I would like to add X-Frame-Options header to all but some pages in my Spring application. Spring Security 3.2 offers nice capability to add that header to all responses via <headers> <frame-options /> </headers> configuration.
But could it be possible to exclude this header from some paths? I considered subclassing XFrameOptionsHeaderWriter and do some path regexp matching inside, but it seems a bit ugly. Maybe there is more convenient way to accomplish this?
I found out how to do it with XML configuration:
<http>
<headers>
<header ref="xFrameOptionsHeaderWriter" />
</headers>
</http>
<beans:bean id="xFrameOptionsHeaderWriter" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
<!-- Argument 1: RequestMatcher. This matcher will match all but some paths. -->
<beans:constructor-arg>
<beans:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.web.util.matcher.OrRequestMatcher">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher" c:pattern="/**/some-path/**" />
<beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher" c:pattern="/**/another-path/**" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
</beans:constructor-arg>
<!-- Argument 2: HeaderWriter -->
<beans:constructor-arg>
<beans:bean class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter" c:frameOptionsMode="SAMEORIGIN" />
</beans:constructor-arg>
</beans:bean>
Related
I have a maven multi-modules application where the main module depends on others. This main module is secured with Spring Security CAS and submodules required a basic authentication. This is a example of the security configuration of a submodule:
<security:http name="boobkingapiHttp" create-session="stateless" pattern="/hub/book/**"
authentication-manager-ref="apiAuthenticationManager">
<security:intercept-url pattern="/hub/book" access="ROLE_ORDER_MANAGER" />
<security:http-basic />
</security:http>
And the security configuration for the main module:
<security:http entry-point-ref="casEntryPoint" pattern="/**" realm="ecab" use-expressions="false">
<security:intercept-url pattern="/flow/googlestatistics/**" access="ROLE_ADMIN" />
<security:intercept-url pattern="/**" access="ROLE_ADMIN" />
<security:custom-filter position="CAS_FILTER" ref="casFilter" />
<security:logout logout-success-url="/logout.xhtml"/>
<security:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
<security:custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
</security:http>
<beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<beans:property name="loginUrl" value="http://localhost:8082/sso/login" />
<beans:property name="serviceProperties" ref="serviceProperties" />
</beans:bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>
<beans:bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<beans:property name="authenticationUserDetailsService">
<beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:constructor-arg ref="hwsAuthenticationUserDetailsService" />
</beans:bean>
</beans:property>
<beans:property name="serviceProperties" ref="serviceProperties" />
<beans:property name="ticketValidator">
<beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<beans:constructor-arg index="0" value="http://localhost:8082/sso" />
</beans:bean>
</beans:property>
<beans:property name="key" value="an_id_for_this_auth_provider_only" />
</beans:bean>
<beans:bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties">
<beans:property name="service" value="http://localhost:8080/cas-client/login/cas" />
<beans:property name="sendRenew" value="false" />
</beans:bean>
The problem is, when the CAS server grants the ticket and redirects to the service url: http://localhost:8080/cas-client/login/cas?ticket=ST-19-1clKw2tZ5MVp0OznfAun the casAuthenticationProvider is not invoked. The one invoked is the submodule's authenticationProvider and the result is 401 Unauthorized error.
Why the CAS SecurityFilterChain is not invoked? I thought that was handled by Spring Security CAS but it seems not.
I use Spring Security 5.1.2.RELEASE
Thanks a lot for your help.
I found the reason why the CasAuthenticationProvider was not invoked. It's just because of this:
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>
I changed alias to id.
I have a requirement that on the login page I have a userId , password field and also another text entry field called customer. If a user logins in with userId and password , the spring-security configuration which I have works good.
Second login scenario is If the customer puts in only their customer Id , they are supposed to login to a different page as well. How do I make the two different logins works with the same spring-security xml configuration from the same login page.
<security:http auto-config="true" use-expressions="true" >
<!-- URL restrictions (order is important!) Most specific matches should be at top -->
<!-- Don't set any role restrictions on login.jsp. Any requests for the login page should be available for anonymous users -->
<security:intercept-url pattern="/login.jsp*" access="isAuthenticated()" />
<security:access-denied-handler error-page="/noaccess.jsp" />
<security:intercept-url pattern="/board.htm" access="hasRole('ROLE_ALL_USER')" />
<security:intercept-url pattern="/AddItems.htm*" access="hasRole('ROLE_USER')" />
<!-- Set the login page and what to do if login fails -->
<security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" />
<!-- Set the logout page and where to go after logout is successful -->
<security:logout logout-url="/logout" logout-success-url="/logoutSuccess.jsp" />
<security:custom-filter position="PRE_AUTH_FILTER" ref="customPreAuthFilter" />
<security:custom-filter ref="switchUserFilter" position="SWITCH_USER_FILTER" />
</security:http>
<security:http>
</security:http>
<beans:bean id="customPreAuthFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
<!-- Load the UserDetails object for the user. -->
<beans:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService">
<beans:bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:property name="userDetailsService" ref="currentUserDetailsService"/>
</beans:bean>
</beans:property>
</beans:bean>
<!-- Aliasing (Switch User) -->
<beans:bean id="switchUserFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
<beans:property name="userDetailsService" ref="currentUserDetailsService" />
</beans:bean>
Thanks
Dhiren
#Ritesh Thanks for the link.. I tried your solution but My Filter does not get invoked.
does web.xml need to be modified.
