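/**
 * Configures the {@link AuthenticationManagerBuilder} with an LDAP
 * authentication provider.
 *
 * <p>Users are located with a {@code (uid={0})} search starting at the root of
 * the context source's base DN (empty search base). Authorities are derived
 * from entries under {@code ou=Groups} whose {@code uniqueMember} attribute
 * contains the user's DN ({@code {0}}), and user details are mapped with an
 * {@link InetOrgPersonContextMapper}.
 *
 * <p>Passwords are verified by <em>comparison</em> against the
 * {@code userPassword} attribute instead of by binding as the user. Security
 * caveats a deployer should weigh:
 * <ul>
 * <li>The account behind {@code contextSource()} must be allowed to read or
 * compare {@code userPassword}. Bind authentication needs no such privilege
 * and lets the directory apply its own password policy and lockout rules.</li>
 * <li>{@link LdapShaPasswordEncoder} handles only {@code {SHA}} (unsalted) and
 * {@code {SSHA}} (salted) SHA-1 digests. SHA-1 is a fast hash and a poor
 * choice for password storage; prefer bind authentication or a directory that
 * stores passwords with a modern, slow scheme.</li>
 * </ul>
 *
 * <p>(The earlier Javadoc on this method described in-memory credentials and a
 * {@code UserDetailsManager} bean; neither applies here, and the commented-out
 * embedded-server settings — including a literal manager password — have been
 * removed rather than left as dead code.)
 *
 * @param auth the builder the LDAP provider is registered with
 * @throws Exception if the LDAP provider cannot be configured
 */
@Override
public void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth
        .ldapAuthentication()
            .userSearchBase("")
            .userSearchFilter("(uid={0})")
            .groupSearchBase("ou=Groups")
            .groupSearchFilter("(uniqueMember={0})")
            .userDetailsContextMapper(new InetOrgPersonContextMapper())
            .contextSource(contextSource())
            .passwordCompare()
                // Supports {SHA} and {SSHA} only (SHA-1) — see the Javadoc caveat.
                .passwordEncoder(new LdapShaPasswordEncoder())
                .passwordAttribute("userPassword");
}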
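/**
 * Registers an LDAP authentication provider with the
 * {@link org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder}.
 *
 * <p>The user's DN is built directly from the pattern
 * {@code uid={0},ou=managers} (no user search is performed), and group
 * authorities are looked up under {@code ou=managers}. The password is checked
 * by comparing it with the {@code userPassword} attribute, decoded through
 * {@link LdapShaPasswordEncoder} ({@code {SHA}}/{@code {SSHA}}, i.e. SHA-1).
 *
 * <p>Security notes: password comparison requires the {@code contextSource()}
 * account to read or compare {@code userPassword}, a privilege bind
 * authentication does not need, and it bypasses the directory's own password
 * policy and lockout handling. SHA-1 is a fast hash that is unsuitable for
 * password storage. Bind authentication is the safer default where the
 * directory permits it.
 *
 * @param auth the builder used to configure LDAP authentication
 * @throws Exception if an error occurs when adding the LDAP authentication
 */
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .ldapAuthentication()
            .userDnPatterns("uid={0},ou=managers")
            .groupSearchBase("ou=managers")
            .contextSource(contextSource())
            .passwordCompare()
                // {SHA}/{SSHA} only — SHA-1 based, see the Javadoc caveat.
                .passwordEncoder(new LdapShaPasswordEncoder())
                .passwordAttribute("userPassword");
}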
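/**
 * Builds the LDAP {@code authenticator} for an application from its LDAP
 * settings map.
 *
 * <p>Nothing is configured (and {@code authenticator} is left untouched) when
 * {@code ldapSettings} is {@code null} or lacks {@code security.ldap.server_url}.
 * Otherwise the following keys are read:
 * <ul>
 * <li>{@code security.ldap.server_url}, {@code security.ldap.base_dn} — server
 * URL and base DN of the context source.</li>
 * <li>{@code security.ldap.bind_dn}, {@code security.ldap.bind_pass} — service
 * account used for searches; each is applied only when present and non-empty.</li>
 * <li>{@code security.ldap.user_search_base},
 * {@code security.ldap.user_search_filter} — user search; the search is set up
 * only when a filter is given, and a missing base defaults to {@code ""}.</li>
 * <li>{@code security.ldap.user_dn_pattern} — direct DN pattern, applied only
 * when present and non-empty.</li>
 * <li>{@code security.ldap.compare_passwords} — when present and not
 * {@code "false"}, passwords are verified by comparison against
 * {@code security.ldap.password_attribute} (falling back to the
 * authenticator's built-in default attribute when that key is absent);
 * otherwise bind authentication is used.</li>
 * </ul>
 *
 * <p>Defects fixed relative to the earlier version: a missing
 * {@code bind_dn}/{@code bind_pass} no longer throws
 * {@link NullPointerException} (the map yields {@code null}, not {@code ""});
 * {@code compare_passwords=false} now disables comparison instead of enabling
 * it by mere key presence; a missing {@code user_dn_pattern} is no longer
 * registered as a {@code null} pattern.
 *
 * <p>Security notes: comparison mode (with {@link LdapShaPasswordEncoder},
 * i.e. {@code {SHA}}/{@code {SSHA}} SHA-1) needs the bind account to read or
 * compare the password attribute and sidesteps the directory's password
 * policy; bind authentication is the safer default. {@code bind_pass} is a
 * secret and must not be logged.
 *
 * @param ldapSettings LDAP config map for an app; may be {@code null}
 * @throws IllegalArgumentException if neither a user search filter nor a DN
 *     pattern is configured, since the authenticator could not locate users
 */
public LDAPAuthenticator(Map<String, String> ldapSettings) {
    if (ldapSettings == null || !ldapSettings.containsKey("security.ldap.server_url")) {
        return;
    }
    String serverUrl = ldapSettings.get("security.ldap.server_url");
    String baseDN = ldapSettings.get("security.ldap.base_dn");
    String bindDN = ldapSettings.get("security.ldap.bind_dn");
    String basePass = ldapSettings.get("security.ldap.bind_pass");
    String searchBase = ldapSettings.get("security.ldap.user_search_base");
    String searchFilter = ldapSettings.get("security.ldap.user_search_filter");
    String dnPattern = ldapSettings.get("security.ldap.user_dn_pattern");
    String passAttribute = ldapSettings.get("security.ldap.password_attribute");
    // Key presence enables comparison (as before), but an explicit "false" must disable it.
    String compareFlag = ldapSettings.get("security.ldap.compare_passwords");
    boolean usePasswordComparison =
            compareFlag != null && !"false".equalsIgnoreCase(compareFlag.trim());

    DefaultSpringSecurityContextSource contextSource =
            new DefaultSpringSecurityContextSource(Arrays.asList(serverUrl), baseDN);
    // NOTE(review): an explicit AuthenticationSource is set here; confirm that the
    // bind_dn/bind_pass applied below are still the credentials used for searches
    // in the Spring LDAP version in use, and that the context source works without
    // afterPropertiesSet() being called (it is constructed outside the container).
    contextSource.setAuthenticationSource(new SpringSecurityAuthenticationSource());
    contextSource.setCacheEnvironmentProperties(false);
    // Map values may be absent: guard null before isEmpty().
    if (bindDN != null && !bindDN.isEmpty()) {
        contextSource.setUserDn(bindDN);
    }
    if (basePass != null && !basePass.isEmpty()) {
        contextSource.setPassword(basePass);
    }

    // A user search needs a filter; the search base may be empty (root of base DN).
    LdapUserSearch userSearch = null;
    if (searchFilter != null) {
        userSearch = new FilterBasedLdapUserSearch(
                searchBase == null ? "" : searchBase, searchFilter, contextSource);
    }
    boolean hasDnPattern = dnPattern != null && !dnPattern.isEmpty();
    if (userSearch == null && !hasDnPattern) {
        throw new IllegalArgumentException(
                "LDAP settings must provide security.ldap.user_search_filter "
                        + "or security.ldap.user_dn_pattern");
    }

    if (usePasswordComparison) {
        PasswordComparisonAuthenticator p = new PasswordComparisonAuthenticator(contextSource);
        if (passAttribute != null) {
            p.setPasswordAttributeName(passAttribute);
        }
        // {SHA}/{SSHA} (SHA-1) only — see the Javadoc security note.
        p.setPasswordEncoder(new LdapShaPasswordEncoder());
        if (hasDnPattern) {
            p.setUserDnPatterns(new String[]{dnPattern});
        }
        if (userSearch != null) {
            p.setUserSearch(userSearch);
        }
        authenticator = p;
    } else {
        BindAuthenticator b = new BindAuthenticator(contextSource);
        if (hasDnPattern) {
            b.setUserDnPatterns(new String[]{dnPattern});
        }
        if (userSearch != null) {
            b.setUserSearch(userSearch);
        }
        authenticator = b;
    }
}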
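/**
 * Configures the {@link AuthenticationManagerBuilder} with an LDAP
 * authentication provider.
 *
 * <p>Users are located with a {@code (uid={0})} search starting at the root of
 * the context source's base DN (empty search base). Authorities are derived
 * from entries under {@code ou=Groups} whose {@code uniqueMember} attribute
 * contains the user's DN ({@code {0}}). No custom authorities populator or
 * user-details context mapper is registered, so the defaults apply.
 *
 * <p>Passwords are verified by <em>comparison</em> against the
 * {@code userPassword} attribute instead of by binding as the user. Security
 * caveats:
 * <ul>
 * <li>The account behind {@code contextSource()} must be allowed to read or
 * compare {@code userPassword}; bind authentication needs no such privilege
 * and lets the directory apply its own password policy and lockout rules.</li>
 * <li>{@link LdapShaPasswordEncoder} handles only {@code {SHA}} (unsalted) and
 * {@code {SSHA}} (salted) SHA-1 digests — a fast hash that is unsuitable for
 * password storage.</li>
 * </ul>
 *
 * <p>(The earlier Javadoc described in-memory credentials and a
 * {@code UserDetailsManager} bean, which do not apply here; the large
 * commented-out XML equivalent of this configuration has been dropped as
 * dead code — it lives in the project's version control history.)
 *
 * @param auth the builder the LDAP provider is registered with
 * @throws Exception if the LDAP provider cannot be configured
 */
@Override
public void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth
        .ldapAuthentication()
            .userSearchBase("")
            .userSearchFilter("(uid={0})")
            .groupSearchBase("ou=Groups")
            .groupSearchFilter("(uniqueMember={0})")
            .contextSource(contextSource())
            .passwordCompare()
                // Supports {SHA} and {SSHA} only (SHA-1) — see the Javadoc caveat.
                .passwordEncoder(new LdapShaPasswordEncoder())
                .passwordAttribute("userPassword");
}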
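/**
 * Configures the {@link AuthenticationManagerBuilder} with an LDAP
 * authentication provider.
 *
 * <p>Users are located with a {@code (uid={0})} search starting at the root of
 * the context source's base DN (empty search base). Authorities are derived
 * from entries under {@code ou=Groups} whose {@code uniqueMember} attribute
 * contains the user's DN ({@code {0}}), and user details are mapped with an
 * {@link InetOrgPersonContextMapper}.
 *
 * <p>Passwords are verified by <em>comparison</em> against the
 * {@code userPassword} attribute instead of by binding as the user. Security
 * caveats:
 * <ul>
 * <li>The account behind {@code contextSource()} must be allowed to read or
 * compare {@code userPassword}; bind authentication needs no such privilege
 * and lets the directory apply its own password policy and lockout rules.</li>
 * <li>{@link LdapShaPasswordEncoder} handles only {@code {SHA}} (unsalted) and
 * {@code {SSHA}} (salted) SHA-1 digests — a fast hash that is unsuitable for
 * password storage.</li>
 * </ul>
 *
 * <p>(The earlier Javadoc described in-memory credentials and a
 * {@code UserDetailsManager} bean; neither applies to this LDAP setup.)
 *
 * @param auth the builder the LDAP provider is registered with
 * @throws Exception if the LDAP provider cannot be configured
 */
@Override
public void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth
        .ldapAuthentication()
            .userSearchBase("")
            .userSearchFilter("(uid={0})")
            .groupSearchBase("ou=Groups")
            .groupSearchFilter("(uniqueMember={0})")
            .userDetailsContextMapper(new InetOrgPersonContextMapper())
            .contextSource(contextSource())
            .passwordCompare()
                // Supports {SHA} and {SSHA} only (SHA-1) — see the Javadoc caveat.
                .passwordEncoder(new LdapShaPasswordEncoder())
                .passwordAttribute("userPassword");
}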
/**
 * Encodes a VPN password in LDAP {@code {SSHA}} form (salted SHA-1) using a
 * fresh 64-byte salt from {@code CryptoUtil.getRandomBytes}.
 *
 * <p>NOTE(review): {@code {SSHA}} is salted SHA-1 — a fast hash that resists
 * brute force poorly, and {@code encodePassword} is deprecated in Spring
 * Security 5. It is only appropriate where the consuming directory dictates
 * this format. The salt is only as good as {@code CryptoUtil.getRandomBytes};
 * confirm it is backed by a CSPRNG such as {@code SecureRandom}.
 *
 * @param vpnPassword the clear-text password to encode
 * @return the {@code {SSHA}}-prefixed, base64-encoded digest
 */
private static String generateSaltedPassword(String vpnPassword) {
    return new LdapShaPasswordEncoder()
            .encodePassword(vpnPassword, CryptoUtil.getRandomBytes(64));
}