I'm having difficulties to read some operational attrs from user data coming with ldap authentication in spring. I know there's already bunch of Q&As about this subject but none of em really helped me. What I need is to get isMemberOf attrs. Our company LDAP admin says 'isMemberOf is an operational attr so it doesnt come with the regular ones from the ldap authentication response. Therefore you need to request them by name' and he gave me this shell command he uses for it to give me an idea to get them :
-bash-3.2$ ldapsearch -h XXX -p 10389 -b dc=entp,dc=tgc -e -1 -T -D "uid=XXX,ou=SpecialUsers,dc=entp,dc=tgc" -w XXX uid=XXX ismemberof
dn: uid=XXX,ou=people,o=XXX,dc=entp,dc=tgc
ismemberof: cn=3G01,ou=functionGroups,ou=Groups,dc=entp,dc=tgc
Spring versions in my project :
<spring.version>3.1.1.RELEASE</spring.version>
<spring.security.version>3.1.0.RELEASE</spring.security.version>
<spring.data.commons.version>1.3.1.RELEASE</spring.data.commons.version>
<spring.ldap.version>1.3.1.RELEASE</spring.ldap.version>
.properties file that stores ldap configuration :
app.ldap.url=ldap://XXX
app.ldap.manager.base=uid=XXX,ou=SpecialUsers,dc=entp,dc=tgc
app.ldap.manager.password=XXX
app.ldap.user.base=dc=entp,dc=tgc
app.ldap.user.filter=(uid={0})
app.ldap.user.role.key=ApplicationProfile
Beans definitons for authentication :
<beans>
<s:authentication-manager alias="authenticationManager">
<s:authentication-provider ref="ldapAuthProvider" />
</s:authentication-manager>
<bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="${ldap.url}" />
<property name="userDn" value="${ldap.manager.base}" />
<property name="password" value="${ldap.manager.password}" />
</bean>
<bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg ref="bindAuthenticator" />
<constructor-arg ref="authoritiesPopulator" />
<property name="userDetailsContextMapper" ref="userDetailsContextMapper" />
</bean>
<bean id="bindAuthenticator"
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource" />
<property name="userSearch" ref="userSearch"/>
</bean>
<bean id="userSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg value="${ldap.user.base}" />
<constructor-arg value="${ldap.user.filter}" />
<constructor-arg ref="contextSource" />
</bean>
<bean id="authoritiesPopulator"
class="core.spring.security.ldap.AttributeBasedLDAPAuthoritiesPopulator">
<constructor-arg value="${ldap.user.role.key}" />
</bean>
<bean id="userDetailsContextMapper"
class="core.spring.security.ldap.CustomUserDetailsContextMapper" />
</beans>
And when I debug getGrantedAuthorities(DirContextOperations userData, String username) function that populates authorities in my AttributeBasedLDAPAuthoritiesPopulator class, userData only includes these attrs and no other like isMemberOf (XXXs are actually some real data):
birthdate=birthdate: 06/28/1983,
givenname=givenName: Dummy User,
mobile=mobile: XXX,
workflowaccess=WorkflowAccess: 0,
objectclass=objectClass: mdsMVLink, top, person, inetOrgPerson, organizationalPerson, inetUser, inetAdmin, iplanet-am-managed-person, iPlanetPreferences, iplanet-am-user-service,
mdsmvlinktype=mdsMVLinkType: MV#CV1#A,
userpassword=userPassword: XXX,
mdsentityowner=mdsEntityOwner: MV,META,
ou=ou: XXX,
applicationprofile=ApplicationProfile: XXX
uid=uid: XXX,
mail=mail: XXX,
cn=cn: XXX,
managername=managerName: XXX,
manager=manager: uid=XXX,ou=people,o=XXX,dc=entp,dc=tgc,
employeenumber=employeeNumber: TEST15,
functionalgroupname=functionalgroupname: dummy-functionalgroupname,
mdslinktocv=mdsLinkToCV: MV#CV1#uid=DUMMY,ou=Employees,
status=status: 1,
mdsmvmembership=mdsMVMembership: CV1#True,
inetuserstatus=inetUserStatus: Active,
description=description: XXX,
sn=sn: for TEA project,
organization=Organization: XXX
So my question is how can I get isMemberOf attrs too with these ones?
What i've tried so far:
1- Adding another filter in .properties to include ismemberof
app.ldap.user.filter=(&(uid={0})(ismemberof=*))
2- Making isMemberOf the keyword for roles
app.ldap.user.role.key=isMemberOf
3- Tried to get it explicitly from userData in populator class
userData.getObjectAttributes("isMemberOf")
You need to add the attribute ismemberof to the requested attributes of your userSearch bean:
<bean id="userSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg value="${ldap.user.base}" />
<constructor-arg value="${ldap.user.filter}" />
<constructor-arg ref="contextSource" />
<property name="returningAttributes">
<list>
<value>*</value>
<value>ismemberof</value>
</list>
</property>
</bean>
You need to specify both values (* and ismemberof) because of the behaviour of ldap server:
if you don't specify attribute names, it will return all user attributes
if you specify attribute names, it will return exactly those attribute (whether user attribute or operational attribute)
if you want all user attributes and some operational attributes, you specify * for all user attributes and list all the operational attributes you want
Related
I am pretty new for Java/Spring. If need more information, please don't hesitate to point out.
First, I tested below codes in Javascript(nodejs) which worked fine.
var ldap = require('ldapjs');
var client = ldap.createClient({
url: 'ldap://xx.xx.xx.xx:389'
});
client.bind('domain\\user1', 'user1_password', function (err) {
if (err) {
throw err;
return
}
var opts = {
filter: '(sAMAccountName=user2)',
scope: 'sub',
attributes: ['l', 'sn', 'cn', 'mail', 'displayName', 'postalCode', 'physicalDeliveryOfficeName', 'telephoneNumber' ]
};
client.search('dc=aaa,dc=bbb,dc=ccc', opts, function(err, res) {
res.on('searchEntry', function(entry) {
Object.entries(entry.object).forEach(([key, value]) => {
console.log('Found Attribute: ', key, '; value:', value)
})
});
});
Then follow this guide:
http://forum.spring.io/forum/spring-projects/security/110491-how-to-modify-authority-after-loading-it-from-ldap
I applied the configurations which are same as above into spring/security.xml, like:
<bean id="customUserContextMapper" class="com.my.own.util.CustomUserDetailsMapper"/>
<sec:authentication-manager>
<sec:ldap-authentication-provider
user-search-base="dc=aaa,dc=bbb,dc=ccc"
user-search-filter="(sAMAccountName={0})"
user-context-mapper-ref="customUserContextMapper"
/>
</sec:authentication-manager>
<sec:ldap-server url="ldap://xx.xx.xx.xx:389/"
manager-dn="domain\user1"
manager-password="user1_password"
/>
But it failed.
If submitted (http-post) one form (username uses domain\username) like username=domain%5Cuser1&password=user1_password&submit=Login, it returned Reason: Bad credentials
If submitted (http-post) one form (username doesn't enclose domain) like username=user1&password=user1_password&submit=Login, it returned 500 error:
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, best match of:
''
]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, best match of:
''
]; remaining name ''
For the first case, it seems the entry exists but failed to validate the password. so return bad credentials.
For the second case, the error seems to say search filter is wrong ( as CAS AD LDAP 32 error pointed out)
But I am sure I typed in correct username and password, and the search-filter is same as which already been tested in nodejs.
Already stuggled with this issue for a long time, but can't find one solution.
Appreciate for any suggestions and solutions.
Note: I set up breakpoint at the entry of the class=com.my.own.util.CustomUserDetailsMapper, but it never been triggered, so I didn't enclose its codes.
Finally, I found below configuration working well.
Below <bean id="ldapAuthProvider"> construct two arguments,
First arg: it will verify the username and password which the end user fills in at the front end.
Second arg: once succeed to pass through the authenticator, it will invoke our own populator (<bean class="com.my.own.util.MyCustomLdapAuthPopulator">) to assign the appropriate roles or do something else you'd like.
<sec:authentication-manager>
<sec:authentication-provider
ref="ldapAuthProvider"
>
</sec:authentication-provider>
</sec:authentication-manager>
<bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider" >
<constructor-arg>
<bean id="authenticator"
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource" />
<property name="userSearch">
<bean
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg value="dc=aaa,dc=bbb,dc=ccc" />
<constructor-arg value="(sAMAccountName={0})" />
<constructor-arg ref="contextSource" />
</bean>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="com.my.own.util.MyCustomLdapAuthPopulator">
<constructor-arg ref="contextSource" />
<constructor-arg value="dc=aaa,dc=bbb,dc=ccc" />
<property name="searchSubtree" value="true" />
<property name="ignorePartialResultException" value="true" />
<property name="groupSearchFilter" value="(member={0})" />
</bean>
</constructor-arg>
</bean>
<bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource" >
<constructor-arg value="ldap://xx.xx.xx.xx:389/" />
<property name="userDn" value="domain\user1" />
<property name="password" value="user1_password" />
</bean>
Below is one simple implementation for our own populator.
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
public class MyCustomLdapAuthPopulator extends DefaultLdapAuthoritiesPopulator {
#Autowired
public MyCustomLdapAuthPopulator(ContextSource contextSource, String groupSearchBase) {
super(contextSource, groupSearchBase);
// TODO Auto-generated constructor stub
}
#Override
protected Set<GrantedAuthority> getAdditionalRoles(DirContextOperations user, String username) {
Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
authorities.add((new SimpleGrantedAuthority("ROLE_XXX")));
return authorities;
}
}
After upgrading to Spring 4.3.3.RELEASE i get the error:
Request method 'POST' not supported
My application is a basic template and the home view is rendered via
<mvc:view-controller path="/" view-name="home.view"/>
It works fine on Spring 4.2.8.
Any hint to solve the problem?
We ran into the same problem. It turns out that, at some point, the ParameterizableViewController was changed to only support GET and HEAD requests.
We resolved this by replacing the definition with something like this:
<bean id="homeController" class="org.springframework.web.servlet.mvc.ParameterizableViewController">
<property name="supportedMethods" value="GET,POST,PUT,DELETE" />
<property name="viewName" value="home.view" />
</bean>
<bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="mappings">
<map>
<entry key="/" value-ref="homeController"/>
</map>
</property>
</bean>
Essentially, this allows you to create a ParameterizableViewController with whatever supported HTTP methods you wish. The second bean creates the mapping so that the path "/" resolves to the defined controller.
ParameterizableViewController default supported methods are GET,HEAD we are check it with the following code snippet.
ParameterizableViewController pvc=new ParameterizableViewController();
String[] str=pvc.getSupportedMethods();
for(String x:str) {
System.out.println(x);
}
in order to add POST or any HTTP method, we need to add this XML tag in our bean tag.
<bean id="testUrl"
class="org.springframework.web.servlet.mvc.ParameterizableViewController">
<property name="supportedMethods" value="GET,POST,PUT,DELETE" />
<property name="viewName" value="success" />
</bean>
I am new to spring. Admins of my spring based web app want to configure settings from the web interface, so users can authenticate against LDAP server with their company username and password.
Change in LDAP settings should be possible without restarting the application. This might happen during a 'migration' or whatever reason. I have a couple beans, which need to be refreshed after the admin saves new settings for the LDAP server:
<bean id="ldapServer" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg>
<list>
<value>${ldap.url1}</value>
...
