Using Active Directory for authentication in Spring with custom permissions (roles)

1 Reply

Recently at work, I had to work on setting up a Spring application to do Active Directory authentication and use our internal permissions service. After much googling and playing around I finally figured out how to get it all working. I suspect this may not be the best way to do this, but it works.

Set this up in your config XML

1
2
3
4
5
6
7
8
9
10

<!-- Connect to AD -->
<bean id="activeDirectoryAuthenticationProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor -arg value="YOURDOMAIN"></constructor>
<constructor -arg value="ldap://YOURSERVER"></constructor>
<property name="userDetailsContextMapper" ref="customDetailsMapper"></property>
<property name="convertSubErrorCodesToExceptions" value="true"></property>
</bean>
 
<!-- add in your permissions -->
<bean id="customDetailsMapper" class="Full path to CustomDetailsMapper class"></bean>

Now, the CustomDetailsMapper

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

package mypackage;
 
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
 
import org.apache.log4j.Logger;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
 
public class CustomUserDetailsMapper extends LdapUserDetailsMapper {
 
    protected static Logger logger = Logger.getLogger("CustomUserDetailsMapper");
    private static final Collection<string> DEFAULT_PERMS = Arrays.asList("login");
 
 
    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection< ? extends GrantedAuthority> authorities) {
        /**
         * at this point, the user has permissions based on groups in LDAP/AD. If
         * we used AD for permissions, this would be sufficient, but we want permissions
         * from elsewhere so we need to modify the permissions/authorities
         */
        logger.info(" old authorities: "+authorities);
        UserDetails user = super.mapUserFromContext( ctx, username, getPermissions(username));
        logger.info(" adjusted user: "+user);
 
        return user;
    }
 
    /**
     * gets permissions
     *
     * @param username the username to get permissions for
     * @return a Set of permissions for the user
     */
    private Set<grantedauthority> getPermissions(String username) {
        Set</grantedauthority><grantedauthority> permissions = new HashSet</grantedauthority><grantedauthority>();
 
        /**
         * get your permissions here - however you need to
         * then convert them to SimpleGrantedAuthority
         */
 
        for (String perm : permissionsFromOtherSource) {
            permissions.add(new SimpleGrantedAuthority(perm));
        }
        return permissions;
    }
}
</grantedauthority></string>

NOTE: the blog’s java code formatter is messing this code up a bit (specifically the GrantedAuthority parts), but you should be able to get the gist of it. Basically, after the user is filled out from AD, we get a handle to it and we change the permissions on it.

New side project

1 Reply

I had an idea for a website over the Christmas holiday, took a few hours over a few days and got some proof of concept code up and running. I bought a domain for it, and am now making it robust to handle some traffic. Today I played around with MongoDB and got it up and running and it works great. I’ll be hosting it on OpenShift (for now anyway). I’m hoping to launch the site later this month.

In the meantime, if you use Goodreads and Overdrive, let me know if you want to be a beta tester.

Apache Directory API with Active Directory and ObjectGUID

1 Reply

Recently I needed to access an Active Directory server via Java and get some info out of it. After poking around, I decided to see if I could use the Apache Directory API to get the job done. I hit some problems pretty quick because some of their docs out of date. The docs are unclear as to how to do the bind and I couldn’t figure out the magic incantation to get it to connect/bind until I did it this way:

1
2
3
4
5
6
7
8
9
10
11
12

  LdapConnection connection = new LdapNetworkConnection(SERVER, PORT);
  connection.setTimeOut(0);
 
  BindRequestImpl request = new BindRequestImpl();
  request.setName(USERNAME);
  request.setCredentials(PASSWORD);        
  BindResponse response = connection.bind(request);
 
  if (!connection.isAuthenticated()) {
      System.out.println("Failed to connect/authenticate");
      return;
  }

Continue reading