Spring project using CAS for Authentication and LDAP for Authorities
Question
I had a Spring 3 project that was using LDAP for Authentication and Authorities. We know changed the project to use CAS for authentication but still work like to use LDAP for Authorities. can someone please look at this XML file and tell me how to get LDAP Authorities back and working
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security" xmlns:p="http://www.springframework.org/schema/p"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<http entry-point-ref="casEntryPoint" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/index.jsp" access="permitAll" />
<intercept-url pattern="/cas-logout.jsp" access="permitAll" />
<intercept-url pattern="/casfailed.jsp" access="permitAll" />
<intercept-url pattern="/secure/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/requests/**" access="hasRole('ROLE_MEMBER_INQUIRY')" />
<custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
<custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
<custom-filter ref="casFilter" position="CAS_FILTER" />
<logout logout-success-url="/cas-logout.jsp" />
</http>
<authentication-manager alias="authManager">
<authentication-provider ref="casAuthProvider" />
</authentication-manager>
<user-service id="userService">
<user name="rod" password="rod" authorities="ROLE_SUPERVISOR,ROLE_USER" />
<user name="cpilling04@aol.com.dev" password="testing"
authorities="ROLE_MEMBER_INQUIRY" />
</user-service>
<!-- This filter handles a Single Logout Request from the CAS Server -->
<b:bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter" />
<!-- This filter redirects to the CAS Server to signal Single Logout should
be performed -->
<b:bean id="requestSingleLogoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter"
p:filterProcessesUrl="/j_spring_cas_security_logout">
<b:constructor-arg
value="https://${cas.server.host}/cas-server-webapp/logout" />
<b:constructor-arg>
<b:bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
</b:constructor-arg>
</b:bean>
<b:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"
p:service="https://${cas.service.host}/MemberInquiry/j_spring_cas_security_check"
p:authenticateAllArtifacts="true" />
<b:bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
p:serviceProperties-ref="serviceProperties"
p:loginUrl="https://${cas.server.host}/cas-server-webapp/login" />
<b:bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter"
p:authenticationManager-ref="authManager" p:serviceProperties-ref="serviceProperties"
p:proxyGrantingTicketStorage-ref="pgtStorage"
p:proxyReceptorUrl="/j_spring_cas_security_proxyreceptor">
<b:property name="authenticationDetailsSource">
<b:bean
class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource" />
</b:property>
<b:property name="authenticationFailureHandler">
<b:bean
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:defaultFailureUrl="/casfailed.jsp" />
</b:property>
<b:property name="authenticationSuccessHandler">
<b:bean
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"
p:defaultTargetUrl="/requests/add.html" />
</b:property>
</b:bean>
<!-- NOTE: In a real application you should not use an in memory implementation.
You will also want to ensure to clean up expired tickets by calling ProxyGrantingTicketStorage.cleanup() -->
<b:bean id="pgtStorage"
class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />
<b:bean id="casAuthProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
p:serviceProperties-ref="serviceProperties" p:key="casAuthProviderKey">
<b:property name="authenticationUserDetailsService">
<b:bean
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<b:constructor-arg ref="userService" />
</b:bean>
</b:property>
<b:property name="ticketValidator">
<b:bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
p:acceptAnyProxy="true"
p:proxyCallbackUrl="https://${cas.service.host}/MemberInquiry/j_spring_cas_security_proxyreceptor"
p:proxyGrantingTicketStorage-ref="pgtStorage">
<b:constructor-arg value="https://${cas.server.host}/cas-server-webapp" />
</b:bean>
</b:property>
<b:property name="statelessTicketCache">
<b:bean
class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache">
<b:property name="cache">
<b:bean class="net.sf.ehcache.Cache" init-method="initialise"
destroy-method="dispose">
<b:constructor-arg value="casTickets" />
<b:constructor-arg value="50" />
<b:constructor-arg value="true" />
<b:constructor-arg value="false" />
<b:constructor-arg value="3600" />
<b:constructor-arg value="900" />
</b:bean>
</b:property>
</b:bean>
</b:property>
</b:bean>
<!-- Configuration for the environment can be overriden by system properties -->
<context:property-placeholder
system-properties-mode="OVERRIDE" properties-ref="environment" />
<util:properties id="environment">
<b:prop key="cas.service.host">wcmisdlin07.uftmasterad.org:8443</b:prop>
<b:prop key="cas.server.host">wcmisdlin07.uftmasterad.org:8443</b:prop>
</util:properties>
<b:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<b:constructor-arg
value="ldaps://dvldap01.uftwf.dev:636/dc=uftwf,dc=dev" />
<b:property name="userDn" value="cn=Manager,dc=uftwf,dc=dev" />
<b:property name="password" value="uftwf" />
</b:bean>
<b:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<b:constructor-arg>
<b:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<b:constructor-arg ref="contextSource" />
<b:property name="userDnPatterns">
<b:list>
<b:value>
uid={0},ou=webusers
</b:value>
</b:list>
</b:property>
</b:bean>
</b:constructor-arg>
<b:constructor-arg>
<b:bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<b:constructor-arg ref="contextSource" />
<b:constructor-arg value="ou=groups" />
<b:property name="groupRoleAttribute" value="ou" />
</b:bean>
</b:constructor-arg>
</b:bean>
<ldap-server url="ldaps://dvldap01.uftwf.dev:636/dc=uftwf,dc=dev" />
</b:beans>
1 answers
solution1
2 ACCPTED 2012-06-26 18:37:38
You need to replace the in-memory UserDetailsService bean ( userService ) with an LdapUserDetailsService . If you were previously using LDAP for authentication, then the configuration should be pretty much the same, assuming the user name returned by CAS can be easily mapped into the directory.
In more detail: You currently have a bean called userService which is created using the namespace:
<user-service id="userService">
<user name="rod" password="rod" authorities="ROLE_SUPERVISOR,ROLE_USER" />
<user name="cpilling04@aol.com.dev" password="testing"
authorities="ROLE_MEMBER_INQUIRY" />
</user-service>
you need to replace it by one that looks something like this:
<ldap-user-service id="userService"
server-ref="yourLdapServer"
user-search-base="ou=people"
user-search-filter="(uid={0})"
group-search-base="ou=groups"
group-role-attribute="cn"
group-search-filter="(member={0})"
role-prefix="ROLE_" />
but with the various attributes set to match your directory configuration. They should be similar to whatever you had in your <ldap-authentication-provider> configuration before you moved to CAS. You'll also need to declare an <ldap-server> element to point to the directory server. Again that should match what you had before.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Moving Spring Web Project using LDAP Authentication and Authorities to Spring and CAS
Spring security switch to Ldap authentication and database authorities
Custom authorities with LDAP authentication
Spring ldap : not granted any authorities
LDAP Integration with CAS + Spring
Authentication in Java using Spring LDAP
Cas Ldap authentication failed : attributes are empty
Spring Boot is ignoring Group Authorities authentication
Custom LDAP authentication using Spring Security 4
Using CAS server with two different Spring Security authentication flows
Related Tags