All geek questions in one place

Spring Security with LDAP and Database Roles

In our new insurance project, I am trying to implement spring-security with the Ldap active-directory .

I want to just check the username / password on AD as soon as the user finds it in AD. I want to allow him from the table of users (authorized users) with access levels in the database. Can anyone give a sample / point me to a good resource.

+4
source share
2 answers

The easiest way to achieve this now (Spring Security 3.2.5.RELEASE) is to implement a custom LdapAuthoritiesPopulator , which uses a custom JdbcDaoImpl to obtain privileges from the database.

code

Assuming that you are using the default database schema , and that you are using the same username for authentication in LDAP and as a foreign key in authorities , you only need this:

 package demo; import java.sql.ResultSet; import java.sql.SQLException; import java.util.Collection; import java.util.List; import org.springframework.jdbc.core.RowMapper; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl; import org.springframework.ldap.core.DirContextOperations; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator; /* * You need to extend JdbcDaoImpl to expose the protected method loadUserAuthorities. */ public class CustomJdbcUserDetailsService extends JdbcDaoImpl { @Override public List<GrantedAuthority> loadUserAuthorities(String username) { return super.loadUserAuthorities(username); } } /* * Then, the only thing your populator needs to do is use the custom UserDetailsService above. */ public class CustomLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator { private static final Logger LOGGER = LoggerFactory.getLogger(CustomLdapAuthoritiesPopulator.class); private CustomJdbcUserDetailsService service; public CustomLdapAuthoritiesPopulator(CustomJdbcUserDetailsService service) { this.service = service; } public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations user, String username) { return service.loadUserAuthorities(username); } }

The only thing left now is to configure the LDAP authentication provider to use CustomLdapAuthoritiesPopulator .

Java configuration

In the @Configuration annotated subclass of GlobalMethodSecurityConfiguration or WebSecurityConfigurerAdapter (depending on your case) add the following:

 @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { /* other authentication configurations you might have */ /* * This assumes that the dataSource configuring * the connection to the database has been Autowired * into this bean. * * Adapt according to your specific case. */ CustomJdbcUserDetailsService customJdbcUserDetailsService = new CustomJdbcUserDetailsService(); customJdbcUserDetailsService.setDataSource(dataSource); CustomLdapAuthoritiesPopulator customLdapAuthoritiesPopulator = new CustomLdapAuthoritiesPopulator(customJdbcUserDetailsService); auth.ldapAuthentication().ldapAuthoritiesPopulator(customLdapAuthoritiesPopulator)/* other LDAP configurations you might have */; /* yet more authentication configurations you might have */ }

See https://github.com/pfac/howto-spring-security for a working example.

XML configuration

Disclaimer I worked exclusively with the Java configuration, so be careful to leak, there may be some errors.

Unlike other LDAP authentication configurations, there seem to be no pretty XML tags to configure LdapAuthoritiesPopulator . Therefore, this must be done manually. Assuming the bean contextSource LDAP server connection configuration is defined, add the following to the Spring XML configuration:

 <beans:bean id="customJdbcUserDetailsService" class="demo.CustomJdbcUserDetailsService" /> <beans:bean id="customLdapAuthoritiesPopulator" class="demo.CustomLdapAuthoritiesPopulator"> <beans:constructor-arg ref="customJdbcUserDetailsService" /> </beans:bean> <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> <beans:constructor-arg> <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator"> <beans:constructor-arg ref="contextSource" /> <!-- other configurations you might need --> </beans:bean> </beans:constructor-arg> <beans:constructor-arg ref="customLdapAuthoritiesPopulator" /> </beans:bean> <security:authentication-manager> <security:authentication-provider ref="ldapAuthProvider" /> </security:authentication-manager>

Source: http://spapas.imtqy.com/2013/10/14/spring-ldap-custom-authorities/#spring-security-ldap-with-custom-authorities

+3
source

You will most likely have to execute a custom UserDetailsServer , as you are authenticating through LDAP, but getting roles through a DB request. UserDetailsService is an interface. You would implement the interface and then add your own implementation to the Spring security configuration by doing something like:

 <beans:bean id="userDetailsService" class="com.app.MyUserDetailsServiceImpl" /> <authentication-manager> <authentication-provider user-service-ref="userDetailsService"> <password-encoder hash="plaintext" /> </authentication-provider> </authentication-manager>

In loadUserByUsername (), you must create a UserDetails by setting the username, password and "permissions" of the role.

This blog article provides an example of how to do this using a database that you must adapt to your requirements.

+1
source

Source: https://habr.com/ru/post/1482218/

More articles:


All Articles