Any way I tried to implement the entire springSecurityFilterChain but still I have not able to invoke my Filter from my login form. My filter that I need invoked is customBadgeAuthFilter
<beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
<beans:constructor-arg>
<beans:list>
<security:filter-chain pattern="/resources/**" filters="none"/>
<security:filter-chain pattern="/**"
filters="securityContextPersistenceFilterWithASCTrue,
logoutFilter,
customBadgeAuthFilter,
formLoginFilter,
formLoginExceptionTranslationFilter,
filterSecurityInterceptor" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="securityContextPersistenceFilterWithASCTrue"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="formLoginExceptionTranslationFilter"
class="org.springframework.security.web.access.ExceptionTranslationFilter">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg value="/login"/>
</beans:bean>
</beans:constructor-arg>
<beans:property name="accessDeniedHandler">
<beans:bean
class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<beans:property name="errorPage" value="/exception" />
</beans:bean>
</beans:property>
</beans:bean>
<beans:bean id="formLoginFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="allowSessionCreation" value="true"/>
<beans:property name="authenticationSuccessHandler">
<beans:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
<beans:constructor-arg value="/"/>
<beans:property name="alwaysUseDefaultTargetUrl" value="true"/>
</beans:bean>
</beans:property>
<beans:property name="authenticationFailureHandler">
<beans:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:constructor-arg value="/login?error=true"/>
</beans:bean>
</beans:property>
</beans:bean>
<beans:bean id="filterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="runAsManager" ref="runAsManager" />
<beans:property name="securityMetadataSource">
<security:filter-security-metadata-source use-expressions="true">
<security:intercept-url pattern="/**"
access="isAuthenticated()" />
</security:filter-security-metadata-source>
</beans:property>
</beans:bean>
<beans:bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
<beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
</beans:list>
</beans:constructor-arg>
<beans:property name="allowIfAllAbstainDecisions" value="false"/>
</beans:bean>
<beans:bean id="runAsManager"
class="org.springframework.security.access.intercept.RunAsManagerImpl">
<beans:property name="key" value="TELCO_RUN_AS"/>
</beans:bean>
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/login"/>
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler">
<beans:constructor-arg>
<beans:list>
<beans:value>JSESSIONID</beans:value>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="customBadgeAuthFilter" class="com.company.security.filter.BadgeProcessingSecurityFilter">
<beans:constructor-arg value="/login.jsp"></beans:constructor-arg>
<beans:property name="authenticationManager" ref="authManager" />
</beans:bean>
<security:authentication-manager alias="authManager" >
<security:authentication-provider ref='normalAuthenticationProvider ' />
<security:authentication-provider ref='badgeAuthenticationProvider ' />
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.jsp"/>
</beans:bean>
<beans:bean id="badgeAuthenticationProvider" class="com.company.security.filter.BadgeAuthenticationProvider">
</beans:bean>
I think I finally figured how to get my securityFilter to get invoked.
I was doing debugging to see the springsecurity flow and see that there is a method called. requestAuthorization in the subclass of AbstractAuthenticationProcessingFilter. It compares the uri which is configured for the default value for the filter to get invoked and if they don't match the filter is bypassed. For some reason even thought the POSt request is /j_security_check .. it transforms into FSS/home.htm when it is being compared and so the filter was getting bypassed.
I have an application develop on Spring 4.1.4 and Spring Security 4.0.2, deployed on a server with Apache Tomcat 8 and JDK 1.7.
It happens that after some days some users can't login anymore even if they specity correct user/password combination.
Restarting Tomcat fixes the problem.
Any suggestion?
May it be a session related issue?
