In this post I talked about using Spring Security OAuth2 and MongoDB (or any database of your choice). Today we are going explore the AuthenticationProvider in spring by building LDAP or Active Directory authentication into our SSO microservice which can be used by clients or users.
What is LDAP? I’m guessing you already know what it is thats why you got here.
Spring Security supports LDAP authentication out of the box. As the title suggests we are building a custom one using Authentication Provider interface.
This explains how Spring Authentication Provider interface works read this.
For this project I forked the codes from Spring Security OAuth2 with MongoDB.
Adding our LDAP Authentication Provider would require
1. LDAP dependencies.
1
2
3
4
5
6
7
8
9
10
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap-core</artifactId>
<version>2.0.4.RELEASE</version>
</dependency>
2. Implementing Auth Provider Interface.
Spring Security AuthenticationProvider can be implemented to create a custom auth provider.
The most important part of AuthenticationProvider is authenticate. Which
“Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication)”
In our custom implementation of authenticate we would use configured LDAPTemplate to validate user’s credentials and once authentication is a success we can do anything we want. In my case I check if a user exists before I persist their details.
3. Configure.
To configure our custom AuthenticationProvider we just need to let Spring Integration know our custom provider. By default it would pass all authentication details to all configured AuthenticationProviders for either a successful response or an exception.
With this configuration LDAP users would get OAuth2 tokens just as the users we created in Spring Security OAuth2 with MongoDB. So what we’ve built here is a single sign on authentication microservice that works for users in MongoDB and LDAP. In due time we would add social and other custom authentication providers.
4. Changes To Note
LDAP Bean
1
<bean id="userLDAPAuthenticationProvider" class="st.malike.auth.server.service.security.UserLDAPAuthProviderService" />
New Authentication Provider
1
2
3
4
5
6
7
8
9
<sec:authentication-manager alias="authenticationManager" >
<!--new authentication provider-->
<sec:authentication-provider ref="userLDAPAuthenticationProvider" />
<sec:authentication-provider ref="userAuthProviderService" />
<sec:authentication-provider
user-service-ref="clientDetailsUserService">
<sec:password-encoder ref="passwordEncoder" />
</sec:authentication-provider>
</sec:authentication-manager>
The actual code doing the validation is here which can you can update based on how the integration with your single sign on microservice works with the LDAP server
Finally check this LDAP injection
With AuthenticationProvider we can build custom authentication providers to validate from multiple services once we can ‘hook’ it in the AuthenticationManager. And keep that in mind not to make the overall authentication expensive because every authentication request would go through all the authentication providers.
FYI source codes on Github.