</list>
</constructor-arg>
<constructor-arg value="${ldap.basedn}"</constructor-arg>
<property name="referral" value="${ldap.referral}" />
<property name="baseEnvironmentProperties">...</property>
<property name="userDn" value="${ldap.username}" />
<property name="password" value="${ldap.password}" />
</bean>
I am using Springframework 3.1.2. The problem is, there are constructor arguments, which I want to change and not affect other running jobs. I tried playing with Scoped proxy, but not to much success yet:
<bean id="ldapServer" scope="prototype" ...>
<aop:scoped-proxy/>
I was successful though to get ldapServer to reinstantiate, when using prototype scope by running this piece of code:
#Controller
public class LDAPSettingsController implements ApplicationContextAware {
public ModelAndView handleRequest(...) {
DefaultSpringSecurityContextSource ldap;
ldap = context.getParentBeanFactor().getBean("ldapServer");
System.out.println(ldap.hashCode());
return new ModelAndView(new RedirectView('login.jsp'));
}
...
}
Are scopes and proxies here the way to go, or is the another mechanism in Spring to reflect configuration changes into a running program instance?
UPDATE: Clear up the question.
UPDATE: The root problem with the AOP proxies was following root exception:
java.lang.IllegalArgumentException: Superclass has no null constructors but no arguments were given
What worked was adding proxy-target-class="false" attribute to the <aop:scoped-proxy/> tag. I created a new scope, which works better than prototype - It destroys beans on settings update. Now I have this in my beans.xml:
<bean class="org.springframework.beans.factory.config.CustomScopeConfigurer">
<property name="scopes">
<map>
<entry key="ldap">
<ref bean="ldapScope" />
</entry>
</map>
</property>
</bean>
<bean id="ldapScope" class="com.myapp.SettingsScope" />
<bean id="ldapServer" scope="ldap" ...>
<aop:scoped-proxy proxy-target-class="false"/>
<constructor-args>
<list><value>${ldap.url1}</value> .. </list>
</constructor-args>
...
</bean>
I also have a controller for LDAP settings into which I inject ldapScope and I call a method which destroys current life-cycle objects and starts a new life-cycle every time, user presses the apply button.
PS: Not sure if I handle the life-cycle "re-start" in the right way - people my way to look for auto-start beans and start them after such event happens (i.e.: Setting -> Apply)
I'm trying to add a simple redirect into a web application built in Restlets, and it's proving non-trivial. The task is a simple one: I want to actually redirect all missing files from a web application to the same static file.
I'm using org.restlet.routing.Redirector with the following values (I'm using Spring injection):
<bean name="router" class="org.restlet.ext.spring.SpringRouter">
<constructor-arg ref="trackerComponentChildContext" />
<property name="attachments">
<map>
<entry key="/api" value-ref="apiRouter" />
<entry key="/statics" value-ref="staticsDirectory" />
<entry key="/" value-ref="staticsRedirector" />
</map>
</property>
</bean>
<bean id="staticsRedirector" class="ca.uhnresearch.pughlab.tracker.restlets.CustomRedirector">
<constructor-arg ref="trackerComponentChildContext" />
<constructor-arg value="{o}/statics/index.html" />
<constructor-arg value="7" />
</bean>
I can play with the file hierarchy relatively simply, but I just want to send anything that doesn't match either /api or /statics to /statics/index.html within the same application.
Restlet is almost getting it, and it does seem now to pick up the reference to the correct file, it just doesn't quite serve it.
I've put a working copy of the whole thing (including Thierry's suggestions below) at: https://github.com/morungos/restlet-spring-static-files. What I'd like to happen is something like the equivalent sequential attempts below:
curl http://localhost:8080/statics/**/* to hit the corresponding /statics/**/*
curl http://localhost:8080 to hit the main /statics/index.html
curl http://localhost:8080/**/* to hit the main /statics/index.html
I made some tests regarding your issue and I can't figure out how to have your message :-(. Perhaps it's because I haven't the whole code.
In fact, I saw a problem at the level of the SpringRouter itself. I would like to attach the redirector with an attachDefault and not an attach("/", ...) / attach("", ...). The method setDefaultAttachment actually does an attach("", ...).
