I am running a Spring-boot application which authenticates users via our internal LDAP with spring-security-ldap.
By default it binds with LDAP anonymously.
Property 'userDn' not set - anonymous context will be used for read-write operations
But I want the first bind to be with current username.
Where should I specify the userDn attribute?
Thank you for your advice
When using Spring LDAP, maybe you started from one of the many tutorials on the web, but most of them use an embedded LDAP server; the embedded server uses an LDIF file and doesn't need the manager credentials.
When connecting to an external LDAP server you need to specify the userDn by setting it via the managerDn method. Here is the snippet of code:
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.ldapAuthentication().contextSource().managerDn("uid=admin,ou=system")
.managerPassword("secret")
.......
}
Obviously you also need to provide all the other info like url, port, etc. (and userSearchBase, as mvreijn said).
I am not the most knowledgeable person regarding Spring-boot, more so regarding LDAP.
That said, your LDAP configuration properties should be mentioned in your application.properties file and are named spring.ldap.*.
They are mentioned in the documentation here.
When initializing your authentication provider, you can pass important properties like the Base DN (root to search from) and the filter using:
.userSearchBase("ou=<your users container>").userSearchFilter("(uid={0})")
Most likely, your search filter will be uid={0} or cn={0}.
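Putting the two answers together, here is a complete configure() for an external directory. This is an added example, not code from either answer; the app.ldap.* property names and the sample values in the comments are assumptions, and the point of reading them with @Value is that the manager password lives in application.properties or the environment rather than in source.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example configuration. Property names under app.ldap.* are assumptions;
// define them in application.properties or the environment, never in source.
@Configuration
@EnableWebSecurity
public class LdapSecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${app.ldap.url}")                // e.g. ldaps://ldap.example.com:636/dc=example,dc=com
    private String url;
    @Value("${app.ldap.manager-dn}")         // e.g. cn=svc-auth,ou=system (a read-only search account)
    private String managerDn;
    @Value("${app.ldap.manager-password}")
    private String managerPassword;
    @Value("${app.ldap.user-search-base}")   // e.g. ou=people (relative to the base DN in the URL)
    private String userSearchBase;
    @Value("${app.ldap.user-search-filter}") // e.g. (uid={0}) or (cn={0})
    private String userSearchFilter;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            // Step 1: the manager account is used only to search for the entry
            // whose attribute matches the login name ({0} in the filter).
            .userSearchBase(userSearchBase)
            .userSearchFilter(userSearchFilter)
            .contextSource()
                .url(url)
                .managerDn(managerDn)
                .managerPassword(managerPassword);
        // Step 2 (default bind authentication): Spring Security then binds as the DN
        // found in step 1 with the password the user typed, so the user's own
        // credentials are checked by the directory itself.
    }
}
```

With this setup the anonymous-context warning from the question disappears, and the bind "with the current username" the question asks for is what the default bind authenticator already does after the search; the manager DN only replaces the anonymous bind for the search step.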
Related
I have an existing resource server that is configured to use Spring user roles as security methods. I am trying to migrate onto the Spring Authorization server and trying to figure out how these roles can be accessed in the resource server.
When the user is authenticated, I can see in the debug logs that my roles are part of the authorized user details. But in the resource server, I am getting default roles from OidcService and scopes as granted authorities.
I know Spring Authorization server 0.21 has implemented the User Info endpoint, but there seems to be no sample or documentation available on how to configure it, and I am sure implementing it will solve my issue.
Another option that I am thinking about is to configure oauth2TokenCustomizer in the server and then add roles in the JWT's claims. Then in the resource server, think about overriding the default OidcService and parsing the claims to add roles as granted authorities. But the issue is with OidcUserService: I don't see any code which can give me access to the JWT claims.
public class CustomOAuth2Token implements OAuth2TokenCustomizer<JwtEncodingContext> {
    @Override
    public void customize(JwtEncodingContext context) {
        // Load user details and add roles to claims
    }
}
Probably I will have to provide a custom extension for OidcAuthorizationCodeAuthenticationProvider and then modify the authenticated principal details.
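The token-customizer route from the question, carried through on both sides, as an added example (not code from the question or from Spring Authorization Server). It assumes the newer package names (org.springframework.security.oauth2.server.authorization.token, Spring Authorization Server 0.3 and later; 0.2.x had the same types one package up) and Spring Security 5.7 or later for the lambda DSL; the claim name "roles" is our own choice. The two classes belong to two different applications and are only shown together here.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

// ---- Authorization server: copy the user's ROLE_* authorities into the access token ----
@Configuration
class RolesClaimConfig {

    // Claim name is an assumption of this example; keep it in sync with the resource server
    static final String ROLES_CLAIM = "roles";

    @Bean
    OAuth2TokenCustomizer<JwtEncodingContext> rolesClaimCustomizer() {
        return context -> {
            // Only the access token is an authorization credential; leave the ID token alone
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                return;
            }
            Authentication principal = context.getPrincipal();
            // For client_credentials the principal is the client and has no ROLE_* entries,
            // so the claim is simply an empty set in that case
            Set<String> roles = principal.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .filter(a -> a.startsWith("ROLE_"))
                .map(a -> a.substring("ROLE_".length()))
                .collect(Collectors.toCollection(TreeSet::new));
            context.getClaims().claim(ROLES_CLAIM, roles);
        };
    }
}

// ---- Resource server: map both "scope" and "roles" claims to GrantedAuthorities ----
@Configuration
class ResourceServerConfig {

    static Converter<Jwt, Collection<GrantedAuthority>> scopesAndRoles() {
        // Defaults: reads "scope"/"scp" and prefixes SCOPE_
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
        JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
        roles.setAuthoritiesClaimName(RolesClaimConfig.ROLES_CLAIM);
        roles.setAuthorityPrefix("ROLE_");
        return jwt -> {
            List<GrantedAuthority> all = new ArrayList<>(scopes.convert(jwt));
            all.addAll(roles.convert(jwt)); // a token without a "roles" claim contributes nothing
            return all;
        };
    }

    @Bean
    SecurityFilterChain resourceServerChain(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter jwtConverter = new JwtAuthenticationConverter();
        jwtConverter.setJwtGrantedAuthoritiesConverter(scopesAndRoles());
        // hasRole("ADMIN") in a request matcher or @PreAuthorize now checks ROLE_ADMIN
        // taken from the roles claim, next to the usual SCOPE_* authorities
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(o -> o.jwt(j -> j.jwtAuthenticationConverter(jwtConverter)));
        return http.build();
    }
}
```

This sidesteps OidcUserService entirely: the resource server validates the JWT and reads the claim, so no call to the user-info endpoint is needed for role checks. Because the roles are now inside a signed token, any role change in the user store takes effect only once the token expires and a new one is issued, which argues for short access-token lifetimes.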
I was facing the same issue.
Customizing the response of the "well-known" openid-configuration endpoint is somewhat tricky because the filter handling this endpoint has hardcoded mappings for which fields go and do not go in the response.
I worked around this by:
copying this class into my codebase and giving it another name, in my case CustomOidcProviderConfigurationEndpointFilter
using my custom class as an objectPostProcessor for OidcProviderConfigurationEndpointFilter replacing it entirely instead of just customizing it.
This means your custom filter will supply the OidcProviderConfiguration object from now on.
You could then call the claim method on this object to add properties such as "userinfo_endpoint".
Note: I was unable to properly format the code snippet in the second link inside this post. If someone with administrative rights could edit this in, this would be nice.
I am using spring-security-ldap to add LDAP authentication to my application. It is configured like so:
auth.ldapAuthentication()
.userSearchBase(ldapConfigProperties.getUserSearchBase())
.userSearchFilter(ldapConfigProperties.getUserSearchFilter())
.contextSource()
.managerDn(ldapConfigProperties.getManagerDn())
.managerPassword(ldapConfigProperties.getManagerPassword())
.url(ldapConfigProperties.getUrl())
.and()
.userDetailsContextMapper(ldapContextMapper);
The ldapContextMapper is an instance of a custom class called LdapUserContextMapper that implements UserDetailsContextMapper.
Inside mapUserFromContext() I use the DirContextOperations to retrieve several attributes from the LDAP user to construct a concrete User POJO. However, I just can't get access to operational attributes like memberOf. I tried every solution I could possibly find on the web, but nothing seems to have worked.
For instance, ctx.getObjectAttributes("memberOf") returns null. Attempting to call ctx.search("", "", searchControls) with custom SearchControls with SUBTREE_SCOPE yields a not implemented exception from DirContextAdapter.
Any ideas?
I eventually ended up instantiating my own ContextSource and then using a custom ObjectPostProcessor, just as described in this issue.
I'm using a Filter in a Spring Boot web application to log all my user requests to a database. One of the things I'd like to log is the username, but when I try to get the current user using:
SecurityUtils.getSubject().getPrincipal()
I get the following error:
No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
What do I need to do so that my Filter is able to retrieve the current user?
You need to have at least one url defined for your filter mapping:
https://github.com/apache/shiro/blob/1.4.x/samples/spring-boot-web/src/main/java/org/apache/shiro/examples/WebApp.java#L96-L101
And of course the Shiro servlet filter configured (which I'm guessing you already have).
Take a look at the above example.
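A chain definition with at least one path, plus an audit filter that copes with both the anonymous case and the case where it is reached outside Shiro's chain, as an added example (not the linked sample's code). It assumes shiro-spring-boot-web-starter, that Shiro's own filter is registered with a higher precedence than this @Order(LOWEST_PRECEDENCE) bean so that the audit filter runs inside it, and a logger in place of the question's database write.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.UnavailableSecurityManagerException;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class ShiroAuditConfig {

    // Without at least one path definition Shiro's filter does not wrap the request,
    // so no SecurityManager gets bound to the thread and SecurityUtils.getSubject()
    // fails with exactly the error quoted in the question.
    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chain = new DefaultShiroFilterChainDefinition();
        chain.addPathDefinition("/login.html", "authc");
        chain.addPathDefinition("/logout", "logout");
        chain.addPathDefinition("/**", "authc");
        return chain;
    }
}

// Assumption: Shiro's filter registration has higher precedence, so ordering this
// bean last places it inside Shiro's chain where the Subject is available.
@Component
@Order(Ordered.LOWEST_PRECEDENCE)
class RequestAuditFilter extends OncePerRequestFilter {

    private static final Logger LOG = LoggerFactory.getLogger(RequestAuditFilter.class);

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        try {
            chain.doFilter(request, response);
        } finally {
            // Resolved after the chain ran, so a login performed by this request is recorded.
            // Replace the log call with the repository write from the question.
            LOG.info("audit user={} method={} uri={} status={}",
                    currentUsername(), request.getMethod(), request.getRequestURI(), response.getStatus());
        }
    }

    static String currentUsername() {
        try {
            Object principal = SecurityUtils.getSubject().getPrincipal();
            // An unauthenticated Subject exists but has no principal
            return principal == null ? "anonymous" : String.valueOf(principal);
        } catch (UnavailableSecurityManagerException e) {
            // Reached only when the filter runs outside Shiro's chain (the question's
            // situation); record that instead of failing the request
            return "unknown";
        }
    }
}
```

The try/finally matters for an audit log: a request that throws is still recorded, with whatever status the container ends up sending.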
So I have already successfully implemented SSO using Spring Session and Redis on the development localhost domain.
But when I deploy to the server using two subdomains,
login.example.com
apps.example.com
they always create a new session ID on each subdomain.
I have already tried to configure it using Context in the Tomcat configuration:
<Context sessionCookieDomain=".example.com" sessionCookiePath="/">
But no luck.
Spring Session moves session management to the application level, so it is no surprise that trying to configure the container (in your case Tomcat) has no effect. Currently there is a TODO in the spring-session code to allow setting the domain, but it is not implemented.
Maybe it is best to open an issue to allow setting the domain, or comment/vote on https://github.com/spring-projects/spring-session/issues/112.
Meanwhile, a workaround would be to go with your own implementation of MultiHttpSessionStrategy based on CookieHttpSessionStrategy.
Finally I succeeded in setting the domain at the application level.
You're right; I hope in the future they implement the feature to set the domain.
For now I created a CustomCookieHttpSessionStrategy for my own implementation.
private Cookie createSessionCookie(HttpServletRequest request,
Map<String, String> sessionIds) {
...
sessionCookie.setDomain(".example.com");
// TODO set domain?
...
}
And then I registered the bean as the HttpSessionStrategy.
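The copied-strategy workaround above is what the Spring Session version of the time required. As an added example (not the poster's code), the same result with the library's own later API: to my recollection Spring Session 1.1 added a CookieSerializer bean on which the domain is a plain setter, and setSameSite exists from 2.1 on; check your release before relying on either. The cookie name and example.com are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

@Configuration
@EnableRedisHttpSession
public class SessionCookieConfig {

    // Spring Session picks up a CookieSerializer bean and uses it for the session cookie,
    // so the domain is set at application level, which is where Spring Session manages it.
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");
        // Parent domain shared by login.example.com and apps.example.com; browsers treat
        // "example.com" and ".example.com" alike here, so both hosts send the same id
        serializer.setDomainName("example.com");
        serializer.setCookiePath("/");
        // A session id shared across hosts is worth protecting: no script access,
        // never over plaintext HTTP, and not attached to cross-site requests
        serializer.setUseHttpOnlyCookie(true);
        serializer.setUseSecureCookie(true);
        serializer.setSameSite("Lax"); // Spring Session 2.1+ (assumption about the version)
        return serializer;
    }
}
```

Widening the cookie to the parent domain means every host under example.com receives the session id, so the secure and HttpOnly flags stop being optional once this is in place.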
I'm using Spring 3.1.1 with Spring Security 3.2.0 with LDAP authentication.
I have gotten it to a point where it works fine and I can log in using my LDAP username and password; I can even display the username with this:
<security:authentication property="principal.username" />, is currently logged in.
I want to know how, if at all possible, I can get the first name, surname, email address or other information like that stored in my LDAP credentials.
I've tried property="credentials" but this returns null...
PLEASE HELP!!
This is eerily similar to my question a few days ago:
How do I use a custom authorities populator with Spring Security and the ActiveDirectoryLdapAuthenticationProvider?
If you're not using Active Directory, you can simply extend the LdapAuthenticationProvider class and override the loadUserAuthorities method, in which you can capture the relevant user information based on the LDAP attributes for the user:
String firstName = userData.getStringAttribute("givenName");
String lastName = userData.getStringAttribute("sn");
//etc.
You can store these wherever or however you like, and you're only limited to the attributes available via LDAP. Then, you'd have to specify your LdapAuthoritiesProvider in the appropriate bean (ldapAuthoritiesPopulator, if memory serves).
I believe the above will work for non-AD LDAP, but you'll obviously need to test it to be sure. I recommend the LDAP browser for Eclipse provided by Apache Studios, if you're not already using it.
Implement your own UserDetailsContextMapper and load the LDAP user properties into the UserDetails object:
http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#ldap-custom-user-details
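A mapper of that kind, written out as an added example (not code from this answer or from Spring Security), which also serves the memberOf question earlier on this page: it copies givenName, sn and mail into a UserDetails subclass so the JSP can show principal.firstName, and turns any memberOf values the search returned into ROLE_* authorities. The attribute names are the usual inetOrgPerson ones; the ROLE_ naming from the group cn is this example's own convention.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

/** UserDetails carrying the directory attributes the view wants (principal.firstName etc.). */
class LdapUser extends User {
    private final String firstName;
    private final String lastName;
    private final String email;

    LdapUser(String username, Collection<? extends GrantedAuthority> authorities,
             String firstName, String lastName, String email) {
        // No password is kept: the directory already verified it during the bind
        super(username, "", authorities);
        this.firstName = firstName;
        this.lastName = lastName;
        this.email = email;
    }
    public String getFirstName() { return firstName; }
    public String getLastName() { return lastName; }
    public String getEmail() { return email; }
}

public class LdapUserContextMapper implements UserDetailsContextMapper {

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                          Collection<? extends GrantedAuthority> authorities) {
        // getStringAttribute returns null when the entry lacks the attribute; no exception
        String firstName = ctx.getStringAttribute("givenName");
        String lastName = ctx.getStringAttribute("sn");
        String email = ctx.getStringAttribute("mail");

        List<GrantedAuthority> granted = new ArrayList<>(authorities);
        // memberOf is multi-valued. null here means the user search did not return it:
        // on OpenLDAP it is an operational attribute and is only sent when requested
        // explicitly, which is the situation of the memberOf question above
        String[] groups = ctx.getStringAttributes("memberOf");
        if (groups != null) {
            for (String groupDn : groups) {
                String cn = leftmostCn(groupDn);
                if (cn != null) {
                    granted.add(new SimpleGrantedAuthority("ROLE_" + cn.toUpperCase(Locale.ROOT)));
                }
            }
        }
        return new LdapUser(username, granted, firstName, lastName, email);
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        throw new UnsupportedOperationException("read-only mapper");
    }

    /** Role name from the most specific cn of a group DN, e.g. cn=admins,ou=groups,dc=example,dc=com gives admins. */
    static String leftmostCn(String dn) {
        try {
            List<Rdn> rdns = new LdapName(dn).getRdns(); // index 0 is the rightmost component
            for (int i = rdns.size() - 1; i >= 0; i--) {
                if ("cn".equalsIgnoreCase(rdns.get(i).getType())) {
                    return String.valueOf(rdns.get(i).getValue());
                }
            }
        } catch (InvalidNameException e) {
            // Malformed DN coming back from the directory: grant nothing for it rather than guess
        }
        return null;
    }
}
```

Parsing the group DN with LdapName instead of splitting on commas matters because DN values may contain escaped commas; a naive split would produce wrong, and possibly over-privileged, role names. Register the mapper with userDetailsContextMapper(...) as shown in the memberOf question's configuration.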