Spring的ActiveDirectoryLdapAuthenticationProvider类是final，所以我唯一的真实的选择（如果有人愿意的话，我会考虑更好的选择）是fork这个类。我复制并粘贴了它的内容，稍微重构了一下，并删除了final名称。然后，我创建了forked类的一个单独的子类，覆盖了loadUserAuthorities()方法，并添加了自己的代码来构建权限掩码。
然后，我可以编辑我的ldap.xml文件，如下所示：

<bean id="ldapAuthenticationProvider"
            class="my.project.package.OverrideActiveDirectoryLdapAuthenticationProvider">   
        <constructor-arg value="test.server"/>
        <constructor-arg value="ldap://192.168.0.2:389"/>
        <property name="convertSubErrorCodesToExceptions" value="true"/>
</bean>

字符串
对于像我这样的任何其他n00b，子类看起来像这样：

public class OverrideActiveDirectoryLdapAuthenticationProvider extends TestActiveDirectoryLdapAuthenticationProvider {

//my assignments

public OverrideActiveDirectoryLdapAuthenticationProvider(String domain,
        String url) {
    super(domain, url);
}

@Override
protected Collection<? extends GrantedAuthority> loadUserAuthorities(DirContextOperations userData, String username, String password) {
//original code with my own additions
//in my case, I injected code into the for(group : groups) loop
}

型
效果很好。
非常感谢zagyi的帮助。

由于类ActiveDirectoryLdapAuthenticationProvider是final的，不能扩展，所以我编写了自己的AuthenticationProvider类，它接受ActiveDirectoryLdapAuthenticationProvider作为参数，并将其用作实际的身份验证。身份验证后，我将现有权限Map到我自己的权限。
AuthenticationProvider类：

public class AuthorityMappingActiveDirectoryLdapAuthenticationProvider implements AuthenticationProvider {

    private final ActiveDirectoryLdapAuthenticationProvider provider;

    private Function<Collection<? extends GrantedAuthority>, Collection<? extends GrantedAuthority>> authorityMapper;

    public AuthorityMappingActiveDirectoryLdapAuthenticationProvider(ActiveDirectoryLdapAuthenticationProvider provider) {
        this(provider, null);
    }

    public AuthorityMappingActiveDirectoryLdapAuthenticationProvider(ActiveDirectoryLdapAuthenticationProvider provider,
        Function<Collection<? extends GrantedAuthority>, Collection<? extends GrantedAuthority>> authorityMapper) {
        this.provider = provider;
        this.authorityMapper = authorityMapper;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Authentication auth = provider.authenticate(authentication);
        if (authorityMapper == null) {
            return auth;
        }
        Collection<? extends GrantedAuthority> authorities = authorityMapper.apply(auth.getAuthorities());
        return UsernamePasswordAuthenticationToken.authenticated(auth.getPrincipal(), auth.getCredentials(), authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return provider.supports(authentication);
    }
}

字符串
使用情况

@Bean
public AuthenticationProvider ldapAuthenticationProvider() {
    return new AuthorityMappingActiveDirectoryLdapAuthenticationProvider(
        new ActiveDirectoryLdapAuthenticationProvider(domain, ldapUrl, rootDn), authorities -> {
        List<GrantedAuthority> mappedAuthorities = new ArrayList<>();
        mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        if (mappedAuthorities.stream()
            .map(a -> a.getAuthority())
            .filter(a -> a.startsWith("SUDO_USERS"))
            .count() > 0) {
            mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
        }
        return mappedAuthorities;
    });
}

型