Spring Security 3.1 using Active Directory - spring

I'm trying to secure my Spring 3.1 web app with Spring Security 3.1, and I need to use Active Directory for user authentication.
However, I cant seem to find the complete configuration steps. I tried different bits of suggestions but they didn't work for me.
What are the complete steps of configuration to enable a Spring 3.1 web app to use Spring Security 3.1 with Active Directory?

<beans:bean id="adAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<beans:constructor-arg value="[your domain]" />
<beans:constructor-arg value="ldap://[your AD server]:389" />
<beans:property name="userDetailsContextMapper">
<beans:bean class="[your user-details context mapper]" />
</beans:property>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="adAuthProvider" />
</authentication-manager>
If you need to provide custom logic for mapping user and authorities from the AD entry, you can implement your own UserDetailsContextMapper implementation and specify it in the userDetailsContextMapper property on the adAuthProvider bean.

Related

Spring 4.3.25.RELEASE OAuth2 Configuration Problem

I am working on a system that uses Spring 4.3.25.RELEASE and xml based configuration. I need to integrate with another system using OAuth2, and therefore trying to configure the system as an OAuth2 Client, but it's proving difficult to find examples and documentation.
I can redirect to the IdP ok, but on return I am seeing this error:
Possible CSRF detected - state parameter was required but no state
could be found
This is the configuration I have in place, which is obviously incomplete. Can you please help me identify what is missing?
Thanks.
<custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
<custom-filter ref="oauth2AuthenticationFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
...
<oauth:client id="oauth2ClientFilter" />
<beans:bean id="oauth2AuthenticationFilter" class="org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter">
<beans:constructor-arg name="defaultFilterProcessesUrl" value="/oauth2/callback"/>
<beans:property name="restTemplate" ref="restTemplate"/>
</beans:bean>
<oauth:rest-template id="restTemplate" resource="oauth2Token"/>
<oauth:resource id="oauth2Token"
type="authorization_code"
client-id="my-client-id"
client-secret="my-client-secret"
access-token-uri="https://http://myurl/token"
user-authorization-uri="http://myurl/authorize"/>

I'm very new to the spring security and OAuth2

Hi I'm very new to Spring Security and OAUTH2 can any one help .... I'm using the example provided in this example http://www.beingjavaguys.com/2014/10/spring-security-oauth2-integration.html
What I'm trying to do is create 2 web applications where one app(mainApp) stores all the protected resources and does not know about the users and it needs to make a rest call to another app to get the details
Currently in my security config
<authentication-manager id="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider>
<user-service>
<user name="abcd" password="1234" authorities="ROLE_APP" />
</user-service>
</authentication-provider>
</authentication-manager>
In my case, I want to let our custom API which is in another app do the authentication, then return a custom UserDetails object containing the roles and other attributes
Have you tried to follow https://spring.io/guides/tutorials/spring-security-and-angular-js/#_sso_with_oauth2_angular_js_and_spring_security_part_v? I think the guide is quite interesting and offers a wide perspective of implementing OAuth2 and other security methods. Is there any reason because you need to use OAuth2? I mean, you can maybe start using Basic Authorization or token based approaches before to start with OAuth2 (which maybe is so complicated if you have no much experience).

to use salt-source bean, which domain do I need to implement?

I am trying to implement a salt source as part of my security in Spring security 3. I want to salt the username, but in order to use this as shown below, which domain do I need to implement in order to take advantage of spring security's default implementations???
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="sha-256">
<salt-source user-property="username" />
</password-encoder>
</authentication-provider>
</authentication-manager>
I guess with domain you're referring to the Security Namespace. The location of the Spring Security Namespace Configuration is: http://www.springframework.org/schema/security/spring-security.xsd (don't specify the version to resolve against the latest one). Have a look at the documentation: Spring Security Namespace Configuration

Can't get Ehcache to work with spring 3

I am new to Spring so please forgive me if my question is foolish...
I am trying to follow some examples for configuring security on a spring web application. I have configured it to work with ldap directory. Now I need to add caching to the process so that the credentials are not fetched from the ldap directory every time they are requested.
For this I have added cache-ref="userCache" as shown in the tutorial:
<authentication-manager>
<authentication-provider>
...
<ldap-user-service server-ref="ldapServer"
user-search-filter="uid={0}" user-search-base="ou=people"
group-search-filter="member={0}" group-search-base="ou=groups"
cache-ref="userCache" />
</authentication-provider>
</authentication-manager>
The bean userCache is defined like this :
<beans:bean id="userCache"
class="org.springframework.security.providers.
dao.cache.EhCacheBasedUserCache">
<beans:property name="cache" ref="userEhCache" />
</beans:bean>
<beans:bean id="userEhCache"
class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<beans:property name="cacheManager" ref="cacheManager" />
<beans:property name="cacheName" value="userCache" />
</beans:bean>
The cache manager is defined as follows:
<bean id="cacheManager"
class="org.springframework.security.core.userdetails.cache.EhCacheManagerFactoryBean" />
The problem with this configuration is that I couldn't get the jars because they are based on an old version of spring 2. The cache manager I got it using
<bean id="cacheManager"
class="net.sf.ehcache.CacheManager" />
but the org.springframework.cache.ehcache.EhCacheFactoryBean and org.springframework.security.providers.dao.cache.EhCacheBasedUserCache I don't know where to get them beside from spring 2 which if I add to my project it brakes everything.
I would appreciate any help in this matter. If you have some other solution please make some suggestions. Thanks!
In Spring 3.0.x org.springframework.cache.ehcache.EhCacheFactoryBean is located in spring-context-support-3.0.x.RELEASE.jar.
There is no class org.springframework.security.providers.dao.cache.EhCacheBasedUserCache but there is class org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache located in spring-security-core-3.0.x.RELEASE.jar.

Blazeds and Spring security, can remember-me be used in this combination?

I'm using the latest release of Spring Blzeds integration which has some features making it easier to secure invocations on destination objects. However the basic setup I use which uses the ChannelSet login approach form the flex side looses the authentication information (sessions) on each page refresh. Here's the configuration I'm using:
<http entry-point-ref="preAuthenticatedEntryPoint" >
</http>
<beans:bean id="preAuthenticatedEntryPoint" class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
<beans:bean id="userAccountManager" class="com.comp.service.managers.jpa.UserAccountJpaManager" />
<beans:bean id="userService" class="com.comp.auth.JpaUserDetailsService" />
<beans:bean id="defaultPasswordEncoder" class="com.comp.auth.DefaultPasswordEncoder" />
<authentication-provider user-service-ref="userService">
<password-encoder ref="defaultPasswordEncoder"/>
</authentication-provider>
<flex:message-broker>
<flex:secured />
</flex:message-broker>
<bean id="testService" class="com.comp.service.TestService">
<flex:remoting-destination channels="comp-amf" />
<security:intercept-methods>
<security:protect method="say*" access="ROLE_USER" />
</security:intercept-methods>
</bean>
Is there another way to configure/implement this so I could get persistent sessions (remember me). Is it possible to do the logins from flex over standard HTTP POST (like forms) and still get the same level of granularity for protecting remote object calls?
Try adding this to your config:
<http entry-point-ref="preAuthenticatedEntryPoint" create-session="always">

Resources