Warm tip: This article is reproduced from serverfault.com, please click
active-directory ldap security spring spring-boot

ActiveDirectoryLdapAuthenticationProvider and authentication using userDetailsService

发布于 2020-12-01 00:30:39

I have two different users in my application. Ldap users and api users. Ldap users have privilege to access an endpoint and api users a different endpoint. I have implemented the api user authentication using UserDetailsService and having the details in my application.yaml file. The issue I am facing now is, The endpoint that only Ldap users should access is now being accessed my api users as well. How can I prevent this. Please find my code snippet below

public class ServiceSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("ldapProvider")
    private AuthenticationProvider authenticationProvider;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

// security for apiuser
              http
                .authorizeRequests()
                .antMatchers(“/abcd/**).hasRole(“admin”)
                .and()
                .httpBasic().and().userDetailsService(userDetailsService());
      

// security for ldap users
        http
                .csrf().disable()
                .authorizeRequests()
                .antMatchers(“/ghhgh” + "/**").fullyAuthenticated()
                .antMatchers("/login*").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().and()
                .authenticationProvider(authenticationProvider)
                .exceptionHandling();
    }

    public UserDetailsService userDetailsService() {

        UserDetails user = User.withUsername(“api”)
                .password(passwordEncoder().encode(“test”))
                .roles(“admin”)
              return new InMemoryUserDetailsManager(user);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
Questioner
SJB
Viewed
11
分享
Amir Schnell 2020-12-03 18:38:04

In spring security it is indeed possible to register multiple authentication mechanisms.

BUT you cannot register a specific authentication provider to a specific route.
The spring securty docs say:

ProviderManager is the most commonly used implementation of AuthenticationManager. ProviderManager delegates to a List of AuthenticationProviders. Each AuthenticationProvider has an opportunity to indicate that authentication should be successful, fail, or indicate it cannot make a decision and allow a downstream AuthenticationProvider to decide.

So in every request, the registered AuthenticationProviders are checked one after the other until one is successful, or all fail.

To solve your problem, you need to define multiple custom authorities, that you assign your users.
Then you secure your endpoints using these authorities.

E.g. you give every ldap user the authority LDAP_USER and every api user the authority API_USER. Then you configure your security accordingly:

Register all AuthenticationProviders:


@Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {

        auth.authenticationProvider(ldapProvider);
        auth.userDetailsService(userDetailsService());
    }

And configure the endpoints:


@Override
protected void configure(HttpSecurity http) throws Exception {


    http
      (...)
      .authorizeRequests()

// security for apiuser
      .antMatchers(“/abcd/**).hasRole(“API_USER”)

// security for ldap users
      .antMatchers(“/ghhgh” + "/**").hasRole("LDAP_USER")
      (...)
    }
SJB 2020-12-03 18:31:16

Hi @Amir Schenell, thanks for you explanation. I tried the same but I am still able to access the ldap endpoints with apiuser

Amir Schnell 2020-12-04 08:16:02

can you post your current config into your question, so I can have a lokk at it?

SJB 2020-12-04 16:52:49

Hi @Amir Schnell , I missed adding authority to ldap and that fixed it. Thankyou so much

热门帖子

1
关于英语学习的重要性的思考
2
这里分享一个免费的在线 PDF 总结工具: NoteGPT
3
没想到 Arc 浏览器对网络要求如此严格
4
[上海] 招中级前端开发工程师
5
澳大利亚🇦🇺归来~第一次去南半球,虽然看过很多次照片,亲临大洋路时仍觉震撼
6
Apple Watch Terminal 风格表盘
7
失业三个月,面试寥寥无几,朋友失业的也很多
8
开发了一个在线批量图片压缩网站
9
路由器批量端口映射到 NAS 的问题,求教~
10
chatgpt-4o 实时语音功能入口在哪里呀

热门github

1
A multi-platform library for OpenGL, OpenGL ES, Vulkan, window and input
2
Dev tool that writes scalable apps from scratch while the developer oversees the implementation
3
shadcn/ui, but for Svelte. ✨
4
The Python Risk Identification Tool for generative AI (PyRIT) is an open access automation framework to empower security professionals and machine learning engineers to proactively find risks in their generative AI systems.
5
Performance-portable, length-agnostic SIMD with runtime dispatch
6
ZK Credo
7
OpenCodeInterpreter: Integrating Code Generation with Execution and Refinement
8
Joplin - the secure note taking and to-do app with synchronisation capabilities for Windows, macOS, Linux, Android and iOS.
9
Mamba is a new state space model architecture showing promising performance on information-dense data such as language modeling, where previous subquadratic models fall short of Transformers. It is based on the line of progress on structured state space models, with an efficient hardware-aware design and implementation in the spirit of FlashAttention.
10
This repository contains System Design resources which are useful while preparing for interviews and learning Distributed Systems
11
Curso para aprender el lenguaje de programación Python desde cero y para principiantes. 75 clases, 37 horas en vídeo, código, proyectos y grupo de chat. Fundamentos, frontend, backend, testing, IA...
12
🎓 Path to a free self-taught education in Computer Science!
13
1️⃣🐝🏎️ The One Billion Row Challenge -- A fun exploration of how quickly 1B rows from a text file can be aggregated with Java
14
A collective list of free APIs
15
📚 Freely available programming books