...
The instructions below describe how to implement nested roles or groups by describing the nesting structure (the child-to-parent mapping) outside of the LDAP directory. Why describe the nesting (i.e., which role is an occupant of which other role) outside of the LDAP directory? Because it is potentially prohibitive to repeatedly query the directory to recursively find all parents of a given child role. So, for performance reasons, the nesting is described outside of the LDAP directory. The
Note: For 2.x, you need to use the two classes (NestedLdapAuthoritiesPopulator and ExtraRoles)
...
attached to this page. For 3.x, the classes are included in the distribution.
Describing the Nesting
Notice the populator is no longer DefaultLdapAuthoritiesPopulator. Instead, we've defined NestedLdapAuthoritiesPopulator which subclasses DefaultLdapAuthoritiesPopulator and adds a mapping for extra roles. In the extraRolesMapping, the keys are child roles and the values are parent roles.
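The following is an added example, not the NestedLdapAuthoritiesPopulator code from this page or from the distribution: it shows how a child-to-parent mapping can be expanded in memory after a single directory lookup, including the case where the mapping contains a cycle. The class name, the role names, and the choice to allow several parents per child are assumptions made for illustration.

```java
import java.util.ArrayDeque;
import java.util.Collection;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class NestedRoleExpansion {

    // Constructed sample mapping: key = child role, value = its direct parent roles.
    // Assumption: a child may have more than one parent.
    static final Map<String, Set<String>> EXTRA_ROLES = Map.of(
        "ROLE_DEV", Set.of("ROLE_ENGINEERING"),
        "ROLE_ENGINEERING", Set.of("ROLE_STAFF"),
        "ROLE_STAFF", Set.of("ROLE_ENGINEERING")); // deliberate misconfiguration: a cycle

    /** Returns the directly granted roles plus every ancestor reachable through the mapping. */
    static Set<String> expand(Collection<String> direct,
                              Map<String, Set<String>> childToParents) {
        Set<String> granted = new LinkedHashSet<>(direct);
        Deque<String> pending = new ArrayDeque<>(direct);
        while (!pending.isEmpty()) {
            String child = pending.pop();
            for (String parent : childToParents.getOrDefault(child, Set.of())) {
                // add() returns false for a role already granted, so each role is
                // queued at most once and a cycle in the mapping cannot loop forever.
                if (granted.add(parent)) {
                    pending.push(parent);
                }
            }
        }
        return granted;
    }

    public static void main(String[] args) {
        // Roles as returned by one directory search for the user (constructed values).
        System.out.println(expand(List.of("ROLE_DEV"), EXTRA_ROLES));
        // A role that is not a key in the mapping gains no parents.
        System.out.println(expand(List.of("ROLE_GUEST"), EXTRA_ROLES));
    }
}
```

Because every parent is granted transitively, adding one entry to the mapping can widen access for all roles below it, so changes to the mapping deserve the same review as changes to group membership in the directory.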
...