Announcement Announcement Module
Collapse
No announcement yet.
TLS and setupAuthenticatedEnvironment Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • TLS and setupAuthenticatedEnvironment

    I am trying to connect to Active Directory over TLS. I have two questions:

    Is there a way to start (and stop) TLS through LdapTemplate?

    Under the AbstractContextSource class, can someone elaborate on the setupAuthenticatedEnvironment method and how it is used with Active Directory?

  • #2
    I'm afraid there is currently no way out of the box to handle TLS connections. I guess it would be possible to initiate TLS by subclassing ContextSource; the problem is the originial Context instance which will be lost when returning the new one to LdapTemplate.

    I guess you could do it using a custom ContextExecutor or SearchExecutor, but that way you'll need to do most of the work yourself so not very much will be gained.

    It's quite possible that support for TLS will be included in a future release. We have been discussing it, so it all basically depends on the demand.

    Comment


    • #3
      What do you want to do with TLS ?
      I'm using LdapTemplate to connect to Active Directory successfully using global SSL connections, all you have to do is to specify 'ldaps' in your URL.

      Everything works good if your server certificate is approved by the JVM.

      Comment


      • #4
        How I added TLS to LdapTemplate

        Hi, to add TLS I just created a subclass of LdapContextSource as follows. Maybe this could be integerated into Spring?

        Regards
        Ben Surgison

        Code below:

        package uk.co.ezsight.ldapdao;

        import java.io.IOException;
        import java.security.KeyStore;
        import java.util.Hashtable;

        import javax.naming.NamingException;
        import javax.naming.directory.DirContext;
        import javax.naming.ldap.LdapContext;
        import javax.naming.ldap.StartTlsRequest;
        import javax.naming.ldap.StartTlsResponse;

        import org.apache.commons.logging.Log;
        import org.apache.commons.logging.LogFactory;
        import org.springframework.ldap.support.LdapContextSource ;

        /**
        * ContextSource implementation which overrides setupAuthenticatedEnvironment to
        * allow keystore authentication.
        *
        * @author Ben Surgison
        *
        */
        public class MyLdapContextSource extends LdapContextSource {

        private static final Log log = LogFactory.getLog(MyLdapContextSource.class);

        private static final String KEYSTORE = "javax.net.ssl.keyStore";
        private static final String KEYSTORETYPE = "javax.net.ssl.keyStoreType";
        private static final String KEYSTOREPASSWORD = "javax.net.ssl.keyStorePassword";
        private static final String TRUSTSTORE = "javax.net.ssl.trustStore";
        private static final String TRUSTSTORETYPE = "javax.net.ssl.trustStoreType";
        private static final String TRUSTSTOREPASSWORD = "javax.net.ssl.trustStorePassword";

        private String keyStore;
        private String keyStoreType;
        private String keyStorePassword;
        private String trustStore;
        private String trustStoreType;
        private String trustStorePassword;

        /**
        * Overridden implementation to allow TLS to be started
        */
        public DirContext getReadOnlyContext() {
        LdapContext ctx = (LdapContext) super.getReadOnlyContext();

        // only start tls if keyStore has been set.
        if(this.keyStore==null&&this.keyStore.length()>0){
        // Start TLS
        StartTlsResponse tls;
        try {
        tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate();
        } catch (NamingException ne) {
        log.error(ne.getLocalizedMessage(),ne);
        } catch (IOException ioe) {
        log.error(ioe.getLocalizedMessage(),ioe);
        }
        }
        return ctx;
        }

        /**
        * Overridden implementation of setting the environment up to be authenticated.
        * This allows a keyStore certificate to be used for SASL security.
        *
        * @param env
        * the environment to modify.
        */
        @SuppressWarnings("unchecked")
        protected void setupAuthenticatedEnvironment(Hashtable env) {

        // revert to original if keyStore hasn't been set.
        if(this.keyStore==null&&this.keyStore.length()>0){
        super.setupAuthenticatedEnvironment(env);
        return;
        }

        // Setup keyStore system properties.
        System.setProperty(KEYSTORE, getMyQualifiedName(this.keyStore));
        System.setProperty(KEYSTOREPASSWORD, this.keyStorePassword);
        System.setProperty(KEYSTORETYPE, getMyKeyStoreType(this.keyStoreType));