This is my security configuration
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jee="http://www.springframework.org/schema/jee"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
">
<http auto-config="true" use-expressions="true">
<custom-filter after="EXCEPTION_TRANSLATION_FILTER" ref="ajaxTimeoutRedirectFilter"/>
<custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter" />
<intercept-url pattern="/j_spring_security_switch_user" access="hasRole('ROLE_SUPERVISOR')"/>
<session-management invalid-session-url="/login.html?invalidSession=1" session-fixation-protection="newSession">
<concurrency-control max-sessions="10" error-if-maximum-exceeded="true" />
</session-management>
<intercept-url pattern="/login.html" access="hasRole('ROLE_ANONYMOUS')" requires-channel="https"/>
<intercept-url pattern="/resources/**" access="permitAll" requires-channel="any"/>
<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
<intercept-url pattern="/rest/**" access="hasRole('ROLE_USER')" requires-channel="https"/>
<intercept-url pattern="/index" access="hasRole('ROLE_USER')" requires-channel="https"/>
<intercept-url pattern="/upload/**" access="hasRole('ROLE_USER')" requires-channel="https"/>
<headers>
<xss-protection block="false"/>
<frame-options disabled="true"/>
<cache-control/>
</headers>
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login.html"
default-target-url="/index"
always-use-default-target="true"
authentication-failure-url="/login.html?error=1"
username-parameter="username"
password-parameter="password"/>
<logout logout-success-url="/login.html?logout=1" invalidate-session="false" delete-cookies="JSESSIONID"/>
<!-- enable csrf protection -->
<!-- <csrf disabled="true" /> -->
<port-mappings>
<port-mapping http="8080" https="8443"/>
</port-mappings>
</http>
<beans:bean id="ajaxTimeoutRedirectFilter" class="com.finconsgroup.mens.springsecurity.AjaxTimeoutRedirectFilter">
<beans:property name="customSessionExpiredErrorCode" value="419"/>
</beans:bean>
<beans:bean id="switchUserProcessingFilter" class="com.finconsgroup.mens.springsecurity.MensSwitchUserFilter">
<beans:property name="userDetailsService" ref="mensAuthenticationService"/>
<beans:property name="switchUserUrl" value="/j_spring_security_switch_user"/>
<beans:property name="exitUserUrl" value="/j_spring_security_exit_user"/>
<beans:property name="targetUrl" value="/index"/>
</beans:bean>
<beans:bean name="bcryptEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<!-- Select users and user_roles from database -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="mensAuthenticationService">
<password-encoder ref="bcryptEncoder"/>
</authentication-provider>
</authentication-manager>
<beans:bean id="mensAuthenticationService" class="com.finconsgroup.mens.springsecurity.MensAuthenticationProvider">
<beans:property name="dataSource" ref="mensDataSource"/>
<beans:property name="usersByUsernameQuery" value="my_query"/>
<beans:property name="authoritiesByUsernameQuery" value="my_query"/>
<beans:property name="groupAuthoritiesByUsernameQuery" value="my_query"/>
<beans:property name="enableGroups" value="true"/>
</beans:bean>
<!-- Spring Security -->
<beans:bean id="mensPermissionEvaluator" class="com.finconsgroup.mens.springsecurity.MensPermissionEvaluator">
<beans:constructor-arg ref="aclService"/>
</beans:bean>
<beans:bean id="securityExpressionHandler"
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="mensPermissionEvaluator"/>
</beans:bean>
<global-method-security
authentication-manager-ref="authenticationManager"
pre-post-annotations="enabled"
secured-annotations="enabled">
<expression-handler ref="securityExpressionHandler"/>
</global-method-security>
<!-- ================================================================== -->
<!-- ACL service -->
<!-- ================================================================== -->
<beans:bean id="aclService" class="org.springframework.security.acls.jdbc.JdbcMutableAclService">
<beans:constructor-arg ref="mensDataSource" />
<beans:constructor-arg ref="lookupStrategy" />
<beans:constructor-arg ref="aclCache" />
</beans:bean>
<beans:bean id="aclCache" class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
<beans:constructor-arg>
<beans:bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<beans:property name="cacheManager">
<beans:ref bean="mensEhCacheManager"/>
</beans:property>
<beans:property name="cacheName" value="aclCache"/>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
</beans:constructor-arg>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<beans:constructor-arg value="ROLE_ACL_ADMIN"/>
</beans:bean>
</beans:list>
</beans:constructor-arg>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
<beans:constructor-arg ref="mensDataSource" />
<beans:constructor-arg ref="aclCache" />
<beans:constructor-arg>
<!-- Decides whether current principal can make ACL changes. See
AclAuthorizationStrategyImpl Javadoc for the rules involved. -->
<beans:bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
<beans:constructor-arg>
<beans:list>
<!-- Role required to change ACL ownership -->
<beans:ref bean="adminRole" />
<!-- Role required to change auditing details -->
<beans:ref bean="adminRole" />
<!-- Role required to change other ACL/ACE details -->
<beans:ref bean="adminRole" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.acls.domain.ConsoleAuditLogger" />
</beans:constructor-arg>
</beans:bean>
<beans:bean id="adminRole" class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<beans:constructor-arg value="ADMIN" />
</beans:bean>
Thank you in advance for your help!
I fixed the problem changing the session-fixation-protection attribute to migrateSession.
