Pokud je nastavené přihlašování proti LDAP nebo Active Directory, tak

lze omezit přihlašování do aplikace pouze na uživatele (z AD nebo LDAP),
ktří jsou členy nastavené skupiny.

src/main/java/info/bukova/isspst/services/users/AdUserCtxMapper.java

@@ -26,6 +26,7 @@ public class AdUserCtxMapper implements UserDetailsContextMapper {
 	
 	private UserService userService;
 	private RoleService roleService;
+	private String allowedGroup;
 	
 	private final static Logger logger = LoggerFactory.getLogger(AdUserCtxMapper.class);
 	
@@ -43,7 +44,7 @@ public class AdUserCtxMapper implements UserDetailsContextMapper {
 			return user;
 		} catch (UsernameNotFoundException e) {
 			logger.info("Importing user from Active Directory");
-			LdapUserImporter importer = new LdapUserImporter(userService);
+			LdapUserImporter importer = new LdapUserImporter(userService, allowedGroup);
 			importer.importUser(username, userData, roleService.getRoleByAuthority(Constants.ROLE_USER));
 			
 			return userService.loadUserByUsername(username);
@@ -56,4 +57,8 @@ public class AdUserCtxMapper implements UserDetailsContextMapper {
                 "use a subclass if mapUserToContext() is required.");
 	}
 
+	public void setAllowedGroup(String allowedGroup) {
+		this.allowedGroup = allowedGroup;
+	}
+
 }

src/main/java/info/bukova/isspst/services/users/LdapUserImporter.java

@@ -9,6 +9,7 @@ import javax.naming.NamingException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 
 /**
  * Pomocná třída pro import uživatele z LDAP serveru (nebo Active Directory) do databáze aplikace
@@ -19,12 +20,18 @@ import org.springframework.ldap.core.DirContextOperations;
 public class LdapUserImporter {
 	
 	private UserService userService;
+	private String allowedGroup;
 	private final static Logger logger = LoggerFactory.getLogger(LdapUserImporter.class);
 	
 	public LdapUserImporter(UserService userService) {
 		this.userService = userService;
 	}
 	
+	public LdapUserImporter(UserService userService, String group) {
+		this.userService = userService;
+		this.allowedGroup = group;
+	}
+	
 	/**
 	 * Provede import uživatele z LDAP do aplikační databáze
 	 * 
@@ -37,6 +44,21 @@ public class LdapUserImporter {
 		user.setUsername(login);
 		user.addAuthority(defaultRole);
 		
+		if (allowedGroup != null && !allowedGroup.isEmpty()) {
+			boolean isAllowed = false;
+			
+			for (Object atr : userData.getObjectAttributes("memberOf")) {
+				if (atr.toString().startsWith("CN="+allowedGroup)) {
+					isAllowed = true;
+					break;
+				}
+			}
+			
+			if (!isAllowed) {
+				throw new UsernameNotFoundException("User is not member of group '" + allowedGroup + "'");
+			}
+		}
+		
 		if (userData.attributeExists("givenName")) {
 			try {
 				user.setFirstName(userData.getAttributes().get("givenName").get().toString());

src/main/webapp/WEB-INF/ad.properties

@@ -1,2 +1,3 @@
 ad.domain=bukova.net
-ad.ldapUrl=ldap://192.168.25.110/
+ad.ldapUrl=ldap://192.168.25.110/
+ad.allowedGroup=ucitele

src/main/webapp/WEB-INF/spring/ad-auth.xml

@@ -18,6 +18,7 @@
 	<bean id="adUserMapper" class="info.bukova.isspst.services.users.AdUserCtxMapper">
 		<constructor-arg name="userService" ref="userService"/>
 		<constructor-arg name="roleService" ref="roleService"/>
+		<property name="allowedGroup" value="${ad.allowedGroup}"/>
 	</bean>
 
 </beans>