        // Setup trustStore system properties.
        System.setProperty(TRUSTSTORE, getMyQualifiedName(this.trustStore));
        System.setProperty(TRUSTSTOREPASSWORD, this.trustStorePassword);
        System.setProperty(TRUSTSTORETYPE, getMyKeyStoreType(this.trustStoreType));
        }

        private String getMyKeyStoreType(String keyStoreType) {
        if(keyStoreType!=null&&keyStoreType.length()>0){
        return keyStoreType;
        }
        return KeyStore.getDefaultType();
        }

        private String getMyQualifiedName(String filename) {
        String qualifiedName = null;
        if(filename.indexOf("/")>-1||filename.indexOf("\\")>-1){
        qualifiedName = filename; // use full name as entered
        }
        else{
        try{
        ClassLoader classLoader = ClassLoader.getSystemClassLoader();
        qualifiedName = classLoader.getResource(filename).toExternalForm() ; // get full name from classpath
        qualifiedName = qualifiedName.substring(6);
        }
        catch(Exception e){
        log.error("Missing file: " + filename,e);
        }
        }
        return qualifiedName;
        }

        /**
        * @param keyStore the keyStore to set
        */
        public void setKeyStore(String keyStore) {
        this.keyStore = keyStore;
        }

        /**
        * @param keyStorePassword the keyStorePassword to set
        */
        public void setKeyStorePassword(String passPhrase) {
        this.keyStorePassword = passPhrase;
        }

        /**
        * @param keyStoreType the keyStoreType to set
        */
        public void setKeyStoreType(String keyStoreType) {
        this.keyStoreType = keyStoreType;
        }

        /**
        * @param trustStore the trustStore to set
        */
        public void setTrustStore(String trustStore) {
        this.trustStore = trustStore;
        }

        /**
        * @param trustStorePassword the trustStorePassword to set
        */
        public void setTrustStorePassword(String trustStorePassword) {
        this.trustStorePassword = trustStorePassword;
        }

        /**
        * @param trustStoreType the trustStoreType to set
        */
        public void setTrustStoreType(String trustStoreType) {
        this.trustStoreType = trustStoreType;
        }

        }
        Last edited by RBS; Oct 18th, 2006, 07:37 AM.

        Comment


        • #5
          Ben,
          Good to see some code. There's a Jira issue on adding support for TLS connections to Spring LDAP. If you would attach your code there, preferrably with corresponding junit test code, we'll take it into account when starting to work on this issue.
          Cheers!

          Comment


          • #7
            You can sign up for an account directly on the site. Just click 'Log in' and then 'Signup' and you should be on your way.

            Comment


            • #8
              Thanks very much Ben. This code got things working for me.

              Just wanted to point out that I think there might have been a couple of small errors in your code, around the...

              Code:
              if(this.keyStore == null && this.keyStore.length() > 0)
              ...statements. Have put fixed version below.


              Code:
              package uk.co.ezsight.ldapdao;
              
              import java.io.IOException;
              import java.security.KeyStore;
              import java.util.Hashtable;
              
              import javax.naming.NamingException;
              import javax.naming.directory.DirContext;
              import javax.naming.ldap.LdapContext;
              import javax.naming.ldap.StartTlsRequest;
              import javax.naming.ldap.StartTlsResponse;
              
              import org.apache.commons.logging.Log;
              import org.apache.commons.logging.LogFactory;
              import org.springframework.ldap.support.LdapContextSource ;
              
              /**
              * ContextSource implementation which overrides setupAuthenticatedEnvironment to
              * allow keystore authentication.
              *
              * @author Ben Surgison
              *
              */
              public class MyLdapContextSource extends LdapContextSource {
                  private static final Log log = LogFactory.getLog(SSLLdapContextSource.class);
              
                  private static final String KEYSTORE = "javax.net.ssl.keyStore";
                  private static final String KEYSTORETYPE = "javax.net.ssl.keyStoreType";
                  private static final String KEYSTOREPASSWORD = "javax.net.ssl.keyStorePassword";
                  private static final String TRUSTSTORE = "javax.net.ssl.trustStore";
                  private static final String TRUSTSTORETYPE = "javax.net.ssl.trustStoreType";
                  private static final String TRUSTSTOREPASSWORD = "javax.net.ssl.trustStorePassword";
              
                  private String keyStore;
                  private String keyStoreType;
                  private String keyStorePassword;
                  private String trustStore;
                  private String trustStoreType;
                  private String trustStorePassword;
              
