| /*
 | |
|  * Copyright 2004-present the original author or authors.
 | |
|  *
 | |
|  * Licensed under the Apache License, Version 2.0 (the "License");
 | |
|  * you may not use this file except in compliance with the License.
 | |
|  * You may obtain a copy of the License at
 | |
|  *
 | |
|  *      https://www.apache.org/licenses/LICENSE-2.0
 | |
|  *
 | |
|  * Unless required by applicable law or agreed to in writing, software
 | |
|  * distributed under the License is distributed on an "AS IS" BASIS,
 | |
|  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | |
|  * See the License for the specific language governing permissions and
 | |
|  * limitations under the License.
 | |
|  */
 | |
| 
 | |
| package org.springframework.security.kerberos.docs;
 | |
| 
 | |
| import org.springframework.beans.factory.annotation.Value;
 | |
| import org.springframework.context.annotation.Bean;
 | |
| import org.springframework.context.annotation.Configuration;
 | |
| import org.springframework.core.io.FileSystemResource;
 | |
| import org.springframework.security.authentication.AuthenticationManager;
 | |
| import org.springframework.security.authentication.ProviderManager;
 | |
| import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 | |
| import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 | |
| import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
 | |
| import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
 | |
| import org.springframework.security.kerberos.client.config.SunJaasKrb5LoginConfig;
 | |
| import org.springframework.security.kerberos.client.ldap.KerberosLdapContextSource;
 | |
| import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
 | |
| import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
 | |
| import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
 | |
| import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 | |
| import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
 | |
| import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
 | |
| import org.springframework.security.web.SecurityFilterChain;
 | |
| import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 | |
| 
 | |
| //tag::snippetA[]
 | |
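/**
 * Web security for the sample: SPNEGO/Kerberos single sign-on for clients that can
 * negotiate, with a username/password form login against Active Directory as the
 * fallback. Service tickets are validated with the service keytab; user details for
 * Kerberos logins are looked up over an LDAP connection that itself authenticates with
 * that keytab. All connection details come from {@code app.*} properties.
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

	/** Active Directory domain used by the username/password (form login) provider. */
	@Value("${app.ad-domain}")
	private String adDomain;

	/** LDAP URL of the Active Directory server; used for form login and for user lookups. */
	@Value("${app.ad-server}")
	private String adServer;

	/** Kerberos service principal of this application, i.e. the SPNEGO acceptor identity. */
	@Value("${app.service-principal}")
	private String servicePrincipal;

	/**
	 * Path of the keytab holding the service principal's long-term key. The keytab is
	 * equivalent to the service account's password: keep it readable only by the account
	 * the application runs as, and rotate it with the account.
	 */
	@Value("${app.keytab-location}")
	private String keytabLocation;

	/** Base DN under which authenticated principals are searched. */
	@Value("${app.ldap-search-base}")
	private String ldapSearchBase;

	/** LDAP search filter for the principal lookup (see {@link FilterBasedLdapUserSearch}). */
	@Value("${app.ldap-search-filter}")
	private String ldapSearchFilter;

	/**
	 * JAAS/Krb5 debug switch applied to the ticket validator and the LDAP login config.
	 * Defaults to {@code true} so the sample keeps its troubleshooting output; set
	 * {@code app.kerberos-debug=false} outside development — the output is verbose, goes to
	 * stdout, and in some JDK versions has included key material read from the keytab.
	 */
	@Value("${app.kerberos-debug:true}")
	private boolean kerberosDebug;

	/**
	 * Builds the filter chain: public landing pages, everything else authenticated, SPNEGO
	 * negotiation in front of HTTP Basic, and a form login for clients that cannot negotiate.
	 * @param http the {@link HttpSecurity} to configure
	 * @return the built {@link SecurityFilterChain}
	 * @throws Exception if any of the configurers fail
	 */
	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		KerberosServiceAuthenticationProvider kerberosProvider = kerberosServiceAuthenticationProvider();
		ActiveDirectoryLdapAuthenticationProvider adProvider = activeDirectoryLdapAuthenticationProvider();
		// Dedicated manager for the SPNEGO filter; the form-login path uses the providers
		// registered on HttpSecurity below.
		ProviderManager spnegoAuthenticationManager = new ProviderManager(kerberosProvider, adProvider);

		http
			.authorizeHttpRequests((authz) -> authz
				.requestMatchers("/", "/home").permitAll()
				.anyRequest().authenticated()
			)
			// SpnegoEntryPoint issues the Negotiate challenge; /login is its fallback page.
			.exceptionHandling((exceptions) -> exceptions
				.authenticationEntryPoint(spnegoEntryPoint())
			)
			.formLogin((form) -> form
				.loginPage("/login").permitAll()
			)
			.logout((logout) -> logout.permitAll())
			// Reuse the instances created above: kerberosServiceAuthenticationProvider() is not a
			// @Bean, so calling it again would build a second, container-unmanaged provider.
			.authenticationProvider(adProvider)
			.authenticationProvider(kerberosProvider)
			.addFilterBefore(spnegoAuthenticationProcessingFilter(spnegoAuthenticationManager),
				BasicAuthenticationFilter.class);

		return http.build();
	}

	/**
	 * Username/password provider for the form login, binding to Active Directory with the
	 * configured domain and server.
	 * @return the Active Directory authentication provider
	 */
	@Bean
	public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
		return new ActiveDirectoryLdapAuthenticationProvider(adDomain, adServer);
	}

	/**
	 * Entry point that starts SPNEGO negotiation, with {@code /login} as the page for
	 * clients that do not negotiate.
	 * @return the SPNEGO entry point
	 */
	@Bean
	public SpnegoEntryPoint spnegoEntryPoint() {
		return new SpnegoEntryPoint("/login");
	}

	/**
	 * Filter that extracts the Negotiate token from the request and authenticates it with
	 * the given manager. Not a {@code @Bean} on purpose: it is wired into the chain by
	 * {@link #filterChain(HttpSecurity)} and must not be registered a second time by the
	 * servlet container.
	 * @param authenticationManager the manager holding the Kerberos provider
	 * @return the configured SPNEGO filter
	 */
	public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
			AuthenticationManager authenticationManager) {
		SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
		filter.setAuthenticationManager(authenticationManager);
		return filter;
	}

	/**
	 * Provider that validates the presented Kerberos service ticket against the keytab and
	 * then loads the user's details from LDAP.
	 * @return the Kerberos service authentication provider
	 * @throws Exception if the LDAP user details service cannot be created
	 */
	public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() throws Exception {
		KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
		provider.setTicketValidator(sunJaasKerberosTicketValidator());
		provider.setUserDetailsService(ldapUserDetailsService());
		return provider;
	}

	/**
	 * Ticket validator backed by the service principal's keytab.
	 * @return the ticket validator
	 */
	@Bean
	public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
		SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
		ticketValidator.setServicePrincipal(servicePrincipal);
		ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation));
		// Driven by app.kerberos-debug; keep it off outside development.
		ticketValidator.setDebug(kerberosDebug);
		return ticketValidator;
	}

	/**
	 * LDAP context source that authenticates to the directory with Kerberos using the
	 * service keytab (see {@link #loginConfig()}).
	 * @return the Kerberos-authenticated LDAP context source
	 * @throws Exception if the login configuration cannot be initialised
	 */
	@Bean
	public KerberosLdapContextSource kerberosLdapContextSource() throws Exception {
		KerberosLdapContextSource contextSource = new KerberosLdapContextSource(adServer);
		contextSource.setLoginConfig(loginConfig());
		return contextSource;
	}

	/**
	 * JAAS login configuration used for the LDAP bind: the application acts as initiator
	 * with the service principal's keytab, so the LDAP lookups run under the service
	 * account's own identity. Grant that account only the read access the lookups need.
	 * Not a {@code @Bean}, hence {@code afterPropertiesSet()} is invoked by hand.
	 * @return the initialised login configuration
	 * @throws Exception if initialisation fails
	 */
	public SunJaasKrb5LoginConfig loginConfig() throws Exception {
		SunJaasKrb5LoginConfig loginConfig = new SunJaasKrb5LoginConfig();
		loginConfig.setKeyTabLocation(new FileSystemResource(keytabLocation));
		loginConfig.setServicePrincipal(servicePrincipal);
		// Driven by app.kerberos-debug; keep it off outside development.
		loginConfig.setDebug(kerberosDebug);
		loginConfig.setIsInitiator(true);
		loginConfig.afterPropertiesSet();
		return loginConfig;
	}

	/**
	 * Loads user details and Active Directory group authorities for a Kerberos-authenticated
	 * principal via the configured search base and filter.
	 * @return the LDAP user details service
	 * @throws Exception if the context source cannot be created
	 */
	@Bean
	public LdapUserDetailsService ldapUserDetailsService() throws Exception {
		FilterBasedLdapUserSearch userSearch =
				new FilterBasedLdapUserSearch(ldapSearchBase, ldapSearchFilter, kerberosLdapContextSource());
		LdapUserDetailsService service =
				new LdapUserDetailsService(userSearch, new ActiveDirectoryLdapAuthoritiesPopulator());
		service.setUserDetailsMapper(new LdapUserDetailsMapper());
		return service;
	}
}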
 | |
| //end::snippetA[]
 |