3
votes

I'm developing a Spring Java based application and I want to use Apache Directory Studio LDAP to manage users, so I want to give each user a role, and to manage that I used Spring Security.

This is my security-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">

    <security:authentication-manager>
        <security:ldap-authentication-provider
            user-search-filter="(uid={0})" user-search-base="ou=users"
            group-search-filter="(uniqueMember={0})" group-search-base="ou=groups"
            group-role-attribute="cn" role-prefix="ROLE_" />
    </security:authentication-manager>

    <security:ldap-server url="ldap://localhost:8389/o=mojo"
        manager-dn="uid=admin,ou=system" manager-password="secret" />

    <security:http use-expressions="true">
        <security:intercept-url pattern="/" access="hasRole('ROLE_Admin')" />
        <security:form-login />
    </security:http>

</beans>

and this is my ldap hierarchy

That doesn't work for me and gives me a 403 error for access denied even when I log in with admin credentials.

Any help ?

2
Not sure if it helps but last time I was dealing with spring-security LDAP I had to use hasAuthority instead of hasRole. Give it a chance... - Martin Čuka
No, it doesn't work for me - Wassim Makni

2 Answers

3
votes

Try setting your role in <security:intercept-url pattern="/" access="hasRole('ROLE_ADMIN')" /> capitalized this way.

By default <security:ldap-authentication-provider />, which automatically configures a org.springframework.security.ldap.authentication.LdapAuthenticationProvider, creates an instance of org.springframework.security.ldap.userdetails.LdapUserDetailsMapper, which by default has these properties:

public class LdapUserDetailsMapper implements UserDetailsContextMapper {
    // ~ Instance fields
    // ================================================================================================

    private final Log logger = LogFactory.getLog(LdapUserDetailsMapper.class);
    private String passwordAttributeName = "userPassword";
    private String rolePrefix = "ROLE_";
    private String[] roleAttributes = null;
    private boolean convertToUpperCase = true;

And so on; as convertToUpperCase is set to true, this method

    /**
     * Creates a GrantedAuthority from a role attribute. Override to customize authority
     * object creation.
     * <p>
     * The default implementation converts string attributes to roles, making use of the
     * <tt>rolePrefix</tt> and <tt>convertToUpperCase</tt> properties. Non-String
     * attributes are ignored.
     * </p>
     *
     * @param role the attribute returned from
     * @return the authority to be added to the list of authorities for the user, or null
     * if this attribute should be ignored.
     */
    protected GrantedAuthority createAuthority(Object role) {
        if (role instanceof String) {
            if (this.convertToUpperCase) {
                role = ((String) role).toUpperCase();
            }
            return new SimpleGrantedAuthority(this.rolePrefix + role);
        }
        return null;
    }

finally converts your ou=groups Admin to ROLE_ADMIN, which does not match ROLE_Admin.
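The mapping this answer describes, modelled as a small Python script added here (it is not Spring code and not part of the original post): the user lookup, the group lookup by the user's DN, the uppercase-then-prefix rule from createAuthority(), and the exact, case-sensitive comparison that Spring Security 4's hasRole() performs. The directory entries, the login name `wassim` and the helper names are constructed assumptions; the filters, attribute names and prefix are the ones from the question's security-context.xml.

```python
# Constructed mini-directory mirroring the question: users under ou=users,
# groups under ou=groups, each group listing member DNs in uniqueMember.
DIRECTORY = {
    "uid=wassim,ou=users,o=mojo": {"uid": ["wassim"]},
    "cn=Admin,ou=groups,o=mojo": {
        "cn": ["Admin"],
        "uniqueMember": ["uid=wassim,ou=users,o=mojo"],
    },
}

ROLE_PREFIX = "ROLE_"          # role-prefix="ROLE_" in the config
CONVERT_TO_UPPER_CASE = True   # default of the mapper quoted above


def find_user_dn(uid):
    """user-search-filter="(uid={0})" under ou=users: {0} is the login name."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith(",ou=users,o=mojo") and uid in attrs.get("uid", []):
            return dn
    return None


def group_authorities(user_dn):
    """group-search-filter="(uniqueMember={0})" under ou=groups: here {0} is the
    user's full DN. Each matching group's cn (group-role-attribute) becomes
    prefix + upper-cased cn, the same rule createAuthority() applies."""
    authorities = []
    for dn, attrs in DIRECTORY.items():
        if dn.endswith(",ou=groups,o=mojo") and user_dn in attrs.get("uniqueMember", []):
            for cn in attrs.get("cn", []):
                if CONVERT_TO_UPPER_CASE:
                    cn = cn.upper()
                authorities.append(ROLE_PREFIX + cn)
    return authorities


def has_role(authorities, role):
    """Spring Security 4 hasRole(): prepends ROLE_ unless the argument already
    starts with it, then needs an exact, case-sensitive match."""
    if not role.startswith(ROLE_PREFIX):
        role = ROLE_PREFIX + role
    return role in authorities


def check(uid, expression_role):
    """Resolve a login name to its authorities and evaluate one hasRole() argument."""
    user_dn = find_user_dn(uid)
    authorities = group_authorities(user_dn) if user_dn else []
    return authorities, has_role(authorities, expression_role)
```

Running check("wassim", "ROLE_Admin") yields the 403 from the question, while "ROLE_ADMIN" and "ADMIN" both pass against the single granted authority ROLE_ADMIN.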

0
votes

The error was that in my LDAP hierarchy I should name the group cn=ROLE_ADMIN, not cn=Admin, because I have role-prefix="ROLE_" in my security-context.xml file.