                  /**
                   * Overridden implementation to allow TLS to be started
                   */
                  public DirContext getReadOnlyContext() {
                      LdapContext ctx = (LdapContext) super.getReadOnlyContext();
              
                      // only start tls if keyStore has been set.
                      if (this.keyStore != null && this.keyStore.length() > 0) {
                          // Start TLS
                          StartTlsResponse tls;
                          try {
                              tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
                              tls.negotiate();
                          } catch (NamingException ne) {
                              log.error(ne.getLocalizedMessage(), ne);
                          } catch (IOException ioe) {
                              log.error(ioe.getLocalizedMessage(), ioe);
                          }
                      }
                      return ctx;
                  }
              
                  /**
                   * Overridden implementation of setting the environment up to be authenticated. This allows a keyStore certificate
                   * to be used for SASL security.
                   * 
                   * @param env
                   *            the environment to modify.
                   */
                  @SuppressWarnings("unchecked")
                  protected void setupAuthenticatedEnvironment(Hashtable env) {
                      super.setupAuthenticatedEnvironment(env);
                      
                      // revert to original if keyStore hasn't been set.
                      if (this.keyStore == null || this.keyStore.length() == 0) {
                          return;
                      }
              
                      // Setup keyStore system properties.
                      System.setProperty(KEYSTORE, getMyQualifiedName(this.keyStore));
                      System.setProperty(KEYSTOREPASSWORD, this.keyStorePassword);
                      System.setProperty(KEYSTORETYPE, getMyKeyStoreType(this.keyStoreType));
              
                      // Setup trustStore system properties.
                      System.setProperty(TRUSTSTORE, getMyQualifiedName(this.trustStore));
                      System.setProperty(TRUSTSTOREPASSWORD, this.trustStorePassword);
                      System.setProperty(TRUSTSTORETYPE, getMyKeyStoreType(this.trustStoreType));
                  }
              
                  private String getMyKeyStoreType(String keyStoreType) {
                      if (keyStoreType != null && keyStoreType.length() > 0) {
                          return keyStoreType;
                      }
                      return KeyStore.getDefaultType();
                  }
              
                  private String getMyQualifiedName(String filename) {
                      String qualifiedName = null;
                      if (filename.indexOf("/") > -1 || filename.indexOf("\\") > -1) {
                          qualifiedName = filename; // use full name as entered
                      } else {
                          try {
                              ClassLoader classLoader = ClassLoader.getSystemClassLoader();
                              qualifiedName = classLoader.getResource(filename).toExternalForm(); // get full name from classpath
                              qualifiedName = qualifiedName.substring(6);
                          } catch (Exception e) {
                              log.error("Missing file: " + filename, e);
                          }
                      }
                      return qualifiedName;
                  }
              
                  /**
                   * @param keyStore
                   *            the keyStore to set
                   */
                  public void setKeyStore(String keyStore) {
                      this.keyStore = keyStore;
                  }
              
                  /**
                   * @param keyStorePassword
                   *            the keyStorePassword to set
                   */
                  public void setKeyStorePassword(String passPhrase) {
                      this.keyStorePassword = passPhrase;
                  }
              
                  /**
                   * @param keyStoreType
                   *            the keyStoreType to set
                   */
                  public void setKeyStoreType(String keyStoreType) {
                      this.keyStoreType = keyStoreType;
                  }
              
                  /**
                   * @param trustStore
                   *            the trustStore to set
                   */
                  public void setTrustStore(String trustStore) {
                      this.trustStore = trustStore;
                  }
              
                  /**
                   * @param trustStorePassword
                   *            the trustStorePassword to set
                   */
                  public void setTrustStorePassword(String trustStorePassword) {
                      this.trustStorePassword = trustStorePassword;
                  }
              
                  /**
                   * @param trustStoreType the trustStoreType to set
                   */
                  public void setTrustStoreType(String trustStoreType) {
                      this.trustStoreType = trustStoreType;
                  }
              }

              Comment


              • #9
                Please note that as of Spring LDAP 1.3.0 (Spring LDAP 1.3.0.RC1 is out now) extensions to the context authentication mechanism should be done using a DirContextAuthenticationStrategy rather than from subclassing LdapContextSource. More specifically there are two different implementations for working with TLS connections: DefaultTlsDirContextAuthenticationStrategy and ExternalTlsDirContextAuthenticationStrategy included with the distribution.

