Spring Security LDAP Authentication and gather user details from local database

Question

In summary, user is being authenticated, but I do appear to actually have logged into the users account.

I'm currently working on implementing LDAP authentication on a project. It appears that the authentication portion of things are working in the sense that my application does accept the correct credentials. The issue I'm having is that I cant seem to access 'principal' in my jsp views. (I was able to access all of this before making the switch to LDAP). When running a trace my CustomUserDetails service is querying and pulling the correct account information. Any assistance is appreciated

This will display the proper username:

<sec:authorize access="isAuthenticated()">
   <h2><sec:authentication property="name"/></h2>
</sec:authorize>

This does not (it did work before LDAP)

<sec:authorize access="isAuthenticated()">
   <h2><sec:authentication property="principal.firstName"/></h2>
</sec:authorize>

Relevant Code SecurityConfig.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.UserDetailsServiceLdapAuthoritiesPopulator;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{
    @Autowired
    private CustomUserDetailsService userDetailsService;

    @Bean
    public CustomSaltSource customSaltSource(){ return new CustomSaltSource();}

    @Bean
    public AuthenticationSuccessHandler myAuthenticationSuccessHandler(){
        return new AuthenticationSuccessHandler();
    }



    @Autowired
    void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication().contextSource()
                .url("ldap://bar.foo.com")
                .port(####)
                .and()
                .userDnPatterns("cn={0},cn=users,dc=ms,dc=ds,dc=foo,dc=com")
                .ldapAuthoritiesPopulator(new UserDetailsServiceLdapAuthoritiesPopulator(userDetailsService));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
                .antMatchers("/skins/**", "/css/**", "/**/laggingComponents", "/assets/**").permitAll().and()
                .formLogin().loginPage("/login").permitAll().defaultSuccessUrl("/", true).successHandler(myAuthenticationSuccessHandler())
                .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).deleteCookies("JSESSIONID").permitAll()
                .and().authorizeRequests().antMatchers("/api/**").anonymous()
                .and().authorizeRequests().anyRequest().authenticated().and().rememberMe().key("KEY").userDetailsService(userDetailsService);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        handler.setPermissionEvaluator(new PermissionEvaluator());
        web.expressionHandler(handler);
        web.ignoring().antMatchers( "/skins/**", "/css/**", "/api/**", "/assets/**", "/health"); //"/**/test/**"
    }
}

CustomUserDetaulsService.java

import org.hibernate.Session;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import java.util.Set;

@Service
public class CustomUserDetailsService implements UserDetailsService{

    @Override
    public CustomUserDetails loadUserByUsername(String username) throws UsernameNotFoundException{
        Session session = DBFactory.factory.openSession();
        User user = (User) session.createQuery("from User where userName =:userName")
                .setParameter("userName", username).uniqueResult();
        if(user == null){
            throw new UsernameNotFoundException("User Not Found");
        }
        //Needed to initialize permissions
        Set<Role> roles = user.getRoles();
        int i = roles.size();
        for(Role role: roles){
            int j = role.getPermissions().size();
        }
        CustomUserDetails userDetails = new CustomUserDetails(user);

        session.close();
        return userDetails;
    }


}

Yernar Arystanov · Accepted Answer · 2019-01-22T13:23:59.620

If I'm not wrong, You switched to Ldap Authorization, set url and DN patterns but still provide userDetailsService which search user in database. You need to set UserDetailsContextMapper by implementing the interface and creating your custom one. This will map data from ldap directory context to your custom UserDetails and return it through mapUserFromContext method.

Here is an example CustomUserDetailsContextMapper:

public class CustomUserDetailsContextMapper implements UserDetailsContextMapper {


    private LdapUser ldapUser = null;
    private String commonName;

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
        Attributes attributes = ctx.getAttributes();
        UserDetails ldapUserDetails = (UserDetails) super.mapUserFromContext(ctx,username,authorities);
        try {
            commonName = attributes.get("cn").get().toString();
        } catch (NamingException e) {
            e.printStackTrace();
        }
        ldapUser = new LdapUser(ldapUserDetails);
        ldapUser.setCommonName(commonName);
        return ldapUser;
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {

    }
}

My custom LdapUser:

public class LdapUser implements UserDetails
{
    private String commonName;
    private UserDetails ldapUserDetails;

    public LdapUser(LdapUserDetails ldapUserDetails) {
        this.ldapUserDetails = ldapUserDetails;
    }

    @Override
    public String getDn() {
        return ldapUserDetails.getDn();
    }

    @Override
    public void eraseCredentials() {

    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return ldapUserDetails.getAuthorities();
    }

    @Override
    public String getPassword() {
        return ldapUserDetails.getPassword();
    }

    @Override
    public String getUsername() {
        return ldapUserDetails.getUsername();
    }

    @Override
    public boolean isAccountNonExpired() {
        return ldapUserDetails.isAccountNonExpired();
    }

    @Override
    public boolean isAccountNonLocked() {
        return ldapUserDetails.isAccountNonLocked();
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return ldapUserDetails.isCredentialsNonExpired();
    }

    @Override
    public boolean isEnabled() {
        return ldapUserDetails.isEnabled();
    }
}

Then set CustomUserDetailsContextMapper in auth configuration. This is how you will be able to get your user from authentication.getPrincipal(). I hope I correctly understand your problem and answered.

