If you want to control the access to a web application and make it secure within a Spring environment, a good approach is to apply the Microsoft Active Directory (LDAP) authentication.
However, when I tried to apply this approach I found it was not easy to put all the elements together. The online documentation for Spring Security was not clear enough to my understanding and the synchronisation of dependencies not properly explained; I found a good reference on this ComDynamics article, but again with some missing parts.
After hours of research and test I realised that the Spring Security framework allows high flexibility and lets you customise
the way you authenticate and secure your web applications. Once I managed to get it all working I decided to write this new entry on my blog to have everything in one place.
Include your dependencies
The next Spring Security 3.1.0.RELEASE dependencies are required in your pom.xml file to perform the security checks:
- spring-security-core
- spring-security-config
- spring-security-web
- spring-security-ldap
ActiveDirectoryLdapAuthenticationProvider is the core class in Spring Security 3.1 to allow the integration with LDAP, and one of my first problems was that the versions of Spring Security 3.1 I was using did not include this class in their classpaths, so make sure the version of your dependencies includes it (version 3.1.0.RELEASE does).
Apart from these dependencies, you will also need to include the next one:
- spring-ldap-core (version 1.3.1.RELEASE worked for me)
Configure your files within the WEB-INF folder
In this case, the security configuration is specified in the security.xml file, under WEB-INF, so in order for the security context to be loaded, your web.xml file should look as shown next:
The application configuration needs to also provide the security filter chain, by specifying the set of URLs that will be processed by the security filter. In this case, all the URLs will require to be secured, so the web.xml file should include the following:
Configure your security context
As stated above, the security context in this example will be detailed in the security.xml file (under WEB-INF), which will look like shown in the following snippet:
As stated above, the security context in this example will be detailed in the security.xml file (under WEB-INF), which will look like shown in the following snippet:
It is important to describe some of the elements in the security context:
Configure your login page - ldapActiveDirectoryAuthProvider: This bean will use the core Spring Security 3.1 class to integrate with LDAP: ActiveDirectoryLdapAuthenticationProvider, which accepts a list of parameters as shown in the example
- Constructor arguments: ${ldap.domain} and ${ldap.url} represent your Active Directory configuration, that is the domain to which the users belong and the url to connect to the LDAP server
- authoritiesMapper: This bean is needed to filter the roles within the LDAP groups; it will check whether the users belong to certain LDAP groups or not. The bean uses the customised class com.targetapp.webapp.security.ActiveDirectoryGrantedAuthoritiesMapper, which is explained below
- security:http: This section specifies your login/logout policy, as well as your security zones:
- form-login, where you detail the login page, the login processing url and the redirections in case of success or failure in the authentication
- logout, redirection on sucessful logout
- itercept-url, which allows you to create as many security zones as you need in your web application, specifying the roles that have permission to access each of the security zones; for simplicity in this example there is only one role, ROLE_ADMIN, that has access to all the sites in the web application, but your LDAP configuration could have different roles with access to different zones in your web application
Make sure that your form uses the login-processing-url specified in the security.xml file, in this case "/j_spring_security_check".
Configure your role mappings
In order to match the nomenclature used in your security context (security.xml) you need to create the customised mapper class that will be used to implement the authoritiesMapper bean previously declared in the security context.
This will imply the creation of two classes:
com.targetapp.webapp.security.SecurityContextAuthority
This class implements the Spring interface GrantedAuthority; it provides the set of the roles used in the security context, that will be mapped by the next class
com.targetapp.webapp.security.ActiveDirectoryGrantedAuthoritiesMapper
This class implements the Spring interface GrantedAuthoritiesMapper; the method mapAuthorities
gets as argument the set of authorities in the LDAP nomenclature which is mapped to the set of authorities defined in the previous class (in the security context nomenclature); the method will provide the ActiveDirectoryLdapAuthenticationProvider class with the list of roles available for the user that is trying to login
At this point you should have all your configuration ready to provide your web application with Active Directory security.