
Spring LDAP Authentication (Automatic or not?)

I read through the Spring LDAP reference docs and was unable to figure out whether user authentication against the LDAP server is automated or not.

By "automated" I mean that it happens automatically on bean instantiation if you provide userDn and password in your ContextSource. That is to say, the programmer never has to call LdapTemplate.authenticate(...) - it happens "behind-the-scenes".

So I would like to know

  1. If Spring LDAP authentication is automatic
  2. If there are fields I can set to change this behavior

Thanks,
ktm


EDIT: I ask this question in the context of some code that I wrote. The following ContextSource is one of the context sources in my beans file, which the user can opt to use. It is used to configure the userDn and password at runtime (for security reasons). I want to know whether the LDAP application will actually use the userDn/password that I collect at runtime in the authentication. (Does the authentication precede the execution of my code? Does it ignore the userDn/password fields that my code configures?)

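import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

import org.springframework.ldap.core.support.LdapContextSource;

public class RuntimeContext extends LdapContextSource {

    public RuntimeContext() {
        super();
        // Collect the credentials while the bean is being constructed.
        if (!resolveAuthInfo()) {
            System.out.println("Failed to resolve auth info. Exiting...");
            System.exit(1);
        }
    }

    // Prompts on stdin for the userDn and password and stores them on this ContextSource.
    public boolean resolveAuthInfo()
    {
        String myUserDn, myPassword;
        try {
            BufferedReader br = new BufferedReader(
                    new InputStreamReader(System.in));
            System.out.print("userDn: ");
            myUserDn = br.readLine();
            System.out.print("password: ");
            // readLine() echoes the typed password to the terminal.
            myPassword = br.readLine();
        } catch (IOException e) {
            return false;
        }
        super.setUserDn(myUserDn);
        super.setPassword(myPassword);
        return true;
    }
}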
ktm5124 asked Nov 14 '22 03:11


1 Answer

I want to know whether the LDAP application will actually use the userDn/password that I collect at runtime in the authentication.

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ldap.html

It will use the userDn and password that you collect at runtime. Based on how you configure your beans, LDAP authentication will use one of two paths in Spring:

  1. Bind Authentication (using BindAuthenticator)
  2. Password Comparison (using PasswordComparisonAuthenticator)

These authenticators are called within the context of the LdapAuthenticationProvider which can be configured as an authenticator in the security namespace configuration:

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="usernamePasswordUserDetailsService">
        <password-encoder ref="passwordEncoder">
            <salt-source ref="saltSource"/>
        </password-encoder>
    </authentication-provider>
    <authentication-provider ref="ldapAuthenticationProvider"/>
</authentication-manager>

When the UsernamePasswordAuthenticationFilter is invoked (via the /auth/login page):

<http auto-config="true">
    <form-login login-page="/auth/login"
                login-processing-url="/auth/j_security_check"/>
    <logout invalidate-session="true" logout-url="/auth/logout"/>
</http>

a token is created with the username and password. The LdapAuthenticationProvider responds to that token type:

public class LdapAuthenticationProvider implements AuthenticationProvider, MessageSourceAware {

    ...

    public boolean supports(Class<?> authentication) {
        return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
    }
}

And uses the information you stored in the LdapContextSource to do the authentication.

Grant Cermak answered Nov 16 '22 16:11
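The wiring discussed above in programmatic form, as an added example that is not part of the original question or answer and is not Spring's own code. It shows where each set of credentials is used: the userDn/password on the ContextSource belong to the service account used for directory searches, and no bind happens until `authenticate(...)` is called. The LDAP URL, base DN, search base and filter are placeholder assumptions, and the Spring Security LDAP module is assumed to be on the classpath.

```java
import java.io.Console;
import java.util.Arrays;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;

public class LdapBindDemo {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no interactive console to read secrets from");
        }
        // Service ("manager") account: used only to search the directory.
        String managerDn = console.readLine("manager DN: ");
        char[] managerPw = console.readPassword("manager password: "); // not echoed
        // Placeholder URL and base DN (assumptions). Constructing and
        // initialising the ContextSource does not open a connection.
        DefaultSpringSecurityContextSource contextSource =
                new DefaultSpringSecurityContextSource("ldaps://ldap.example.com:636/dc=example,dc=com");
        contextSource.setUserDn(managerDn);
        contextSource.setPassword(new String(managerPw)); // the setter only accepts a String
        Arrays.fill(managerPw, '\0');
        contextSource.afterPropertiesSet(); // validates the settings, still no bind

        // Find the user's entry with the manager account, then bind as that entry.
        BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        authenticator.setUserSearch(
                new FilterBasedLdapUserSearch("ou=people", "(uid={0})", contextSource));
        authenticator.afterPropertiesSet();
        LdapAuthenticationProvider provider = new LdapAuthenticationProvider(authenticator);

        // End-user credentials travel in the token, not in the ContextSource.
        String username = console.readLine("username: ");
        char[] userPw = console.readPassword("password: ");
        try {
            Authentication result = provider.authenticate(
                    new UsernamePasswordAuthenticationToken(username, new String(userPw)));
            System.out.println("authenticated: " + result.getName());
        } finally {
            Arrays.fill(userPw, '\0');
        }
    }
}
```

A failed bind surfaces as an `AuthenticationException` thrown from `provider.authenticate(...)`, which is the point at which the LDAP server is first contacted.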