diff --git a/spring-security-kerberos-docs/modules/ROOT/examples/AuthProviderConfig.java b/spring-security-kerberos-docs/modules/ROOT/examples/AuthProviderConfig.java
index 103f064..2b166a5 100644
--- a/spring-security-kerberos-docs/modules/ROOT/examples/AuthProviderConfig.java
+++ b/spring-security-kerberos-docs/modules/ROOT/examples/AuthProviderConfig.java
@@ -15,55 +15,104 @@
*/
package org.springframework.security.kerberos.docs;
+import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.core.io.FileSystemResource;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider;
+import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient;
+import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
+import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
+import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
//tag::snippetA[]
@Configuration
-@EnableWebMvcSecurity
-public class AuthProviderConfig extends WebSecurityConfigurerAdapter {
+@EnableWebSecurity
+public class WebSecurityConfig {
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- http
- .authorizeRequests()
- .antMatchers("/", "/home").permitAll()
- .anyRequest().authenticated()
- .and()
- .formLogin()
- .loginPage("/login").permitAll()
- .and()
- .logout()
- .permitAll();
- }
+ @Value("${app.service-principal}")
+ private String servicePrincipal;
- @Override
- protected void configure(AuthenticationManagerBuilder auth) throws Exception {
- auth
- .authenticationProvider(kerberosAuthenticationProvider());
- }
+ @Value("${app.keytab-location}")
+ private String keytabLocation;
- @Bean
- public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
- KerberosAuthenticationProvider provider =
- new KerberosAuthenticationProvider();
- SunJaasKerberosClient client = new SunJaasKerberosClient();
- client.setDebug(true);
- provider.setKerberosClient(client);
- provider.setUserDetailsService(dummyUserDetailsService());
- return provider;
- }
+ @Bean
+ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ KerberosAuthenticationProvider kerberosAuthenticationProvider = kerberosAuthenticationProvider();
+ KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider = kerberosServiceAuthenticationProvider();
+ ProviderManager providerManager = new ProviderManager(kerberosAuthenticationProvider,
+ kerberosServiceAuthenticationProvider);
- @Bean
- public DummyUserDetailsService dummyUserDetailsService() {
- return new DummyUserDetailsService();
- }
+ http
+ .authorizeHttpRequests((authz) -> authz
+ .requestMatchers("/", "/home").permitAll()
+ .anyRequest().authenticated()
+ )
+ .exceptionHandling()
+ .authenticationEntryPoint(spnegoEntryPoint())
+ .and()
+ .formLogin()
+ .loginPage("/login").permitAll()
+ .and()
+ .logout()
+ .permitAll()
+ .and()
+ .authenticationProvider(kerberosAuthenticationProvider())
+ .authenticationProvider(kerberosServiceAuthenticationProvider())
+ .addFilterBefore(spnegoAuthenticationProcessingFilter(providerManager),
+ BasicAuthenticationFilter.class);
+ return http.build();
+ }
+ @Bean
+ public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
+ KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
+ SunJaasKerberosClient client = new SunJaasKerberosClient();
+ client.setDebug(true);
+ provider.setKerberosClient(client);
+ provider.setUserDetailsService(dummyUserDetailsService());
+ return provider;
+ }
+
+ @Bean
+ public SpnegoEntryPoint spnegoEntryPoint() {
+ return new SpnegoEntryPoint("/login");
+ }
+
+ public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
+ AuthenticationManager authenticationManager) {
+ SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
+ filter.setAuthenticationManager(authenticationManager);
+ return filter;
+ }
+
+ @Bean
+ public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
+ KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
+ provider.setTicketValidator(sunJaasKerberosTicketValidator());
+ provider.setUserDetailsService(dummyUserDetailsService());
+ return provider;
+ }
+
+ @Bean
+ public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
+ SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
+ ticketValidator.setServicePrincipal(servicePrincipal);
+ ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation));
+ ticketValidator.setDebug(true);
+ return ticketValidator;
+ }
+
+ @Bean
+ public DummyUserDetailsService dummyUserDetailsService() {
