Spring Security LDAP - Problems Authenticating a User - Container Issue? - spring

Let me preface this by saying I'm not well versed in Spring. I was thrown into a project at work and am trying to spin up as quickly as possible
With that in mind, I'm trying to implement spring security using Jasig's CAS and LDAP.
When I had loaded this set up from a local LDAP, things worked fine. However, since I've relocated it to the corporate LDAP, the webapp is no longer working.
At the moment, I can confirm this script successfully logs into LDAP and verifies the paths to the containers, however I get a server error before the page loads.
Code:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd" >
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<!-- The URL of the ldap server, along with the base path that all other ldap path will be relative to -->
<constructor-arg value="ldaps://141.161.99.74:636/dc=testing,dc=com"/>
<property name="userDn" value="uid=OdinAdmin,ou=Specials,dc=testing,dc=com" />
<property name="password" value="testpw" />
</bean>
<bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource"/>
<property name="userSearch" ref="ldapUserSearch"/>
</bean>
</constructor-arg>
<constructor-arg ref="authoritiesPopulator" /> <!-- Populates authorities in the UserDetails object -->
<property name="userDetailsContextMapper" ref="userDetailsMapper" /> <!-- Adds OWF groups to the UserDetails object -->
</bean>
<bean id="authoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSource"/>
<constructor-arg value="ou=OdinRoles,ou=Odin,ou=Apps"/> <!-- search base for determining what roles a user has -->
<property name="groupRoleAttribute" value="cn"/>
<!-- the following properties are shown with their default values -->
<property name="rolePrefix" value="ROLE_"/>
<property name="convertToUpperCase" value="true"/>
<property name="searchSubtree" value="true"/>
</bean>
<bean id="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg value="ou=people" /> <!-- search base for finding User records -->
<constructor-arg value="(uid={0})" /> <!-- filter applied to entities under the search base in order to find a given user.
this default searches for an entity with a matching uid -->
<constructor-arg ref="contextSource" />
</bean>
<!-- Custom class that goes back to the ldap database to search for OWF group records and also adds
extra attributes from the user's ldap record to the UserDetails object.
The class implementation of this will likely need to be changed out for differnt setups -->
<bean id="userDetailsMapper" class="ozone.securitysample.authentication.ldap.OWFUserDetailsContextMapper">
<constructor-arg ref="contextSource" />
<constructor-arg value="ou=OdinGroups,ou=Odin,ou=Apps" /> <!-- search base for finding OWF group membership -->
<constructor-arg value="(uniqueMember={0})" /> <!-- filter that matches only groups that have the given username listed
as a "member" attribute -->
<property name="searchSubtree" value="true"/>
</bean>
<bean id="ldapUserService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<constructor-arg ref="ldapUserSearch" />
<constructor-arg ref="authoritiesPopulator" />
<property name="userDetailsMapper" ref="userDetailsMapper" />
</bean>
</beans>
My question is, am I allowed to have the subcontainers in the constructor-arg values for group and role searches? In my previous version, everything was in the same container. That way I could just have all that included in my base-dn and just reference the specific OU within that. Ie. instead of
I'm not sure if that is causing the issue, but any insight would be greatly appreciated. Thanks!

Can you provide what exactly is the error you're getting and which part actually fails? There is quite a bit of configuration in there and it'd very much help us if we narrow it down to one error or so.
P.S: I wanted this to be a comment but I'm sorry, i'm not yet allowed to comment due to the restrictions of SO.

This issue actually was based on the application I was implementing. It required specific role names (ROLE_ADMIN, ROLE_USER) to function. I had to map the existing roles to these 2 through a custom Java class.
Thanks for the help!

Related

Spring LDAP, Is it possible to configure LdapTemplate using authenticated use?

In my application I have fill some user fields from its information in a LDAP, I use LdapTemplate configured in the servlet-context.xml (with a properties file to set the values) and everything works perfect but I don't want to have the login of a user set in plain text in the application so I wonder if it is possible to configure the LDAPTemplate using the user logged in the application and if possible get a way to do it.
My actual configuration is this:
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="${ldap.url}" />
<property name="base" value="${ldap.base}" />
<property name="userDn" value="${ldap.userDn}" />
<property name="password" value="${ldap.password}" />
</bean>
<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<constructor-arg ref="contextSource" />
<property name="ignorePartialResultException" value="true" />
</bean>
Any help will be appreciated, thanks in advance.

disable (or change port) for web interface of neo4j embedded?