                Comment


                • #10
                  Usage of DefaultTlsDirContextAuthenticationStrategy

                  Hi Rasky,

                  Recently i switched to 3.0 and thanks for all your efforts, the code looks much better.
                  Before switching i had customized the contextSource as exemplified in this thread for change password functionality and could set the trust store related information by overriding the setupEnivorment method. It was working fine.
                  How is it possible to achieve the same with DefaultTlsDirContextAuthenticationStrategy as setupEnvironment() is final and the applyAuthentication method is not getting invoked. Result of which i get sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target

                  Please let me know how to pass trustore information using DefaultTlsDirContextAuthenticationStrategy?

                  thanks and regards,
                  Veena

                  Comment


                  • #11
                    I have been using 1.2 version and we finally decided to support TLS since 1.3 now provides a way to do this. We have been using ldaptemplate for all the queries. Here is what I have:

                    final LdapContextSource context = configureContextSource();
                    final SpringSecurityLdapTemplate template =
                    new SpringSecurityLdapTemplate( context );

                    // Active Directory doesn’t transparently handle referrals. This fixes that.
                    template.setIgnorePartialResultException(true);

                    // Searching for classSchema since we expect this to be present as a part of all the LDAP Schemas.
                    // This should help us confirm that the LDAP connection related params are all fine.
                    template.searchForSingleAttributeValues(…..);

                    ——————————-
                    private LdapContextSource configureContextSource() throws DirectoryServiceConfigurationException {

                    MyTlsDirContextAuthenticationStrategy authenticationStrategy =
                    new MyTlsDirContextAuthenticationStrategy();

                    final String url = buildLdapURL();
                    LdapContextSource ctxSrc = new LdapContextSource();
                    ctxSrc.setUrl(url);
                    ctxSrc.setCacheEnvironmentProperties(false);

                    if(!ldapConfig.get(LDAP_USE_ANONYMOUS_BIND).getPre ferenceValueBoolean()) {
                    ctxSrc.setUserDn(ldapConfig.get(LDAP_BIND_DN).getP referenceValue());
                    ctxSrc.setPassword(ldapConfig.get(LDAP_BIND_PASSWO RD).getPreferenceValue());
                    }

                    ctxSrc.setAuthenticationStrategy(authenticationStr ategy);

                    try {
                    ctxSrc.afterPropertiesSet();
                    } catch (final Exception ex) {
                    log.error(ErrorCode.LDAP_INIT_SECURITYCONTEXT_FAIL ED.getCodeString() +
                    ErrorCode.LDAP_INIT_SECURITYCONTEXT_FAILED.getDesc ription(), ex);
                    throw new DirectoryServiceConfigurationException(ErrorCode.L DAP_INIT_SECURITYCONTEXT_FAILED.getDescription(),
                    ErrorCode.LDAP_INIT_SECURITYCONTEXT_FAILED.getCode ());
                    }

                    return ctxSrc;
                    }

                    ——————-

                    MyTlsDirContextAuthenticationStrategy is extended from DefaultTlsDirContextAuthenticationStrategy only to set the system properties for keystore and other related properties.

                    I have a open Ldap server setup to support TLS. Code looks much more clean to me. However, when the template.searchForSingleAttributeValues(…..); is invoked, it complains of TLS already started.

                    I drilled down more and found that,

                    LdapTemplate.search(……) –> AbstractContextSource.getReadOnlyContext() –> AbstractContextSource.getContext(String principal, String credentials) –> authenticationStrategy.processContextAfterCreation (…)

                    will now try to Start TLS again and fails since it is already started and the exception is thrown which results in search failure.

                    I am not seeing a way I can bypass this issue since every operation on the LdapTemplate will try to obtain a ReadOnlyContext and will fail at the same place since TLS is already started. I don’t think this will go away since LdapTemplate is very specific to Spring-ldap.

                    However, please suggest a workaround if possible or other ideas/suggestions.

