What is the syntax for performing a case-insensitive match on a uid attribute? If attribute definition matters then how would that be changed?
In particular I am using ApacheDS for my LDAP store.
(uid=miXedCaseUSer) will match a uid of mixedcaseuser.
According to the OID Description for 0.9.2342.19200300.100.1.1 - Userid userId is defined to have EQUALITY MATCHING RULE caseIgnoreMatch
This means it is one of the attribute definitions that employ case-insensitive matching by default.
I think they are case insensitive by default, unless its a password attribute.
Related
The javax.ws.rs.core.UriInfo class defines getPathParameters() to return a MultivaluedMap<String,String>, and the javadoc of the interface reads:
Get the values of any embedded URI template parameters.
The "embedded URI template parameters" this is referring to are those defined in javax.ws.rs .Path, where the #Path.value() represents a URI template that contains curly-brace-delimited parameter names, specifying an optional regex pattern to match segments in a URI, or "a default value of [^/]+" is used if no regex is provided.
The URI template is compiled into a regex for the purpose of matching against request URIs.
The "path parameters" that javax.ws.rs.core.UriInfo.getPathParameters() is referring to are constructed during the matching operation between a URI template regex and a request URI. If a match is found, then each of the named groups in the URI template's regex (defined by the curly-brace-delimited parameter names) is dereferenced, and the values are stored in a map.
And so, we come to the map: a MultivaluedMap<String,String>.
From my understanding, and having read the reference implementation of this logic in org.apache.cxf.jaxrs.model.URITemplate, how is it possible that a parameter name could have multiple values?
The only way I can see that this would be possible is if a curly-brace-delimited parameter name is repeated in a #Path.value() -- i.e. something like #Path("{foo}/bar/{foo}").
Does anyone know where the spec on this subject is specified?
Is there any other way that a curly-brace-delimited parameter name could have multiple values for a single request URI?
Thank you for your help!
The tutorial at https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory explains how to set up Spring Security with authentication at Microsoft Azure Active Directory.
Disregarding from two little differences (explained here OpenID Connect log in in with Office 365 and spring security ) this works fine.
In my application.properties there is this property:
azure.activedirectory.active-directory-groups=myADUserGroup
(Hint: azure.activedirectory.active-directory-groups seems to be the deprecated version of the newer azure.activedirectory.user-group.allowed-groups ...)
I don't want to limit on particular groups. Every user with a valid Microsoft account is OK for my use case.
Leaving the property blank or even deleting the property leads to this exception:
Caused by: java.lang.IllegalStateException: One of the User Group Properties must be populated. Please populate azure.activedirectory.user-group.allowed-groups
at com.microsoft.azure.spring.autoconfigure.aad.AADAuthenticationProperties.validateUserGroupProperties(AADAuthenticationProperties.java:148) ~[azure-spring-boot-2.3.1.jar:na]
A possible workaround is to enter some arbitrary group name for the property in application.properties:
azure.activedirectory.active-directory-groups=some-arbitrary-group-name-doesnt-matter
and just do not use #PreAuthorize("hasRole('[group / role name]')").
This works (as long as your app is not interested in the role names) but it does not feel correct.
A) Is there a "right" way to set a wildcard active-directory-group?
B) org.springframework.security.core.Authentication.getAuthorities() seems to deliver only those group names / role names that are entered in that property, so the workaround delivers none (but ROLE_USER). I want to read all the groups / roles at the user. So I ask a second question: How can I get all roles from org.springframework.security.core.Authentication.getAuthorities() without knowing all of them and especially without entering all of them into the "azure.activedirectory.active-directory-groups" property?
For now, it does not support to set a wildcard for azure active directory group.
You can give you voice to azure ad feedback and if others have same demand will voteup you. Much vote will promote this feature to be achieve.
It's not a group wildcard, but if stateless processing suits your need,
azure.activedirectory.active-directory-groups=...
may be replaced with
azure.activedirectory.session-stateless=true
This will activate AADAppRoleStatelessAuthenticationFilter instead of AADAuthenticationFilter, which doesn't require specifying groups via azure.activedirectory.active-directory-groups.
The roles you want to use have to declared in the application manifest
As there is no support for a wildcard for groups at the moment, I built a workaround by ignoring whether the user group is valid or not.
For this I made a copy of com.microsoft.azure.spring.autoconfigure.aad.AzureADGraphClient and commented out this code snippet:
.filter(this::isValidUserGroupToGrantAuthority)
and I made a copy of com.microsoft.azure.spring.autoconfigure.aad.AADOAuth2UserService with
graphClient = new MyAzureADGraphClient(...
instead of
graphClient = new AzureADGraphClient(...
And in the SecurityConfiguration I injected the AAD properties:
#Autowired(required = false) private AADAuthenticationProperties aadAuthenticationProperties;
#Autowired(required = false) private ServiceEndpointsProperties serviceEndpointsProps;
and called my own AADOAuth2UserService in void configure(HttpSecurity http):
EvaAADOAuth2UserService oidcUserService = new EvaAADOAuth2UserService(aadAuthenticationProperties, serviceEndpointsProps);
httpSecurity.oauth2Login().loginPage(LOGIN_URL).permitAll().userInfoEndpoint().oidcUserService(oidcUserService);
I am using Spring and Java for an application, and I want to use the #Value annotation to inject the value of the property, my use case is that I want first to check if that property exists as system property (so it takes priority), and otherwise default to a configuration property (existing in the properties file)
In the commented code you can see what I am trying to achieve, is that possible to default to something else that a simple string? If it is not, how can I achieve this?
