Here I will explain how to authenticate and authorize users against Windows Active Directory using the latest Spring Security version, 2.0.4. The Spring Security LDAP samples helped me make this work.

1. I used Maven to build this; the contents of my pom.xml are as follows:
<pre name="code" class="brush:xml"><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v40_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.mani</groupId>
<artifactId>loginAD</artifactId>
<packaging>war</packaging>
<version>1.0-SNAPSHOT</version>
<name>loginAD Maven Webapp</name>
<url>http://maven.apache.org</url>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>2.5.0-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>2.0.8</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>2.0.8</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
<version>2.0.8</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.4.3</version>
</dependency>
<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap</artifactId>
<version>1.2.1</version>
</dependency>
<!-- Log4J -->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.14</version>
</dependency>
</dependencies>
<build>
<finalName>loginAD</finalName>
</build>
</project>
</pre>

2. The web.xml of my application is as follows:
<pre name="code" class="brush:xml"><?xml version="1.0" encoding="UTF-8"?>

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">

<display-name>Active Directory Based Login Application</display-name>

<!--
- Location of the XML file that defines the root application context
- Applied by ContextLoaderListener.
-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext-security.xml
</param-value>
</context-param>

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<!--
- Loads the root application context of this web app at startup.
- The application context is then available via
- WebApplicationContextUtils.getWebApplicationContext(servletContext).
-->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!--
- Publishes events for session creation and destruction through the application
- context. Optional unless concurrent session control is being used.
-->
<listener>
<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>

</web-app>
</pre>

3. Last but not least, applicationContext-security.xml. I used sAMAccountName, which is my login id, as the username attribute. Moreover, I used port 3268 to search the entire AD. You can use port 389 instead, depending on your AD search.

The things configured in this XML file are:
a) Log in to the AD with the userDn/password to get the LDAP context, then search for the user by sAMAccountName in that context. When the user is found, populate his authorities.

<pre name="code" class="brush:xml"><beans xmlns="http://www.springframework.org/schema/beans"
xmlns:s="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
<s:http>
<!-- Most specific pattern first: the first matching intercept-url wins -->
<s:intercept-url pattern="/secure/extreme/**" access="ROLE_eCommunications"/>
<s:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED"/>
<s:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<s:form-login/>
<s:anonymous/>
<s:logout/>
</s:http>

<!-- Service account used to bind to AD and run the user and group searches -->
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://server.url.goes.here:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"/>
<property name="userDn" value="username"/>
<property name="password" value="password"/>
</bean>

<bean id="secondLdapProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<s:custom-authentication-provider />
<constructor-arg>
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg ref="contextSource"/>
<property name="userSearch">
<!-- {0} is replaced with the submitted login name -->
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value=""/>
<constructor-arg index="1" value="(&amp;(sAMAccountName={0})(objectclass=user))"/>
<constructor-arg index="2" ref="contextSource" />
</bean>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<!-- Builds ROLE_<group cn> authorities from the user's group memberships -->
<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSource" />
<constructor-arg value="" />
<property name="rolePrefix" value="ROLE_"/>
<property name="searchSubtree" value="true"/>
<property name="convertToUpperCase" value="false"/>
</bean>
</constructor-arg>
</bean>
</beans>
</pre>
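To make the flow in (a) concrete, here is an added Python model of what the configuration above does; it is not the post's code or Spring Security's, and the directory entries in it are constructed sample data. It shows the escaped {0} substitution into the user-search filter, the ROLE_ authorities DefaultLdapAuthoritiesPopulator derives from group cn values, and the first-match evaluation of the three intercept-url rules.

```python
import re

# Constructed sample of the AD subtree under DC=example,DC=com (assumed data, not the post's directory).
DIRECTORY = {
    "CN=Jane Doe,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "jdoe",
        "memberOf": ["CN=eCommunications,OU=Groups,DC=example,DC=com",
                     "CN=Staff,OU=Groups,DC=example,DC=com"]}}
# The three intercept-url rules from applicationContext-security.xml, in file order.
INTERCEPT_URLS = [("/secure/extreme/**", "ROLE_eCommunications"),
                  ("/secure/**", "IS_AUTHENTICATED_REMEMBERED"),
                  ("/**", "IS_AUTHENTICATED_ANONYMOUSLY")]

def escape_filter_value(value):
    # RFC 4515 escaping of the {0} argument; JNDI does this for filter arguments,
    # so a login name cannot change the structure of the search filter.
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)

def user_filter(login):
    # The FilterBasedLdapUserSearch filter with {0} replaced by the escaped login.
    return "(&(sAMAccountName=%s)(objectclass=user))" % escape_filter_value(login)

def find_user_dn(login):
    # BindAuthenticator step 1: find the DN by sAMAccountName; the real one then binds as it with the password.
    hits = [dn for dn, e in DIRECTORY.items() if e["sAMAccountName"] == login]
    return hits[0] if len(hits) == 1 else None  # zero or several hits: nothing to bind as

def authorities(dn, role_prefix="ROLE_", upper=False):
    # DefaultLdapAuthoritiesPopulator: rolePrefix + group cn per group, upper-cased
    # only when convertToUpperCase is true (the post sets it to false).
    roles = []
    for group in DIRECTORY[dn]["memberOf"]:
        cn = group.split(",")[0].split("=", 1)[1]
        roles.append(role_prefix + (cn.upper() if upper else cn))
    return roles

def ant_match(pattern, path):
    # Ant-style match covering what the post's patterns use: * and /**.
    regex = pattern.replace(".", r"\.").replace("/**", "\0").replace("*", "[^/]*")
    return re.fullmatch(regex.replace("\0", "(/.*)?"), path) is not None

def is_allowed(path, roles):
    # First matching intercept-url wins; roles is None for an anonymous request.
    for pattern, access in INTERCEPT_URLS:
        if not ant_match(pattern, path):
            continue
        if access == "IS_AUTHENTICATED_ANONYMOUSLY":
            return True
        if access == "IS_AUTHENTICATED_REMEMBERED":
            return roles is not None  # remembered or fully authenticated
        return roles is not None and access in roles
    return False
```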

4. My index.jsp under webapp is as follows:
<pre name="code" class="brush:html"><html>
<body>
<h1>Home Page</h1>
<p>Anyone can view this page.</p>
<p>Your principal object is: <%= request.getUserPrincipal() %></p>
<p>Secure page</p>
<p>Extremely secure page</p>
</body>
</html>
</pre>

5. Under webapp/secure, index.jsp is as follows:
<pre name="code" class="brush:html"><html>
<body>
<h1>Secure Page</h1>This is a protected page. You can get to me if you've been remembered,
or if you've authenticated this session.

<% if (request.isUserInRole("ROLE_SUPERVISOR")) { %>
You are a supervisor! You can therefore see the extremely secure page.
<% } %>

<p>Home
<p>Logout
</body>
</html>
</pre>
6. Under secure/extreme, index.jsp is as follows:
<pre name="code" class="brush:html"><html>
<body>
<h1>VERY Secure Page</h1>This is a protected page. You can only see me if you belong to SUPERVISOR

<p>Home
<p>Logout
</body>
</html>
</pre>

7. Deploy on Tomcat and access it using the URL http://localhost:8080/loginAD

Soon I will post a blog about customizing the Spring Security authentication provider to authenticate against Active Directory using domain name / username as the login.