I've started using Spring's ActiveDirectoryLdapAuthenticationProvider in my project, together with another provider that works with a DB, in order to authenticate users.
The main issue that concerns me is related to identical users that can potentially be created on the Active Directory server and on the database side with identical credentials. After that, these users will be able to log in to the project using their emails. At this step I got stuck with an inconsistent situation, because users with DB and AD credentials have different access to project pages.
In order to fix this we have decided to remove the possibility to log in with emails for AD users, because for the DB provider we cannot modify existing functionality and users should log in the same way as they could before.
I've looked into Spring's ActiveDirectoryLdapAuthenticationProvider and noticed that the class is final, and unfortunately I don't have the possibility to override the method I need, createBindPrincipal.
The next step we decided on was to copy and paste the existing class into our project and remove the final modifier; then we did similar things to what was done in this post: How to authenticate against Active Directory via LDAP over TLS?.
In general I wouldn't want to leave it as it is, because in the future it would be difficult to support, for example when we decide to move to a higher version of Spring. Additionally, with this approach we should copy and paste ActiveDirectoryLdapAuthenticationProviderTest to keep coverage in proper form.
Can someone explain what the main reason was for making this class final?
There is an open issue for this: https://github.com/spring-projects/spring-security/issues/3191 There seems to be no real reason for this class to be final.
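An alternative to copying the final class is to wrap it. The following is an added example, not part of the original answer and not Spring's own code: a delegating AuthenticationProvider that declines email-style usernames before they reach the AD provider. The class name, the domain and the URL are hypothetical placeholders, and it assumes an email-style login can be recognised by the presence of '@'.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

/** Hypothetical wrapper: composition instead of subclassing the final AD provider. */
public final class NoEmailLoginAdAuthenticationProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate;

    public NoEmailLoginAdAuthenticationProvider(AuthenticationProvider delegate) {
        this.delegate = delegate;
    }

    /** Wiring helper; "example.corp" and the ldaps URL are placeholders. */
    public static AuthenticationProvider forDomain(String domain, String ldapsUrl) {
        return new NoEmailLoginAdAuthenticationProvider(
                new ActiveDirectoryLdapAuthenticationProvider(domain, ldapsUrl));
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        // Assumption: any name containing '@' is an email-style login.
        // Note that this also declines explicit user@domain (UPN) logins.
        if (username != null && username.indexOf('@') >= 0) {
            // Returning null means "this provider cannot decide"; ProviderManager
            // then tries the next provider (here, the DB-backed one).
            return null;
        }
        // Plain account names pass through unchanged; the AD provider appends
        // its configured domain when it builds the bind principal.
        return delegate.authenticate(authentication);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }
}
```

Register the wrapper in place of the AD provider, alongside the existing DB provider, so the Spring class stays untouched and upgrades do not require re-copying it or its test.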