Spring Security LDAP vs Basic Authentication

I've burned a few days trying to get something that should be simple to work. I have an application (web app) that works with Spring Security 3.0.5 and I'm having a hell of a time trying to switch out my authentication-manager for something that supports LDAP.

I'm using JSF and it seems like most of the tutorials out there are geared towards JSP.

I'm by no means a Spring expert and I've cobbled something together off some tutorials I found scattered around the web.

Servlet-context.xml

I'm not 100% sure exactly what this file does?

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"

xsi:schemaLocation="
    http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd">

<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->

<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />

<!-- Resolves views selected for rendering by @Controllers to .jsp resources in the /WEB-INF/views directory -->
<beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <beans:property name="prefix" value="/WEB-INF/views/" />
    <beans:property name="suffix" value=".jsp" />
</beans:bean>

</beans:beans>

Security.xml

This file appears to define the security configuration and such as well as what parts of the web app are locked down.

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<http use-expressions="true">
    <intercept-url pattern="/ff/**"         access="isAuthenticated()" />
    <intercept-url pattern="/**" access="permitAll()" />

    <!-- Custom login page -->
    <form-login login-page="/login.jsf" authentication-failure-url="/login-fail.jsf"/>

    <!-- Custom logout page -->
    <logout logout-success-url="/login.jsf"  invalidate-session="true"/>

</http>

<!-- Use inline authentication provider. -->
<authentication-manager>
    <authentication-provider>
        <password-encoder hash="md5"/>
        <user-service>
            <user name="admin" password="21232f297a57a5a743894a0e4a801fc3" authorities="ROLE_ADMIN,ROLE_USER" />
            <user name="raj" password="0b438dd454bc6a17de239ebf0a46b91b" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

</beans:beans>

Web.xml

It appears this file tells the web app which additional Spring filters to parse.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee     http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/root-context.xml
        /WEB-INF/spring/security.xml
    </param-value>
</context-param>




<!-- Enable Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- Allow login pages with JSF which redirects to security check, therefore we have to add the forward entry here -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>

<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/servlet-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>/spring/</url-pattern>
</servlet-mapping>

<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>


<session-config>
    <session-timeout>
        30
    </session-timeout>
</session-config>
</web-app>

And lastly I have a bean (I think) that handles the security stuff.

SecurityWrapper.java

import java.util.Collection;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;

/**
* Code from: http://www.baeldung.com/get-user-in-spring-security
*/
@ManagedBean
@SessionScoped
public class SecurityWrapper {

public String getUser() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (!(authentication instanceof AnonymousAuthenticationToken)) {
        String currentUserName = authentication.getName();
        return currentUserName;
    }
    return "NO USER DETECTED";
}

/* Example of obtaining the role name, e.g. to generate a menu automatically. */
public String getRole() {

    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    String namePrincipalRol = null;
    if (auth instanceof AnonymousAuthenticationToken) {

        namePrincipalRol = "ROLE_ANONYMOUS";
    } else {

        namePrincipalRol = auth.getAuthorities().iterator().next().getAuthority();
    }
    return namePrincipalRol;
}

private void getUserDetails() {
    UserDetails userDetails = (UserDetails) SecurityContextHolder.getContext().
            getAuthentication().getPrincipal();
    System.out.println(userDetails.getPassword());
    System.out.println(userDetails.getUsername());
    System.out.println(userDetails.isEnabled());
}

private boolean hasRole(String role) {
    Collection<GrantedAuthority> authorities = (Collection<GrantedAuthority>) SecurityContextHolder.getContext().getAuthentication().getAuthorities();
    boolean hasRole = false;
    for (GrantedAuthority authority : authorities) {
        hasRole = authority.getAuthority().equals(role);
        if (hasRole) {
            break;
        }
    }
    return hasRole;
}

 public String logout(){
     getUserDetails();
    SecurityContextHolder.clearContext();

    return "loggedout";
}

}

Questions

So here is where I'm running into issues. 1) This example code I put together (much came from: http://www.baeldung.com/get-user-in-spring-security ) is running Spring 3.0.5 which probably is very out of date, but I'm hoping that shouldn't matter. I've gone various routes attempting to integrate and/or switch out my authentication provider for LDAP but I keep running into issues where my tutorials are of a different version and when I try to upgrade Spring things go kaboom. I'm assuming this should be a straightforward process but I would love some pointers as to how to move forward.

There are various answers on stack for integrating Spring LDAP but they are all (mostly) related to .jsp and not .xhtml which may/may not matter - and I've run into much trouble trying to integrate the other ones.

Should this be a straightforward process or is it actually more involved than I realize? And if so, is it as simple as just swapping out my <authentication-manager> or do I need to add special Java code as well?

So...assuming you have Spring security working and you wish to switch to LDAP

You need to have your authentication manager like so in your file Security.xml:

<sec:authentication-manager alias="webAuthenticationManager">
    <sec:authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</sec:authentication-manager> 

And the actual bean that does this:

<bean id="ldapActiveDirectoryAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <constructor-arg value="yourcompany.com" />
    <constructor-arg value="ldap://yourserver.yourcompany.com:389" />
    <property name="authoritiesMapper" ref="dataAutomationGrantedAuthoritiesMapper" />
    <property name="useAuthenticationRequestCredentials" value="true" />
</bean>   

You also need to MAP the groups to Spring security roles:

<!-- Mapping of Groups (user is member of) to Application roles used by Spring security -->
 <bean id="dataAutomationGrantedAuthoritiesMapper" class="com.deltarail.view.web.login.DataAutomationGrantedAuthoritiesMapper">        
    <property name="groupToRoleMap">
        <util:map>
            <entry key="SystemAdministrators" value="ROLE_SYSADMIN" />
            <entry key="Maint"  value="ROLE_MAINT" />
            <entry key="General" value="ROLE_USER" />

        </util:map>
    </property>
</bean> 
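
The answer's XML references a group-to-role mapper class whose source is not shown. As an added example (not the answer author's code), here is one way such a mapper could be written against Spring Security's `GrantedAuthoritiesMapper` interface; the package and class names are hypothetical, and it assumes the provider passes each directory group's name as the authority string. Both `GrantedAuthoritiesMapper` and `ActiveDirectoryLdapAuthenticationProvider` are available from Spring Security 3.1 onward, so the 3.0.5 setup in the question would need upgrading first.

```java
package com.example.security; // hypothetical package, not from the original post

import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;

/**
 * Added example: translates directory group names into application roles.
 * A group with no entry in the map yields no role (deny by default), so
 * membership in an unrelated directory group never grants access.
 */
public class GroupToRoleAuthoritiesMapper implements GrantedAuthoritiesMapper {

    // Starts empty: with no configuration, nobody receives any role.
    private Map<String, String> groupToRoleMap = Collections.emptyMap();

    /** Populated from the XML <property name="groupToRoleMap"> element. */
    public void setGroupToRoleMap(Map<String, String> groupToRoleMap) {
        this.groupToRoleMap = groupToRoleMap;
    }

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        // A set removes duplicates when several groups map to the same role.
        Set<GrantedAuthority> roles = new LinkedHashSet<GrantedAuthority>();
        for (GrantedAuthority group : authorities) {
            // Lookup is case-sensitive: keys must match the group names exactly.
            String role = groupToRoleMap.get(group.getAuthority());
            if (role != null) {
                roles.add(new SimpleGrantedAuthority(role));
            }
        }
        return roles;
    }
}
```

To use it, point the `class` attribute of the mapper bean at this class. The `ROLE_` values in the map must match the roles referenced by the `access` expressions in the `<http>` block.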
