Spring security Ldap get user password from encrypted authentication cookie
Currently I have written an Ldap Spring Authentication and Authorization module with a basic http login, but now I need to get the username and password from the cookie in the request and bind them to ldap for authentication.
Below is my websecurity config class
@Configuration
@EnableWebSecurity
public class LdapSecurity extends WebSecurityConfigurerAdapter {
@Autowired
CustomLdapAuthoritiesPopulator customLdapAuthoritiesPopulator;
@Value("${ldap.config.url:ldap://192.168.1.50:389}")
private String LDAP_URL;
@Value("${ldap.config.managerdn:uid=admin,cn=users,cn=accounts,dc=example,dc=test}")
private String MANAGER_DN;
@Value("${ldap.config.managerpwd:admin123}")
private String MANAGER_PWD;
@Value("${ldap.config.basedn:cn=users,cn=accounts,dc=example,dc=test}")
private String SEARCH_BASE;
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.httpBasic().
and().authorizeRequests().
anyRequest().permitAll().
and().
csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder
.ldapAuthentication().contextSource().url(LDAP_URL)
.managerDn(MANAGER_DN)
.managerPassword(MANAGER_PWD)
.and()
.userSearchBase(SEARCH_BASE)
.userSearchFilter("uid={0}")
.ldapAuthoritiesPopulator(customLdapAuthoritiesPopulator);
}
}
Below is my CustomLdapAuthoritiesPopulator class
@Component
public class CustomLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
String[] groups = userData.getStringAttributes("memberof");
List<String> wordList = Arrays.asList(groups);
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
for (String string : wordList) {
if(string.toLowerCase().contains("cn=permissions")){
String parts[] = string.split(",");
String autho[]=parts[0].split("cn=");
System.out.println(autho[1]);
authorities.add(new SimpleGrantedAuthority(autho[1]));
}
}
return authorities;
}
}
Thank you in advance
+3
source to share
1 answer
Finally, I solved this by using a filter in front of the BasicAuthenticationFilter. Below is my modified LdapSecurity class.
@Configuration
@EnableWebSecurity
public class LdapSecurity extends WebSecurityConfigurerAdapter {
@Autowired
CustomLdapAuthoritiesPopulator customLdapAuthoritiesPopulator;
@Autowired
AuthFilter authFilter;
@Value("${ldap.config.url:ldap://192.168.1.50:389}")
private String LDAP_URL;
@Value("${ldap.config.managerdn:uid=admin,cn=users,cn=accounts,dc=example,dc=test}")
private String MANAGER_DN;
@Value("${ldap.config.managerpwd:admin123}")
private String MANAGER_PWD;
@Value("${ldap.config.basedn:cn=users,cn=accounts,dc=example,dc=test}")
private String SEARCH_BASE;
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.addFilterBefore(authFilter,BasicAuthenticationFilter.class);
httpSecurity.httpBasic().and().
authorizeRequests().
anyRequest().authenticated().
and().
csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder
.ldapAuthentication().contextSource().url(LDAP_URL)
.managerDn(MANAGER_DN)
.managerPassword(MANAGER_PWD)
.and()
.userSearchBase(SEARCH_BASE)
.userSearchFilter("uid={0}")
.ldapAuthoritiesPopulator(customLdapAuthoritiesPopulator);
}
}
Below is a custom AuthFilter class extending GenericFilter
@Component
public class AuthFilter extends GenericFilter{
private static final long serialVersionUID = 1L;
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(req);
Cookie[] cookies = mutableRequest.getCookies();
if(cookies!=null)
for (int i = 0; i < cookies.length; i++) {
if(cookies[i].getName().equals("nginxauth")){
String auth=cookies[i].getValue().replace("\"", "");
System.out.println(auth);
mutableRequest.putHeader("Authorization","Basic "+auth);
}
}
chain.doFilter(mutableRequest, response);
}
}
Below is the MutableRequestClass
final class MutableHttpServletRequest extends HttpServletRequestWrapper {
// holds custom header and value mapping
private final Map<String, String> customHeaders;
public MutableHttpServletRequest(HttpServletRequest request){
super(request);
this.customHeaders = new HashMap<String, String>();
}
public void putHeader(String name, String value){
this.customHeaders.put(name, value);
}
public String getHeader(String name) {
// check the custom headers first
String headerValue = customHeaders.get(name);
if (headerValue != null){
return headerValue;
}
// else return from into the original wrapped object
return ((HttpServletRequest) getRequest()).getHeader(name);
}
public Enumeration<String> getHeaderNames() {
// create a set of the custom header names
Set<String> set = new HashSet<String>(customHeaders.keySet());
// now add the headers from the wrapped request object
Enumeration<String> e = ((HttpServletRequest) getRequest()).getHeaderNames();
while (e.hasMoreElements()) {
// add the names of the request headers into the list
String n = e.nextElement();
set.add(n);
}
// create an enumeration from the set and return
return Collections.enumeration(set);
}
}
+2
source to share