Some pointers more than anything required here.

I'm trying to get both X509 and LDAP working in my application. I want users to be authenticated using their PKI certs and then for the APP to get their authorities from our LDAP server.

I have LDAP working with a custom userDetailsContextMapper at the moment; however, how to add X509 properly stumps me a little.

I think what I want is a PreAuthenticatedAuthenticationProvider that uses an injected ldapUserDetails service.

How can I do that? Do I need a UserDetailsByNameServiceWrapper to wrap the LdapUserDetailsService up to be used within the pre-authentication provider?

I ask because unfortunately the testing platform and the development environment are detached at the moment, and I don't have a local LDAP or PKI set up to test against, so it's about a 6 hour process getting a new war onto the dev environment... Restrictive, I know... So I want to get it right the first time.

Cheers!


Solution

NOTE: the following works with Spring-Security-Core v1.2.7.3; configuration names are different in 2.0RC2.

Following a few different ideas, this is what I came up with. This assumes you already have LDAP working with a custom UserDetailsContextMapper (see: LDAP documentation):

Ensure both the LDAP and a PreAuthenticatedAuthenticationProvider are in the provider list:

// grails-app/conf/Config.groovy
// Bean names here must match the beans defined in resources.groovy
// (the pre-authenticated provider is declared below).
grails.plugins.springsecurity.providerNames = [
        'preAuthenticatedAuthenticationProvider',
        'ldapAuthProvider',
        'daoAuthenticationProvider',
        'anonymousAuthenticationProvider',
        'rememberMeAuthenticationProvider']

Then in your spring resources (grails-app/conf/spring/resources.groovy) configure the following beans:

// Looks the user up in LDAP and populates their authorities, but performs
// no authentication itself: the client certificate has already been
// validated by the container by the time this is called.
ldapUserDetailsService(org.springframework.security.ldap.userdetails.LdapUserDetailsService,
                       ref('ldapUserSearch'),
                       ref('ldapAuthoritiesPopulator')) {
    userDetailsMapper = ref('ldapUserDetailsMapper')
}

// Adapts the UserDetailsService to the AuthenticationUserDetailsService
// interface the pre-authenticated provider expects (it uses the token's
// principal name as the lookup key).
userDetailsByNameServiceWrapper(org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper) {
    userDetailsService = ref('ldapUserDetailsService')
}

// Consumes the PreAuthenticatedAuthenticationToken issued by the X509 filter.
preAuthenticatedAuthenticationProvider(org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider) {
    preAuthenticatedUserDetailsService = ref('userDetailsByNameServiceWrapper')
}

And Bob's your uncle, and you have some aunts!

For reference the pages I used to come up with this solution are:

  1. No AuthenticationProvider found using spring security

    Wrap your LdapUserDetailsService in a UserDetailsByNameServiceWrapper. Instead of the LdapAuthenticationProvider, configure a PreAuthenticatedAuthenticationProvider that will be able to process the PreAuthenticatedAuthenticationToken issued by your CustomX509AuthenticationFilter. Inject the wrapped LdapUserDetailsService into the PreAuthenticatedAuthenticationProvider.

  2. http://blog.serindu.com/2011/05/26/grails-spring-security-using-preauthenticated-authentication-provider/ Covers how to wire up a preAuthenticatedAuthenticationProvider in Grails

  3. http://forum.spring.io/forum/spring-projects/security/108467-combine-pre-authentication-with-ldap-for-user-details-and-authorities

    There's an LdapUserDetailsService that does all the good things the LdapAuthenticationProvider does, except for authentication.

  4. http://pwu-developer.blogspot.co.uk/2012/02/grails-security-with-cas-and-ldap.html more on how to wire up that ldapUserDetailsService

Hope this helps someone else!
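The same chain, written out in plain Java rather than Grails bean DSL so that the hand-offs are visible: X509AuthenticationFilter extracts a principal name from the client certificate's subject DN, wraps it in a PreAuthenticatedAuthenticationToken, and PreAuthenticatedAuthenticationProvider hands that name to UserDetailsByNameServiceWrapper, which calls LdapUserDetailsService.loadUserByUsername. This is an added example, not code from the answer above or from the Spring Security project; the LDAP URL, bind account, search bases and filters are placeholders, and it assumes Spring Security 3.1 or later for the ProviderManager list constructor.

```java
import java.util.Arrays;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;

/**
 * Hypothetical wiring (example only, not the page's or Spring's own code):
 *   X509AuthenticationFilter -> PreAuthenticatedAuthenticationToken
 *     -> PreAuthenticatedAuthenticationProvider
 *       -> UserDetailsByNameServiceWrapper -> LdapUserDetailsService
 * All server details below are placeholders.
 */
public class X509LdapWiring {

    public static LdapUserDetailsService ldapUserDetailsService() throws Exception {
        DefaultSpringSecurityContextSource contextSource =
            new DefaultSpringSecurityContextSource("ldap://ldap.example.com:389/dc=example,dc=com");
        contextSource.setUserDn("cn=app-reader,ou=service,dc=example,dc=com"); // read-only bind account
        contextSource.setPassword("change-me");                                 // placeholder secret
        contextSource.afterPropertiesSet();

        // {0} is bound by Spring LDAP with filter-value escaping, so the CN taken
        // from the certificate cannot change the structure of the search filter.
        FilterBasedLdapUserSearch userSearch =
            new FilterBasedLdapUserSearch("ou=people", "(uid={0})", contextSource);
        DefaultLdapAuthoritiesPopulator populator =
            new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups");
        populator.setGroupSearchFilter("(member={0})");

        LdapUserDetailsService service = new LdapUserDetailsService(userSearch, populator);
        // service.setUserDetailsMapper(yourCustomMapper); // same role as ldapUserDetailsMapper above
        return service;
    }

    public static AuthenticationManager authenticationManager() throws Exception {
        // Equivalent of the userDetailsByNameServiceWrapper bean: the token's
        // principal name becomes the LDAP lookup key.
        UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper =
            new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(ldapUserDetailsService());

        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(wrapper);
        // Fail the request outright when the certificate's CN has no LDAP entry,
        // instead of letting the next provider in the chain try the token.
        provider.setThrowExceptionWhenTokenRejected(true);
        provider.afterPropertiesSet();

        return new ProviderManager(Arrays.<AuthenticationProvider>asList(provider));
    }

    public static X509AuthenticationFilter x509Filter() throws Exception {
        SubjectDnX509PrincipalExtractor extractor = new SubjectDnX509PrincipalExtractor();
        // Must yield exactly the value that (uid={0}) matches in LDAP; change the
        // regex if your PKI carries the account name in a different RDN.
        extractor.setSubjectDnRegex("CN=(.*?)(?:,|$)");

        X509AuthenticationFilter filter = new X509AuthenticationFilter();
        filter.setPrincipalExtractor(extractor);
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }
}
```

Two things worth checking before the six-hour deploy: PreAuthenticatedAuthenticationProvider never verifies the certificate itself, it only trusts the name the filter extracted, so the servlet container (or the TLS terminator in front of it) must require a client certificate chained to your PKI's CA and nothing else; and the subject DN regex must pull out the same attribute value your LDAP search filter keys on, or every login will fail with a "user not found" rather than a misleading certificate error.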

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow