Mixing Namespace and bean config in getting authorities from AD LDAP server
I am currently using Spring security 3.0.7 to authenticate and authorize users in our webapp.
We authenticate with x509 client certs and want to get authorities from our 2008 AD/LDAP server.
I can authenticate with my client cert but the getting of authorities fails with a "Unprocessed Continuation Reference; remaining name '' " exception
I am attempting to work through the fixes for this but I think I am incorrectly wiring up the beans portion. I think this because I stepped the code and saw that my settings for the authoritiesPopulator were not being used and rather the defaults were being used.
Despite using the Spring Security 3 book by Peter Mularien I am still lost.
security config below . Any help appreciated.
Code:<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"/> <http auto-config="true" use-expressions="true"> <intercept-url pattern="/css/**" filters="none" /> <intercept-url pattern="/js/**" filters="none" /> <intercept-url pattern="/img/**" filters="none" /> <intercept-url pattern="/login" access="permitAll" /> <intercept-url pattern="/logout" access="permitAll" /> <intercept-url pattern="/**" access="hasRole("ROLE_ADMIN")" /> <intercept-url pattern="/**" access="hasRole("ROLE_USER_GROUPA")" /> <intercept-url pattern="/**" access="hasRole("ROLE_USER_GROUPB")" /> <x509 subject-principal-regex="CN(.*?)," user-service-ref="ladpUserService"/> </http> <authentication-manager alias="authenticationManager"> <authentication-provider> <user-service> <!-- A User with this cert name can authenticate and get this role correctly --> <user authorities="ROLE_ADMIN" name="test_user"> <!-- I would really like to be able to add authorities for groups similar to this construct, where group=AD group <user authorities="ROLE_USER_GROUPA" group="GROUPA"> <user authorities="ROLE_USER_GROUPB" group="GROUPB">--> </user-service> </authentication-provider> </authentication-manager> <ldap-user-service id="ldapUserService" server-ref="ldapServer" user-search-filter="(cn={0})"/> <ldap-server id="ldapServer" url="x.x.x.x:389/DC=com,DC=test,DC=server" manager-dn="CN=LookupUser,CN=Users,DC=com,DC=test,DC=server" manager-password="secret"/> <beans:bean id="authoritiesPopulator" class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator"> <beans:constructor-arg ref="contextSource" /> <beans:constructor-arg value="CN=Users" /> <beans:property name="searchSubtree" value="true" /> <beans:property name="groupSearchFilter" value="(memberOf={0})" /> </beans:bean> <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> <beans:constructor-arg value=""x.x.x.x:389/DC=com,DC=test,DC=server"/> <beans:property name="userDn" value="CN=LookupUser,CN=Users,DC=com,DC=test,DC=server"/> <beans:property name="password" value="secret"/> <beans:property name="base" value=""/> <beans:property name="baseEnvironmentProperties"> <beans:map> <beans:entry key="java.naming.refferal" value="follow"/> </beans:map> </beans:property> </beans:bean> </beans:beans>
Reply With Quote