Configure Spring Security with Weblogic LDAP authenticator

I'm trying to set up Spring Security in my application using an LDAP authenticator configured in an Oracle Weblogic Server 10.3.

I've been searching on the internet, but all I find is how to set the LDAP right into the spring-security.xml, but nothing about somehow importing the configuration I have on the server into it, so when I try to log in, it checks the user and password with the authenticator on the server.

I want to do so because I don't have access to the configuration of the LDAP (it's on a production environment), so I have to send the data directly to it.

Is there any way to accomplish this?

You need to create a custom AuthenticationHandler and declare it in your Spring Security configuration, or you can write your own UserDetailsService that performs the LDAP query for you.

<authentication-manager>
    <authentication-provider user-service-ref="jbossLdapController" >
       <password-encoder hash="sha" base64="true" ref="passwordEncoder">
          <salt-source ref="saltSource"/>
       </password-encoder>
    </authentication-provider>
</authentication-manager>

With this you can create a class that implements UserDetailsService to get all the functionality of this without having to implement it all by hand using a typical custom authentication handler.

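import org.springframework.dao.DataAccessException;
import org.springframework.security.authentication.dao.ReflectionSaltSource;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class JBossLdapController implements UserDetailsService {
      ReflectionSaltSource saltSource;
      public void setSaltSource(ReflectionSaltSource saltSource) {
         this.saltSource = saltSource;
      }

      ShaPasswordEncoder passwordEncoder;
      public void setPasswordEncoder(ShaPasswordEncoder passwordEncoder) {
         this.passwordEncoder = passwordEncoder;
      }

      // LDAP stuff

      @Override
      public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException, DataAccessException {
         // Build user details, call LDAP query.  User details functionality of
         // Spring will automatically compare user supplied credentials with hash
         // and salt source versus username and encrypted password in UserDetails
         // object.
         // Placeholder so the class compiles until the LDAP lookup is written.
         throw new UsernameNotFoundException(userName);
      }
}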

Keep in mind that this is just an example of how this can be done without giving up the benefits of the Spring Security UserDetails functionality. Of course, without knowing more about your LDAP provider, the passwords may not be SHA encrypted with a salt.
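
To illustrate the caveat at the end of the answer above, the following added example (not part of the original answer, plain JDK only) computes the value the legacy ShaPasswordEncoder with base64="true" and a salt source compares against, next to a directory-style {SSHA} value for the same password. The class name SaltedShaFormats, the use of the username as salt, the sample password and the assumption that the directory stores {SSHA} are all hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;

public class SaltedShaFormats {

    static byte[] sha1(byte[]... parts) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        for (byte[] p : parts) md.update(p);
        return md.digest();
    }

    // Layout compared by the legacy ShaPasswordEncoder + SaltSource pair:
    // Base64(SHA-1("password{salt}")), salt read from a UserDetails property.
    static String springLegacy(String password, String salt) throws Exception {
        String merged = salt.isEmpty() ? password : password + "{" + salt + "}";
        return Base64.getEncoder().encodeToString(sha1(merged.getBytes(StandardCharsets.UTF_8)));
    }

    // Directory-style layout (assumed here): "{SSHA}" + Base64(SHA-1(password || salt) || salt),
    // with the salt bytes appended after the 20-byte digest.
    static boolean matchesSsha(String stored, String password) throws Exception {
        if (!stored.startsWith("{SSHA}")) return false;
        byte[] raw = Base64.getDecoder().decode(stored.substring(6));
        if (raw.length <= 20) return false;
        byte[] digest = Arrays.copyOfRange(raw, 0, 20);
        byte[] salt = Arrays.copyOfRange(raw, 20, raw.length);
        byte[] candidate = sha1(password.getBytes(StandardCharsets.UTF_8), salt);
        return MessageDigest.isEqual(digest, candidate); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from any real directory.
        String password = "correct horse";
        byte[] salt = {0x01, 0x02, 0x03, 0x04};
        byte[] digest = sha1(password.getBytes(StandardCharsets.UTF_8), salt);
        byte[] raw = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, raw, digest.length, salt.length);
        String ldapValue = "{SSHA}" + Base64.getEncoder().encodeToString(raw);

        String springValue = springLegacy(password, "jdoe"); // salt = username (assumption)
        System.out.println("directory value : " + ldapValue);
        System.out.println("spring expects  : " + springValue);
        System.out.println("SSHA check      : " + matchesSsha(ldapValue, password));
        System.out.println("string equality : " + ldapValue.equals(springValue));
    }
}
```

If the hash returned by the LDAP query is not in the layout the configured encoder produces, every login fails even with the correct password, so the stored format has to be confirmed before relying on the UserDetailsService comparison.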
