spring LDAP Example

      ```java
      public List<String> getAllPersonNames() {
          return ldapTemplate.search(
              query().where("objectclass").is("person"),
              new AbstractContextMapper<String>() {
                  @Override
                  protected String doMapFromContext(DirContextOperations ctx) {
                      return ctx.getStringAttribute("cn");
                  }
              });
      }
      ```
  15. New Features in 2.0: Why upgrade?
  16. Spring LDAP 1.x
      - Java 1.4+
      - Centered around LdapTemplate
          - Along with callback interfaces
      - Some utilities
          - Filter abstractions
          - Attribute extraction and modification
          - DirContextAdapter
          - Distinguished Name implementation
              - Java 1.4 has no official LdapName class
      - Pooling support
      - ODM
      - Compensating LDAP transactions
  17. New in 2.0
      - Java version >1.6 required
          - Generics and varargs in core APIs
          - spring-ldap-tiger is deprecated
      - ODM moved to core
          - spring-ldap-odm is deprecated
          - LdapTemplate handles annotated classes
      - XML Namespace for configuration
      - Fluent query builder support
      - Spring Data Repository support
      - QueryDSL support
      - DistinguishedName is deprecated
      - Major overhaul of samples
          - https://github.com/spring-projects/spring-ldap/tree/master/samples
  18. Configuration and Core API
  19. Core Components
      - ContextSource
          - LDAP connection management in Java is confusing
          - ContextSource handles details
          - Similar to JDBC’s DataSource
      - LdapTemplate
          - Encapsulates boilerplate
          - Leaves details to callback interfaces
          - Lots of overloaded methods
          - Accommodates any usage scenario
          - Use simplest possible
  20. Configuration
      - Include Spring LDAP namespace definition
          - xmlns:ldap="http://www.springframework.org/schema/ldap"
          - xsi:schemaLocation="http://www.springframework.org/schema/ldap/spring-ldap.xsd"
      - Configure core components and use DI
  21. Demo: Configuring Spring LDAP
  22. Callback Interfaces and Main Support Classes
      - AttributesMapper
      - ContextMapper (use AbstractContextMapper)
      - DirContextAdapter
          - Simplifies working with LDAP attributes
      - LdapQueryBuilder
          - Fluent builder for LDAP queries
          - Eliminates need to know anything about search filters
      - LdapNameBuilder
          - Fluent builder for Distinguished Names
      - LdapUtils
          - General utility functions
          - E.g. for manipulating Distinguished Names
  23. Working with Distinguished Names
      - Spring LDAP DistinguishedName is now deprecated
          - Java 1.5 and higher has LdapName
      - Use Spring LDAP utilities to work with LdapName
          - Avoid mutability
          - Get rid of checked exceptions
          - LdapNameBuilder
          - LdapUtils
              - newLdapName(dnString)
              - prepend()
              - Extract RDN values
              - …
  24. Demo: Working with Distinguished Names
  25. Building LDAP Queries
      - Avoid constructing hardcoded LDAP filters
          - Impossible syntax
          - Avoid ‘LDAP injection’
      - Use LdapQueryBuilder
          - Fluent API
          - Specify search configuration
              - Base path
              - Search scope
              - Timeouts
              - Attributes to return
          - Append filter conditions
          - Use with ODM mapping or core interfaces
  26. Demo: Building LDAP Queries
  27. Object-Directory Mapping (ODM)
  28. Why ODM?
      - A more modern approach
      - Simplify attribute-to-POJO mapping
          - Inspired by JPA/Hibernate
          - Declarative mapping
      - Annotation-based
  29. ODM Annotations
      - @Entry
          - Marks a managed class
          - Defines object classes and (optional) base LDAP path
      - @Id
          - Marks the field containing the DN
          - Needs to be of type javax.naming.Name
      - @Attribute
          - Marks a field as a managed LDAP Attribute
          - (Optionally) defines attribute name
          - Defaults to field name
      - @DnAttribute
          - Marks a field for inclusion in DN
          - Specify DN component name and index
  30. Using ODM Entities
      - LdapTemplate recognizes annotated classes
          - findByDn()
          - create()
          - update()
          - delete()
          - findAll()
          - find()
          - findOne()
  31. Demo: ODM
  32. Repository Support: Aligning with Spring Data
  33. Spring LDAP Repository Support
      - Based on Spring Data Commons and ODM
      - LDAP Repositories without a single line of code (basically)
          - Annotate entity classes
          - Extend LdapRepository
          - Optionally define additional finders
          - Scan for repositories
          - Repository implementation is automatically generated
  34. LdapRepository
      - Based on Spring Data CrudRepository
          - save()
          - findOne(DN)
          - exists()
          - findAll()
          - delete()
          - LDAP specific:
              - findOne(LdapQuery)
              - findAll(LdapQuery)
  35. Demo: Spring LDAP Repository Support
  36. Automatically Generated Finders
      - Based on support from Spring Data Commons
      - Finders are automatically generated based on names
          - E.g. findByEmployeeNumber
      - Explicit queries defined by @Query annotation
          - value – filter format string, e.g.:
              - (employeeNumber={0})
          - base – search base
          - scope
  37. Demo: Automatically Generated Finders
  38. DirContextAdapter: Take Detailed Control
  39. DirContextAdapter
      - Helps with attribute access and modifications
          - No need to work with Java Attributes and ModificationItems
      - ContextMapper
      - Used extensively internally
          - Useful if you don’t want to use ODM
  40. Demo: Using DirContextAdapter
  41. DirContextAdapter and Distinguished Name Attributes
      - Group membership modifications are tricky
          - member and uniqueMember attributes contain DNs
          - DN equality is liberal
              - Space insensitive
              - Case insensitive
          - String equality is not suitable for comparing DNs
              - uid=john.doe,ou=People
              - UID=john.doe, OU=People
      - DirContextAdapter handles this
          - addAttributeValue(Name)
          - removeAttributeValue(Name)
          - Note: Name instances
  42. Demo: Membership Modification with DirContextAdapter
  43. Learn More. Stay Connected.
      - Check out the samples
      - projects.spring.io/spring-ldap
      - github.com/spring-projects/spring-ldap
      - jira.spring.io/browse/LDAP
      - Need more help?
          - Hire an expert consultant
          - 261consulting.com
          - @marthursson
      - Twitter: twitter.com/springldap
      - YouTube: spring.io/video
      - LinkedIn: spring.io/linkedin
      - Google Plus: spring.io/gplus
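
Added example for the "Building LDAP Queries" slide (not part of the original deck or the Spring LDAP samples): the same person lookup written as a concatenated filter, as a hand-escaped filter, and with LdapQueryBuilder, so the encoded filters can be compared without a directory server. It assumes spring-ldap-core 2.x on the classpath; the class name, method names, limits and input strings are constructed for illustration.

```java
import org.springframework.ldap.query.LdapQuery;
import org.springframework.ldap.query.SearchScope;
import org.springframework.ldap.support.LdapEncoder;

import static org.springframework.ldap.query.LdapQueryBuilder.query;

public class FilterBuildingExample {

    // "Before": the hardcoded style the slide warns against. The caller's text
    // becomes part of the filter syntax, so '(', ')', '*' and '\' in it can
    // change which entries the search matches.
    static String concatenatedFilter(String name) {
        return "(&(objectclass=person)(cn=" + name + "))";
    }

    // Stop-gap for code that still builds filter strings by hand: escape the
    // value with Spring LDAP's LdapEncoder before it is inserted.
    static String escapedFilter(String name) {
        return "(&(objectclass=person)(cn=" + LdapEncoder.filterEncode(name) + "))";
    }

    // "After": the fluent builder. Search configuration (base path, scope,
    // time limit in milliseconds, result cap, returned attributes) comes
    // first; filter conditions are appended with where()/and(), and is()
    // escapes the value it is given.
    static LdapQuery personByName(String name) {
        return query()
                .base("ou=People")
                .searchScope(SearchScope.SUBTREE)
                .timeLimit(3000)
                .countLimit(50)
                .attributes("cn", "uid")
                .where("objectclass").is("person")
                .and("cn").is(name);
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary name and one carrying filter
        // metacharacters, as untrusted form input might.
        String[] inputs = { "John Doe", "Doe*)(employeeNumber=*" };
        for (String input : inputs) {
            System.out.println("input        : " + input);
            System.out.println("concatenated : " + concatenatedFilter(input));
            System.out.println("hand-escaped : " + escapedFilter(input));
            System.out.println("query builder: " + personByName(input).filter().encode());
            System.out.println();
        }
    }
}
```

With the second input the concatenated filter gains extra clauses, while the other two keep a single cn comparison with the metacharacters escaped. Note that like() in the builder leaves `*` unescaped on purpose, since it is the wildcard, so is() is the right condition for exact matches on untrusted values.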
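
Added example for the "DirContextAdapter and Distinguished Name Attributes" slide (not part of the original deck): removing a user from a list of member values by string comparison and by LdapName comparison. A revocation that compares strings can leave the member in place when the directory returns the DN with different case or spacing. It assumes spring-ldap-core 2.x on the classpath; the class name, helper names and member values are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.naming.ldap.LdapName;

import org.springframework.ldap.support.LdapNameBuilder;
import org.springframework.ldap.support.LdapUtils;

public class DnComparisonExample {

    // String comparison: only removes the member if the stored value is
    // character-for-character identical to the DN we were given.
    static List<String> removeByString(List<String> members, String dn) {
        List<String> remaining = new ArrayList<String>(members);
        remaining.remove(dn);
        return remaining;
    }

    // Name comparison: parse each stored value and compare as LdapName, which
    // ignores attribute-type case, value case and spaces after separators.
    static List<String> removeByName(List<String> members, LdapName dn) {
        List<String> remaining = new ArrayList<String>();
        for (String member : members) {
            // LdapUtils.newLdapName wraps the checked InvalidNameException
            if (!LdapUtils.newLdapName(member).equals(dn)) {
                remaining.add(member);
            }
        }
        return remaining;
    }

    public static void main(String[] args) {
        // Constructed 'member' values, written the way a directory or an
        // older admin tool might have stored them.
        List<String> members = Arrays.asList(
                "UID=john.doe, OU=People, DC=example, DC=com",
                "uid=jane.doe,ou=People,dc=example,dc=com");

        // Build the DN to revoke with LdapNameBuilder instead of string
        // concatenation; add() places each component in front of the base.
        LdapName john = LdapNameBuilder.newInstance("dc=example,dc=com")
                .add("ou", "People")
                .add("uid", "john.doe")
                .build();

        System.out.println("DN to remove         : " + john);
        System.out.println("after string removal : " + removeByString(members, john.toString()));
        System.out.println("after Name removal   : " + removeByName(members, john));
    }
}
```

The string-based removal leaves both entries in the list, while the Name-based removal drops john.doe; this is the reason the slide points to the Name-typed addAttributeValue and removeAttributeValue methods on DirContextAdapter.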