Saturday 21 March 2009

Integrating Spring Security with Active Directory on JBOSS 4.0.5

Spring Security (formerly ACEGI) is a fairly robust and flexible framework that fits in well with a J2EE solution stack. Some of the main features that made us choose Spring were its flow transition authorization policy and its database-backed 'remember me' implementation.
Based on this, we decided to use Spring Security 2.0.4 on a JBOSS 4.0.5 server. The Spring component authenticates a user against an Active Directory through its LDAP authenticator component (org.springframework.security.providers.ldap.authenticator.BindAuthenticator) and authorizes the user using its LDAP authorities search classes (org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator & org.springframework.security.providers.ldap.LdapAuthenticationProvider).

The important thing to remember is that Spring Security maps a group name to an authority with the prefix "ROLE_", so if you have a user belonging to a group called "PG_JAVA_DEV", it would get mapped as ROLE_PG_JAVA_DEV within the security context. You can get more information on how the Spring Security LDAP component works in Chapter 10 of the Spring Security guide. A detailed example of how to set up Spring Security to talk to the Active Directory is given here.
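The following bean wiring is an added example, not the configuration from the original post, showing how the three classes named above fit together for Spring Security 2.0.x against Active Directory and how the ROLE_ mapping described above is produced. The host name, base DN, OU names, service-account DN and the `ldap.bind.password` placeholder are assumptions to be replaced with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post): Spring Security 2.0.x bean wiring for
     Active Directory. Host, base DN, OUs and the bind account are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

  <!-- Connection to the directory. ldaps:// keeps the bind credentials and the users'
       submitted passwords off the wire in clear text. The bind account only needs read
       access to the user and group containers; do not use a privileged AD account.
       "follow" avoids the PartialResultException AD raises when it returns referrals. -->
  <bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldaps://ad.example.corp:636/dc=example,dc=corp"/>
    <property name="userDn" value="cn=svc-spring-bind,ou=Service Accounts,dc=example,dc=corp"/>
    <!-- resolved by a PropertyPlaceholderConfigurer; keep the secret out of the XML -->
    <property name="password" value="${ldap.bind.password}"/>
    <property name="referral" value="follow"/>
  </bean>

  <!-- Find the user entry by sAMAccountName (relative to the base DN above), then bind as
       that entry with the submitted password. AD verifies the password; the application
       never handles a password hash. -->
  <bean id="userSearch"
        class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="ou=Users"/>
    <constructor-arg index="1" value="(sAMAccountName={0})"/>
    <constructor-arg index="2" ref="contextSource"/>
  </bean>

  <bean id="ldapAuthenticator"
        class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
    <constructor-arg ref="contextSource"/>
    <property name="userSearch" ref="userSearch"/>
  </bean>

  <!-- Every group under ou=Groups whose "member" attribute contains the user's DN becomes an
       authority: the group's cn is upper-cased and prefixed with ROLE_, so membership of
       "PG_JAVA_DEV" yields ROLE_PG_JAVA_DEV. -->
  <bean id="authoritiesPopulator"
        class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
    <constructor-arg index="0" ref="contextSource"/>
    <constructor-arg index="1" value="ou=Groups"/>
    <property name="groupSearchFilter" value="(member={0})"/>
    <property name="groupRoleAttribute" value="cn"/>
    <property name="rolePrefix" value="ROLE_"/>
    <property name="convertToUpperCase" value="true"/>
    <property name="searchSubtree" value="true"/>
  </bean>

  <bean id="ldapAuthProvider"
        class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg index="0" ref="ldapAuthenticator"/>
    <constructor-arg index="1" ref="authoritiesPopulator"/>
    <security:custom-authentication-provider/>
  </bean>

  <!-- Authorization uses the mapped role name; anything else requires a full login. -->
  <security:http auto-config="true">
    <security:intercept-url pattern="/admin/**" access="ROLE_PG_JAVA_DEV"/>
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
  </security:http>
</beans>
```

A quick way to confirm the mapping is to log the authorities on the `Authentication` after a test login: the group names should appear exactly as the `intercept-url` entries expect them (upper-cased, with the ROLE_ prefix), and a user outside the group should be denied on `/admin/**`.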

To set up Spring Security, you will need Spring Security 2.0.4 and Spring LDAP 1.3 (which have some additional dependencies mapped in them). Just map these to your Maven POM and you'll be good to go.
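As an added illustration (not from the original post) of the POM mapping, the two dependencies below are the Maven Central coordinates I would expect for those releases; treat the exact version strings as assumptions and verify them against your repository. Depending on which features you use (annotations, JSP tag libraries), further Spring Security modules may be required.

```xml
<!-- Added example (not from the original post): Maven dependencies for Spring Security 2.0.4
     and Spring LDAP 1.3. Coordinates assumed; verify against your repository. -->
<dependencies>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>2.0.4</version>
  </dependency>
  <dependency>
    <groupId>org.springframework.ldap</groupId>
    <artifactId>spring-ldap-core</artifactId>
    <version>1.3.0.RELEASE</version>
  </dependency>
</dependencies>
```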