I have a number of small web service projects which use embedded neo4j 2.x.
Any combination of them might be deployed on a single tomcat instance, and therefore I need them NOT to all attempt to start a web service on port 7474.
Acceptable solution is either to disable web interface on all of them, or have each use a separate port. Is the first option doable via Spring configuration? If so, how?
I've tried with a config map:
<util:map id="config">
<entry key="enable_remote_shell" value="false" />
<entry key="org.neo4j.server.webserver.port" value="7475" />
</util:map>
<bean id="graphDbFactory" class="org.neo4j.graphdb.factory.GraphDatabaseFactory" />
<bean id="graphDbBuilder" factory-bean="graphDbFactory"
factory-method="newEmbeddedDatabaseBuilder">
<constructor-arg value="${neo4j.database.path}" />
</bean>
<bean id="graphDbBuilderFinal" factory-bean="graphDbBuilder"
factory-method="setConfig">
<constructor-arg ref="config" />
</bean>
<bean id="graphDatabaseService" factory-bean="graphDbBuilderFinal"
factory-method="newGraphDatabase" destroy-method="shutdown" />
<bean id="serverWrapper" class="org.neo4j.server.WrappingNeoServerBootstrapper"
init-method="start" destroy-method="stop">
<constructor-arg ref="graphDatabaseService" />
</bean>
but there's Jetty still binding the web service to port 7474... so I guess that
disabling the remote shell doesn't also disable the web admin interface?
org.neo4j.server.webserver.port is the wrong key, or
i've got the wrong recipe for the configuration (although this one seems consistent with all the neo4j 2.x Spring configuration examples I can find online)
If not, what do I set in the configuration to give each a distinct port number for the web interface? Thanks.
Remove this part
<bean id="serverWrapper" class="org.neo4j.server.WrappingNeoServerBootstrapper"
init-method="start" destroy-method="stop">
<constructor-arg ref="graphDatabaseService" />
</bean>

Spring multiple beans with same id in a factory pattern?

I have a two beans with the same id as thats the Neo4j Class it maps to internally so i can't have the id changed for both. Now for a clustered environment I need this bean:
<bean id="graphDatabaseService" factory-bean="graphDbBuilderFinal"
factory-method="newGraphDatabase" destroy-method="shutdown" />
And for a non-clustered one I need this :
<bean id="graphDatabaseService" class="org.springframework.data.neo4j.support.GraphDatabaseServiceFactoryBean"
destroy-method="shutdown" scope="singleton">
<constructor-arg value="${neo4j.database.path}" />
</bean>
Right now I comment either one of them based on environment as not all environments will have cluster setup. Is there a way where as based on environment value(a property may be) it picks one bean among these.
This is how it is used in java class.
#Autowired
private GraphDatabaseService graphDB;
Thanks,
You can use spring profile feature (since spring 3.1.X) see link
e.g
<beans profile="cluster">
<bean id="graphDatabaseService" factory-bean="graphDbBuilderFinal"
factory-method="newGraphDatabase" destroy-method="shutdown" />
</beans>
<beans profile="no_cluster">
<bean id="graphDatabaseService" class="org.springframework.data.neo4j.support.GraphDatabaseServiceFactoryBean"
destroy-method="shutdown" scope="singleton">
<constructor-arg value="${neo4j.database.path}" />
</bean>
</beans>
and active the profile in your application in this way
-Dspring.profiles.active="cluster"
Will be loaded only the beans without profile and all those with the profile activated.
I hope this solution can help to solve your problem.
You dont need to define with different Id´s just in different xml configuration files. Like
cluster.xml --->
<bean id="graphDatabaseService" factory-bean="graphDbBuilderFinal"
factory-method="newGraphDatabase" destroy-method="shutdown" />
no_cluster.xml
<bean id="graphDatabaseService" class="org.springframework.data.neo4j.support.GraphDatabaseServiceFactoryBean"
destroy-method="shutdown" scope="singleton">
And then use Spring profile to load one file or another depending of the profile
<beans profile="cluster">
<import resource="spring/cluster.xml" />
</beans>
<beans profile="no_cluster">
<import resource="spring/no_cluster.xml" />
</beans>

