This topic is closed

  • Authenticate Role

    I'm using LDAP authentication and want to allow only members of a certain group, or users that have a certain role, to be able to log in. I see the following in the logs:

    DEBUG DefaultLdapAuthoritiesPopulator - Roles from search: [IT Dept]

    The user that has this role should be able to login. Users with other roles should fail login. How can I restrict login to only users with the above role? My config file has the following entry:

    Code:
    <authentication-manager>
        <ldap-authentication-provider user-search-base="cn=Users,dc=some,dc=local" user-search-filter="(samAccountName={0})"
            group-search-base="cn=IT Dept,cn=Users,dc=sam,dc=local" role-prefix="ROLE_" group-search-filter="(member={0})"/>
    </authentication-manager>

    Thanks in advance for your help.

  • #2
    You can lock it down in the http setup like the following. However, I don't know if it will work with a group that has spaces in the group name.

    Code:
    <http auto-config='true'>
        <intercept-url pattern="/**" access="ROLE_USER" />
    </http>



    • #3
      Thanks pgrimard. I had tried setting the access attribute to a role, and I was getting an exception. Then I realized that the use-expressions attribute of the http element was set to true. When I set it to false, it worked.

      However, the behavior of denied access is a bit problematic. When I try to log in with a user without the role, I get redirected back to the login page with the address bar containing the URL of the protected resource. That's OK.

      But if I log in with a user with the role, the protected resource gets cached. Then, if that user logs out and the other user (without the role) tries to log in, they get to the protected resource.

      Is there any way for the user to be denied access without being redirected from the protected resource?

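The configuration discussed in this thread, written out as an added example that is not from any of the posters or from the Spring Security project: it restricts every URL to the group seen in the debug log while leaving `use-expressions` enabled. The base DNs are placeholders, and the authority name `ROLE_IT DEPT` is an assumption based on the default behaviour of `DefaultLdapAuthoritiesPopulator` (group `cn` upper-cased, then prefixed with `role-prefix`).

```xml
<!-- Added example, not from the thread. Assumes the security namespace is the
     default XML namespace, as in the snippets posted above, and that the LDAP
     server (ldap-server element or context source) is defined elsewhere. -->

<http auto-config="true" use-expressions="true">
    <!-- With use-expressions="true" the access attribute must be an expression,
         so the role is wrapped in hasRole(...) instead of being given bare.
         Assumption: the group logged as "IT Dept" is granted as "ROLE_IT DEPT"
         (cn upper-cased by default, then role-prefix prepended). The quotes keep
         the space in the name intact. -->
    <intercept-url pattern="/**" access="hasRole('ROLE_IT DEPT')" />
</http>

<!-- Equivalent rule when use-expressions="false" (the setting post #3 ended up
     with): the access attribute then takes the authority name directly.
     Shown as a comment because only one catch-all http block should be active.

<http auto-config="true" use-expressions="false">
    <intercept-url pattern="/**" access="ROLE_IT DEPT" />
</http>
-->

<authentication-manager>
    <!-- Placeholder DNs (dc=example,dc=local); substitute the directory's own.
         group-role-attribute="cn" is the default and is written out here only
         to show which attribute the role name is taken from. -->
    <ldap-authentication-provider
        user-search-base="cn=Users,dc=example,dc=local"
        user-search-filter="(samAccountName={0})"
        group-search-base="cn=Users,dc=example,dc=local"
        group-search-filter="(member={0})"
        group-role-attribute="cn"
        role-prefix="ROLE_" />
</authentication-manager>
```

Users who authenticate against LDAP but are not members of the group still get a session; they are rejected at the `intercept-url` check rather than at login, which matches the behaviour described in post #3.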