diff --git a/spring-security-kerberos-samples/sec-server-win-auth/src/main/java/demo/app/ActiveDirectoryLdapAuthoritiesPopulator.java b/spring-security-kerberos-samples/sec-server-win-auth/src/main/java/demo/app/ActiveDirectoryLdapAuthoritiesPopulator.java
new file mode 100644
index 0000000..eefa6eb
--- /dev/null
+++ b/spring-security-kerberos-samples/sec-server-win-auth/src/main/java/demo/app/ActiveDirectoryLdapAuthoritiesPopulator.java
@@ -0,0 +1,34 @@
+package demo.app;
+
+import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.ldap.core.DistinguishedName;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+public class ActiveDirectoryLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
+
+    @Override
+    public Collection getGrantedAuthorities(DirContextOperations userData, String username) {
+        String[] groups = userData.getStringAttributes("memberOf");
+
+        if (groups == null) {
+            return AuthorityUtils.NO_AUTHORITIES;
+        }
+
+        ArrayList authorities = new ArrayList(
+                groups.length);
+
+        for (String group : groups) {
+            authorities.add(new SimpleGrantedAuthority(new DistinguishedName(group)
+                    .removeLast().getValue()));
+        }
+
+        return authorities;
+    }
+
+}
diff --git a/spring-security-kerberos-samples/sec-server-win-auth/src/main/java/demo/app/WebSecurityConfig.java b/spring-security-kerberos-samples/sec-server-win-auth/src/main/java/demo/app/WebSecurityConfig.java
index 5f588e1..240209b 100644
--- a/spring-security-kerberos-samples/sec-server-win-auth/src/main/java/demo/app/WebSecurityConfig.java
+++ b/spring-security-kerberos-samples/sec-server-win-auth/src/main/java/demo/app/WebSecurityConfig.java
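Review bot: getGrantedAuthorities names each authority by the leaf RDN value of the memberOf DN alone (`new DistinguishedName(group).removeLast().getValue()`), so the full DN that actually identifies a group is discarded before any access decision and two groups with the same CN in different OUs become one indistinguishable authority; if a downstream check compares against a fixed role name, the populator should match on the complete DN (or a configured list of group DNs) and map from there, and only the DNs present in memberOf are used, with no attempt at nested-group expansion. The method also uses raw `Collection` and `ArrayList` while `GrantedAuthority` is imported and unused; `public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username)` with `List<GrantedAuthority> authorities = new ArrayList<>(groups.length)` matches the interface and removes the unchecked warning. `DistinguishedName` is deprecated in Spring LDAP 2.x in favour of `LdapName`/`LdapUtils`, if that is the version in use here. A class comment should state the mapping and its limits, e.g. `/** Maps each DN in the user's memberOf attribute to an authority named after the group's leaf RDN value (CN=Admins,OU=... -> "Admins"); no ROLE_ prefix is added, nested groups are not expanded, and same-named groups in different containers collapse into one authority. */`.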
@@ -90,7 +90,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     }
 
     @Bean
-    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
+    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() throws Exception {
         KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
         provider.setTicketValidator(sunJaasKerberosTicketValidator());
         provider.setUserDetailsService(ldapUserDetailsService());
@@ -107,29 +107,35 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { } @Bean - public KerberosLdapContextSource kerberosLdapContextSource() { + public KerberosLdapContextSource kerberosLdapContextSource() throws Exception { KerberosLdapContextSource contextSource = new KerberosLdapContextSource(adServer); contextSource.setLoginConfig(loginConfig()); return contextSource; } - @Bean - public SunJaasKrb5LoginConfig loginConfig() { + public SunJaasKrb5LoginConfig loginConfig() throws Exception { SunJaasKrb5LoginConfig loginConfig = new SunJaasKrb5LoginConfig(); loginConfig.setKeyTabLocation(new FileSystemResource(keytabLocation)); loginConfig.setServicePrincipal(servicePrincipal); loginConfig.setDebug(true); loginConfig.setIsInitiator(true); + loginConfig.afterPropertiesSet(); return loginConfig; } @Bean - public LdapUserDetailsService ldapUserDetailsService() { + public LdapUserDetailsService ldapUserDetailsService() throws Exception { FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(ldapSearchBase, ldapSearchFilter, kerberosLdapContextSource()); - LdapUserDetailsService service = new LdapUserDetailsService(userSearch); + LdapUserDetailsService service = + new LdapUserDetailsService(userSearch, new ActiveDirectoryLdapAuthoritiesPopulator()); service.setUserDetailsMapper(new LdapUserDetailsMapper()); return service; } + @Bean + @Override + public AuthenticationManager authenticationManagerBean() throws Exception { + return super.authenticationManagerBean(); + } }
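Review bot: `loginConfig()` loses its `@Bean` annotation in this hunk and gains an explicit `loginConfig.afterPropertiesSet()`, which is required precisely because Spring no longer drives the InitializingBean callback for a plain factory method, but nothing in the code says so; the next maintainer can re-add `@Bean` and initialise twice, or drop the call and hand an unbuilt JAAS config to the first LDAP bind. A one-line comment on the new call, `// plain factory method, not a @Bean: Spring will not call afterPropertiesSet() for us`, records that dependency, and since the method now builds a fresh SunJaasKrb5LoginConfig per call it is worth noting that `kerberosLdapContextSource()` is the only caller visible in this hunk. The adjacent `loginConfig.setDebug(true)` is kept, which writes a verbose Kerberos/JAAS login trace for the service principal to stdout; acceptable in a sample, but a `// sample only; disable in real deployments` note beside it would prevent it being copied as-is. The `throws Exception` added to the bean methods is forced by `afterPropertiesSet()` and `super.authenticationManagerBean()` both declaring it, so that part cannot be narrowed.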