Spring Security LDAP Authentication

1. Introduction to LDAP

LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral, industry-standard application protocol for reading and modifying distributed directory services over an IP network. A directory holds a set of entries arranged in a hierarchical tree, much like a corporate e-mail directory or a telephone directory that lists people alphabetically with their addresses and phone numbers. LDAP lets clients locate users, groups and other resources in a network, whether on the public internet or a corporate intranet. Directory servers are optimised for read-heavy workloads, so lookups are very fast, which is why LDAP is a common authentication and authorization back end for applications.


2. LDAP test server details

Note that we will be using the test LDAP server provided by ForumSys for our demo.

Directory structure on the test LDAP server looks like:

LDAP test server directory structure


Let’s check out the users who are chemists

Test LDAP Server - Chemists

Let’s check out the users who are mathematicians 

Test LDAP Server - mathematicians

Based on the directory structure provided by the test LDAP server, we will authenticate chemists and mathematicians in our Spring MVC application with the help of Spring Security. More details on the test LDAP server are available on the ForumSys site.

We can navigate, edit and maintain the LDAP server through Apache Directory Studio, which can also be installed as an Eclipse plugin.

Note that as per the available test LDAP server and the directory screenshots above, gauss is a mathematician, whereas boyle is a chemist and we will try authenticating them individually in our demo application.

3. Implementation

Let's start with the implementation of the Spring Security LDAP authentication demo application.

web.xml

Note that we have defined a web application context to be loaded through mvc-dispatcher-servlet.xml, while the springSecurityFilterChain filter is mapped to /* so that every URL is intercepted and Spring Security gets to see each request. The filter declared in web.xml is a DelegatingFilterProxy; it must be named springSecurityFilterChain because that is the name of the bean it looks up (by default) in the Spring root application context, and it delegates every doFilter() call to that bean. As a result, every incoming request passes through the Spring Security filter chain and reaches the application only after authentication and authorization have succeeded.

mvc-dispatcher-servlet.xml

applicationContext.xml

spring-security.xml

In the above security context file, the attributes specific to the LDAP module are the following.

Authentication

  1. user-search-filter: (uid={0}) locates the user's entry; {0} is replaced by the login name the user typed (for example uid=boyle). By default Spring Security then binds to the directory as the entry it found, using the supplied password, which is what verifies the credentials. The login name is passed as a filter argument rather than concatenated into the filter string, so filter metacharacters in the input do not change the query.
  2. user-search-base: The base DN under which the user entries are searched (visible in the directory structure snapshot above).

Authorization

  1. group-search-filter: (uniqueMember={0}) finds the groups the user belongs to; here {0} is replaced by the full DN (Distinguished Name) of the user entry found during authentication, and every group whose uniqueMember attribute contains that DN yields a role.
  2. group-search-base: The base DN under which the group entries (ou=chemists, ou=mathematicians) are searched (visible in the directory structure snapshot above).

After the request has been authenticated and authorized, control passes to our controller. Let's check out how the controller looks –

DemoController.java

If the user requests the /chemist URL, i.e. http://localhost:8080/SpringSecurityDemo/chemist, Spring Security's HTTP Basic authentication challenges for credentials, authenticates them against LDAP, checks the user's roles, and only then hands the request to the controller, which renders the corresponding page. Keep in mind that HTTP Basic sends the username and password base64-encoded on every request, so outside of a local demo the application must be served over HTTPS. Let's create the chemist.jsp page on which a successfully logged-in chemist lands. The same applies to mathematician.jsp.
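Because the configuration files themselves are not shown on this page, the following is an added example (not the page's own code) of the same setup expressed as Spring Security Java configuration instead of XML: the initializer registers the springSecurityFilterChain filter described under web.xml, the security configuration uses the user-search and group-search attributes listed above, and the controller maps the /chemist and /mathematician URLs. The server URL, the read-only bind DN and its password are the values the ForumSys test server publishes. The role names assume that Spring's default authorities populator maps each group's cn (chemists, mathematicians) to ROLE_CHEMISTS and ROLE_MATHEMATICIANS, and the view names assume a JSP view resolver that maps "chemist" to chemist.jsp; package and class names are my own.

```java
package com.example.ldapdemo;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

/**
 * Registers a DelegatingFilterProxy under the bean name "springSecurityFilterChain"
 * for every URL. This is the Java equivalent of the <filter> and <filter-mapping>
 * entries for springSecurityFilterChain in web.xml.
 */
public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {
}

@Configuration
@EnableWebSecurity
class LdapSecurityConfig extends WebSecurityConfigurerAdapter {

    // Connection details published for the public ForumSys test server.
    // A real deployment would keep the bind credentials out of source control and
    // use ldaps:// (port 636) or StartTLS so passwords never cross the wire in clear.
    private static final String LDAP_URL = "ldap://ldap.forumsys.com:389/dc=example,dc=com";
    private static final String MANAGER_DN = "cn=read-only-admin,dc=example,dc=com";
    private static final String MANAGER_PASSWORD = "password";

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            // Authentication: {0} is replaced with the login name, and the entry found
            // is then used for a bind with the password the user supplied.
            .userSearchFilter("(uid={0})")
            .userSearchBase("")                 // search from the root DN given in LDAP_URL
            // Authorization: {0} is replaced with the authenticated user's full DN. Each
            // matching group's cn becomes ROLE_<CN in upper case> (assumption:
            // ou=chemists -> ROLE_CHEMISTS, ou=mathematicians -> ROLE_MATHEMATICIANS).
            .groupSearchFilter("(uniqueMember={0})")
            .groupSearchBase("")
            .contextSource()
                .url(LDAP_URL)
                .managerDn(MANAGER_DN)
                .managerPassword(MANAGER_PASSWORD);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // A chemist (e.g. boyle) is denied /mathematician with HTTP 403,
                // and a mathematician (e.g. gauss) is denied /chemist.
                .antMatchers("/chemist").hasRole("CHEMISTS")
                .antMatchers("/mathematician").hasRole("MATHEMATICIANS")
                .anyRequest().authenticated()
            .and()
            .httpBasic();   // produces the browser's basic-authentication popup
    }
}

@Controller
class DemoController {

    @GetMapping("/chemist")
    public String chemist() {
        return "chemist";        // assumption: view resolver maps this to chemist.jsp
    }

    @GetMapping("/mathematician")
    public String mathematician() {
        return "mathematician";  // assumption: view resolver maps this to mathematician.jsp
    }
}
```

The authorization rules are enforced before the controller runs, so a wrong role never reaches the handler method; and because the user search and the group search both take {0} as a filter argument, the login name cannot be used to alter the LDAP query.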

chemist.jsp

mathematician.jsp

4. Running the application

To run the application, deploy it to the servlet container and start the server.

Now hit the URL – http://localhost:8080/SpringSecurityDemo/chemist

We now get to see the basic authentication popup window asking for the user credentials –

Spring Security basic authentication

Being a chemist, the user enters the username 'boyle' and the password 'password'. On successful authentication and authorization, the user is taken to the login success page chemist.jsp.

Spring Security success login page

Now let’s try if we are able to access the page for mathematician.

Spring Security unauthorized access

Note that we aren't: boyle is authenticated, but does not hold the mathematicians role, so Spring Security rejects the request with an access-denied (HTTP 403) response. This shows that authorization works as well as authentication, and a chemist cannot reach the pages meant for a mathematician. Try the same with the mathematician URL – http://localhost:8080/SpringSecurityDemo/mathematician – logging in as gauss.

5. Download source code
