Spring 3 Part 9: Spring Security LDAP integration

The expectation of this blog is to enable developer to start LDAP integration quickly and easily with Spring Security. I have used ApacheDS which is embedded in the Apache Studio. Here the steps:
  1. The DN dc=example,dc=com is a example domain controller you can easily follow the documentation.
  2. Here the ldif document 

        #[1] create domain (distinguished name)
        dn: dc=example,dc=com
        objectclass: top
        objectclass: domain
        dc: example

        #[2] create people organizational unit
        dn: ou=people,dc=example,dc=com
        objectClass: organizationalUnit
        objectClass: top
        ou: people

        #[3] create a user 
        dn: uid=ojitha,ou=people,dc=example,dc=com
        objectClass: organizationalPerson
        objectClass: person
        objectClass: inetOrgPerson
        objectClass: top
        cn: Ojitha Hewa
        sn: Hewa
        uid: ojitha

        #[4] create group
        dn: ou=groups,dc=example,dc=com
        objectClass: organizationalUnit
        objectClass: top
        ou: groups

        #[5] add the user to User group
        dn: cn=User,ou=groups,dc=example,dc=com
        objectClass: groupOfUniqueNames
        objectClass: top
        cn: User
        uniqueMember: uid=ojitha,ou=people,dc=example,dc=com
as above document shows
1.  create the example distinguished name: `dc=example,dc=com`
2.  create the group `people` under the distinguished name
3.  create an `intOrgPerson` user, in this case I created one with my name for example
4.  Now you have to add this user to the `User` group in the in the `group` as shown in the above idlf.
5.  create a `User` group and add the `uid=ojitha` user to that group.

After import the above LDAP definition from a ldif file, don't forget to add ther userPassword to the user `ojitha` .
  1. need to import the above ldif document to the apacheds studio.
Now the interesting part. Here is the security configuration of the project you can download from the GitHub. 
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd">

       <security:http auto-config="true">
              <security:intercept-url pattern="/hello/**" access="ROLE_USER"/>
       </security:http>

       <!--security:authentication-manager>
              <security:authentication-provider>
                     <security:user-service>
                            <security:user name="ojitha" password="test" authorities="ROLE_USER, ROLE_ADMIN" />
                            <security:user name="bob" password="bobspassword" authorities="ROLE_USER" />
                     </security:user-service>
              </security:authentication-provider>
       </security:authentication-manager-->

       <security:authentication-manager>
              <security:ldap-authentication-provider user-dn-pattern="uid={0},ou=people" server-ref="ldapServer" />
       </security:authentication-manager>

       <security:ldap-server id="ldapServer" url="ldap://localhost:10389/dc=example,dc=com"/>

</beans>
As shown in the above security-config.xml, The commented code shows the standard memory based user service and which has been replaced by the LDAP configuration. The most important information is written in the last line wth the ldap server information.
Browse with the url http://localhost:8080/spring3part14/hello which will direct you the page title Login Page with the heading Login with Username and Password which is not part of this project. You have to enter the User (that is ojitha) and the password you have given under the userPassword (in this case test) and press the Login button. You must be redirected to the hello.jsp which is under the WEB-INF/jsp/hello.jsp.
<%--
  Created by IntelliJ IDEA.
  User: ojitha
  Date: 7/05/2016
  Time: 6:05 PM
  To change this template use File | Settings | File Templates.
--%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title></title>
</head>
<body>
  Hello Ojitha
</body>
</html>
the location of the JPS has been configured in the follow dispatcher-servlet.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

       <context:component-scan base-package="au.com.blogspot.ojitha.part14.controller"/>

    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="WEB-INF/jsp/"/>
        <property name="suffix" value=".jsp"/>
    </bean>
</beans>
The hello.jsp is called by the controller
package au.com.blogspot.ojitha.part14.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

/**
 * Created by ojitha on 7/05/2016.
 */
@Controller
public class HelloController {
    @RequestMapping(value = "/hello", method = RequestMethod.GET)
    public String sayHello(){
        return "hello";
    }
}
When user browse the http://localhost:8080/spring3part14/hello, request will be directed to this controller an the sayHello because controller is already mapped in the dipatcher-servlet.xml.
But before reach to the sayHello method …
These resources are protected in the security-config.xml file. Before rich to this method, LDAP security was injected via filter as shown in the web.xml file:
<!DOCTYPE web-app PUBLIC
        "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
  <display-name>Archetype Created Web Application</display-name>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/security-config.xml
            /WEB-INF/applicationContext.xml
            /WEB-INF/dispatcher-servlet.xml
        </param-value>
    </context-param>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>
This is the simplest example so far I have created on LDAP. I found OpenDJ is another good LDAP server to play.
Here the pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

  <modelVersion>4.0.0</modelVersion>

  <groupId>au.com.blogspot.ojitha</groupId>
  <artifactId>spring3part14</artifactId>
  <packaging>war</packaging>
  <version>1.0-SNAPSHOT</version>
  <name>spring3part14 Maven Webapp</name>
  <url>http://maven.apache.org</url>

  <properties>
    <spring.version>3.2.9.RELEASE</spring.version>
    <jdk.version>1.6</jdk.version>
  </properties>

  <dependencies>

    <!-- Spring -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
      <version>${spring.version}</version>
    </dependency>

    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>

    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>${spring.version}</version>
    </dependency>

    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>${spring.version}</version>
    </dependency>

    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>${spring.version}</version>
    </dependency>

    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-web</artifactId>
      <version>${spring.version}</version>
    </dependency>

