We are using Spring security LDAP authentication in our application for authentication purpose. For ldap authentication, we configure a userid and password in the applicationContext-security.xml. I would like to know if there is a way to authenticate via LDAP without specifying the User parameters for accessing the LDAP server in the configuration(applicationContext-security.xml) file .
Thanks in Advance
Jasypt supports encrypting .properties files and transparently decrypting it when Spring accesses it.
So , you can try to specify the authentication details inside a .properties file , then use Jasypt to encrypt this .properties file . Use <context:property-placeholder> to inject the authentication details from the .properties files into the applicationContext-security.xml
If your LDAP allows anonymous access you may not specify userDn and password in the configuration of contextSource. In this case Spring Security will use anonymous for read-write operations.
Related
I want to only use the the authentication part of spring security and use email instead of username with mysql. does anyone has a code for that?
or maybe without spring security how to authenticate?
Without spring security that means that you will just check if user exists in the database with correct credentials, you can follow this tutorial https://www.baeldung.com/registration-restful-api
I have a complex situation where I need to implement a security for web app on tomcat 8 that serve both static html and rest services. the app is spring mvc application (no spring boot)
the authntication ( sso ) process will go as follow:
if user jwt not exist in http header then authonticate with ldap, getting user authorities from db and create jwt back to user.
if jwt exist in header, skip ldap filtering , extract the user authorities from token.
I was thinking of first servlet filter that uses spnego library and get the windows domain name (user name to use in ldap) that filter will also check to see if ldap authontication is needed ( if token not provided) and pass it back to spring filter chine through http params..
I'm struggling to implement he ideal.
please help.
thanks
As I know, there is support for LDAP in spring security, might be it will help you.
Other than that, if you want to write your own filters then you have to add those in spring security filter chain.
I have configured spring security using ldap authentication.
I have also configured the remember me service for this.
But the LdapUserDetail returned by the LdapService doesnt contain
the password . Hence the rememberme service (TokenBasedRememberMeServices )is not able to generate the token.
Could some one help me out here as to what could be the issue .
1.Should we do any CustomUserAttributingMapping or
2.The password is restricted read at the ldap server
or any other thing
I started working on JAAS with SSO,I have some doubt about JAAS. JAAS (Java Authentication and Authorization Service) framework to cater to multiple authentication mechanisms. The SSO server validates sign-on information against its own database or an external directory server and returns the session context and list of applications that the signed-on user can execute.Here i want to implement one more web application's.As per my knowledge the SSO JAAS will return Session context. In my client web applications already, i have acegi security for authentication, using my acegi security how can i get the session context from my SSO JAAS for Authorization.I am trying to find out any configuration sample , but still I did't get any work around example.
Take a look at this spring security configuration. It is not exactly what you want but it will show you the way
Key points
Check how authentication-manager is defined by using
PreAuthenticatedAuthenticationProvider. The preAuthenticatedUserDetailsService property defines a bean that will allow you to create your spring security UserDetails object from the JAAS Authentication object
The j2eePreAuthFilter filter is the one that will delegate security from JAAS to spring security.
The rest is standard spring security configuration
Hope it helps a bit
I wonder if its possible to config spring security with a ldap as authentication provider so that only some of the users in the ldap is getting access? Is it possible to config it so that I can write in the names of the users that is giving access?
Im using Spring 3.1
Yes, it is posible, see the spring documentation. Your second question is not clear for me. Do you mean that, once the user from ldap is authenticated you want to display the user name? Thas is possible.