Spring Security, Kerberos extension and AD

Question

I'm trying to use on my project a Kerberos authentication. It's for my company an internal service, and I want to authenticate the users, and retrieve from our Active Directory the groups of the users. For this, I'm using Spring Security, Kerberos extension and our company's AD.

The problem : I can authenticate with Kerberos, but our domain on AD is "WAN.CORP.COM". So I get my users with username@WAN.CORP.COM, and there's no filter I can ask with this on AD (userPrincipalName are like username@corp.com).

My security.xml contains :

<sec:ldap-user-service id="ldapUserService" server-ref="ldapCorp" user-search-filter="(userPrincipalName={0})" />
<sec:ldap-server id="ldapCorp" url="ldap://ldap.wan.corp.com:389/DC=wan,DC=corp,DC=com" manager-dn="CN=ldap read,OU=CORP,DC=wan,DC=corp,DC=com" manager-password="pass" />

But Spring Security sends an exception, because it can't retrieve user@WAN.CORP.COM...

Anyone can help me ? I'd like to make it by Spring Security directly, if not, I think I can get informations in a DummyUserDetailsService, I'm right ?

Thanks a lot, and sorry for my poor english...

Answer 1

Spring security 3.1 already has implementation of LDAP / AD auth.

see it here: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ldap.html#d0e6795 http://javarevisited.blogspot.com/2011/11/ldap-authentication-active-directory.html

Answer 2

You could provide your own UserDetailsService implementation into which you inject LdapUserDetailsService.

In loadUserByUsername method you can modify the username and then call LdapUserDetailsService's loadUserByUsername with the modified username.