+ return new DummyUserDetailsService();
+ }
}
//end::snippetA[]
diff --git a/spring-security-kerberos-docs/modules/ROOT/examples/AuthProviderConfig.xml b/spring-security-kerberos-docs/modules/ROOT/examples/AuthProviderConfig.xml
deleted file mode 100644
index a71c001..0000000
--- a/spring-security-kerberos-docs/modules/ROOT/examples/AuthProviderConfig.xml
+++ /dev/null
@@ -1,47 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/spring-security-kerberos-docs/modules/ROOT/examples/SpnegoConfig.java b/spring-security-kerberos-docs/modules/ROOT/examples/SpnegoConfig.java
index 8704fc1..4ac1f87 100644
--- a/spring-security-kerberos-docs/modules/ROOT/examples/SpnegoConfig.java
+++ b/spring-security-kerberos-docs/modules/ROOT/examples/SpnegoConfig.java
@@ -15,104 +15,137 @@
*/
package org.springframework.security.kerberos.docs;
+import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
-import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
-import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
+import org.springframework.security.kerberos.client.config.SunJaasKrb5LoginConfig;
+import org.springframework.security.kerberos.client.ldap.KerberosLdapContextSource;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
+import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
+import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
+import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
+import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
+import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
//tag::snippetA[]
@Configuration
-@EnableWebMvcSecurity
-public class SpnegoConfig extends WebSecurityConfigurerAdapter {
+@EnableWebSecurity
+public class WebSecurityConfig {
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- http
- .exceptionHandling()
- .authenticationEntryPoint(spnegoEntryPoint())
- .and()
- .authorizeRequests()
- .antMatchers("/", "/home").permitAll()
- .anyRequest().authenticated()
- .and()
- .formLogin()
- .loginPage("/login").permitAll()
- .and()
- .logout()
- .permitAll()
- .and()
- .addFilterBefore(
- spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
- BasicAuthenticationFilter.class);
- }
+ @Value("${app.ad-domain}")
+ private String adDomain;
- @Override
- protected void configure(AuthenticationManagerBuilder auth)
- throws Exception {
- auth
- .authenticationProvider(kerberosAuthenticationProvider())
- .authenticationProvider(kerberosServiceAuthenticationProvider());
- }
+ @Value("${app.ad-server}")
+ private String adServer;
- @Bean
- public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
- KerberosAuthenticationProvider provider =
- new KerberosAuthenticationProvider();
- SunJaasKerberosClient client = new SunJaasKerberosClient();
- client.setDebug(true);
- provider.setKerberosClient(client);
- provider.setUserDetailsService(dummyUserDetailsService());
- return provider;
- }
+ @Value("${app.service-principal}")
+ private String servicePrincipal;
- @Bean
- public SpnegoEntryPoint spnegoEntryPoint() {
- return new SpnegoEntryPoint("/login");
- }
+ @Value("${app.keytab-location}")
+ private String keytabLocation;
- @Bean
- public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
- AuthenticationManager authenticationManager) {
- SpnegoAuthenticationProcessingFilter filter =
- new SpnegoAuthenticationProcessingFilter();
- filter.setAuthenticationManager(authenticationManager);
- return filter;
- }
+ @Value("${app.ldap-search-base}")
+ private String ldapSearchBase;
- @Bean
- public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
- KerberosServiceAuthenticationProvider provider =
- new KerberosServiceAuthenticationProvider();
- provider.setTicketValidator(sunJaasKerberosTicketValidator());
- provider.setUserDetailsService(dummyUserDetailsService());
- return provider;
- }
+ @Value("${app.ldap-search-filter}")
+ private String ldapSearchFilter;
- @Bean
- public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
- SunJaasKerberosTicketValidator ticketValidator =
- new SunJaasKerberosTicketValidator();
- ticketValidator.setServicePrincipal("HTTP/servicehost.example.org@EXAMPLE.ORG");
- ticketValidator.setKeyTabLocation(new FileSystemResource("/tmp/service.keytab"));
- ticketValidator.setDebug(true);
- return ticketValidator;
- }
+ @Bean
+ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider = kerberosServiceAuthenticationProvider();
+ ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider = activeDirectoryLdapAuthenticationProvider();
+ ProviderManager providerManager = new ProviderManager(kerberosServiceAuthenticationProvider,
+ activeDirectoryLdapAuthenticationProvider);
- @Bean
- public DummyUserDetailsService dummyUserDetailsService() {
- return new DummyUserDetailsService();
- }
+ http
+ .authorizeHttpRequests((authz) -> authz
+ .requestMatchers("/", "/home").permitAll()
+ .anyRequest().authenticated()
+ )
+ .exceptionHandling()
+ .authenticationEntryPoint(spnegoEntryPoint())
+ .and()
+ .formLogin()
+ .loginPage("/login").permitAll()
+ .and()
+ .logout()
+ .permitAll()
+ .and()
+ .authenticationProvider(activeDirectoryLdapAuthenticationProvider())
+ .authenticationProvider(kerberosServiceAuthenticationProvider())
+ .addFilterBefore(spnegoAuthenticationProcessingFilter(providerManager),
+ BasicAuthenticationFilter.class);
+ return http.build();
+ }
+
+ @Bean
+ public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
+ return new ActiveDirectoryLdapAuthenticationProvider(adDomain, adServer);
+ }
+
+ @Bean
+ public SpnegoEntryPoint spnegoEntryPoint() {
+ return new SpnegoEntryPoint("/login");
+ }
+
+ public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
+ AuthenticationManager authenticationManager) {
+ SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
+ filter.setAuthenticationManager(authenticationManager);
+ return filter;
+ }
+
+ public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() throws Exception {
+ KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
+ provider.setTicketValidator(sunJaasKerberosTicketValidator());
+ provider.setUserDetailsService(ldapUserDetailsService());
+ return provider;
+ }
+
+ @Bean
+ public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
+ SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
+ ticketValidator.setServicePrincipal(servicePrincipal);
+ ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation));
+ ticketValidator.setDebug(true);
+ return ticketValidator;
+ }
+
+ @Bean
+ public KerberosLdapContextSource kerberosLdapContextSource() throws Exception {
+ KerberosLdapContextSource contextSource = new KerberosLdapContextSource(adServer);
+ contextSource.setLoginConfig(loginConfig());
+ return contextSource;
+ }
+
+ public SunJaasKrb5LoginConfig loginConfig() throws Exception {
+ SunJaasKrb5LoginConfig loginConfig = new SunJaasKrb5LoginConfig();
+ loginConfig.setKeyTabLocation(new FileSystemResource(keytabLocation));
+ loginConfig.setServicePrincipal(servicePrincipal);
+ loginConfig.setDebug(true);
+ loginConfig.setIsInitiator(true);
+ loginConfig.afterPropertiesSet();
+ return loginConfig;
+ }
+
+ @Bean
+ public LdapUserDetailsService ldapUserDetailsService() throws Exception {
+ FilterBasedLdapUserSearch userSearch =
+ new FilterBasedLdapUserSearch(ldapSearchBase, ldapSearchFilter, kerberosLdapContextSource());
+ LdapUserDetailsService service =
+ new LdapUserDetailsService(userSearch, new ActiveDirectoryLdapAuthoritiesPopulator());
+ service.setUserDetailsMapper(new LdapUserDetailsMapper());
+ return service;
+ }
}
//end::snippetA[]
diff --git a/spring-security-kerberos-docs/modules/ROOT/examples/SpnegoConfig.xml b/spring-security-kerberos-docs/modules/ROOT/examples/SpnegoConfig.xml
deleted file mode 100644
index 5a05b8f..0000000
--- a/spring-security-kerberos-docs/modules/ROOT/examples/SpnegoConfig.xml
+++ /dev/null
@@ -1,63 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/spring-security-kerberos-docs/modules/ROOT/pages/ssk.adoc b/spring-security-kerberos-docs/modules/ROOT/pages/ssk.adoc
index a720121..b1e66db 100644
--- a/spring-security-kerberos-docs/modules/ROOT/pages/ssk.adoc
+++ b/spring-security-kerberos-docs/modules/ROOT/pages/ssk.adoc
@@ -21,13 +21,6 @@ Provider configuration using JavaConfig.
include::example$AuthProviderConfig.java[tags=snippetA]
----
-Provider configuration using xml.
-
-[source,xml,indent=0]
-----
-include::example$AuthProviderConfig.xml[tags=snippetA]
-----
-
[[ssk-spnego]]
== Spnego Negotiate
@@ -38,13 +31,6 @@ Spnego configuration using JavaConfig.
include::example$SpnegoConfig.java[tags=snippetA]
----
-Spnego configuration using xml.
-
-[source,xml,indent=0]
-----
-include::example$SpnegoConfig.xml[tags=snippetA]
-----
-
[[ssk-resttemplate]]
== Using KerberosRestTemplate