Spring LdapAuthentication and Load roles from local database - spring

I have Spring Security configured to authenticate against LDAP server.
<security:authentication-manager >
<security:ldap-authentication-provider user-dn-pattern="uid={0}" />
</security:authentication-manager>
After authentication I want to load roles from local database for the same user. How can I load local database roles using "ldap-authentication-provider"?
If I add the second authentication provider as below:
<security:authentication-manager >
<security:ldap-authentication-provider user-dn-pattern="uid={0}" />
<security:authentication-provider ref="daoAuthenticationProvider" />
</security:authentication-manager>
daoAuthenticationProvider added, but Spring does not use the second provider when first auth provider authenticates the user. Only if the first auth provider fails to authenticate it goes next in the list.
So basically look like we have to customize
<security:ldap-authentication-provider user-dn-pattern="uid={0}" />
to load ROLEs from local database.
Any suggestions? How should this be implemented?

An authentication provider must deliver a fully populated authentication token on successfull authentication, so it's not possible to use one provider to check the user's credentials, and another one to assign authorities (roles) to it.
You can however customize an ldap auth provider to fetch user roles from database instead of the default behaviour (searching for the user's groups in ldap). The LdapAuthenticationProvider has two strategies injected: one that performs the authentication itself (LdapAuthenticator), and another one that fetches the user's authorities (LdapAuthoritiesPopulator). You can achieve your requirements if you supply an LdapAuthoritiesPopulator implementation that loads roles from database. In case you already have a UserDetailsService working against the database, you can easily integrate that by wrapping it in a UserDetailsServiceLdapAuthoritiesPopulator and injecting it in the LdapAuthenticationProvider.
Since this configuration is rather uncommon, the security xml namespace doesn't provide tags/attributes to set it up, but the raw bean config isn't too complicated. Here is the outline:
1) I suppose you have an ldap-server somewhere in your config. It's important to assign and id to it, which will allow us to reference it later.
<security:ldap-server url="..." id="ldapServer" .../>
2) From the authentication-manager section, you will only refer to the customized provider:
<security:authentication-manager>
<security:authentication-provider ref="customLdapAuthProvider"/>
</security:authentication-manager>
3) Now, the essential part:
<bean id="customLdapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg name="authenticator">
<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg name="contextSource" ref="ldapServer"/>
<property name="userDnPatterns">
<list>
<value>uid={0}</value>
</list>
</property>
</bean>
</constructor-arg>
<constructor-arg name="authoritiesPopulator">
<bean class="org.springframework.security.ldap.authentication.UserDetailsServiceLdapAuthoritiesPopulator">
<constructor-arg name="userService" ref="userService"/>
</bean>
</constructor-arg>
</bean>
The authenticator is basically the same as the one that would be created by the namespace config. (Note the contextSource attribute referencing the ldap server.)
The authoritiesPopulator is a simple wrapper around your userService implementation which is supposed to be defined somewhere in your config.

Related

Avoid JDBCTokenStore in spring Oauth2

I was creating a spring oath2 application. It works. I have a doubt.
Based on this URL http://projects.spring.io/spring-security-oauth/docs/oauth2.html there are only 2 real options:
JdbcTokenStore, JwtTokenStore.
Is it possible to use JDBCTokenStore but not refer to it in the resourceServers?
I mean can we not have it referred directly only in the AuthorizationServer and the resource servers could use an endpoint from AuthorizationServer instead of configuring another direct JDBCTokenStore reference.
Motive: Want to avoid sharing a database between AuthorizationServer and multiple ResourceServers. Is there any other way to achieve this motive.
R
In your Resource Servers you can use RemoteTokenServices. This class queries the /check_token endpoint present in Authorization Server to verify tokens.
You can have a database only for authentication server and another databases for your resource servers.
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices">
<property name="checkTokenEndpointUrl" value="${auth.service.url:https://localhost:8443/auth-service}/oauth/check_token"/>
<property name="clientId" value="${auth.client.name:TEST_API}"/>
<property name="clientSecret" value="${auth.client.secret:password}"/>
<property name="accessTokenConverter" ref="accessTokenConverter"/>
<property name="restTemplate" ref="oauth2RestTemplate"/>
</bean>

ADFS integration using Spring SAML -SP metadata vs IDP metadata?

