How can I get users group list (as attribute) that user belongs too. I want to use LDAP server as SAML auth source and then I want to map LDAP attributes to SAML attributes and use them in spring-saml authentication for J2EE application group based role management. What I did at this moment it is LDAP->SAML->Spring-security (SAML module) authentication. But I can't get groups after login because LDAP didn't return them together with other information (cn, email, gidNumber and etc)
Unless you are using the OpenLDAP memberOf overlay you have to do a search for groups with the DN of the user as a value of the group membership attribute, which might be uniqueMember or roleOccupant, depending on how you have set up your LDAP server.
If you're using the memberOf overlay, just request the value of the memberOf attribute when you lookup the user.
Related
I need to setup authentication for our Jenkins via LDAP (AD). I was able to setup the authentication on a wide scale but I have to narrow it down to a certain members of a group and my LDAP filtering fails here.
This is the full DN that I want to target:
CN=jenkinsgroup,OU=App1,OU=Applications,OU=CompanyGroup,OU=Company,DC=my,DC=domain,DC=com
In the jenkinsgroup group I have the users stored as member attributes, only they should get access.
Jenkins LDAP plugin offers these fields:
Jenkis configuration
I'm not sure whether I should use a filter in on the User or the Group field, or which objectClass or category should I use for member attribute - I tried user and member as well.
Error message I get:
User lookup: user "username" does not exist.
Does the Manager Dn have permissions to perform user lookup?
Are the user search base and user search filter settings correct?
LDAP Group lookup: could not verify.
Please try with a user that is a member of at least one LDAP group.
Without the filtering, I can authenticate with a user from the group and it also confirms me its membership.
So I'm confused about how the write the proper query.
Thanks in advance!
As EricLavault commented:
(&(sAMAccountName={0})(memberOf=CN=jenkinsgroup,OU=App1,OU=Applications,OU=CompanyGroup,OU=Company,DC=my,DC=domain,DC=com))
I used this as the user search filter and worked.
If two users have same username in the database then how can spring security handle that?
I have two users with following login CREDENTIALS in database:-
1.Username:rohit password:1234
2.Username:rohit password:123
That means the user cannot be unique identified by the username only. So you have to think about the business requirements how to unique identify an user based on the information collected from the user request.
Enforcing the username to be unique across the system can definitely solve the problem. Ask the product owner if it is okay to do it .If not , ask him how to handle such case from the business 's point of view. Then based on the actual requirements of how to unique identify an user , you may need to customise the following classes (Assuming you are using the default username and password login form and authenticate against the user records from DB using JDBC) :
UsernamePasswordAuthenticationFilter
DaoAuthenticationProvider
UserDetailsService
Hi have an app in Spring mvc 3 and Spring Security 3. Happens that i decide promote an user( I have a database with user,role and user_role tables), but when i add the new role to database comes the problem, how updating the principal authorities without logout the user? Looking for an answer i found this:
// update database with new role
//... you fill in this part
// update the current Authentication
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority> (auth.getAuthorities());
authorities.add(new GrantedAuthorityImpl('ROLE_NEWROLE'));
Authentication newAuth = new UsernamePasswordToken(auth.getPrincipal(),auth.getCredentials(),authorities)
SecurityContextHolder.getContext().setAuthentication(newAuth);
Now, this approach looks good, but my question is, given that securitycontextholder retrieves the information concerned to the current user which calls him, how can I apply the code of above to each user in the system, from my admin account?
I am using my own authentication provider.
One option would be to implement the following strategy:
Keep a global registry of users whose roles have been modified. This could be implemented using a ConcurrentHashMap (or a distributed cache if you have multiple app servers).
As soon as an admin changes the role of a user, push the user's (whose role has been changed) principal (email address, username, etc.) to this registry.
Write a filter that checks whether the current user's principal in the registry. If the principal is in the registry, the filter refreshes the user's role and then removes the principal from the registry. The rest of the request is then handled as usual.
Grails 2.2.2, plugins spring-security core and CAS plugins.
Lets say I've set up spring-security-core using the quickstart script, so I've got User, Role and UserRole tables. CAS is set up and working fine for users who are represented in these tables.
When the user in question visits, they do the redirect tango with CAS, which says they are okay and returns a username when the CAS plugin does the ticket validation. But, because the username is not represented in my User table, the auth fails according to spring-security, so I can't get the authorizedUser or Principal, etc.
But, I want to accept the CAS authentication even if the user in question is NOT in my User table, and thus has no roles. I trust this CAS server.
How do I get access to the response from the CAS ticket validation step? If I could do that, I could create a user using the name provided by CAS and assign some reasonable default roles.
Create your own UserDetailsService that implements org.codehaus.groovy.grails.plugins.springsecurity.GrailsUserDetailsService. It should create a new UserDetails based on the username passed in to loadUserByUsername rather than check the User table. Set it up as a spring bean with the name userDetailsService and it should override the default GORM implementation.
Let's say I have users and articles.
Anonymous can list and read articles.
Only registered and logged user can create articles.
User can edit only own articles.
And, of course, admin can do anything.
I've looked at spring security, but didn't found a way to do that. My app don't need roles, and ACL will be too "heavy" for that.
Maybe I should implement my own security?
You're right, ACL would be too much for the task.
You can use Spring Security's authorize tag in JSP, which provides access to the logged in user via the principal object. Example to limit access to editing an article to the user with a given username:
<sec:authorize access="hasRole('SOME_PRIVILEGE_OR_ROLE') and ${someArticle.username} == principal.username">
...
</sec:authorize>
Note that SOME_PRIVILEGE_OR_ROLE could be some role like 'LOGGED_IN_USER', but could also rather specify a certain privilege, e.g. 'READ_ARTICLE' or 'UPDATE_ARTICLE'. Spring Security is flexible here. Whatever you choose, it needs to be in the GrantedAuthorities collection of your user object.
Note also that you can implement your own user object, adding further info to what the UserDetails interface provides, e.g. comparing the user's id rather than the username.
Finally, note that you need a recent version of Spring Security (>=3.1) for the Spring EL to work as in the example.