Reputation: 61
Hi, I am new to Spring Security.
My task is to authenticate a user against Active Directory by matching the username retrieved from the X.509 client certificate.
So far what I did is enable SSL mutual authentication.
That part is working fine. Now I have a security.xml file in which I have configured everything related to the X.509 reference and the Active Directory configuration:
    <global-method-security secured-annotations="enabled" />

    <http>
        <!-- intercept-url rules are matched in order: the specific pattern must come before /** -->
        <intercept-url pattern="/UserLogin/*" access="ROLE_ADMIN,ROLE_USER" requires-channel="https"/>
        <intercept-url pattern="/**" access="ROLE_USER,ROLE_ANONYMOUS" requires-channel="https"/>
        <!-- group 1 of the regex becomes the username passed to ldapUserService -->
        <x509 subject-principal-regex="CN=(.*?)," user-service-ref="ldapUserService" />
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="ldapUserService" />
    </authentication-manager>

    <bean:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <bean:constructor-arg value="ldap://ActiveDirectoryURL:389/CN=example,DC=net"/>
        <!-- bind (service) account used for the directory searches; keep this credential out of source control -->
        <bean:property name="userDn" value="[email protected]"/>
        <bean:property name="password" value="secuera1SMK"/>
    </bean:bean>

    <bean:bean name="ldapUserService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
        <bean:constructor-arg ref="ldapUserSearch"/>
        <bean:constructor-arg ref="ldapAuthoritiesPopulator"/>
    </bean:bean>

    <bean:bean name="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <bean:constructor-arg value=""/>
        <!-- '&' must be escaped in XML; AD user accounts have objectClass "user", not "Users" -->
        <bean:constructor-arg value="(&amp;(sAMAccountName={0})(objectClass=user))"/>
        <bean:constructor-arg ref="contextSource" />
    </bean:bean>

    <bean:bean name="ldapAuthoritiesPopulator"
               class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <bean:constructor-arg ref="contextSource" />
        <bean:constructor-arg value="" />
        <!-- {0} is the DN of the user entry found by ldapUserSearch -->
        <bean:property name="groupSearchFilter" value="member={0}" />
        <bean:property name="searchSubtree" value="true" />
    </bean:bean>
Now the problem I am facing is that when I try to retrieve
SecurityContextHolder.getContext().getAuthentication().getPrincipal(); its return type is String rather than UserDetails (the certificate details used while logging in). The String output of getPrincipal() is anonymousUser and the authority it gives is ROLE_ANONYMOUS, but when I call getAuthentication().isAuthenticated() it returns true.
I am using Tomcat 7 and Spring Security 3.1.
What might be the problem? Please help me in this regard.
Upvotes: 1
Views: 2324
Reputation: 22752
With your configuration, the username which is extracted from the certificate will be "Mohankumar Kanaka" and that is what Spring Security will try to use for authentication.
With your LDAP configuration, it will search for a directory entry with a sAMAccountName attribute matching this (which it doesn't find).
You will need some way of mapping the name in the certificate to an Active Directory entry. There's no way Spring Security can do that for you automatically. Ideally part of the subject name in the certificate should match to the AD user name so you can extract it easily.
Upvotes: 0
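One way to do the mapping the answer asks for, as an added example that is not code from the original question or answer: a custom X509PrincipalExtractor that prefers the Active Directory UPN carried in the certificate's subjectAltName (the Microsoft otherName with OID 1.3.6.1.4.1.311.20.2.3, present on AD-issued logon certificates) and falls back to the subject CN, which is all the namespace <x509> element can do. The package name, the class name, the sample UPN "mkanaka@example.net" and the constructed DER bytes in main() are assumptions for illustration; the Spring Security types are the real 3.1 API.

```java
package com.example.security; // hypothetical package, not from the original post

import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

/**
 * Maps a client certificate to an AD logon name.
 * 1. If the certificate carries a Microsoft UPN SAN (user@domain), the part before '@'
 *    is returned, which matches a (sAMAccountName={0}) search filter.
 * 2. Otherwise the first CN of the subject DN is returned, which only works when the
 *    CN really is the logon name (not "Mohankumar Kanaka" as in the question).
 */
public class AdLogonNameX509PrincipalExtractor implements X509PrincipalExtractor {

    /** DER encoding of OID 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN otherName). */
    private static final byte[] UPN_OID = {
        0x2B, 0x06, 0x01, 0x04, 0x01, (byte) 0x82, 0x37, 0x14, 0x02, 0x03 };
    private static final int SAN_OTHER_NAME = 0;
    // getSubjectX500Principal().getName() yields RFC 2253 form: no space after ','.
    private static final Pattern CN = Pattern.compile("CN=(.*?)(?:,|$)", Pattern.CASE_INSENSITIVE);

    public Object extractPrincipal(X509Certificate cert) {
        String upn = upnFromSan(cert);
        if (upn != null) {
            int at = upn.indexOf('@');
            return at > 0 ? upn.substring(0, at) : upn;
        }
        Matcher m = CN.matcher(cert.getSubjectX500Principal().getName());
        if (!m.find()) {
            throw new BadCredentialsException("Client certificate has neither a UPN SAN nor a subject CN");
        }
        return m.group(1);
    }

    static String upnFromSan(X509Certificate cert) {
        Collection<List<?>> sans;
        try {
            sans = cert.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            throw new BadCredentialsException("Unparseable subjectAltName extension", e);
        }
        if (sans == null) return null;
        for (List<?> san : sans) {
            // the JDK returns otherName entries as the DER bytes of the OtherName SEQUENCE
            if (SAN_OTHER_NAME == (Integer) san.get(0) && san.get(1) instanceof byte[]) {
                String upn = decodeUpnOtherName((byte[]) san.get(1));
                if (upn != null) return upn;
            }
        }
        return null;
    }

    /** OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }; null unless it is a UPN. */
    static String decodeUpnOtherName(byte[] der) {
        int[] seq = tlv(der, 0, 0x30);
        if (seq == null) return null;
        int[] oid = tlv(der, seq[0], 0x06);
        if (oid == null || !Arrays.equals(Arrays.copyOfRange(der, oid[0], oid[0] + oid[1]), UPN_OID)) return null;
        int[] ctx = tlv(der, oid[0] + oid[1], 0xA0);
        if (ctx == null) return null;
        int[] utf8 = tlv(der, ctx[0], 0x0C);
        if (utf8 == null) return null;
        return new String(der, utf8[0], utf8[1], StandardCharsets.UTF_8);
    }

    /** Minimal DER TLV reader: {valueOffset, valueLength} if the tag at off matches, else null. */
    private static int[] tlv(byte[] b, int off, int tag) {
        if (off + 2 > b.length || (b[off] & 0xFF) != tag) return null;
        int len = b[off + 1] & 0xFF;
        int pos = off + 2;
        if (len >= 0x80) {                     // long form: next (len & 0x7F) bytes hold the length
            int n = len & 0x7F;
            if (n == 0 || n > 3 || pos + n > b.length) return null;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[pos++] & 0xFF);
        }
        return pos + len > b.length ? null : new int[] { pos, len };
    }

    /** Self-check on a constructed OtherName (sample UPN, not from the post). */
    public static void main(String[] args) {
        byte[] upn = "mkanaka@example.net".getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(0x30); out.write(12 + 2 + 2 + upn.length);        // SEQUENCE
        out.write(0x06); out.write(UPN_OID.length); out.write(UPN_OID, 0, UPN_OID.length);
        out.write(0xA0); out.write(2 + upn.length);                 // [0] EXPLICIT
        out.write(0x0C); out.write(upn.length); out.write(upn, 0, upn.length);  // UTF8String
        String decoded = decodeUpnOtherName(out.toByteArray());
        if (!"mkanaka@example.net".equals(decoded)) throw new AssertionError(decoded);
        System.out.println("decoded UPN: " + decoded);
    }
}
```

To use it with Spring Security 3.1, replace the <x509> element with <custom-filter position="X509_FILTER" ref="x509Filter"/>, declare an org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter bean whose principalExtractor property is this class and whose authenticationManager is the manager above, and give the manager an org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider whose preAuthenticatedUserDetailsService is an org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper around ldapUserService. Two caveats worth keeping in mind with the question's setup: the TLS handshake, not this extractor, is what proves the client holds the key, so the mapping is only as good as the CA the container trusts; and the anonymousUser symptom is expected, because when the certificate lookup fails the AnonymousAuthenticationFilter installs an AnonymousAuthenticationToken, which reports isAuthenticated() as true and satisfies the ROLE_ANONYMOUS rule on /**, so test with instanceof AnonymousAuthenticationToken (or drop ROLE_ANONYMOUS from protected URLs) rather than relying on isAuthenticated().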