0
votes

I need to give access to users belonging to a group (ABCD) in LDAP. I am able to authenticate successfully with Spring LDAP security, but for some reason the group membership is not loaded. I get "403 access Denied" error when I try to login. I verified that the groups for the user are not populated into Authorities.

SecurityContextHolder.getContext().getAuthentication().getAuthorities();

Is there a way I can load groups of a user into authorities? Here is my spring security configuration.

<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/js/**"
        access="true" />
    <security:intercept-url pattern="/css/**"
        access="true" />
    <security:intercept-url pattern="/images/**"
        access="true" />

    <security:intercept-url pattern="/**"
        access="hasRole('ABCD')" />

</security:http>

<security:ldap-server id="ldapServer" url="${ldap.url}" />

<security:authentication-manager alias="authenticationManager">
    <security:ldap-authentication-provider
        server-ref="ldapServer" user-dn-pattern="uid={0},ou=people,o=xxxx.com"
        group-search-base="ou=groups,o=xxxx.com" />

</security:authentication-manager>

1 Answer

1
votes

Should be like this:

<security:ldap-server id="ldapServer" url="${ldap.url}/o=xxxx.com" />

<security:authentication-manager alias="authenticationManager">
    <security:ldap-authentication-provider
        server-ref="ldapServer"
        group-search-filter="member={0}"
        group-search-base="ou=groups"
        user-search-base="ou=people"
        user-search-filter="uid={0}" />
</security:authentication-manager>

Your main issue is around the group-search-filter, which should contain some attribute (with a placeholder) from the user which refers to the groups where the current user is a member.

See Spring Security Sample.
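To make the answer's point concrete, here is a small added model (not Spring's code and not part of the question or answer) of what the LDAP authorities populator does with group-search-base and group-search-filter: it substitutes the user's full DN for {0}, searches the group subtree, and maps the group's cn to an authority with the default ROLE_ prefix in upper case. The directory entries are constructed to match the tree in the question (ou=people and ou=groups under o=xxxx.com) and use the groupOfNames member attribute, so the default filter (uniqueMember={0}) finds nothing while member={0} yields ROLE_ABCD. The has_role helper assumes Spring Security 4+ semantics, where hasRole('ABCD') prepends ROLE_ if it is missing; on 3.x the expression must name the full authority.

```python
"""Model of how Spring Security's LDAP authorities populator derives roles.

Constructed example: a tiny in-memory directory plus a function that mimics
the group search configured by group-search-base / group-search-filter and
the role mapping (ROLE_ prefix, upper case) that hasRole('ABCD') relies on.
Names and entries are assumptions for illustration, not Spring internals.
"""

# Base DN that the answer moves into the ldap-server url (".../o=xxxx.com"),
# which is why its search bases become relative ("ou=groups", "ou=people").
SERVER_BASE = "o=xxxx.com"

# Constructed entries shaped like the question's tree; the groups use the
# groupOfNames "member" attribute, whose values are full user DNs.
DIRECTORY = {
    "uid=alice,ou=people,o=xxxx.com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "cn=ABCD,ou=groups,o=xxxx.com": {
        "objectClass": ["groupOfNames"], "cn": ["ABCD"],
        "member": ["uid=alice,ou=people,o=xxxx.com"]},
    "cn=other,ou=groups,o=xxxx.com": {
        "objectClass": ["groupOfNames"], "cn": ["other"],
        "member": ["uid=bob,ou=people,o=xxxx.com"]},
}


def search(relative_base, equality_filter):
    """Return DNs below relative_base (joined to SERVER_BASE) whose entry
    matches a single 'attr=value' or '(attr=value)' equality filter.
    Only this subset of LDAP filter syntax is modelled."""
    base = f"{relative_base},{SERVER_BASE}".lower()
    attr, _, value = equality_filter.strip("()").partition("=")
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith("," + base):
            continue  # outside the search subtree
        if value in entry.get(attr, []):
            hits.append(dn)
    return hits


def group_authorities(user_dn, group_search_base, group_search_filter,
                      group_role_attribute="cn", role_prefix="ROLE_",
                      convert_to_upper_case=True):
    """Mimic the populator: {0} becomes the user's full DN (not the uid),
    the group base is searched, and each hit's role attribute is mapped to
    an authority name such as ROLE_ABCD."""
    concrete_filter = group_search_filter.replace("{0}", user_dn)
    roles = set()
    for group_dn in search(group_search_base, concrete_filter):
        for name in DIRECTORY[group_dn].get(group_role_attribute, []):
            role = name.upper() if convert_to_upper_case else name
            roles.add(role_prefix + role)
    return roles


def has_role(authorities, role, role_prefix="ROLE_"):
    """Spring Security 4+ hasRole(): add the prefix when absent, then match."""
    if not role.startswith(role_prefix):
        role = role_prefix + role
    return role in authorities


if __name__ == "__main__":
    alice = "uid=alice,ou=people,o=xxxx.com"
    # Default filter from the question's setup: wrong attribute -> no roles -> 403.
    print(group_authorities(alice, "ou=groups", "(uniqueMember={0})"))
    # Filter from the answer: matches the group's member attribute.
    print(group_authorities(alice, "ou=groups", "member={0}"))
```

Running the block shows an empty set for the uniqueMember filter and {'ROLE_ABCD'} for member={0}; the practical check is therefore to inspect one group entry in the directory and pick the filter attribute (member, uniqueMember, memberUid, ...) that actually holds the user reference, and to remember that {0} is the DN, so the attribute values must be DNs too.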