Rather than trying to get an Active Directory "application" account, which would have been nice as it would have allowed me to search for roles but which would have taken forever to get because of bureaucratic reasons, I decided to use a simple bind to the AD with the entered password and username to authenticate the users.
The problem was that just binding would have allowed everyone with a valid AD account to access the web application, which is what I didn't want. To limited the users, I needed a different way to verify whether or not they were authorized to use the application and this I did by storing their roles in the application's database.
To test whether or not this approach would work and to determine the connection details, I used Apache Directory Studio as shown below.
<s:authentication-manager> <s:authentication-provider ref="ldapAuthenticationProvider"/> </s:authentication-manager> <bean id="ldapAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> <constructor-arg> <bean class="eu.ecb.csdb.gateway.security.UsernameBindAuthenticator"> <constructor-arg ref="contextSource" /> <!-- just keep the base class happy --> <property name="userDnPatterns"> <list> <value>sAMAccountName={0},OU=Standard User,OU=Users and Groups</value> </list> </property> </bean> </constructor-arg> <constructor-arg> <bean class="eu.ecb.csdb.gateway.security.DatabaseAuthoritiesPopulator"> </bean> </constructor-arg> </bean>
First, I configured my own authentication provider (UsernameBindAuthenticator) , which binds to AD using the entered password and username as shown here:
public class UsernameBindAuthenticator extends AbstractLdapAuthenticator {
/*...*/ public DirContextOperations authenticate(Authentication authentication) { DirContextAdapter result = null; String username = authentication.getName(); String password = (String)authentication.getCredentials(); String domainUsername = domain + "\\" + username; DirContext ctx = null; try { ctx = getContextSource().getContext(domainUsername, password); // Check for password policy control PasswordPolicyControl ppolicy = PasswordPolicyControlExtractor.extractControl(ctx); //bind was successful if we got here. result = new DirContextAdapter(); } finally { LdapUtils.closeContext(ctx); } return result; } /*...*/ }
public class DatabaseAuthoritiesPopulator implements LdapAuthoritiesPopulator { /*...*/ public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) { logger.debug(String.format("Getting roles for %s", username)); List<GrantedAuthority> result = new ArrayList<GrantedAuthority>(); try { final String query = String.format("select roles from USERS where USERNAME = '%s'", username); final String roles = this.jdbcTemplate.queryForObject(query, String.class); String splitRoles[] = null; if(roles != null && (splitRoles = roles.split(";")).length > 0){ for(String strRole : splitRoles){ result.add(new CsdbAuthority(strRole)); } } }catch(Exception ex){ logger.debug(ex); } logger.debug(String.format("%s roles found for %s", (result == null ? 0 : result.size()), username)); return result; } /*...*/ }
The CsdbAuthority is nothing but an implementation of the GrantedAuthority interface.
So if the bind was successful, then I knew that the user was a legitimate AD user and then I looked in the application's database to see if the user was authorized to use the application.
At this point, you might be asking yourself, wouldn't it have been easier just to use the FilterBasedLdapUserSearch and DefaultLdapAuthoritiesPopulator classes from Spring? First of all no because I didn't have any roles in LDAP to search for. As mentioned I wanted a quick solution and not one where I would need to do months of paper work to get the roles added to AD; this all took place within a very bureaucratic government agency. Secondly no, because I found the implementation of the FilterBasedLdapUserSearch confusing, quirky and poorly documented and I figured that rather than messing around for hours trying to configure the class it would be easier just to write my own.