LDAP role names and permissions in mh_default_org.xml

Steps to reproduce

We reported this on the opencast mailing list, but Chris Brooks asked me to post the issue in Jira, with our solution for review and consideration to be added to the 1.2.x branch.

The problem we reported on the mailing list:
We're setting up our LDAP to work with MH, but I've discovered what looks to be a problem when setting permissions in mh_default_org.xml for access based on our LDAP roles.

For example, instead of

<sec:intercept-url pattern='/info/me.json' method="GET" access='ROLE_ANONYMOUS, ROLE_USER' />

We'd like to use

<sec:intercept-url pattern='/info/me.json' method="GET" access='ROLE_ANONYMOUS, ROLE_CN=UOFS_STAFF,OU=ANCILLARYGROUPS,OU=GROUPS,DC=USASK,DC=CA' />

Because USER isn't a role in our LDAP.

However, when I set this in the configuration, I get this error:

13:38:09 ERROR (SpringSecurityConfigurationArtifactInstaller:121) - Unable to refresh spring security configuration file /opt/matterhorn/felix/conf/security/mh_default_org.xml: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [DC=CA, OU=ANCILLARYGROUPS, DC=USASK, OU=GROUPS]

When going to localhost:8080 in the browser, I don't get the CAS log in screen, but a 403 Forbidden error.

The role name displayed in /info/me.json is ROLE_CN=UOFS_STAFF,OU=ANCILLARYGROUPS,OU=GROUPS,DC=USASK,DC=CA

Josh Holtzman recommended on the mailing list we replace = with _ in the role name in LdapUserProvider, which we did in the loadUserFromLdap method. We also replaced , with _ as well.


for(GrantedAuthority authority: authorities) {
roles[i++] = authority.getAuthority();


for (GrantedAuthority authority : authorities) {
String role = authority.getAuthority();
role = role.replaceAll("=", "_");
role = role.replaceAll(",", "_");
roles[i++] = role;




Collene Hansen


Incorrectly Functioning With Workaround

Tags (folksonomy)


Fix versions

Affects versions