
Thread: Use Ldap for authentication, and database for authorities

  1. #1
    Join Date
    Jun 2009
    Posts
    10

    Default Use Ldap for authentication, and database for authorities

    I need to use LDAP for authentication and the database for authorization with Spring Security. When I enter the login/password on the login page, nothing happens!
    What am I doing wrong?

    applicationcontext-spring.xml
    Code:
        <security:http auto-config="false" access-denied-page="/accessDenied.jspx">
            <security:intercept-url pattern="/secured/**"
                                    access="ROLE_ALLACCESS, ROLE_URLACCESS"/>
            <security:form-login login-page="/springSecurityLogin.jspx"
                                 default-target-url="/secured/welcome.jspx"/>
            <security:anonymous />
            <security:http-basic />
            <security:logout logout-success-url="/logoutSuccess.jspx" />
            <security:concurrent-session-control max-sessions="1" />
        </security:http>

        <!-- Service account used for directory lookups; the user's own bind is done by the authenticator -->
        <bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
            <constructor-arg value="ldap://name:389"/>
            <property name="userDn" value="uid=login,ou=people,o=compagny"/>
            <property name="password" value="password"/>
        </bean>

        <!-- LDAP does the authentication; the populator supplies the authorities from the database -->
        <bean id="ldapAuthProvider"
              class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
            <constructor-arg ref="authenticator"/>
            <constructor-arg ref="populator"/>
            <security:custom-authentication-provider/>
        </bean>

        <!-- Binds as the user, with the DN built from the pattern -->
        <bean id="authenticator" class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg ref="contextSource"/>
            <property name="userDnPatterns">
                <list>
                    <value>uid={0},ou=people,o=compagny</value>
                </list>
            </property>
        </bean>

        <bean id="populator" class="com.app.security.UserDetailsAuthoritiesPopulator">
            <constructor-arg ref="userService" />
        </bean>
    Authorities Populator
    Code:
    import java.util.HashSet;
    import java.util.List;
    import java.util.Set;

    import org.springframework.ldap.core.DirContextOperations;
    import org.springframework.security.GrantedAuthority;
    import org.springframework.security.GrantedAuthorityImpl;
    import org.springframework.security.ldap.LdapAuthoritiesPopulator;
    import org.springframework.security.userdetails.UsernameNotFoundException;

    public class UserDetailsAuthoritiesPopulator implements LdapAuthoritiesPopulator {

        private final IUserService userService;

        public UserDetailsAuthoritiesPopulator(IUserService userService) {
            this.userService = userService;
        }

        // Called by LdapAuthenticationProvider after the LDAP bind has succeeded;
        // the roles come from the application database, not from the directory.
        public GrantedAuthority[] getGrantedAuthorities(DirContextOperations userData, String username) {
            Set<GrantedAuthority> userPerms = new HashSet<GrantedAuthority>();

            System.out.println("entering getGrantedAuthorities");

            // get the user's permissions from the service
            User user = userService.findUser(username);
            if (user == null) {
                // authenticated in LDAP but unknown to the application: fail instead of an NPE
                throw new UsernameNotFoundException("No database user for " + username);
            }
            List<Role> permissions = user.getRoleList();

            for (Role perm : permissions) {
                System.out.println("perm : " + perm.getName());
                userPerms.add(new GrantedAuthorityImpl(perm.getName()));
            }
            return userPerms.toArray(new GrantedAuthority[userPerms.size()]);
        }

    }
    JSF login bean
    Code:
    import java.io.IOException;
    import java.net.URLEncoder;

    import javax.faces.application.FacesMessage;
    import javax.faces.context.FacesContext;
    import javax.faces.event.ActionEvent;

    import org.springframework.security.ui.AbstractProcessingFilter;

    public class LoginBean {
        private String userId;
        private String password;

        public LoginBean() {
            // Spring Security stores the last failure (e.g. BadCredentialsException) in the session
            Exception ex = (Exception) FacesContext.getCurrentInstance()
                    .getExternalContext()
                    .getSessionMap()
                    .get(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY);

            if (ex != null) {
                FacesContext.getCurrentInstance().addMessage(null,
                        new FacesMessage(FacesMessage.SEVERITY_ERROR, ex.getMessage(), ex.getMessage()));
            }
        }

        public void login(ActionEvent e) throws IOException {
            // Redirecting to j_spring_security_check puts the password in the URL (browser history,
            // proxy and server logs); posting the login form to it directly avoids that.
            // The parameters must be URL-encoded, or a '&' or '%' in either field breaks the request.
            FacesContext.getCurrentInstance().getExternalContext().redirect(
                    "/app/j_spring_security_check?j_username=" + URLEncoder.encode(userId, "UTF-8")
                            + "&j_password=" + URLEncoder.encode(password, "UTF-8"));
        }

        public String getUserId() { return userId; }
        public void setUserId(String userId) { this.userId = userId; }
        public String getPassword() { return password; }
        public void setPassword(String password) { this.password = password; }
    }

  2. #2
    Join Date
    Jun 2009
    Posts
    10

    Default in addition

    If I do a netstat -a after login I can see the LDAP connection.
    But the Eclipse console remains empty and there are no error messages!

  3. #3
    Join Date
    Mar 2009
    Location
    London
    Posts
    22

    Default

    Set your logging to TRACE level, and you should see a bit more info.

  4. #4
    Join Date
    May 2008
    Posts
    153

    Default typo

    I'm guessing it's a root DN problem:
    Code:
    <value>uid={0},ou=people,o=compagny</value>

  5. #5
    Join Date
    Jun 2009
    Posts
    10

    Default Thanks to all!

    Thanks to all! I have set the searchSubtree property to true for the LDAP authorities populator and it works!
    Now I have another problem.
    I have read the FAQ, but I don't understand how to log in with more information than just the username. Does anybody have an example? I am trying to develop a JSF app with Spring. Spring is really good, but it is difficult to learn and to find examples.
    http://static.springframework.org/sp...a-login-fields

  6. #6
    Join Date
    Jun 2009
    Posts
    23

    Default

    What other information do you need from the login? The Authentication object should contain most of the details.

  7. #7
    Join Date
    Jun 2009
    Posts
    10

    Default Access rights and error handling

    Access rights are based on roles but also on job competencies, so the login form is composed of three fields: username, password and competency.
    user1 role1 competency1
    user1 role2 competency1
    user1 role1 competency2
    So to retrieve the granted authorities of a user, I must do the following:
    select * from user_role where user = 'login' and competency = 'competency'
    I have another problem: it seems impossible to display Spring Security exceptions (like bad credentials) with the h:messages tag, so integrating Spring Security into a JSF web app is complicated.

  8. #8
    Join Date
    Jun 2009
    Posts
    23

    Default

    Quote Originally Posted by cbonneau
    Access rights are based on roles but also on job competencies, so the login form is composed of three fields: username, password and competency.
    user1 role1 competency1
    user1 role2 competency1
    user1 role1 competency2
    So to retrieve the granted authorities of a user, I must do the following:
    select * from user_role where user = 'login' and competency = 'competency'
    I have another problem: it seems impossible to display Spring Security exceptions (like bad credentials) with the h:messages tag, so integrating Spring Security into a JSF web app is complicated.
    I have solved a similar problem where, in place of competencyX, I have FacilityX.

    My solution is as follows.

    On successful authentication all the roles from all the competencies are fetched from the database using a custom implementation of org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator, and the user is prompted to select the preferred competency. The selected competency's roles are populated into the security context in the session.

    For your case the above solution can be modified such that the preferred competency is fed along with the login information.
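    The approach the last two posts converge on (competency supplied as a third login field, roles looked up per user and competency), as an added example that is not code from this thread or from the posters. It is written against the Spring Security 2.0.x packages the thread uses and makes these assumptions: a form field named j_competency; a user_role table with columns username, competency and role_name (post #7's query uses a column named user; the names here are assumptions); and a ThreadLocal hand-off from the filter to the populator, which is needed because LdapAuthoritiesPopulator.getGrantedAuthorities only receives the username. The two public classes belong in separate source files.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.sql.DataSource;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationServiceException;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.ldap.LdapAuthoritiesPopulator;
import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;

/**
 * Hands the competency from the login request to the populator on the same thread.
 * Assumption of this example: the populator API only receives the username, so the
 * extra field travels in a ThreadLocal that the filter always clears afterwards.
 */
final class CompetencyHolder {
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<String>();
    static void set(String competency) { CURRENT.set(competency); }
    static String get() { return CURRENT.get(); }
    static void clear() { CURRENT.remove(); }
}

/** Replaces the stock form-login filter and reads the extra j_competency field (assumed name). */
public class CompetencyAwareProcessingFilter extends AuthenticationProcessingFilter {
    public static final String COMPETENCY_PARAM = "j_competency";

    public Authentication attemptAuthentication(HttpServletRequest request)
            throws AuthenticationException {
        String competency = request.getParameter(COMPETENCY_PARAM);
        if (competency == null || competency.trim().length() == 0) {
            // Rejected before any LDAP bind; the message ends up under SPRING_SECURITY_LAST_EXCEPTION_KEY
            throw new BadCredentialsException("A competency must be selected");
        }
        CompetencyHolder.set(competency.trim());
        try {
            // Binds the user against LDAP; LdapAuthenticationProvider then calls the populator below
            return super.attemptAuthentication(request);
        } finally {
            CompetencyHolder.clear(); // a pooled thread must not carry this into the next request
        }
    }
}

/** Roles come from the database, scoped to the (username, competency) pair. */
public class CompetencyAuthoritiesPopulator implements LdapAuthoritiesPopulator {
    // Bound parameters: both values come from the client and are never concatenated into
    // the SQL text (compare the literal-built query quoted in the thread)
    private static final String ROLE_QUERY =
            "select role_name from user_role where username = ? and competency = ?";

    private final DataSource dataSource;

    public CompetencyAuthoritiesPopulator(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    public GrantedAuthority[] getGrantedAuthorities(DirContextOperations userData, String username) {
        String competency = CompetencyHolder.get();
        if (competency == null) {
            // Reached without the filter above (for example via http-basic): refuse, do not guess
            throw new BadCredentialsException("No competency supplied with the login");
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        Connection conn = null;
        try {
            conn = dataSource.getConnection();
            PreparedStatement ps = conn.prepareStatement(ROLE_QUERY);
            ps.setString(1, username);
            ps.setString(2, competency);
            ResultSet rs = ps.executeQuery();
            while (rs.next()) {
                authorities.add(new GrantedAuthorityImpl(rs.getString(1)));
            }
            rs.close();
            ps.close();
        } catch (SQLException e) {
            // A database outage fails closed instead of logging the user in with no roles
            throw new AuthenticationServiceException("Role lookup failed for " + username, e);
        } finally {
            if (conn != null) {
                try { conn.close(); } catch (SQLException ignored) { }
            }
        }
        if (authorities.isEmpty()) {
            // LDAP bind succeeded but the user holds no role in that competency: deny
            throw new BadCredentialsException("No roles for " + username + " in competency " + competency);
        }
        return authorities.toArray(new GrantedAuthority[authorities.size()]);
    }
}
```

    The filter takes the place of the one <security:form-login> registers: declare it as a bean carrying <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/> with the usual authenticationManager and target URL properties, and point the ldapAuthProvider's second constructor-arg at the new populator. A BadCredentialsException thrown from either class is stored by the filter like any other failure, so a login bean reading SPRING_SECURITY_LAST_EXCEPTION_KEY shows its message.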
