Using Spring Security in Grails with CAS and LDAP

Published 2020-06-28 02:02

Question:

I am trying to set up Spring Security in Grails authenticating against CAS and authorizing against LDAP. I have found several examples (I have about 20 browser tabs open right now), but none of them answer the whole question. Most of the examples are Grails + CAS or Grails + LDAP, but no examples of Grails + CAS + LDAP.

Answer 1:

So I got it working, and it really isn't that bad, but I wish I had seen @cantoni's example first. It would have made this really easy. My setup is a little simpler than his, so I'll add it here.

Install the Spring Security Core, CAS, and LDAP plugins. IMPORTANT: Until spring-security-cas:1.0.5 is updated, I wouldn't try to use the new spring-security-core:2.0-RC2 and spring-security-ldap:2.0-RC2. The CAS plugin doesn't seem to work with them.

    plugins {
    ....
    //security
    compile ":spring-security-core:1.2.7.3"
    compile ":spring-security-cas:1.0.5"
    compile ":spring-security-ldap:1.0.6"
    ...
    }

You don't need to run the quickstart command if you're not also using daoAuthenticationProvider, which I am not.

Configure the core and cas plugins in Config.groovy

    //Spring Security Core Config
    // only CAS authenticates; LDAP supplies the authorities via the userDetailsService below
    grails.plugins.springsecurity.providerNames = ['casAuthenticationProvider']
    // deny any request that matches no rule in the map (fail closed)
    grails.plugins.springsecurity.rejectIfNoRule = true
    grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
    // patterns are checked in order and the first match wins, so the catch-all '/**' stays last
    grails.plugins.springsecurity.interceptUrlMap = [
        '/js/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/css/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/login/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/logout/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/**': ['hasAnyRole("ROLE_OPERATOR","ROLE_ADMIN")']
    ]

    //Spring Security CAS Config
    // local URL that triggers the redirect to the CAS login page
    grails.plugins.springsecurity.cas.loginUri = '/login'
    // the service URL sent to CAS; CAS redirects back here with the service ticket
    grails.plugins.springsecurity.cas.serviceUrl = 'http://server.company.com:8080/app-name/j_spring_cas_security_check'
    grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://sso.company.com/cas'
    // URL the CAS server calls back with the proxy-granting ticket
    grails.plugins.springsecurity.cas.proxyCallbackUrl = 'http://server.company.com:8080/app-name/secure/receptor'
    // local path on which the CAS filter receives that callback
    grails.plugins.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'

You can leave off rejectIfNoRule, securityConfigType, and interceptUrlMap if you want to use annotations instead of the interceptor map.

Configure your userDetailsService to delegate to LDAP in resources.groovy

    // load ldap roles from spring security
    // bind account used for the user and group searches
    initialDirContextFactory(org.springframework.security.ldap.DefaultSpringSecurityContextSource,
        "ldap://123.45.67.89:389") {
        userDn = "myLdapUser"
        password = "myLdapPwd"
    }

    // locate the user entry by login name; {0} is the username CAS authenticated
    ldapUserSearch(org.springframework.security.ldap.search.FilterBasedLdapUserSearch,
        "DC=foo,DC=company,DC=com", "sAMAccountName={0}", initialDirContextFactory) {
    }

    // map the user's AD group memberships to roles: the cn of each matching group,
    // upper-cased and prefixed, e.g. group "operator" -> ROLE_OPERATOR
    ldapAuthoritiesPopulator(org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator,
        initialDirContextFactory, "OU=foo,DC=bar,DC=company,DC=com") {
        groupRoleAttribute = "cn"
        groupSearchFilter = "member={0}"     // {0} is the user's full DN, {1} the username
        searchSubtree = true
        rolePrefix = "ROLE_"
        convertToUpperCase = true
        ignorePartialResultException = true  // AD returns referrals that would otherwise abort the search
    }

    // CAS supplies the authenticated username; this service loads the user and roles from LDAP
    userDetailsService(org.springframework.security.ldap.userdetails.LdapUserDetailsService,
        ldapUserSearch, ldapAuthoritiesPopulator) {
    }
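
As an added illustration, not code from the answer above or from the Grails plugins: a small Python model of the authorization decisions this configuration produces, so the rule ordering in `interceptUrlMap`, the `rejectIfNoRule` setting and the group-cn-to-role mapping can be checked offline before touching LDAP. It assumes Spring Security's behaviour that the first matching pattern in the map wins and that `DefaultLdapAuthoritiesPopulator` upper-cases the group `cn` and then prepends `rolePrefix`; the group names and request paths are constructed, and only the expression forms used on this page are supported.

```python
"""Model of the interceptUrlMap and LDAP role mapping from the answer (added example)."""
import re
from typing import List, Sequence, Tuple

# A rule is (Ant-style pattern, list of config attributes); any attribute that grants access wins.
Rule = Tuple[str, Sequence[str]]

# What Spring Security's anonymous filter grants to an unauthenticated request.
ANONYMOUS: List[str] = ["ROLE_ANONYMOUS"]

# Same order as the Config.groovy above; the catch-all must be last.
PAGE_RULES: List[Rule] = [
    ("/js/**", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    ("/css/**", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    ("/images/**", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    ("/login/**", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    ("/logout/**", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    ("/**", ['hasAnyRole("ROLE_OPERATOR","ROLE_ADMIN")']),
]


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern to a regex.

    '**' spans path segments, '*' stays inside one segment, '?' is one non-slash
    character, and a trailing '/**' also matches the bare directory ('/js/**' matches '/js').
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def ldap_authorities(group_cns: Sequence[str], role_prefix: str = "ROLE_",
                     convert_to_upper_case: bool = True) -> List[str]:
    """Mirror DefaultLdapAuthoritiesPopulator: group cn -> optional upper-case -> prefix."""
    roles = set()
    for cn in group_cns:
        role = cn.upper() if convert_to_upper_case else cn
        roles.add(role_prefix + role)
    return sorted(roles)


def _granted(expr: str, authorities: Sequence[str]) -> bool:
    """Evaluate one config attribute against the caller's granted authorities."""
    expr = expr.strip()
    if expr == "IS_AUTHENTICATED_ANONYMOUSLY":
        return True
    if expr in ("IS_AUTHENTICATED_FULLY", "IS_AUTHENTICATED_REMEMBERED"):
        return "ROLE_ANONYMOUS" not in authorities
    m = re.fullmatch(r"hasAnyRole\((.*)\)", expr) or re.fullmatch(r"hasRole\((.*)\)", expr)
    if m:
        wanted = [r.strip().strip("\"'") for r in m.group(1).split(",")]
        return any(r in authorities for r in wanted)
    if expr.startswith("ROLE_"):
        return expr in authorities
    raise ValueError(f"unsupported expression: {expr}")


def decide(path: str, authorities: Sequence[str], rules: Sequence[Rule],
           reject_if_no_rule: bool = True) -> bool:
    """First matching pattern decides; with no match, rejectIfNoRule picks the default."""
    for pattern, attributes in rules:
        if ant_to_regex(pattern).match(path):
            return any(_granted(a, authorities) for a in attributes)
    return not reject_if_no_rule


if __name__ == "__main__":
    operator = ldap_authorities(["operator"])          # constructed AD group name
    print(decide("/js/app.js", ANONYMOUS, PAGE_RULES))   # static assets open to everyone
    print(decide("/admin/users", ANONYMOUS, PAGE_RULES)) # catch-all requires a role
    print(decide("/admin/users", operator, PAGE_RULES))  # group "operator" became ROLE_OPERATOR
```

Two checks worth running against a real map: the group cn has to produce exactly the role named in the rule (an AD group called "Operators" yields ROLE_OPERATORS and is denied), and moving '/**' above the anonymous rules silently shuts out the static paths because the first match wins.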


Answer 2:

I've shared (GitHub) a sample app that integrates Grails (2.2.0) + Spring Security Plugin + CAS + LDAP.

My work is based on this link: http://dominikschuermann.de/index.php/2010/11/using-grails-with-cas-and-ldap/, but unfortunately the link is not active.

https://github.com/luizcantoni/TestCAS-LDAP-Grails

This app authenticates using CAS. After authentication, CAS redirects to Grails, which populates (through LDAP) the User with some Active Directory information (email and name).

This is the file that populates the user with some AD information: https://github.com/luizcantoni/TestCAS-LDAP-Grails/blob/master/src/groovy/example/PrepopulateUserDetailsService.groovy

Check the resources.groovy: https://github.com/luizcantoni/TestCAS-LDAP-Grails/blob/master/grails-app/conf/spring/resources.groovy

Finally, the Config.groovy with the CAS and LDAP configuration: https://github.com/luizcantoni/TestCAS-LDAP-Grails/blob/master/grails-app/conf/Config.groovy