LDAP Authentication with DataSource Authorization
I am new to Spring Security.
I am developing an application that uses ActiveDirectory for authentication and Database tables for authorization. The database tables [users, authorities] follow the recommended spring authentication schema. I am at a loss how to use ldap for authentication only, and use the datasource for authorization. My guess is that is has something to do with changing the default populator of the ldap-authentication-provider to make use of a datasource. Below is my attempt at an appropriate security configuration:
Code:<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd"> <global-method-security secured-annotations="enabled"/> <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> <beans:constructor-arg value="ldap://hodc1.company.com/dc=company,dc=com"/> <beans:property name="userDn" value="admin@company.com"/> <beans:property name="password" value="1256EE"/> <beans:property name="baseEnvironmentProperties"> <beans:map> <beans:entry key="java.naming.referral"> <beans:value>follow</beans:value> </beans:entry> </beans:map> </beans:property> </beans:bean> <http auto-config="true"> <!-- no role restrictions on login.jsp | no need to be managed by spring container at all --> <intercept-url pattern="/**" filters="none"/> <intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/> <intercept-url pattern="/js/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/> <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/> <!-- restrict access to all other pages --> <intercept-url pattern="/admin/*.do" access="ROLE_ADMIN"/> <intercept-url pattern="/approve/*.do" access="ROLE_SUPERVISOR"/> <intercept-url pattern="/**.do" access="ROLE_USER, ROLE_SUPERVISOR, ROLE_ADMIN"/> <!-- set login page and what to do if login fails --> <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true"/><!-- default-target-url="/index.do" always-use-default-target="true" --> <!-- handle session timeout --> <session-management> <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/sessionTimeout.do"/> </session-management> <logout/> </http> <authentication-manager alias="authenticationManager"> <ldap-authentication-provider group-search-filter="member={0}" group-search-base="ou=Groups" role-prefix="ROLE_" user-search-base="cn=users" user-search-filter="sAMAccountName={0}" server-ref="contextSource"> </ldap-authentication-provider> <authentication-provider> <jdbc-user-service data-source-ref="dataSource"/> </authentication-provider> </authentication-manager> <beans:bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl"> <beans:property name="dataSource" ref="dataSource"/> <beans:property name="authoritiesByUsernameQuery"> <beans:value> <![CDATA[ SELECT username, authority FROM authorities WHERE username=? ]]> </beans:value> </beans:property> <beans:property name="usersByUsernameQuery"> <beans:value> <![CDATA[ SELECT username, password, enabled FROM users WHERE username=? ]]> </beans:value> </beans:property> </beans:bean> <beans:bean id="populator" class="org.springframework.security.ldap.authentication.UserDetailsServiceLdapAuthoritiesPopulator"> <beans:constructor-arg ref="userDetailsService"/> </beans:bean> </beans:beans>