So I made work something with the following updates:
Create a custom SpringRouter
public class CustomSpringRouter extends SpringRouter {
public void setDefaultAttachment(Object route) {
if (route instanceof Redirector) {
this.attachDefault((Restlet) route);
} else {
super.setDefaultAttachment(route);
}
}
}
Create a custom Redirector. I got the context from the component instead of a child context.
public class CustomRedirector extends Redirector {
public CustomRedirector(Component component, String targetPattern, int mode) {
super(component.getContext(), targetPattern, mode);
}
}
I then use the following Spring configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="myComponent" class="org.restlet.ext.spring.SpringComponent">
<property name="defaultTarget" ref="router" />
</bean>
<bean name="router" class="test.CustomSpringRouter">
<property name="attachments">
<map>
<entry key="/api" value-ref="apiRouter" />
<entry key="/statics" value-ref="staticsDirectory" />
</map>
</property>
<property name="defaultAttachment" ref="staticsRedirector" />
</bean>
<bean id="staticsRedirector" class="test.CustomRedirector">
<constructor-arg ref="myComponent" />
<constructor-arg value="{o}/statics/index.html" />
<constructor-arg value="7" />
</bean>
<bean name="apiRouter" class="org.restlet.ext.spring.SpringRouter">
(...)
</bean>
(...)
</beans>
Hope it helps you,
Thierry
I am using both Spring security and Spring i18n. This is my security config:
<security:http access-denied-page="/denied.htm">
<security:form-login login-page="/login.htm"
authentication-failure-url="/login.htm?login_error=true" />
<security:intercept-url pattern="/denied.htm" filters="none"/>
<security:intercept-url pattern="/login.htm*" filters="none"/>
<security:intercept-url pattern="/*" access="IS_AUTHENTICATED_FULLY" />
<security:logout/>
</security:http>
Besides that, I have set authenticationManager for database with MD5 encoding for password. Security work just fine. My i18n config is:
<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="messages" />
</bean>
It works fine with reading locales from web browser's HTTP request, but I want it to change locale if I click on the link on the page (adds ?lang=hr parameter to current page). So when I add this, locale doesn't change at all:
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang" />
</bean>
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.SessionLocaleResolver">
<property name="defaultLocale" value="en"/>
</bean>
<bean id="handlerMapping" class="org.springframework.web.servlet.mvc.support.ControllerClassNameHandlerMapping">
<property name="interceptors">
<ref bean="localeChangeInterceptor" />
</property>
</bean>
So I have few questions.
Why the locale interception suddenly doesn't work and how to fix it?
How to read the current chosen locale for user's session from java class? I have java class where I need to fetch spring's message from message_en.properties or message_hr.properties file. Jasper report.
I need to add some interceptor (or something like that) to restrain user with default password only to work with /changePassword.htm page. What is the simplest solution?
Many thanks
Why the locale interception suddenly doesn't work and how to fix
it?
I guess: To "fix" you local interceptor, you should check, that the local interceptor can be invoked even if the user is not logged in.
_2. How to read the current chosen locale for user's session from java
class?
Use the RequestContext.getLocale() method.
#see http://static.springsource.org/spring/docs/2.0.x/reference/mvc.html#mvc-localeresolver
added
The best place (in design/architecure) to obtain the local form the request is the web controller. If you are using Spring 3.0 you can obtain the HttpServletRequest directly if you put an parameter of this type to your Controller Request Handler Method. But you have an better choise: just add a Local parameter to your controller handler method
#see http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/mvc.html#mvc-ann-requestmapping-arguments
_3. I need to add some interceptor (or something like that) to restrain user
with default password only to work
with /changePassword.htm page. What is
the simplest solution?
One way (may not the simplest, and a one that needs documentation) is to give a user with the default passwort not the full set of priveleges (ony the privileges that he need to set the new password), after chaning tha password, give the user the full set of privileges, which allow him to do all the other stuff.
Try registering localeChangeInterceptor this way. It worked for me.
<mvc:interceptors>
<bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang"></property>
</bean>
</mvc:interceptors>