
  • Extending header pre-authentication to using LDAP?

    Hi,

    I have been able to configure header pre-authentication following the example configuration at:

    http://static.springsource.org/sprin...e/preauth.html

    At this point, my test configuration uses an in-memory userDetailsService:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:sec="http://www.springframework.org/schema/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
    
        <!-- FROM OWF Context Security -->
    
        <sec:http auto-config='true'>
            <sec:intercept-url pattern="/unauthorized.jsp" filters="none" />
            <sec:intercept-url pattern="/css/jblock-style.css" filters="none" />
            <sec:intercept-url pattern="/js-lib/ext-*/**" filters="none"/>
            <sec:intercept-url pattern="/themes/common/images/logout/**" filters="none" />
            <sec:intercept-url pattern="/logout.jsp" filters="none" />
            <sec:intercept-url pattern="/administration/monitoring" access="ROLE_ADMIN" />
            <sec:intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https" />
            <sec:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" requires-channel="https" />
    
            <!-- From Spring HEADER pre-auth example -->
            <sec:custom-filter position="PRE_AUTH_FILTER" ref="oamHeaderFilter" />
        </sec:http>
    
        <!-- From Spring HEADER pre-auth example -->
        <sec:authentication-manager alias="authenticationManager">
          <sec:authentication-provider ref="preauthAuthProvider" />
        </sec:authentication-manager>
    
    
        <!-- From Spring HEADER pre-auth example -->
        <bean id="oamHeaderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
          <property name="principalRequestHeader" value="OAM_REMOTE_USER"/>
          <property name="authenticationManager" ref="authenticationManager" />
        </bean>
    
        <!-- From Spring HEADER pre-auth example -->
        <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
           <property name="preAuthenticatedUserDetailsService">
              <bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                 <property name="userDetailsService" ref="userDetailsService"/>
              </bean>
           </property>
        </bean>
    
        <!-- CANNED userDetailsService from: http://forum.springsource.org/showthread.php?114367-SSO-PreAuthentication-with-In-Memory-User-Store& -->
        <sec:user-service id="userDetailsService">
            <sec:user name="0test" password="" authorities="ROLE_USER,ROLE_ADMIN,administrators,manager" />
            <sec:user name="7test" password="" authorities="ROLE_USER,ROLE_ADMIN" />
        </sec:user-service>
    
    </beans>

    Now, I'd like to extend this header pre-authentication configuration so that, rather than using the users in the above userDetailsService, it'd retrieve the user and the user's role information from an LDAP server, similar to how JNDIRealm works in Tomcat (e.g., the pre-authenticated user's group membership determining roles).

    However, I am really new to working with Spring Security, and am pretty much at a loss as to how to proceed to accomplish that. Are there any examples of doing something like that, or can someone offer some pointers as to how to proceed?

    Also, is this usage scenario something that could be done out of the box with Spring Security, or will it require some custom code (which would be fine... I just would like to know)?

    Thanks,
    Jim

  • #2
    Hi,

    For the record, I was able to get this working. Most of the info that I needed was from post #6 in this thread:

    http://forum.springsource.org/showth...ntication+ldap

    I had to tweak the properties, etc. for my LDAP server, and point my "PreAuthenticatedAuthenticationProvider" to the new "ldapUserDetailsService", and then it worked!!

    Jim
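
The change described in post #2, sketched as an added example (not Jim's actual configuration and not copied from the linked thread): it replaces the in-memory `<sec:user-service>` from the first post with an LDAP-backed `ldapUserDetailsService`. The host, DNs, search filters, lookup account and the `${ldap.lookup.password}` placeholder (which assumes a property placeholder configurer defined elsewhere) are constructed values; the classes come from the spring-security-ldap module of Spring Security 3.x, which must be on the classpath.

```xml
<!-- Added example: goes inside <beans> in place of <sec:user-service id="userDetailsService">.
     Host, DNs, filters and the password placeholder are constructed values. -->

<!-- Connection used for lookups only; the user was already authenticated upstream. -->
<bean id="contextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldaps://ldap.example.org:636/dc=example,dc=org"/>
    <!-- Read-only lookup account (assumed) -->
    <property name="userDn" value="cn=svc-lookup,ou=services,dc=example,dc=org"/>
    <property name="password" value="${ldap.lookup.password}"/>
</bean>

<!-- Maps the OAM_REMOTE_USER header value to a directory entry. -->
<bean id="ldapUserSearch"
      class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="ou=people"/>
    <constructor-arg index="1" value="(uid={0})"/>
    <constructor-arg index="2" ref="contextSource"/>
</bean>

<!-- Group membership decides roles, as with JNDIRealm: group cn=admin yields ROLE_ADMIN. -->
<bean id="ldapAuthoritiesPopulator"
      class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
    <constructor-arg index="0" ref="contextSource"/>
    <constructor-arg index="1" value="ou=groups"/>
    <property name="groupSearchFilter" value="(member={0})"/>
    <property name="groupRoleAttribute" value="cn"/>
    <property name="rolePrefix" value="ROLE_"/>
    <property name="convertToUpperCase" value="true"/>
</bean>

<bean id="ldapUserDetailsService"
      class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    <constructor-arg index="0" ref="ldapUserSearch"/>
    <constructor-arg index="1" ref="ldapAuthoritiesPopulator"/>
</bean>

<!-- Same provider bean as in the first post, now pointing at the LDAP-backed service. -->
<bean id="preauthAuthProvider"
      class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
        <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <property name="userDetailsService" ref="ldapUserDetailsService"/>
        </bean>
    </property>
</bean>
```

`RequestHeaderAuthenticationFilter` accepts whatever `OAM_REMOTE_USER` value arrives with the request, so the application should be reachable only through the gateway that sets that header.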
