152 lines
6.0 KiB
Java
152 lines
6.0 KiB
Java
/*
|
|
* Copyright 2015 the original author or authors.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
package org.springframework.security.kerberos.docs;
|
|
|
|
import org.springframework.beans.factory.annotation.Value;
|
|
import org.springframework.context.annotation.Bean;
|
|
import org.springframework.context.annotation.Configuration;
|
|
import org.springframework.core.io.FileSystemResource;
|
|
import org.springframework.security.authentication.AuthenticationManager;
|
|
import org.springframework.security.authentication.ProviderManager;
|
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
|
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
|
|
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
|
|
import org.springframework.security.kerberos.client.config.SunJaasKrb5LoginConfig;
|
|
import org.springframework.security.kerberos.client.ldap.KerberosLdapContextSource;
|
|
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
|
|
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
|
|
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
|
|
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
|
|
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
|
|
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
|
|
import org.springframework.security.web.SecurityFilterChain;
|
|
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
|
|
|
|
//tag::snippetA[]
|
|
@Configuration
|
|
@EnableWebSecurity
|
|
public class WebSecurityConfig {
|
|
|
|
@Value("${app.ad-domain}")
|
|
private String adDomain;
|
|
|
|
@Value("${app.ad-server}")
|
|
private String adServer;
|
|
|
|
@Value("${app.service-principal}")
|
|
private String servicePrincipal;
|
|
|
|
@Value("${app.keytab-location}")
|
|
private String keytabLocation;
|
|
|
|
@Value("${app.ldap-search-base}")
|
|
private String ldapSearchBase;
|
|
|
|
@Value("${app.ldap-search-filter}")
|
|
private String ldapSearchFilter;
|
|
|
|
@Bean
|
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider = kerberosServiceAuthenticationProvider();
|
|
ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider = activeDirectoryLdapAuthenticationProvider();
|
|
ProviderManager providerManager = new ProviderManager(kerberosServiceAuthenticationProvider,
|
|
activeDirectoryLdapAuthenticationProvider);
|
|
|
|
http
|
|
.authorizeHttpRequests((authz) -> authz
|
|
.requestMatchers("/", "/home").permitAll()
|
|
.anyRequest().authenticated()
|
|
)
|
|
.exceptionHandling()
|
|
.authenticationEntryPoint(spnegoEntryPoint())
|
|
.and()
|
|
.formLogin()
|
|
.loginPage("/login").permitAll()
|
|
.and()
|
|
.logout()
|
|
.permitAll()
|
|
.and()
|
|
.authenticationProvider(activeDirectoryLdapAuthenticationProvider())
|
|
.authenticationProvider(kerberosServiceAuthenticationProvider())
|
|
.addFilterBefore(spnegoAuthenticationProcessingFilter(providerManager),
|
|
BasicAuthenticationFilter.class);
|
|
|
|
return http.build();
|
|
}
|
|
|
|
@Bean
|
|
public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
|
|
return new ActiveDirectoryLdapAuthenticationProvider(adDomain, adServer);
|
|
}
|
|
|
|
@Bean
|
|
public SpnegoEntryPoint spnegoEntryPoint() {
|
|
return new SpnegoEntryPoint("/login");
|
|
}
|
|
|
|
public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
|
|
AuthenticationManager authenticationManager) {
|
|
SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
|
|
filter.setAuthenticationManager(authenticationManager);
|
|
return filter;
|
|
}
|
|
|
|
public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() throws Exception {
|
|
KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
|
|
provider.setTicketValidator(sunJaasKerberosTicketValidator());
|
|
provider.setUserDetailsService(ldapUserDetailsService());
|
|
return provider;
|
|
}
|
|
|
|
@Bean
|
|
public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
|
|
SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
|
|
ticketValidator.setServicePrincipal(servicePrincipal);
|
|
ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation));
|
|
ticketValidator.setDebug(true);
|
|
return ticketValidator;
|
|
}
|
|
|
|
@Bean
|
|
public KerberosLdapContextSource kerberosLdapContextSource() throws Exception {
|
|
KerberosLdapContextSource contextSource = new KerberosLdapContextSource(adServer);
|
|
contextSource.setLoginConfig(loginConfig());
|
|
return contextSource;
|
|
}
|
|
|
|
public SunJaasKrb5LoginConfig loginConfig() throws Exception {
|
|
SunJaasKrb5LoginConfig loginConfig = new SunJaasKrb5LoginConfig();
|
|
loginConfig.setKeyTabLocation(new FileSystemResource(keytabLocation));
|
|
loginConfig.setServicePrincipal(servicePrincipal);
|
|
loginConfig.setDebug(true);
|
|
loginConfig.setIsInitiator(true);
|
|
loginConfig.afterPropertiesSet();
|
|
return loginConfig;
|
|
}
|
|
|
|
@Bean
|
|
public LdapUserDetailsService ldapUserDetailsService() throws Exception {
|
|
FilterBasedLdapUserSearch userSearch =
|
|
new FilterBasedLdapUserSearch(ldapSearchBase, ldapSearchFilter, kerberosLdapContextSource());
|
|
LdapUserDetailsService service =
|
|
new LdapUserDetailsService(userSearch, new ActiveDirectoryLdapAuthoritiesPopulator());
|
|
service.setUserDetailsMapper(new LdapUserDetailsMapper());
|
|
return service;
|
|
}
|
|
}
|
|
//end::snippetA[]
|