I implemented the Spring SAML sample application using ssocircle and it worked fine. Now I have been trying to implement it for the client's ADFS. Following is the configuration I think that is required, please correct me if I am wrong:
Change the first parameter below, to the federationMetadata.xml url provided by client
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
<constructor-arg>
<value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
</constructor-arg>
<constructor-arg>
<value type="int">5000</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
Replace the entity id of SP metadata below:
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityId" value="replaceWithUniqueIdentifier"/>
<property name="extendedMetadata">
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="signMetadata" value="false"/>
<property name="idpDiscoveryEnabled" value="true"/>
</bean>
</property>
</bean>
I haven't been able to figure out the following:
All I have received is a url to adfs/../federationMetadata.xml, who is supposed to create the SP metadata?
Am I supposed to create SP metadata and provide to the client, to add it in adfs? Because, that's what I did using sample application. I added the generated metadata to ssocircle
Is my understanding, that point 1 would be adfs url, and point 2 will be SP entity id, correct?
I would be grateful if you could clarify the above to me, also if possible, point me to straightforward tutorial that helps in integrating SAML with Spring security enabled application as I haven't been able to find the same.
Many thanks
To make SAML between SP and IdP (ADFS) work, you have to mutually exchange metadata.
The ADFS metadata are available on the URL https://adfs-host/FederationMetadata/2007-06/FederationMetadata.xml and you can register them in your SP either with HTTPMetadataProvider, or download them and read them from classpath, or file system with ResourceBackedMetadataProvider.
For SP metadata, you have to configure MetadataGenerator (as you have it in your question) and then expose it via FilterChainProxy. Here is a Java configuration (it's equivalent for XML):
#Bean
public FilterChainProxy samlFilter() throws Exception {
List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>();
chains.add(new DefaultSecurityFilterChain(
new AntPathRequestMatcher("/saml/metadata/**"), metadataDisplayFilter()));
return new FilterChainProxy(chains);
}
Than, you can access SP metadata on the URL https://sp-host/saml/metadata and register them on ADFS as a Relying Party Trust. Again, you can do this either via URL, or import data from the (downloaded) file.
Basically, you should be fine if you follow Spring Security SAML Reference Documentation which uses XML configuration. In case, you'll need to switch to Java configuration, you can find handy either referenced vdenotaris/spring-boot-security-saml-sample, or my working prototype sw-samuraj/blog-spring-security.

Web app showing errors when custom authentication provider included

Hello I have a custom authentication provider but when I tried to include a password encoder in my authentication manager, It shows an error that I can not have child elements when used with ref attribute. Here's my problem code....
'
<security:authentication-provider ref="authProvider">
<security:password-encoder ref="passwordEncoder"></security:password-encoder>
</security:authentication-provider>
'
When you use custom authentication provider, you need to set password encoder on the referenced bean.
Here is example for xml-config:
<bean id="authProvider"
class="me.sample.CustomAuthenticationProvider">
<property name="passwordEncoder" ref="passwordEncoder"/>
... other properties ...
</bean>
And, as error suggests, you need to remove element from <security:authentication-provider/>
<security:authentication-provider ref="authProvider"/>

Spring Security SAML autologin for user in domain

I've got application with spring security SAML filters. There is configuration with ADFS 2.0. Server is standing on machine out of domain. I try to login on my App on domain account of user (but window to input domain user principals is displayed). Is there possibility to config this to autologin for user on which domain user we're logged on windows?
Thanks a log.
You can configure custom authnContext sent in your SAML request by changing bean samlEntryPoint in the following way:
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
<property name="defaultProfileOptions">
<bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="authnContexts"
value="urn:federation:authentication:windows"/>
</bean>
</property>
</bean>

Preauthentication with LTPA token

What is the best way to initialize a Spring context given pre-authentication through Websphere LTPA SSO token? Right now I have a custom filter that provides a PreAuthorizedAuthenticationToken to the Spring Security context. Is there an existing filter that would do this for me automatically? I have always run into trouble with GrantedAuthorities when I've tried to use the PreAuth classes.
Cheers
Best option is to have a custom preauthentication filter by extending AbstractPreAuthenticatedProcessingFilter.
You can fetch the token from request and return it in getPreAuthenticatedCredentials() method.
You can define your own AuthenticationUserDetailsService and pass it to PreAuthenticatedAuthenticationProvider, here you can fetch the granted authorities and return them in UserDetails Object
<bean id="preAuthAuthenticationProvider"
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="myUserDetailsService"
class="MyUserDetailsService">
</bean>
</property>
</bean>
If you have granted auth, not starting with default prefix ROLE, you can define your custom prefix
<bean id="myPermissionRoleVoter" class="org.springframework.security.access.vote.RoleVoter">
<property name="rolePrefix" value="myprefix"/>
</bean>

Resources