I'm trying to use Spring Security with Active Directory usernames and password. Additionally, I have a database Roles table which has a relationship with a User table that contains the usernames of Active Directory (the User table is no related in anyway with Active Directory, it's completely independent I just put the usernames in that table so I can match it with the Roles)
I'm following this example http://krams915.blogspot.com/2012/01/spring-security-31-implement_1244.html
The problem is that I fail to see where the password is used in the loadUserByUsername method of the CustomUserDetailsService class.
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
try {
org.krams.domain.User domainUser = userRepository.findByUsername(username);
boolean enabled = true;
boolean accountNonExpired = true;
boolean credentialsNonExpired = true;
boolean accountNonLocked = true;
return new User(
domainUser.getUsername(),
domainUser.getPassword().toLowerCase(),
enabled,
accountNonExpired,
credentialsNonExpired,
accountNonLocked,
getAuthorities(domainUser.getRole().getRole()));
} catch (Exception e) {
throw new RuntimeException(e);
}
}
For what I understand this line validates the username against the database userRepository.findByUsername(username);
But how can I use an lpad validation there? Can I use something like the authentication implementes here http://www.javaxt.com/Tutorials/Windows/How_to_Authenticate_Users_with_Active_Directory
UPDATE:
I'm trying to get it work with a CustomUserDetailsContextMapper
XML
<authentication-manager >
<authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</authentication-manager>
<beans:bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<beans:constructor-arg value="domain" />
<beans:constructor-arg value="ldap://NAME/"/>
<beans:property name="userDetailsContextMapper" ref="tdrUserDetailsContextMapper"/>
<beans:property name="useAuthenticationRequestCredentials" value="true"/>
</beans:bean>
<beans:bean id="tdrUserDetailsContextMapper" class="com.test8.security8.service.CustomUserDetailsContextMapper"/>
Custom Class
public class CustomUserDetailsContextMapper implements UserDetailsContextMapper, Serializable{
private static final long serialVersionUID = 3962976258168853984L;
@Override
public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authority) {
String role="admin";
System.out.println("TEST");
if(username.equals("usuario"))role="admin";
else role="user";
List authList = getAuthorities(role);
return new User(username, "", true, true, true, true, authList);
}
private List getAuthorities(String role) {
List authList = new ArrayList();
authList.add(new SimpleGrantedAuthority("ROLE_USER"));
//you can also add different roles here
//for example, the user is also an admin of the site, then you can add ROLE_ADMIN
//so that he can view pages that are ROLE_ADMIN specific
if (role != null && role.trim().length() > 0) {
if (role.equals("admin")) {
authList.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
}
}
return authList;
}
@Override
public void mapUserToContext(UserDetails arg0, DirContextAdapter arg1) {
// TODO Auto-generated method stub
}
}
I think I'm almost there, I don´t get an error but it appears that it cannot map any user, The System.out.println("TEST")
; line is never executed. Could it be something related to the URL/Domain? I'm sure that the URL is correct because if I change it I get an error.
I ended up using a UserDetailsContextMapper as suggested by M. Deinum. I also created customs SpringSecurityLdapTemplate and ActiveDirectoryLdapAuthenticationProvider.
In my custom ActiveDirectoryLdapAuthenticationProvider I changed the following method:
private LdapContext bindAsUser(String username, String password) {
// TODO. add DNS lookup based on domain
final String bindUrl = url;
Hashtable<String,String> env = new Hashtable<String,String>();
env.put(Context.SECURITY_AUTHENTICATION, "simple");
String bindPrincipal = createBindPrincipal(username);
env.put(Context.SECURITY_PRINCIPAL, bindPrincipal);
env.put(Context.PROVIDER_URL, bindUrl);
env.put(Context.SECURITY_CREDENTIALS, password);
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.REFERRAL, "follow");
try {
return new InitialLdapContext(env, null);
} catch (NamingException e) {
if ((e instanceof AuthenticationException) || (e instanceof OperationNotSupportedException)) {
handleBindException(bindPrincipal, e);
throw badCredentials();
} else {
throw LdapUtils.convertLdapException(e);
}
}
}
This was the important line for me: env.put(Context.REFERRAL, "follow");
And in the SpringSecurityLdapTemplate custom class
public static DirContextOperations searchForSingleEntryInternal(DirContext ctx, SearchControls searchControls,
String base, String filter, Object[] params) throws NamingException {
final DistinguishedName ctxBaseDn = new DistinguishedName(ctx.getNameInNamespace());
final DistinguishedName searchBaseDn = new DistinguishedName(base);
final NamingEnumeration<SearchResult> resultsEnum = ctx.search(searchBaseDn, filter, params, buildControls(searchControls));
filter, searchControls);
if (logger.isDebugEnabled()) {
logger.debug("Searching for entry under DN '" + ctxBaseDn
+ "', base = '" + searchBaseDn + "', filter = '" + filter + "'");
}
Set<DirContextOperations> results = new HashSet<DirContextOperations>();
try {
while (resultsEnum.hasMore()) {
SearchResult searchResult = resultsEnum.next();
DirContextAdapter dca = new DirContextAdapter();
//dca=(DirContextAdapter) searchResult.getObject();
Assert.notNull(dca, "No object returned by search, DirContext is not correctly configured");
if (logger.isDebugEnabled()) {
logger.debug("Found DN: " + dca.getDn());
}
results.add(dca);
}
} catch (PartialResultException e) {
LdapUtils.closeEnumeration(resultsEnum);
logger.info("Ignoring PartialResultException");
}
if (results.size() == 0) {
throw new IncorrectResultSizeDataAccessException(1, 0);
}
if (results.size() > 1) {
throw new IncorrectResultSizeDataAccessException(1, results.size());
}
return results.iterator().next();
}
This worked for me, but it was a very particular scenario. Thanks to M. Deinum for pointing me in the right direction.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.