Configuring Spring Security with Active Directory and Concurrent Session Control
In my last post I demonstrated how to get a stub Spring Security implementation going. Now we’re going to do something useful with it. We will configure Spring Security to use LDAP via Active Directory for authentication and limit each user to one session at a time.
LDAP authentication depends on Spring LDAP, so you’ll need to download it and place the core JAR in the classpath.
Here’s the configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

    <http>
        <!-- Login page and static resources bypass the security filter chain -->
        <intercept-url pattern="/login*.jsp*" filters="none"/>
        <intercept-url pattern="/images/**" filters="none"/>
        <intercept-url pattern="/includes/**" filters="none"/>
        <!-- Everything else requires ROLE_USER -->
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <form-login login-page="/login.jsp" always-use-default-target="true"/>
        <!-- One session per user; expired sessions are sent to expired-url -->
        <concurrent-session-control max-sessions="1" expired-url="/login-duplicate.jsp"/>
        <logout/>
    </http>

    <!-- Directory server and the account used to bind for searches -->
    <ldap-server
        url="ldap://ldapserver:389"
        manager-dn="CN=Administrator,CN=Users,DC=www,DC=mydomain,DC=com"
        manager-password="mgrpasswd"
    />

    <!-- {0} in user-search-filter is the submitted login name;
         {0} in group-search-filter is the DN of the user that was found -->
    <ldap-authentication-provider
        user-search-base="cn=Users,dc=www,dc=mydomain,dc=com"
        user-search-filter="sAMAccountName={0}"
        group-search-filter="member={0}"
        group-search-base="cn=Users,dc=www,dc=mydomain,dc=com"
        role-prefix="ROLE_"
    />
</beans:beans>

We’ve removed the auto-config="true" attribute from the http element to gain more control over the security namespace configuration; in particular, this allows us to configure the authentication provider. The downside is that Spring Security does less automatic configuration for us, so we need to add the logout element ourselves.
The concurrent-session-control element limits each user to one session at a time and specifies a URL where users will be sent if they try to log in more than once.
The ldap-server element is self-explanatory. Discovering the manager-dn might take a bit of digging using an LDAP search tool; I used Apache Directory Studio.
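A hardened variant of the ldap-server settings above, as an added example that is not part of the original post: it binds over LDAPS and reads the manager DN and password from a properties file kept outside the web application instead of from this XML. The bean id adContextSource, the file path, the ldap.manager.* property names, port 636 and the dedicated low-privilege bind account used in place of Administrator are all assumptions.

```xml
<!-- Added example (not from the original post): replaces the <ldap-server>
     and <ldap-authentication-provider> elements inside the post's
     <beans:beans> root, which declares the beans: prefix used here. -->

<!-- Assumed location: a file outside the WAR, readable only by the app
     server account. Constructed contents:
       ldap.manager.dn=CN=svc-webapp-ldap,CN=Users,DC=www,DC=mydomain,DC=com
       ldap.manager.password=(set at deployment)
     svc-webapp-ldap is a hypothetical read-only bind account. -->
<beans:bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <beans:property name="location" value="file:/etc/myapp/ldap.properties"/>
</beans:bean>

<!-- Explicit context source instead of <ldap-server>: ldaps:// encrypts the
     manager bind and the bind performed with each user's own password. -->
<beans:bean id="adContextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldaps://ldapserver:636"/>
    <beans:property name="userDn" value="${ldap.manager.dn}"/>
    <beans:property name="password" value="${ldap.manager.password}"/>
</beans:bean>

<!-- Same searches as the post's provider, pointed at the bean above. -->
<ldap-authentication-provider
        server-ref="adContextSource"
        user-search-base="cn=Users,dc=www,dc=mydomain,dc=com"
        user-search-filter="sAMAccountName={0}"
        group-search-filter="member={0}"
        group-search-base="cn=Users,dc=www,dc=mydomain,dc=com"
        role-prefix="ROLE_"/>
```

The JVM must trust the domain controller's certificate for the ldaps:// connection to succeed.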
The ldap-authentication-provider element controls the searches for users and groups that will be used for authentication. In this example, we are using sAMAccountName as the user filter and member as the group filter. Once again, you may have to search the directory to discover where things are stored if you want to use different attributes for filtering users and groups. Finally, we need to tell Spring Security to prefix the role names with ROLE_. For now we’ll live with this; later I’ll demonstrate how to get rid of that as the configuration gets more complex.
This example should give you a good place to start with a basic Spring Security configuration.


Comments
concurrent Sessions / User
Hello,
Could you please help with how I can set the concurrent sessions per user in a J2EE application? I have the FileNet P8 Workplace application deployed on Oracle 10gR2 AS and want to set the number of concurrent sessions to "1". The Workplace is authorizing the users from Active Directory.
Regards Mohd A. Tawab