Announcement Announcement Module
Collapse
No announcement yet.
LDAP Authentication with DataSource Authorization Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • LDAP Authentication with DataSource Authorization

    I am new to Spring Security.
    I am developing an application that uses ActiveDirectory for authentication and Database tables for authorization. The database tables [users, authorities] follow the recommended spring authentication schema. I am at a loss how to use ldap for authentication only, and use the datasource for authorization. My guess is that is has something to do with changing the default populator of the ldap-authentication-provider to make use of a datasource. Below is my attempt at an appropriate security configuration:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
      xmlns:beans="http://www.springframework.org/schema/beans"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-3.0.xsd
               http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
    
        <global-method-security secured-annotations="enabled"/>   
    
        <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
            <beans:constructor-arg value="ldap://hodc1.company.com/dc=company,dc=com"/>
            <beans:property name="userDn" value="[email protected]"/>
            <beans:property name="password" value="1256EE"/>
            <beans:property name="baseEnvironmentProperties">
                <beans:map>
                    <beans:entry key="java.naming.referral">
                        <beans:value>follow</beans:value>
                    </beans:entry>
                </beans:map>
            </beans:property>
        </beans:bean>    
        <http auto-config="true">
            <!-- no role restrictions on login.jsp | no need to be managed by spring container at all -->
            <intercept-url pattern="/**" filters="none"/>
            <intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <intercept-url pattern="/js/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    
            <!-- restrict access to all other pages -->
            <intercept-url pattern="/admin/*.do" access="ROLE_ADMIN"/>
            <intercept-url pattern="/approve/*.do" access="ROLE_SUPERVISOR"/>
            <intercept-url pattern="/**.do" access="ROLE_USER, ROLE_SUPERVISOR, ROLE_ADMIN"/>
    
            <!-- set login page and what to do if login fails -->
            <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true"/><!--  default-target-url="/index.do" always-use-default-target="true" -->
    
            <!-- handle session timeout -->
            <session-management>
                <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/sessionTimeout.do"/>
            </session-management>
    
            <logout/>
        </http>
        <authentication-manager alias="authenticationManager">
            <ldap-authentication-provider group-search-filter="member={0}" group-search-base="ou=Groups" role-prefix="ROLE_" user-search-base="cn=users" user-search-filter="sAMAccountName={0}" server-ref="contextSource">            
            </ldap-authentication-provider>
            <authentication-provider>
                <jdbc-user-service data-source-ref="dataSource"/>
            </authentication-provider>
        </authentication-manager>
        <beans:bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
            <beans:property name="dataSource" ref="dataSource"/>
            <beans:property name="authoritiesByUsernameQuery">
                <beans:value>
                    <![CDATA[
                        SELECT username, authority FROM authorities WHERE username=?
                    ]]>
                </beans:value>
            </beans:property>
            <beans:property name="usersByUsernameQuery">
                <beans:value>
                    <![CDATA[
                        SELECT username, password, enabled FROM users WHERE username=?
                    ]]>
                </beans:value>
            </beans:property>
        </beans:bean>
        <beans:bean id="populator" class="org.springframework.security.ldap.authentication.UserDetailsServiceLdapAuthoritiesPopulator">
            <beans:constructor-arg ref="userDetailsService"/>
        </beans:bean>
    </beans:beans>
    Last edited by joshua.ochoge; Aug 27th, 2010, 10:41 AM.

  • #2
    Did you read the FAQ entry on this? You need to be using explicit beans, not the LDAP namespace configuration. Configuring separate beans for the LDAP authorities populator etc won't make any difference unless they are injected into the LdapAuthenticationProvider.

    Comment

    Working...
    X