Currently developing an spring application and integrating with OUD through LDAP. I am new to LDAP. Is there is any provision to add the values in spring configuration
Group Object Class: companyPerson
User Object Class: groupOfUniqueNames
My understanding is these are object classes in ldap. Pl. Help me to understand
'groupOfUniqueNames' is the LDAP marker objectclass for LDAP static groups, not for user entries, please see https://www.rfc-editor.org/rfc/rfc4519
'companyPerson' is not an LDAP standardized objectclass ,but seems to be a custom one.
Related
In my current project, I have a scenario where user will login into portal and authenticated via TAM(Tivoli). After login into portal there will be a link from which user will be redirected to our application (spring mvc) hosted on JBOSS.
Now the information we have is, user role and group info will be available within our container and we have to make JAAS api call to retrieve user roles and group info which further will be used by spring security for authorization purpose.
I can imagine that this will be a spring pre-authentication scenario where user will already been authenticated (SSO) and for authorization we need to retrieve his role and group info .
Could you please assist me to correct my understanding and how to get those user role/group from JBOSS container using JAAS API?
Any code snippet or link (spring implementation) will be helpful.
Thanks,
CD
It seems you need to create a SSO structure, isn't the Spring documentation useful enough?
You can find the SSO part here: Spring Security Reference: Chapter 9
What ApplicationServer are you using? Can you do a more specific question on some implementation instead?
I'm currently creating a new application that requires users to login. I want to use the Spring Security Core plugin for this, but the only problem is that the credentials of the users are stored in a centralized system, and not locally in the database. This system can only be accessed by an API, and will tell me whether the credentials are correct or not.
Is there any way to override the credentials check of the Spring Security Code plugin, so I can check the credentials myself? Or in case this is not possible, is there any other workaround?
It belongs on what your system looks like.
You can write your own Authentication Provider.
Here is answer.
You can create your own User class with datasource set on your centralized system database.
Or you can use Spring Security CAS Plugin
I want to get the list of all users in a specific group of an LDAP directory, and also I'm using Spring Security LDAP; and I cant find any thing that could solve my issue.
I'm already have Spring Security LDAP and I can get context and principal and so on.
I also read my Spring Security LDAP plugin functions but found nothing to get list of all users.
What should I do? Did I have to make a query? If yes, how?
In context of spring security, the framework only aims to find the LDAP user and then verifies if the passwords are correct.
The loading of roles can be done multiple ways, but usually boils down to:
Specifying which LDAP User attributes should be loaded as Roles
Provide your own custom 'role' mapper, as described in Handling roles when authenticated to active directory with spring security 3.1
If you want to do some plain LDAP Search outside of the Spring security context, I would suggest you take a look at the example in chapter 1.2 of the Spring LDAP Reference guide.
http://docs.spring.io/spring-ldap/docs/current-SNAPSHOT/reference/#traditional-java-ldap-v-s-ldaptemplate
Spring security gurus,
I am new to spring security so please bear with me if my questions are not clear.
I am trying to implement role based access control using spring security 3.x. Individual users are stored in Windows AD without groups so we cannot simply map groups to authorities as some samples demonstrated.
So my plan is to use Windows AD for authentication purpose only, but the user <-> roles relationship to be maintained by Spring security itself.
However, mapping individual user to roles would be very tedious so my question is if possible to configure users <-> groups <-> roles in spring security but the authentication part has to be done by Windows AD?
As spring security is highly flexible I believe my requirements are achievable. Can someone give some pointers on where I should look at please?
The more details the better for newbies like me :=)
Thank you in advance.
Aaron Li
EDIT 1: To add onto my question in particular, can I utilize the Spring database tables authorities, groups, group_authorities, group_members to implement a simple role based authroization logic? But I can't use "users" table as ealier explained the user details will have to be stored in Windows AD so the authentication of the users need to be done using Windows AD.
Any advices?
Thanks
Aaron
First some clarification on the terminology: Authorities, usually consisting of roles in Spring Security, are application-wide permissions. ACLs (Access Control Lists) on the other hand, specify permissions on specific domain objects. Just as you understand the difference. AD usually contains authorities/roles, but not ACLs.
If you don't want to use the authorities from AD, you can do your own implementation of UserDetailsContextMapper and inject it in your instance of ActiveDirectoryLdapAuthenticationProvider. See the Spring Security reference documentation how to specify a custom authentication-provider.
If you want to use the tables (authorities etc) of reference schema, you can use JdbcDaoImpl to load the user details. You then have to insert the users in the users table but not any passwords since authentication is done through AD. If you want to get rid of the users table however, you must customize the implementation.
I have been searching on google the list of available roles in spring security, but I haven't been able to get the complete list.
¿Could someone help me with this?
This is what I've found: ROLE_ADMIN, ROLE_USER, ROLE_VISITOR.
The list of roles is not dictated by Spring Security, but is entirely up to what is required in a particular application.
The list of roles could for example be stored in the application's database. See for an example Spring Security's JdbcUserDetailsManager class which can be readily used to manage users, roles and authorities (privileges) in the database.
As Markus said there are no fixed number of roles in spring security.
Have a look at the javadoc for org.springframework.security.core.GrantedAuthority.
Extending it allows you to override the getAuthority method from which you can return any role string you like.