                    --------------------------------------

                    On a different note, extending the LdapContextSource in 1.2 to support TLS worked fine in the first instance of starting TLS. However, subsequent changes to the properties or removing the keystore has no effect on the context that was established in the first attempt.

                    Seems to me like something is being cached. I tried removing pooling and not caching environment properties, but the issue doesn’t seem to go away. On restarting my server, the issue gets resolved and the new context I obtain behaves as expected.

                    Can’t seem to understand what may be going wrong. Suggestions are welcome.

                    Comment


                    • #12
                      TLS and setupAuthenticatedEnvironment (spring 3.0)

                      Hi Shanka,

                      We shouldn't be sub classing the DefaultTlsDirContextAuthenticationStrategy but add it as attribute to the MyLdapContextSource in config file.

                      <bean id="securedContextSource" class ="MyLdapContextSource "
                      <property name="url" value="<your ldap server>" />
                      <property name="base" value="<OU base>" />
                      <property name="userDn" value="<userDn>" />
                      <property name="password" value="<password>" />
                      <property name="pooled" value="false" />
                      <property name="authenticationStrategy">
                      <bean class="org.springframework.ldap.core.support.Defau ltTlsDirContextAuthenticationStrategy">
                      <property name="shutdownTlsGracefully" value="true"></property>
                      </bean>


                      let me know if this helps you.
                      best regards,
                      Veena

                      Comment


                      • #13
                        TLS and setupAuthenticatedEnvironment

                        Hi Veena,

                        Thank you for the reply. I was only extending the DefaultTlsDirContextAuthenticationStrategy to add environment properties. It wasn't really doing anything more than that.

                        I have already tried using the the Default strategy and it doesn't work as expected. I tried it again following your suggestion.

                        The reason is the following. I don't land into this 1.2 since my extension handles the naming exception for TLS already started, which is being thrown in 1.3.

                        Caused by: javax.naming.NamingException: [LDAP: error code 1 - TLS already started]; remaining name ''
                        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.jav a:3081)
                        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCt x.java:2987)
                        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCt x.java:2794)
                        at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCt x.java:3166)
                        at javax.naming.ldap.InitialLdapContext.extendedOpera tion(InitialLdapContext.java:164)
                        at org.springframework.ldap.core.support.AbstractTlsD irContextAuthenticationStrategy.processContextAfte rCreation(AbstractTlsDirContextAuthenticationStrat egy.java:104)
                        at org.springframework.ldap.core.support.AbstractCont extSource.getContext(AbstractContextSource.java:10 9)

                        Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - TLS already started]; remaining name '']
                        org.springframework.ldap.UncategorizedLdapExceptio n: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - TLS already started]; remaining name ''
                        at org.springframework.ldap.support.LdapUtils.convert LdapException(LdapUtils.java:215)
                        at org.springframework.ldap.core.support.AbstractCont extSource.getContext(AbstractContextSource.java:11 4)
                        at org.springframework.ldap.core.support.AbstractCont extSource.getReadOnlyContext(AbstractContextSource .java:125)
                        at org.springframework.ldap.core.LdapTemplate.search( LdapTemplate.java:287)
                        at org.springframework.ldap.core.LdapTemplate.search( LdapTemplate.java:259)
                        at org.springframework.ldap.core.LdapTemplate.search( LdapTemplate.java:606)
                        at org.springframework.ldap.core.LdapTemplate.search( LdapTemplate.java:524)
                        at org.springframework.security.ldap.SpringSecurityLd apTemplate.searchForSingleAttributeValues(SpringSe curityLdapTemplate.java:170)

                        Comment


                        • #14
                          TLS already started

                          Hi Shanka,

                          I have the same problem. The business requirement is that I authenticate user supplied credentials with our directory server via LDAP. I first set up the following in Spring configuration XML:
                          Code:
                          	<bean id="SSLKeyStoreAccess" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
                          		<property name="targetObject">
                          			<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
                          				<property name="targetClass" value="java.lang.System" />
                          				<property name="targetMethod" value="getProperties" />
                          			</bean>
                          		</property>
                          		<property name="targetMethod" value="putAll" />
                          		<property name="arguments">
                          			<util:properties>
                          				<!-- JKS trustStore contains server public key -->
                          				<prop key="javax.net.ssl.trustStore">C:/servercacerts</prop>
                          				<prop key="javax.net.ssl.trustStorePassword">servercertspwd</prop>
                          				<prop key="javax.net.ssl.trustStoreType">JKS</prop>
                          				<!-- PKCS12 keyStore contains client's (ldapuser) private key -->
                          				<prop key="javax.net.ssl.keyStore">C:/ldapuser-certificate.PFX</prop>
                          				<prop key="javax.net.ssl.keyStorePassword">ldapuserpwd</prop>
                          				<prop key="javax.net.ssl.keyStoreType">PKCS12</prop>
                          			</util:properties>
                          		</property>
                          	</bean>
                          