//#Value("#{configProperties['local.datasource.username']}") THIS IS THE ORIGINAL CODE
//#Value("#{systemProperties['some.key'] ?: 'my default system property value'}") THIS IS HOW SPRING PROPOSE TO SET A DEFAULT VALUE
//#Value("#{systemProperties['some.key'] ?: #{configProperties['local.datasource.username']}}") THIS IS WHAT I WANT TO ACHIEVE, HOWEVER NOT COMPILING,
private String username;
What you are looking for are simple Property Palceholders.
While the Spring Expression Language supports the #{} syntax for rather complex expressions (ternary, calls, expressions, math), injecting property values and defaults is in most cases better done using a simple property placeholder ${value:defaultValue} approach:
#Property("${some.key:local.datasource.username}")
private String username;
Where some.key is being resolved (independent of its origin), and if that is null, Spring defaults to the value of local.datasource.username.
Please keep in mind, that even if some.key is present, Spring will throw an exception when it can't resolve your default property.
See also:
Spring Expression Language (SpEL) with #Value: dollar vs. hash ($ vs. #) and
A Quick Guide to Spring #Value
.userSearchBase("ou=people")
.userSearchFilter("(uid={0})")
.groupSearchBase("ou=groups")
.groupSearchFilter("member={0}")
Could anyone explain me what does it mean these filter ?
Whats the difference between base and search filter ? Moreover, whoat does it mean member={0} ?
As per documentation
public LdapAuthenticationProviderConfigurer<B> userSearchBase(String userSearchBase)
Search base for user searches. Defaults to "". Only used with userSearchFilter(String).
Parameters:
userSearchBase - search base for user searches
Returns:
the LdapAuthenticationProviderConfigurer for further customizations
user-search-base is used to point to the base path where to
find user information.
public LdapAuthenticationProviderConfigurer<B> userSearchFilter(String userSearchFilter)
The LDAP filter used to search for users (optional). For example "(uid={0})". The substituted parameter is the user's login name.
Parameters:
userSearchFilter - the LDAP filter used to search for users
Returns:
the LdapAuthenticationProviderConfigurer for further customizations
user-search-filter is the attribute name that contains the user name.
public LdapAuthenticationProviderConfigurer<B> groupSearchBase(String groupSearchBase)
The search base for group membership searches. Defaults to "".
Parameters:
groupSearchBase -
Returns:
the LdapAuthenticationProviderConfigurer for further customizations
So group-search-base is the base path where to find role information.
public LdapAuthenticationProviderConfigurer<B> groupSearchFilter(String groupSearchFilter)
The LDAP filter to search for groups. Defaults to "(uniqueMember={0})". The substituted parameter is the DN of the user.
Parameters:
groupSearchFilter - the LDAP filter to search for groups
Returns:
the LdapAuthenticationProviderConfigurer for further customizations
So group-search-filter is the attribute name that contains the full dn(distinguished name) of a user.
I've a problem with a GET operation in a REST WS. We have a Front-end panel with several filters for searching customers. The panel contains these filters:
Customer ID (Customer property)
Customer Name (Customer property)
Account number (Account property)
License plate (Vehicle property)
...
In the domain model we have 3 entities:
Customer
Account (A customer could have 1 or more accounts)
Vehicle (An account could have 1 or more vehicles)
How can I implement REST GET operation for this seach?
GET ..../customers/?name={name}&accountNum={accountNumber}&licensePlate={licensePlate} ?????
I think it is wrong because accountNumber and licensePlate don´t belong to customer resource. I don´t need these properties in the result expected.
I think about create new resource like customerFilter but It is no sense if I have to return a customer resource.
Any idea?
Thank you!
It will not pretend to be a specific answer for your question. But I think it will clarify something related to GET method.
According with URI Specification - RFC 3986 and Http Specification - RFC 7230, there are 3 kinds of ways to send data from client to server: via query, via path or via message-body.
When you are using GET method, it is not recommended to use message-body, because GET method can be cached for improving performance stuffs and these caches could ignore the message-body or reject the request:
A payload within a GET request message has no defined semantics;
sending a payload body on a GET request might cause some existing
implementations to reject the request.
So, you can choose now query or path. Both are in URL in this format:
http://example.com/{path1}/{path2}?query1=value1&query2=value2
What are the differences between these? according with RFC 3986 - Path and RFC 3986 - Query:
The path component contains data, usually organized in hierarchical
form, that, along with data in the non-hierarchical query component
(Section 3.4), serves to identify a resource within the scope of the
URI's scheme and naming authority (if any).
The query component contains non-hierarchical data that, along with
data in the path component (Section 3.3), serves to identify a
resource within the scope of the URI's scheme and naming authority
(if any).
As conclusion, you can design whatever you want. You can use for example:
GET .../customers?name={name}&accountNum={accountNumber}&licensePlate={licensePlate}
GET .../customers/{customerId}/
GET .../customers?customerId=12345
I don't see any issue with the url you have but your concern is also valid.
There is something that we need to take into consideration in this scenario. With this search what you expect to get as the response of the API call?
If you want response should contain information about customer only, when the search condition gets satisfied then /customer is right.
If you want some generic response consisting of Customer, Account and Vehicle info, you can have some generic terminology instead of customer in the url.
I hope this will help you.
Thanks :)