Spring Security 3 - Add information to (role) voters

I am pretty new to Spring security and just going through the reference, doing some examples. One feature that I am strongly missing (and I wonder that hardly anybody else seems to miss it) is to provide custom information to the user why or for what reason access was denied. E.g. I would like to inform the user that he has no access to module A or that he needs to needs to be granted role-access B, etc.
I took at a look at the role interface, but this information seems to get lost:
int vote(Authentication authentication, Object object, List<ConfigAttribute> config);
Spring Security Access Denied logging with missing role
This says, that I have to provide a custom implementation of AccessDecisionManager.
But how could an actual implementation look like which provides specific information if access is denied? And how to hook it into spring security?
For starters simple role-based access would be sufficient. Can anybody provide any examples on this?
Have a look at the AffirmativeBased - DecisionManager. You can enhance it an add some additional information to the AccessDeniedException.
But it seams to be not so easy to get the reasons from the Voters why they dendied the access. (I hope you will find some naming pattern, or you have even to extend the voters).
And this is an example how to configure your custom DecisionManager
<security:http auto-config="true" access-decision-manager-ref="myDecisionManager">
<bean id="myAccessDecisionManager"
class="MyAffirmativeBasedDecisionManager">
<constructor-arg name="decisionVoters">
<list>
<ref bean="roleVoter" />
<ref bean="authenticatedVoter" />
<ref bean="preAdviceVoter" />
</list>
</constructor-arg>
</bean>
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter" />
<bean id="authenticatedVoter"
class="org.springframework.security.access.vote.AuthenticatedVoter" />
<bean id="preAdviceVoter"
class="org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter">
<constructor-arg ref="exprPreInvocationAdvice" />
</bean>
<bean
class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice"
id="exprPreInvocationAdvice">
<property name="expressionHandler" ref="methodExprHandler" />
</bean>
<bean id="methodExprHandler"
class="org.springframework.security.access.expression.method.ExtensibleMethodSecurityExpressionHandler">
<property name="methodSecurityExpressionRootFactory">
<bean
class="com.queomedia.infrastructure.security.spring.MethodSecurityExpressionRootFactoryImpl" />
</property>
</bean>

host/role dependent spring configuration

I have a cluster of servers running a spring application. Some of the spring components need to be configured differently depending on the role their server is playing (primary, secondary, etc). I don't want to maintain separate spring config files for each role, rather I want to dynamically detect this when the application is started. Its almost like I want conditional bean instantiation (which doesn't exist in spring).
Q: What is the best way to achieve this type of configuration?
Example: Only the primary node in a cluster should create durable subscription to a JMS broker (which requires a globally unique JMS clientID). I can detect if the current host has this role by looking up the running server's hostname in a database and start this container manually (if my node happens to be primary); however, I don't want every node in the cluster to create a durable subscription (by instantiating this bean).
<bean id="auditrecordListenerContainer"
class="org.springframework.jms.listener.DefaultMessageListenerContainer">
<property name="concurrentConsumers" value="1" />
<property name="clientID" value="${server-hostname}" />
<property name="durable" value="true" />
<!-- only started on the primary node: via application listener -->
<property name="autoStartup" value="false" />
</bean>
Note, however there is no ${server-hostname} property in the spring container (at least that I know of)
If your code already conditionally starts the appropriate services based on object properties, you can use utility methods in the following manner:
<!-- Factory methods to determine properties -->
<bean id="hostname" class="MyUtil" factory-method="determineHostName"/>
<bean id="isHost" class="MyUtil" factory-method="isHost"/>
<bean id="auditrecordListenerContainer"
class="org.springframework.jms.listener.DefaultMessageListenerContainer">
<property name="concurrentConsumers" value="1" />
<property name="durable" value="true" />
<!-- Reference properties here -->
<property name="hostname" ref="hostname" />
<property name="autoStartup" ref="isHost" />
</bean>
To use a property of a singleton bean instead, use a PropertyPathFactoryBean:
<bean id="config" class="MyConfig"/>
<util:property-path id="hostname" path="config.hostname"/>
<util:property-path id="isHost" path="config.host"/>
You can implement a conditional instantiation logic
as a FactoryBean

Resources