One very useful component of the Spring Java framework is spring-security, since it allows consistent usage of various security providers for authentication and authorization. Although I’ve found a great number of basic spring-security tutorials on the internet, I wasn’t able to find a complete solution for my own requirements:
Logging in with LDAP, but configuring the authorities [*] of the logged-in user with the help of a custom method and not through LDAP.
I think that the above is a common requirement in many organizations: there is a central LDAP repository in which the usernames and passwords of the users are stored, but the groups of the users are not stored there. Or maybe the groups that are actually stored in the LDAP cannot be transformed easily into application-specific groups for each application.
You may find the working Spring project that uses LDAP and a custom groups populator here: https://github.com/spapas/SpringLdapCustomAuthorities/
I’ve created a very basic setup of spring-security for a spring-mvc project. For a more thorough explanation of a simple spring-security project, please take a look here: http://www.mkyong.com/spring-security/spring-security-hello-world-example/ and, for a great explanation of the various spring-security classes, here: http://www.codeproject.com/Articles/253901/Getting-Started-Spring-Security
In my setup there is a controller that defines two mappings: “/”, which is the homepage and has a link to “/enter”, and “/enter”, which is an internal page to which only authorized users have access. When the user clicks on “enter” he will be presented with a login form first. If the user logs in successfully, enter.jsp will list the username and the authorities of the logged-in user through the following spring-security tags:
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
[...]
Username: <sec:authentication property="principal.username" /><br />
Authorities: <sec:authentication property="principal.authorities"/><br />
The authentication provider is an in-memory service in which the username, password and authorities of each user are defined in the XML, so this is a simple spring-security example that can be found in a number of places on the internet. The security rules, login form and the authentication provider are configured with the following security-config.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http pattern="/static/**" security="none" />

    <http use-expressions="true">
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/enter" access="hasRole('user')" />
        <intercept-url pattern="/**" access="denyAll" />
        <form-login default-target-url="/" />
        <logout logout-success-url="/" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="spapas" password="123" authorities="admin, user, nonldap" />
                <user name="serafeim" password="123" authorities="user" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
When we run this application and go to /enter, we will get the following output:
Authorities: [admin, nonldap, user]
In the above, a complete example of configuring a custom authorities populator was presented. Using this configuration we can log in through the LDAP server of our organization but use application-specific roles for our logged-in users.
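A custom populator of the kind described in this post, as an added example and not the code of the linked project: it implements Spring Security’s LdapAuthoritiesPopulator interface, ignores whatever groups LDAP holds, and assigns the application-specific roles from an application-side lookup. The package name and the in-memory role table are assumptions standing in for a real database or service.

```java
package com.example.security; // hypothetical package name

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/**
 * Called by LdapAuthenticationProvider only after the user has already been
 * bound (authenticated) against LDAP. The roles returned here decide what the
 * user may access; LDAP group membership plays no part.
 */
public class CustomAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    // Constructed sample data: in a real deployment this lookup would hit a
    // database or an application-specific service keyed by the LDAP username.
    private final Map<String, List<String>> rolesByUser = new HashMap<String, List<String>>();

    public CustomAuthoritiesPopulator() {
        rolesByUser.put("spapas", Arrays.asList("admin", "user", "nonldap"));
        rolesByUser.put("serafeim", Arrays.asList("user"));
    }

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(
            DirContextOperations userData, String username) {
        // LDAP uids are usually matched case-insensitively, so key the lookup the same way.
        List<String> roles = rolesByUser.get(username.toLowerCase());
        if (roles == null) {
            // Valid LDAP credentials but unknown to the application: grant no
            // authority, so hasRole('user') on /enter denies access by default.
            return Collections.emptyList();
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        return authorities;
    }
}
```

The populator is handed to an LdapAuthenticationProvider bean as its second constructor argument, next to the BindAuthenticator that performs the actual LDAP bind; the rest of security-config.xml stays as shown above.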
[*] Which is how Spring calls the groups/roles the user belongs to.