    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-ldap</artifactId>
      <version>${spring.version}</version>
    </dependency>

    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-test</artifactId>
      <version>${spring.version}</version>
    </dependency>

    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
  <build>
    <finalName>spring3part14</finalName>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.0</version>
        <configuration>
          <source>${jdk.version}</source>
          <target>${jdk.version}</target>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
Windows Active Directory configuration is different. The spring security configuration is different as follows:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

       <context:property-placeholder location="classpath*:ldap.properties"/>

       <security:http auto-config="true" >
            <security:intercept-url pattern="/hello/**" access="ROLE_USER"/>
       </security:http>


       <security:authentication-manager>
           <security:authentication-provider ref="adAuthenticationProvider"/>
       </security:authentication-manager>


       <!-- This configuration only for the active directory, for LDAP follow the above commented configuration-->
       <bean id="adAuthenticationProvider"
             class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
              <constructor-arg value="${ad.server.domain}"/>
              <constructor-arg value="${ldap.server.url}"/>
           <property name="authoritiesMapper" ref="GAMapper"/>
           <property name="searchFilter" value="${ad.search.filter}"/>
           <property name="convertSubErrorCodesToExceptions" value="true"/>
           <property name="useAuthenticationRequestCredentials" value="true"/>

       </bean>

       <bean id="GAMapper" class="au.com.blogspot.ojitha...DGAMapper">
           <property name="userGroups" value="${ad.wssuite.group}"/>
       </bean>
May be most interesting property is searchFilter which is available since Spring 3.2.9+. The default is always (&(objectClass=user)(userPrincipalName={0})) but the problem is if your principal name is not ending with the domain, search will be failed. For example, my principle name is such as ojithak@gmail.com which is then never find because domain is incompatibility. But as shown in the following properties file if extensionAttrib = ojithak@ad.ojitha.blogspot.com.auin the AD, then search will be successful because domain ad.ojitha.blogspot.com.au is compatible. Now you have to login with the username ojithak.
    ldap.server.url=ldap://12.25.192.246:389
    ad.server.domain=ad.ojitha.blogspot.com.au
    ad.search.filter=(&(objectClass=user)(extensionAttrib={0}))
    ad.wssuite.group=auth_users
Here the DGMapper for authorites
    public class IDGAMapper implements GrantedAuthoritiesMapper {

    final Logger logger = LoggerFactory.getLogger(IDGAMapper.class);
    private String userGroup;


    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> roles = new HashSet<GrantedAuthority>();
        if (authorities.contains(new SimpleGrantedAuthority(this.userGroup)) ){
            roles.add(UserRoels.ROLE_USER);
            logger.debug("user is successfully authorized.");
        } else logger.warn("User is unauthorized");

        return roles;
    }

    public String getUserGroup() {
        return this.userGroup;
    }

    public void setUserGroups(String userGroup) {
        this.userGroup = userGroup;
    }
}
And
    public enum UserRoels implements GrantedAuthority {

    ROLE_USER; // read only role.

    @Override
    public String getAuthority() {
        return name();
    }
}
Download from the GitHub.

Comments

Post a Comment

commented your blog

Popular posts from this blog

How To: GitHub projects in Spring Tool Suite

Image
The first step is sign up in the GitHub and create a  new project. For example I’ve created a new project Spring3part7 in the GitHub. Before add the projects you need to configure STS for GitHub access. For example, you need to add configuration as shown in the following picture Git local repository also important Now you are ready to pull the project from the GitHub, in the STS import menu select the following Now type the project name and click the ‘Search’ as shown in the following. However, when you select the found project click ‘Finish’ nothing will change in the STS interface. Now you are going to create real project. Here I am going to create simple utility project. This template project need to be created inside the imported GitHub project You have to give the same project name of the GitHub project as shown in the following project Now your project is ready to push. Before that you need to add ignore flag to all the folders and files except pom.xm
Continue »

Spring 3 Part 7: Spring with Databases

Image
This is the 7 th part of the Spring 3 Series . Create MySQL 5.6 database ‘payroll’, CREATE DATABASE payroll; Next create a user for example, user ‘ojitha’ CREATE USER 'ojitha'@'localhost' IDENTIFIED BY 'ojitha'; Need to grant the ‘payroll’ access to user ‘ojitha’ as shown in the following. GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON payroll.* TO 'ojitha'@'localhost'; You can download freeware of TOAD for MySQL from here . Let create a first table, that contains all the states in Australia. You can create a table using visually using the icon given directly below the Tables tab in the Object Explorer as shown in the above diagram. CREATE TABLE payroll.STATE ( CODE CHAR(3) ASCII COMMENT 'State code', STATE VARCHAR(30), PRIMARY KEY (CODE) ) ENGINE = InnoDB COMMENT = 'Australian states' ROW_FORMAT = DEFAULT; In the my sql console you can the newly added table using the following command SHOW
Continue »

Parse the namespace based XML using Python

In this blog, I am considering how to parser and modify the xml file using python. For example, I need to parser the following xml 1 (slightly modified for this blog) and need to write the modified xml to out.xml file. Here the country.xml <?xml version="1.0"?> <actors xmlns:fictional="http://characters.example.com" xmlns="http://people.example.com"> <actor type='T1'> <name>John Cleese</name> <fictional:character>Lancelot</fictional:character> <fictional:character>Archie Leach</fictional:character> </actor> <actor type='T2'> <name>Eric Idle</name> <fictional:character>Sir Robin</fictional:character> <fictional:character>Gunther</fictional:character> <fictional:character>Commander Clement</fictional:character> </actor> </actors> In
Continue »