Extending header pre-authentication to using LDAP?
Hi,
I have been able to configure header pre-authentication following the example configuration at:
http://static.springsource.org/sprin...e/preauth.html
At this point, my test configuration uses an in-memory userDetailsService:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- FROM OWF Context Security -->
<sec:http auto-config='true'>
<sec:intercept-url pattern="/unauthorized.jsp" filters="none" />
<sec:intercept-url pattern="/css/jblock-style.css" filters="none" />
<sec:intercept-url pattern="/js-lib/ext-*/**" filters="none"/>
<sec:intercept-url pattern="/themes/common/images/logout/**" filters="none" />
<sec:intercept-url pattern="/logout.jsp" filters="none" />
<sec:intercept-url pattern="/administration/monitoring" access="ROLE_ADMIN" />
<sec:intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https" />
<sec:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" requires-channel="https" />
<!-- From Spring HEADER pre-auth example -->
<sec:custom-filter position="PRE_AUTH_FILTER" ref="oamHeaderFilter" />
</sec:http>
<!-- From Spring HEADER pre-auth example -->
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="preauthAuthProvider" />
</sec:authentication-manager>
<!-- From Spring HEADER pre-auth example -->
<bean id="oamHeaderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="OAM_REMOTE_USER"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<!-- From Spring HEADER pre-auth example -->
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
</property>
</bean>
<!-- CANNED userDetailsService from: http://forum.springsource.org/showthread.php?114367-SSO-PreAuthentication-with-In-Memory-User-Store& -->
<sec:user-service id="userDetailsService">
<sec:user name="0test" password="" authorities="ROLE_USER,ROLE_ADMIN,administrators,manager" />
<sec:user name="7test" password="" authorities="ROLE_USER,ROLE_ADMIN" />
</sec:user-service>
</beans>
Now, I'd like to extend this header pre-authentication configuration so that rather using the users in the above userDetailService, it'd retrieve the user and the user's role information from an LDAP server, similar to how JNDIRealm works in Tomcat (e.g., the pre-authenticated user's group membership determining roles).
However, I am really new to working with Spring security, and am at pretty much of a loss as to how to proceed to accomplish that. Are there any examples of doing something like that, or can someone offer some pointers as to how to proceed?
Also, is this usage scenario something that could be done out-of-box with Spring security, or will it require some custom code (which would be fine... I just would like to know)?
Thanks,
Jim
