Thursday, May 29, 2008

Integrating Spring Security 2 with Active Directory

Recently I worked on getting the newly released Spring Security (formerly known as Acegi Security) to work with the Microsoft Active Directory LDAP server. Although the configuration for Spring Security has massively improved compared to the early days of Acegi, Active Directory has its own format and the early release has some bugs (I am using 2.0.1 right now since that's the latest one in the public Maven repository), so the integration is not as straightforward as I expected. That's why I decided to record the findings here in my Daylog.

First, we need to set up HTTP security:









Here it is configured to protect everything under the protected folder with HTTP Basic authentication and to force HTTPS. Basic authentication sends the user's Active Directory password with every request, only base64-encoded, so requiring HTTPS is what keeps it from crossing the network in the clear.

Second, we need to connect to the LDAP server (Active Directory does not allow anonymous searches, so this needs the DN and password of a service account that is allowed to read the directory):





Then, we need to tell Spring Security where to search for the users:






In my case the search base is "ou=Offices", but depending on your LDAP layout it might be different. The strange-looking "(sAMAccountName={0})" is the Active Directory specific filter for matching the user name: sAMAccountName is the attribute that holds the Windows logon name, and {0} is replaced with the name the user typed in. The name is passed to the search as a filter argument rather than concatenated into the filter string, so special characters in it are escaped before the query reaches the directory.

Last but definitely not least, we need to set up our authentication provider. The bean id, the "contextSource" reference and the group search base are not shown in the original post and are filled in here as assumptions; the class names, the "ou=Offices" search base and the sAMAccountName filter are the post's own:

    <bean id="ldapAuthProvider"
          class="org.springframework.security.providers.ldap.LdapAuthenticationProvider"
          autowire="default">
      <!-- first constructor argument: how the user is authenticated (bind as the user) -->
      <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
          <!-- "contextSource" must be the id of the LDAP server (context source) bean
               defined in the previous step; the original post does not show that id -->
          <constructor-arg ref="contextSource"/>
          <property name="userSearch">
            <bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
              <constructor-arg value="ou=Offices"/>            <!-- user search base, see above -->
              <constructor-arg value="(sAMAccountName={0})"/>  <!-- AD user name filter -->
              <constructor-arg ref="contextSource"/>
            </bean>
          </property>
        </bean>
      </constructor-arg>
      <!-- second constructor argument: how the user's groups are loaded -->
      <constructor-arg>
        <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
          <constructor-arg ref="contextSource"/>
          <!-- group search base: not shown in the original post, assumed here; adjust to your directory -->
          <constructor-arg value="ou=Groups"/>
          <!-- recurse into sub-OUs when looking for the user's groups (see the note below) -->
          <property name="searchSubtree" value="true"/>
        </bean>
      </constructor-arg>
    </bean>

If you are familiar with Spring 2.x configuration you will probably ask why I suddenly switched from the namespace-based security configuration to the manual bean-based approach. The reason is a known bug (SEC-836, fixed in the 2.0.2 release, which is not yet available in Maven) in Spring Security that prevents the group search from scanning the sub-tree; if your group tree has multiple levels the search will not return the right result. Defining the DefaultLdapAuthoritiesPopulator as a bean lets you set its searchSubtree property yourself.
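To show how the four steps fit together, here is a complete security application context as an added example; it is not the configuration from the original post. The host dc.example.com, the root DN dc=example,dc=com, the service account cn=svc-webapp, the bean ids contextSource and ldapAuthProvider, the group OU ou=Groups and the group name webapp-users are assumed values; the "ou=Offices" search base and the sAMAccountName filter are the ones from the post. The two pieces the post does not spell out are the custom-authentication-provider element, which registers the hand-built bean with the AuthenticationManager the namespace creates, and the populator's searchSubtree property, which makes the group search recurse into nested OUs, the behaviour the post says the 2.0.1 namespace configuration lacks.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

  <!-- Step 1: HTTP security. Everything under /protected/ requires the role mapped from
       the AD group below and may only be reached over HTTPS. HTTP Basic sends the AD
       password (base64, not encrypted) on every request, so requires-channel="https"
       is the control that keeps it off the wire in the clear. -->
  <security:http>
    <security:intercept-url pattern="/protected/**"
                            access="ROLE_WEBAPP-USERS"
                            requires-channel="https"/>
    <security:http-basic/>
  </security:http>

  <!-- Step 2: the directory connection. Host, root DN and service account are assumed
       values. AD does not allow anonymous searches, so a bind account is needed; it only
       has to read users and groups, so use a low-privilege service account, never a
       domain admin. The id is what the beans below refer to. -->
  <security:ldap-server id="contextSource"
                        url="ldap://dc.example.com:389/dc=example,dc=com"
                        manager-dn="cn=svc-webapp,ou=Service Accounts,dc=example,dc=com"
                        manager-password="changeit"/>

  <!-- Steps 3 and 4: the provider defined by hand instead of via the namespace's
       ldap-authentication-provider element. custom-authentication-provider registers it
       with the AuthenticationManager that the namespace creates. -->
  <bean id="ldapAuthProvider"
        class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <security:custom-authentication-provider/>

    <!-- Authenticator: locate the user's DN with the search, then bind as that DN with the
         supplied password, so Active Directory itself verifies the credentials. -->
    <constructor-arg>
      <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg ref="contextSource"/>
        <property name="userSearch">
          <bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
            <constructor-arg value="ou=Offices"/>            <!-- search base, relative to the root DN -->
            <constructor-arg value="(sAMAccountName={0})"/>  <!-- {0} = the typed user name -->
            <constructor-arg ref="contextSource"/>
          </bean>
        </property>
      </bean>
    </constructor-arg>

    <!-- Authorities populator: finds groups whose "member" attribute contains the user's DN
         (the default (member={0}) filter). searchSubtree="true" recurses into nested OUs
         below ou=Groups; the default is one level only. With the default ROLE_ prefix and
         upper-casing, a group with cn "webapp-users" becomes ROLE_WEBAPP-USERS. -->
    <constructor-arg>
      <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
        <constructor-arg ref="contextSource"/>
        <constructor-arg value="ou=Groups"/>   <!-- assumed group OU -->
        <property name="searchSubtree" value="true"/>
      </bean>
    </constructor-arg>
  </bean>
</beans>
```

The schema version in xsi:schemaLocation should match the Spring Security jar on your classpath; the 2.0.x releases each shipped their own spring-security-2.0.N.xsd. Keep the manager password out of the file in anything beyond a test setup, for example by pulling it in through a property placeholder, since this file is usually checked into source control.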

Last note: all the roles defined in your directory are returned in upper case with the "ROLE_" prefix prepended, so a group named webapp-users shows up as ROLE_WEBAPP-USERS in your access rules. This configuration was created and tested with Spring 2.5.2 and Spring Security 2.0.1.

2 comments:

Brad Pitt said...

The lowest code is write, not right? Is it?

Brad Pitt said...

Maybe it's not the right code, but it still let me know about the LDAP.