You probably meant `extends LdapUserDetailsMapper` instead of `implements UserDetailsContextMapper` to call `super` and enrich `LdapUser` — Ivan Baranuk, Oct 11 '19 at 07:39

score 3 · Answer 2 · answered Aug 19 '21 at 13:06

I had to test LDAP auth + different roles for devs,admins,users

Many thanks to @Yernar Arystanov

The code is not so clean but works...

public class LdapUser implements UserDetails
{
    private String commonName;
    private List<String>  groups;
    private UserDetails ldapUserDetails;

    public LdapUser(LdapUserDetails ldapUserDetails) {
        this.ldapUserDetails = ldapUserDetails;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return ldapUserDetails.getAuthorities();
    }

    @Override
    public String getPassword() {
        return ldapUserDetails.getPassword();
    }

    @Override
    public String getUsername() {
        return ldapUserDetails.getUsername();
    }

    @Override
    public boolean isAccountNonExpired() {
        return ldapUserDetails.isAccountNonExpired();
    }

    @Override
    public boolean isAccountNonLocked() {
        return ldapUserDetails.isAccountNonLocked();
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return ldapUserDetails.isCredentialsNonExpired();
    }

    @Override
    public boolean isEnabled() {
        return ldapUserDetails.isEnabled();
    }

    public String getCommonName() {
        return commonName;
    }

    public void setCommonName(String commonName) {
        this.commonName = commonName;
    }

    public List<String> getGroups() {
        return groups;
    }

    public void setGroups(List<String> groups) {
        this.groups = groups;
    }
}

Suggestion by @Ivan Baranuk was correct (extends LdapUserDetailsMapper):

public class CustomUserDetailsContextMapper extends LdapUserDetailsMapper {

    private LdapUser ldapUser = null;
    private String commonName;
    private List<String> groups = new LinkedList<String>();

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
        Attributes attributes = ctx.getAttributes();
        UserDetails ldapUserDetails;
        ldapUserDetails = (UserDetails) super.mapUserFromContext(ctx,username,authorities);
        try {
            commonName = attributes.get("cn").get().toString();

            Arrays.stream(ctx.getObjectAttributes("memberOf"))
                    .iterator()
                    .forEachRemaining( m -> {
                        groups.add(m.toString());
                    });

        } catch (NamingException | javax.naming.NamingException e) {
            e.printStackTrace();
        }
        ldapUser = new LdapUser((LdapUserDetails) ldapUserDetails);
        ldapUser.setCommonName(commonName);
        ldapUser.setGroups(groups);
        return ldapUser;
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {

    }
}

then finally in SecurityConfig:

public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
public void configure(AuthenticationManagerBuilder auth) throws Exception {
...
auth.ldapAuthentication()
                .userSearchBase("enter your search base")
                .userSearchFilter("(&(objectClass=user)(sAMAccountName={0}))")
                .userDetailsContextMapper(ldapUserDetailsMapper())
                .ldapAuthoritiesPopulator(ldapAuthoritiesPopulator())
                .contextSource()
                .url(yourProperties.getLdapUrl())
                .managerDn(yourProperties.getManagerDn())
                .managerPassword(yourProperties.getManagerPassword());
}

private LdapAuthoritiesPopulator ldapAuthoritiesPopulator() {
        return new LdapAuthoritiesPopulator() {
            @Override
            public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData,
                                                                                String username) {

                LinkedList<SimpleGrantedAuthority> res = new LinkedList();
                Arrays.stream(userData.getObjectAttributes("memberOf"))
                        .iterator()
                        .forEachRemaining( m -> {
                            if(m.toString().equals("your_dev_group"))
                                res.add(new SimpleGrantedAuthority("DEV_USER"));
                            if(m.toString().equals("your_admin_group"))
                                res.add(new SimpleGrantedAuthority("ADMIN_USER"));
                        });
                if(res.isEmpty())
                    return Arrays.asList(new SimpleGrantedAuthority("USER"));
                else
                    return res;
            }
        };
    }
@Bean
@Override
protected UserDetailsService userDetailsService() {
    return super.userDetailsService();
}

@Bean
    protected LdapUserDetailsMapper ldapUserDetailsMapper() {return new CustomUserDetailsContextMapper();}

}

At the end - some simple get method(authorized users only):

@RequestMapping("/logger")
public String testLogger(Authentication authentication) {
    if (authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_DEV_USER"))) {
        LdapUser userDetails = (LdapUser) authentication.getPrincipal();
        log.info("WELCOME :" + userDetails.getCommonName());
        userDetails.getGroups().iterator().forEachRemaining((g) - > log.info("group: " + g.toString()));
    }
    return ""
}

Spring Security LDAP Authentication and gather user details from local database

2 Answers2