  • Integrating Preauth with LDAP user details

    I am trying to integrate Spring Security into an environment with Oblix, WebSphere 6, and Active Directory. Oblix and WebSphere provide authentication within the J2EE container, but I need to pull roles from Active Directory. I have studied the Spring Security samples (specifically the preauth sample), and I'm still digesting the application context file.

    What is the proper way to integrate both container authentication (preauth) with LDAP user details? Can it be done using the namespace configuration?

    Thanks in advance,
    Shannon Kendrick

  • #2
    Preauth with Siteminder, details from LDAP

    I don't know if it's the correct implementation, but this is how I did it and it was pretty easy.

    securityContext.xml
    Code:
        <!-- Beans referenced here but not shown in the post (httpSessionContextIntegrationFilterWithASCTrue,
             logoutFilter, exceptionTranslationFilter, authenticationManager, ldapTemplate) are defined elsewhere -->
        <bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
            <security:filter-chain-map path-type="ant">
                <security:filter-chain pattern="/siteminderLogin**" filters="httpSessionContextIntegrationFilterWithASCTrue, logoutFilter, exceptionTranslationFilter, siteminderFilter"/>
            </security:filter-chain-map>
        </bean>

        <!-- Reads the user name the SSO agent placed in a request header (SM_USER by default) -->
        <bean id="siteminderFilter" class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
            <security:custom-filter position="PRE_AUTH_FILTER" />
            <property name="authenticationManager" ref="authenticationManager" />
        </bean>

        <!-- Accepts the pre-authenticated token and asks userDetailsService for the user's details -->
        <bean id="preauthAuthProvider" class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
            <security:custom-authentication-provider />
            <property name="preAuthenticatedUserDetailsService" ref="userDetailsService"/>
        </bean>

        <bean id="userDetailsService" class="my.package.MyUserServiceImpl">
            <!-- Used Spring LDAP to connect -->
            <property name="ldapTemplate" ref="ldapTemplate"/>
        </bean>
    MyUserServiceImpl
    Code:
    import org.springframework.ldap.NameNotFoundException;
    import org.springframework.ldap.core.ContextMapper;
    import org.springframework.ldap.core.DirContextOperations;
    import org.springframework.ldap.core.DistinguishedName;
    import org.springframework.ldap.core.LdapTemplate;
    import org.springframework.security.Authentication;
    import org.springframework.security.userdetails.AuthenticationUserDetailsService;
    import org.springframework.security.userdetails.UserDetails;
    import org.springframework.security.userdetails.UsernameNotFoundException;

    public class MyUserServiceImpl implements AuthenticationUserDetailsService {

        private LdapTemplate ldapTemplate;
        private static final String[] LDAP_ATTRIBUTES =
            new String[]{"uid", "cn", "sn"};

        // The inner class below is MyUserContextMapper; the post instantiated "MyContextMapper"
        private final MyUserContextMapper CONTEXT_MAPPER = new MyUserContextMapper();

        // Setter needed for the <property name="ldapTemplate"> injection in securityContext.xml
        public void setLdapTemplate(LdapTemplate ldapTemplate) {
            this.ldapTemplate = ldapTemplate;
        }

        // Called by PreAuthenticatedAuthenticationProvider; the principal is the
        // user name the pre-auth filter took from the SiteMinder header
        public UserDetails loadUserDetails(Authentication authentication)
                throws UsernameNotFoundException {
            String userID = (String) authentication.getPrincipal();
            return getUserFromLdap(userID);
        }

        private UserDetails getUserFromLdap(String userID) {
            // buildDN(...) is not included in the post; it derives the user's DN from the login name
            DistinguishedName dn = buildDN(userID);
            try {
                return (UserDetails) ldapTemplate.lookup(dn, LDAP_ATTRIBUTES, CONTEXT_MAPPER);
            } catch (NameNotFoundException e) {
                throw new UsernameNotFoundException("User not found in LDAP");
            }
        }

        private class MyUserContextMapper implements ContextMapper {
            public UserDetails mapFromContext(Object ctx) {
                DirContextOperations context = (DirContextOperations) ctx;

                String username = context.getStringAttribute("uid");
                String firstName = context.getStringAttribute("cn");
                String lastName = context.getStringAttribute("sn");

                // MyUserDetails is the poster's own UserDetails implementation (not shown)
                return new MyUserDetails(username, firstName, lastName);
            }
        }
    }
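
    The mapper in #2 only copies name attributes, while the original question needs roles from Active Directory. The following is an added example, not code from this thread, of a ContextMapper for the same Spring Security 2.0 / Spring LDAP API that derives authorities from the entry's memberOf attribute; the class name AdGroupContextMapper, the attribute list and the example group DN are assumptions.

    ```java
    import java.util.ArrayList;
    import java.util.List;

    import org.springframework.ldap.core.ContextMapper;
    import org.springframework.ldap.core.DirContextOperations;
    import org.springframework.ldap.core.DistinguishedName;
    import org.springframework.security.GrantedAuthority;
    import org.springframework.security.GrantedAuthorityImpl;
    import org.springframework.security.userdetails.User;

    /**
     * Maps an Active Directory user entry to a UserDetails whose authorities are
     * derived from memberOf. Assumed example (not from the thread): a group DN such
     * as "CN=App Admins,OU=Groups,DC=example,DC=com" becomes ROLE_APP_ADMINS.
     */
    public class AdGroupContextMapper implements ContextMapper {

        // Attributes to request in ldapTemplate.lookup(); AD entries have no "uid"
        public static final String[] ATTRIBUTES = {"sAMAccountName", "memberOf"};

        public Object mapFromContext(Object ctx) {
            DirContextOperations entry = (DirContextOperations) ctx;
            String username = entry.getStringAttribute("sAMAccountName");
            // memberOf lists direct memberships only; nested groups are not expanded
            GrantedAuthority[] authorities = toAuthorities(entry.getStringAttributes("memberOf"));
            // The container already authenticated the user, so no password is kept;
            // "N/A" is a placeholder because User rejects a null password.
            return new User(username, "N/A", true, true, true, true, authorities);
        }

        /** Turns each group DN into ROLE_ + CN; a user in no groups gets an empty array. */
        public static GrantedAuthority[] toAuthorities(String[] groupDns) {
            List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
            if (groupDns != null) {
                for (String groupDn : groupDns) {
                    DistinguishedName dn = new DistinguishedName(groupDn);
                    // The last RDN is the leaf, i.e. the group's own CN
                    String cn = dn.getLdapRdn(dn.size() - 1).getValue();
                    String role = "ROLE_" + cn.trim().toUpperCase().replaceAll("[^A-Z0-9]+", "_");
                    roles.add(new GrantedAuthorityImpl(role));
                }
            }
            return roles.toArray(new GrantedAuthority[roles.size()]);
        }
    }
    ```

    Use it as the CONTEXT_MAPPER in MyUserServiceImpl and pass ATTRIBUTES to ldapTemplate.lookup(). Since RequestHeaderPreAuthenticatedProcessingFilter trusts the header as delivered, the application must only be reachable through the SiteMinder/Oblix agent that sets it.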



  • #3
    Hi MMJQ,

    I am trying to get the exact thing working, but I am still not able to get the whole picture. I can connect using LDAP, but I want to preauth a user as well.

    Can you send me your entire security config and beans? I tried to get your sample working, but it seems there are some parts missing.

    Thanks!
    Coen



  • #4
    Coenos,

    I would, but unfortunately, I had to relinquish that code due to a client agreement. I believe I've shared the most relevant parts. If you're hitting an error, post it in the forum and I can definitely help.