                          	<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
                          		<property name="url" value="ldaps://192.168.1.10:636" />
                          		<property name="pooled" value="false" />
                          		<!-- Setting authentication strategy seems to be causing a problem that does not exist without this property setting -->
                          		<property name="authenticationStrategy">
                          			<bean class="org.springframework.ldap.core.support.ExternalTlsDirContextAuthenticationStrategy">
                          				<property name="shutdownTlsGracefully" value="true" />
                          			</bean>
                          		</property>
                          	</bean>
                          
                          	<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
                          		<constructor-arg ref="contextSource" />
                          	</bean>
                          In Java code, I first determine the actual DN for the user with this method, before invoking the authenticate method on ldapTemplate. This is where I am running into the same error as you, i.e. "TLS already started". If I remove the setAuthenticationStrategy(externalTlsDirContextAut henticationStrategy) in Spring configuration, this method below works just fine.
                          Code:
                          	public String getUserDNByUserName(String userName) {
                          
                          		AndFilter filter = new AndFilter()
                          					.and(new EqualsFilter("objectclass", "person"))
                          					.and(new EqualsFilter("cn", userName));
                          
                          		List result = ldapTemplate.search(DistinguishedName.EMPTY_PATH, filter.encode(), new AbstractContextMapper() {
                          
                          			@Override
                          			protected Name doMapFromContext(DirContextOperations ctx) {
                          				return ctx.getDn();
                          			}
                          		});
                          
                          		if (result == null || result.size() != 1) {
                          			throw new RuntimeException("User not found or not unique");
                          		}
                          
                          		return result.get(0).toString();
                          	}
                          Were you able to resolve this eventually?

                          Thanks.

                          Ashwin

                          Comment


                          • #15
                            TLS started already

                            Hi Ashwin,

                            Why are you using ldaps and 636 port. Ldaps is for app which are accessed via https.
                            For TLS we don't need ldaps and port 636.


                            You need to subclass the DefaultSpringSecurityContextSource like this

                            /**
                            * ContextSource implementation which overrides setupAuthenticatedEnvironment to allow TLS.
                            *
                            * */
                            public class SecuredLdapContextSource extends DefaultSpringSecurityContextSource {


                            /**
                            * Provider url is used in the default constructor of this class. The value for this property is set up from
                            * ContextSourceHelper bean.
                            *
                            * @see ContextSourceHelper
                            */
                            public static String providerUrl;

                            // default constructor is required by proxy
                            // DO NOT REMOVE
                            public SecuredLdapContextSource() {
                            // for some reason the super class does not have a default constructor
                            // but the ldap url is autowired in the bean definition
                            super(providerUrl);
                            }

                            }

                            and your config will be

                            <bean id="securedContextSource" class ="security.helper.SecuredLdapContextSource">
                            <property name="url" value=" ldap://servername:389" />
                            <qualifier value="secured"/>
                            <property name="base" value="ou=networks,dc=com" />
                            <property name="userDn" value="cn=test,dc=com" />
                            <property name="password" value="passMe!" />
                            <property name="pooled" value="false" />
                            <property name="authenticationStrategy">
                            <bean class="org.springframework.ldap.core.support.Defau ltTlsDirContextAuthenticationStrategy">
                            <property name="shutdownTlsGracefully" value="true"></property>
                            </bean>
                            </property>

                            Keep in mind that using secure connection to ldap server brings down the speed of your app, hence we need to swtich between secured and non-secured contexts. hence qualifier secure is used, you can have contextSource extending org.springframework.security.ldap.DefaultSpringSec urityContextSource with qualified nonsecured.
                            use secured connection only for password change.

                            hope it helps,
                            Best regards,
                            Veena

                            Comment

                            Working...
                            X