What is LDAP?
The Lightweight Directory Access Protocol (LDAP) is an application protocol for reading and editing directories over an IP network. A directory is an organized set of records. For example, the telephone directory is an alphabetical list of persons and organizations, with each record having an address and phone number. A directory information tree often follows political, geographic, or organizational boundaries. LDAP directories often use Domain Name System (DNS) names for the highest levels. Deeper inside the directory might appear entries for people, departments, teams, printers, and documents.
Source: http://en.wikipedia.org/wiki/LDAP
How do we embed an LDAP server using Spring Security?
18.3.1 Using an Embedded Test ServerTo convert our previous application from using an actual LDAP server to an embedded server, all we need to do is modify the
The <ldap-server> element can also be used to create an embedded server, which can be very useful for testing and demonstrations. In this case you use it without the url attribute:
<ldap-server root="dc=springframework,dc=org"/>
Here we've specified that the root DIT of the directory should be “dc=springframework,dc=org”, which is the default. Used this way, the namespace parser will create an embedded Apache Directory server and scan the classpath for any LDIF files, which it will attempt to load into the server. You can customize this behaviour using the ldif attribute, which defines an LDIF resource to be loaded:
<ldap-server ldif="classpath:users.ldif" />
Source: Spring Security 3 Reference
Let's open the spring-security.xml file and modify the
// Old configuration
// New configuration
Here's the updated spring-security.xml:
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>For the embedded server to work, we need to include LDIF file in the classpath:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- This is where we configure Spring-Security -->
<security:http auto-config="true" use-expressions="true" access-denied-page="/krams/auth/denied" >
<security:intercept-url pattern="/krams/auth/login" access="permitAll"/>
<security:intercept-url pattern="/krams/main/admin" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/krams/main/common" access="hasRole('ROLE_USER')"/>
<security:form-login
login-page="/krams/auth/login"
authentication-failure-url="/krams/auth/login?error=true"
default-target-url="/krams/main/common"/>
<security:logout
invalidate-session="true"
logout-success-url="/krams/auth/login"
logout-url="/krams/auth/logout"/>
</security:http>
<!--
For authentication:
user-search-filter: the attribute name that contains the user name
user-search-base: the base path where to find user information
For authorization:
group-search-filter: the attribute name that contains the full dn of a user
group-search-base: the base path where to find role information
group-role-attribute: the attribute name that contains the role type
role-prefix: the prefix to be added when retrieving role values
For server access:
manager-dn: the full dn of the person that has access to an LDAP server
manager-password: the password of the person that has access to an LDAP server
-->
<security:authentication-manager>
<security:ldap-authentication-provider
user-search-filter="(uid={0})"
user-search-base="ou=users"
group-search-filter="(uniqueMember={0})"
group-search-base="ou=groups"
group-role-attribute="cn"
role-prefix="ROLE_">
</security:ldap-authentication-provider>
</security:authentication-manager>
<!-- Use an embedded LDAP server. We need to declare the location of the LDIF file
We also need to customize the root attribute default is "dc=springframework,dc=org" -->
<security:ldap-server ldif="classpath:mojo.ldif" root="o=mojo"/>
</beans>
mojo.ldif
version: 1Then we have to modify our pom.xml to include the necessary dependencies for the embedded ApacheDS server. The depencies are big, so it might take a while to download.
dn: o=mojo
objectClass: organization
objectClass: extensibleObject
objectClass: top
o: mojo
dn: ou=users,o=mojo
objectClass: extensibleObject
objectClass: organizationalUnit
objectClass: top
ou: users
dn: ou=groups,o=mojo
objectClass: extensibleObject
objectClass: organizationalUnit
objectClass: top
ou: groups
dn: cn=User,ou=groups,o=mojo
objectClass: groupOfUniqueNames
objectClass: top
cn: User
uniqueMember: cn=John Milton,ou=users,o=mojo
uniqueMember: cn=Robert Browning,ou=users,o=mojo
uniqueMember: cn=Hugo Williams,ou=users,o=mojo
uniqueMember: cn=John Keats,ou=users,o=mojo
dn: cn=Admin,ou=groups,o=mojo
objectClass: groupOfUniqueNames
objectClass: top
cn: Admin
uniqueMember: cn=Hugo Williams,ou=users,o=mojo
uniqueMember: cn=John Keats,ou=users,o=mojo
dn: cn=Robert Browning,ou=users,o=mojo
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Robert Browning
sn: Browning
uid: rbrowning
userPassword:: cGFzcw==
dn: cn=John Keats,ou=users,o=mojo
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: John Keats
sn: Keats
uid: jkeats
userPassword:: cGFzcw==
dn: cn=Hugo Williams,ou=users,o=mojo
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Hugo Williams
sn: Williams
uid: hwilliams
userPassword:: cGFzcw==
dn: cn=John Milton,ou=users,o=mojo
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: John Milton
sn: Milton
uid: jmilton
userPassword:: cGFzcw==
pom.xml
<dependency>
<groupId>org.apache.directory.server</groupId>
<artifactId>apacheds-all</artifactId>
<version>1.5.5</version>
<type>jar</type>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.5.6</version>
<type>jar</type>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.5.6</version>
<type>jar</type>
<scope>compile</scope>
</dependency>
To access the login page, enter the following URL:
http://localhost:8081/spring-security-ldap-embedded/krams/auth/loginTo logout, enter the following URL:
http://localhost:8081/spring-security-ldap-embedded/krams/auth/logoutTo access the admin page, enter the following URL:
http://localhost:8081/spring-security-ldap-embedded/krams/main/adminTo access the common page, enter the following URL:
http://localhost:8081/spring-security-ldap-embedded/krams/main/commonHere are the usernames and passwords:
rbrowning - pass
jkeats - pass
hwilliams - pass
jmilton - pass
That's it. We've managed to setup a simple Spring MVC 3 application, that's secured by Spring Security. We also used an embedded LDAP server for authenticating our users.
The best way to learn further is to try the actual application.
Download the project
You can access the project site at Google's Project Hosting at http://code.google.com/p/spring-security-ldap/
You can download the project as a Maven build. Look for the spring-security-ldap-embedded.zip in the Download sections.
You can run the project directly using an embedded server via Maven.
For Tomcat: mvn tomcat:run
For Jetty: mvn jetty:run
0 komentar:
Post a Comment