Now I have no need to restart Tomcat periodically.
I am stuck at something really painful.
I am trying to use the theming of Spring WebMVC.
This is the end of my web-context.xml file :
<beans:bean id="themeChangeInterceptor" class="org.springframework.web.servlet.theme.ThemeChangeInterceptor" >
<beans:property name="paramName" value="theme" />
</beans:bean>
<beans:bean id="themeSource" class="org.springframework.ui.context.support.ResourceBundleThemeSource">
<beans:property name="basenamePrefix" value="theme-" />
</beans:bean>
<beans:bean id="themeResolver" class="org.springframework.web.servlet.theme.CookieThemeResolver" >
<beans:property name="defaultThemeName" value="default" />
</beans:bean>
<beans:bean id="handlerMapping" class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
<beans:property name="interceptors">
<beans:list>
<beans:ref bean="themeChangeInterceptor" />
</beans:list>
</beans:property>
</beans:bean>
In my header file, I have something like :
<span style="float: right">
Default
|
Other
</span>
And to finish, my html head has (imported in all views) :
<link rel="stylesheet" href="<spring:theme code="css"/>" type="text/css" />
I got the two properties files in src/main/resources, which leads to my css. For example in theme-default.properties, there is :
css=static/css/dev.css
My css are in src/webapp/static/css/.
When I load the website for the first time, the theme is default, so I think that the property files and the css are correctly found by the Theme resolver.
But when I click on Default or Other in the header, nothing happens.
Do you know where the problem is ?
Thank you very much beforehand !
Olivier.
I think you are registering the interceptor wrongly. If you are configuring Spring-MVC by using <mvc:annotation-driven/> then having a separate handlerMapping will not work as a default handlerMapping is register by the custom mvc namespace also. Try registering it this way instead:
<mvc:interceptors>
<ref bean="themeChangeInterceptor"/>
</mvc:interceptors>
You should have <mvc:interceptors> declaration. And your ThemeChangeInterceptor bean should be there
<mvc:interceptors>
<beans:bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<beans:property name="paramName" value="lang" />
</beans:bean>
<beans:bean class="org.springframework.web.servlet.theme.ThemeChangeInterceptor">
<beans:property name="paramName" value="theme" />
</beans:bean>
</mvc:interceptors>
I have an application which uses spring security 3.0. The application uses my company's Active directory for login. I borrowed some of the code from the examples on the net and now I am able to successfully perform a bind. But the remember-me functionality is not working. To be more specific, I am able to sign into the application but when I close the browser and open the application it is redirecting to the login page again. Can anyone please tell me what is wrong in my configuration.
Security.xml
<http path-type="regex" use-expressions="true" auto-config="true">
<form-login
login-page="/Login.html"
login-processing-url="/j_spring_security_check"
default-target-url="/home.html"
authentication-failure-url = "/Login.html?login_error=1"
/>
<logout logout-success-url="/Login.html" invalidate-session="true"
delete-cookies="JSESSIONID" />
<intercept-url pattern="\A/Login\Z" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="\A/(?!Login).*\Z" access="isAuthenticated()" />
<remember-me key="_spring_security_remember_me" token-validity-seconds="3600" user-service-ref="ldapUserDetailsService"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="ldapAuthProvider"/>
</authentication-manager>
<beans:bean class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider" id="ldapAuthProvider">
<beans:constructor-arg ref="ldapBindAuthenticator"/>
<beans:property name="userDetailsContextMapper" ref="ldapUserDetailsContextMapper"/>
</beans:bean>
<beans:bean class="org.springframework.security.ldap.DefaultSpringSecurityContextSource" id="ldapServer">
<!-- MS Active Directory -->
<beans:constructor-arg value="ldap://hostname/DC=myCompany,DC=com"/>
<beans:property name="userDn" value="CN=user,OU=Users,DC=mycompany,DC=com"/>
<beans:property name="password" value="xxxxxx"/>
</beans:bean>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator" id="ldapBindAuthenticator">
<beans:constructor-arg ref="ldapServer"/>
<beans:property name="userSearch" ref="ldapSearchBean"/>
</beans:bean>
<beans:bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch" id="ldapSearchBean">
<beans:constructor-arg value="OU=Users"/>
<beans:constructor-arg value="(sAMAccountName={0})"/>
<beans:constructor-arg ref="ldapServer"/>
</beans:bean>
<beans:bean class="org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper" id="ldapUserDetailsContextMapper"/>
<beans:bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<beans:constructor-arg index="0">
<beans:ref local="ldapSearchBean" />
</beans:constructor-arg>
</beans:bean>
<!-- Bean used for LDAP querying. -->
<beans:bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<beans:constructor-arg ref="ldapServer" />
</beans:bean>
<beans:bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" id="expressionHandler"/>