Spring Security: Authentication with Windows AD, Authorization with Spring Security ACL

StackOverflow https://stackoverflow.com/questions/21655128

08-10-2022

Spring security gurus,

I am new to spring security so please bear with me if my questions are not clear.

I am trying to implement role based access control using spring security 3.x. Individual users are stored in Windows AD without groups so we cannot simply map groups to authorities as some samples demonstrated.

So my plan is to use Windows AD for authentication purpose only, but the user <-> roles relationship to be maintained by Spring security itself.

However, mapping individual users to roles would be very tedious, so my question is whether it is possible to configure users <-> groups <-> roles in Spring Security while the authentication part is done by Windows AD?

As spring security is highly flexible I believe my requirements are achievable. Can someone give some pointers on where I should look at please?

The more details the better for newbies like me :=)

Thank you in advance.

Aaron Li


EDIT 1: To add onto my question in particular, can I utilize the Spring database tables authorities, groups, group_authorities, group_members to implement a simple role based authorization logic? But I can't use the "users" table, as earlier explained the user details will have to be stored in Windows AD, so the authentication of the users needs to be done using Windows AD.

Any advice?

Thanks

Aaron


Solution

First some clarification on the terminology: Authorities, usually consisting of roles in Spring Security, are application-wide permissions. ACLs (Access Control Lists), on the other hand, specify permissions on specific domain objects. Just so you understand the difference: AD usually contains authorities/roles, but not ACLs.

If you don't want to use the authorities from AD, you can do your own implementation of UserDetailsContextMapper and inject it into your instance of ActiveDirectoryLdapAuthenticationProvider. See the Spring Security reference documentation for how to specify a custom authentication-provider.

If you want to use the tables (authorities etc.) of the reference schema, you can use JdbcDaoImpl to load the user details. You then have to insert the users into the users table, but not any passwords, since authentication is done through AD. If you want to get rid of the users table, however, you must customize the implementation.
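
The two pieces of the answer above fit together in one class: a custom UserDetailsContextMapper that ignores whatever AD returns for authorities and instead asks a JdbcDaoImpl (configured for the groups/group_members/group_authorities tables of the reference schema) for the user's roles. This is an added example, not code from the original answer or from the Spring Security project. It assumes Spring Security 3.1 or later (where ActiveDirectoryLdapAuthenticationProvider exists), that usernames in the users table are stored in lower case and match the AD sAMAccountName, and that the DataSource, domain and LDAP URL are supplied by the caller; the class name JdbcBackedAdContextMapper and the helper adProvider are made up for the example.

```java
import java.util.Collection;
import java.util.Locale;

import javax.sql.DataSource;

import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

/**
 * Example (not from the original answer): AD verifies the password, the
 * Spring Security reference schema (users / groups / group_members /
 * group_authorities) decides which roles the authenticated user gets.
 */
public class JdbcBackedAdContextMapper implements UserDetailsContextMapper {

    private final JdbcDaoImpl jdbcDao;

    public JdbcBackedAdContextMapper(DataSource dataSource) {
        jdbcDao = new JdbcDaoImpl();
        jdbcDao.setDataSource(dataSource);
        jdbcDao.setEnableAuthorities(false); // skip the per-user "authorities" table
        jdbcDao.setEnableGroups(true);       // roles come from groups/group_members/group_authorities
        jdbcDao.afterPropertiesSet();        // validates the configuration (at least one source enabled)
    }

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> adAuthorities) {
        // By the time we get here AD has already accepted the password. The AD
        // authorities passed in are deliberately ignored: roles live in the DB.
        // Key the lookup on sAMAccountName rather than on what the user typed,
        // which may carry a DOMAIN\ prefix or @domain suffix, or differ in case.
        String account = ctx.getStringAttribute("sAMAccountName");
        if (account == null) {
            account = username;
        }
        // Assumption: usernames are stored lower-cased in the users table.
        String key = account.toLowerCase(Locale.ROOT);

        UserDetails user;
        try {
            user = jdbcDao.loadUserByUsername(key);
        } catch (UsernameNotFoundException e) {
            // Fail closed: a valid AD account that has not been provisioned in the
            // application gets no access instead of an empty authority set.
            // JdbcDaoImpl also throws this when the user is in no group at all.
            throw new UsernameNotFoundException(
                    "Account " + key + " authenticated by AD but not provisioned in the application", e);
        }
        // The LDAP providers do not run the account-status checks themselves, so
        // honour the "enabled" column here if you want to disable a user in the
        // application without touching AD.
        if (!user.isEnabled()) {
            throw new DisabledException("Account " + key + " is disabled in the application");
        }
        return user;
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        // We never write back to AD; user records are managed in the directory.
        throw new UnsupportedOperationException("AD is read-only for this application");
    }

    /** Builds the AD provider with this mapper plugged in (domain and url are placeholders). */
    public static AuthenticationProvider adProvider(DataSource dataSource, String domain, String ldapUrl) {
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(domain, ldapUrl);
        provider.setUserDetailsContextMapper(new JdbcBackedAdContextMapper(dataSource));
        return provider;
    }
}
```

The resulting provider bean is referenced from the XML configuration with `<authentication-provider ref="..."/>` inside `<authentication-manager>`, as the answer says. Each AD user still needs a row in the users table: the reference schema declares the password column NOT NULL, so store a placeholder value there; the mapper never reads it, and the real credential check happens only against AD. Group membership is then maintained in group_members and the roles of each group in group_authorities, which is the users <-> groups <-> roles mapping the question asks for.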

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow