Spring Security with Active Directory and Database roles

Question

I'm trying to use Spring Security with Active Directory usernames and password. Additionally, I have a database Roles table which has a relationship with a User table that contains the usernames of Active Directory (the User table is no related in anyway with Active Directory, it's completely independent I just put the usernames in that table so I can match it with the Roles)

I'm following this example http://krams915.blogspot.com/2012/01/spring-security-31-implement_1244.html

The problem is that I fail to see where the password is used in the loadUserByUsername method of the CustomUserDetailsService class.

public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        try {
            org.krams.domain.User domainUser = userRepository.findByUsername(username);

            boolean enabled = true;
            boolean accountNonExpired = true;
            boolean credentialsNonExpired = true;
            boolean accountNonLocked = true;

            return new User(
                    domainUser.getUsername(), 
                    domainUser.getPassword().toLowerCase(),
                    enabled,
                    accountNonExpired,
                    credentialsNonExpired,
                    accountNonLocked,
                    getAuthorities(domainUser.getRole().getRole()));

        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

For what I understand this line validates the username against the database userRepository.findByUsername(username);

But how can I use an lpad validation there? Can I use something like the authentication implementes here http://www.javaxt.com/Tutorials/Windows/How_to_Authenticate_Users_with_Active_Directory

UPDATE:

I'm trying to get it work with a CustomUserDetailsContextMapper

XML

<authentication-manager >
    <authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</authentication-manager>

<beans:bean id="ldapActiveDirectoryAuthProvider" 
        class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <beans:constructor-arg value="domain" />
    <beans:constructor-arg value="ldap://NAME/"/> 
    <beans:property name="userDetailsContextMapper" ref="tdrUserDetailsContextMapper"/>
    <beans:property name="useAuthenticationRequestCredentials" value="true"/>
</beans:bean>

<beans:bean id="tdrUserDetailsContextMapper" class="com.test8.security8.service.CustomUserDetailsContextMapper"/>

Custom Class

public class CustomUserDetailsContextMapper implements UserDetailsContextMapper, Serializable{

    private static final long serialVersionUID = 3962976258168853984L;

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authority) {
        String role="admin";
        System.out.println("TEST");
        if(username.equals("usuario"))role="admin";
        else role="user";
        List authList = getAuthorities(role);

        return new User(username, "", true, true, true, true, authList);
    }

    private List getAuthorities(String role) {

        List authList = new ArrayList();
        authList.add(new SimpleGrantedAuthority("ROLE_USER"));

        //you can also add different roles here
        //for example, the user is also an admin of the site, then you can add ROLE_ADMIN
        //so that he can view pages that are ROLE_ADMIN specific
        if (role != null && role.trim().length() > 0) {
            if (role.equals("admin")) {
                authList.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
            }
        }

        return authList;
    }

    @Override
    public void mapUserToContext(UserDetails arg0, DirContextAdapter arg1) {
        // TODO Auto-generated method stub      
    }
}

I think I'm almost there, I don´t get an error but it appears that it cannot map any user, The System.out.println("TEST") ; line is never executed. Could it be something related to the URL/Domain? I'm sure that the URL is correct because if I change it I get an error.

Answer 1

I ended up using a UserDetailsContextMapper as suggested by M. Deinum. I also created customs SpringSecurityLdapTemplate and ActiveDirectoryLdapAuthenticationProvider.

In my custom ActiveDirectoryLdapAuthenticationProvider I changed the following method:

private LdapContext bindAsUser(String username, String password) {
    // TODO. add DNS lookup based on domain
    final String bindUrl = url;

    Hashtable<String,String> env = new Hashtable<String,String>();
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    String bindPrincipal = createBindPrincipal(username);
    env.put(Context.SECURITY_PRINCIPAL, bindPrincipal);
    env.put(Context.PROVIDER_URL, bindUrl);
    env.put(Context.SECURITY_CREDENTIALS, password);
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.REFERRAL, "follow");

    try {
        return new InitialLdapContext(env, null);
    } catch (NamingException e) {
        if ((e instanceof AuthenticationException) || (e instanceof OperationNotSupportedException)) {
            handleBindException(bindPrincipal, e);
            throw badCredentials();
        } else {
            throw LdapUtils.convertLdapException(e);
        }
    }
} 

This was the important line for me: env.put(Context.REFERRAL, "follow");

And in the SpringSecurityLdapTemplate custom class

public static DirContextOperations searchForSingleEntryInternal(DirContext ctx, SearchControls searchControls,
        String base, String filter, Object[] params) throws NamingException {
    final DistinguishedName ctxBaseDn = new DistinguishedName(ctx.getNameInNamespace());
    final DistinguishedName searchBaseDn = new DistinguishedName(base);
    final NamingEnumeration<SearchResult> resultsEnum = ctx.search(searchBaseDn, filter, params, buildControls(searchControls));

   filter, searchControls);
    if (logger.isDebugEnabled()) {
        logger.debug("Searching for entry under DN '" + ctxBaseDn
                + "', base = '" + searchBaseDn + "', filter = '" + filter + "'");
    }

    Set<DirContextOperations> results = new HashSet<DirContextOperations>();
    try {

        while (resultsEnum.hasMore()) {


            SearchResult searchResult = resultsEnum.next();

            DirContextAdapter dca = new DirContextAdapter();

            //dca=(DirContextAdapter) searchResult.getObject();
            Assert.notNull(dca, "No object returned by search, DirContext is not correctly configured");

            if (logger.isDebugEnabled()) {
                logger.debug("Found DN: " + dca.getDn());
            }
            results.add(dca);
        }
    } catch (PartialResultException e) {
        LdapUtils.closeEnumeration(resultsEnum);
        logger.info("Ignoring PartialResultException");
    }

    if (results.size() == 0) {
        throw new IncorrectResultSizeDataAccessException(1, 0);
    }

    if (results.size() > 1) {
        throw new IncorrectResultSizeDataAccessException(1, results.size());
    }

    return results.iterator().next();
}

This worked for me, but it was a very particular scenario. Thanks to M. Deinum for pointing me in the right direction.