Configuring Spring Security with Active Directory and Concurrent Session Control

Posted Mar 4, 2010 by Jed

In my last post I demonstrated how to get a stub Spring Security implementation going. Now we're going to do something useful with it: configure Spring Security to authenticate users against Active Directory over LDAP and limit each user to one session at a time.

LDAP authentication depends on Spring LDAP, so you’ll need to download it and place the core JAR in the classpath.

Here’s the configuration:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

  <!-- No auto-config: form-login and logout are declared explicitly below. -->
  <http>
    <!-- filters="none" bypasses the whole security filter chain for these URLs.
         The trailing * on the login pattern also covers query strings such as
         /login.jsp?login_error=1, because 2.0 matches patterns against the URL
         including its query string. -->
    <intercept-url pattern="/login*.jsp*" filters="none"/>
    <intercept-url pattern="/images/**" filters="none"/>
    <intercept-url pattern="/includes/**" filters="none"/>
    <!-- Everything else requires an authenticated user holding ROLE_USER. -->
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <form-login login-page="/login.jsp" always-use-default-target="true"/>
    <!-- One session per user; a session that was expired by a newer login is
         redirected to expired-url on its next request. -->
    <concurrent-session-control max-sessions="1" expired-url="/login-duplicate.jsp"/>
    <logout/>
  </http>

  <!-- Directory connection and the account used to bind for the user and
       group searches. -->
  <ldap-server
    url="ldap://ldapserver:389"
    manager-dn="CN=Administrator,CN=Users,DC=www,DC=mydomain,DC=com"
    manager-password="mgrpasswd"
  />

  <!-- {0} in user-search-filter is the login name typed into the form;
       {0} in group-search-filter is the DN of the user entry that search found. -->
  <ldap-authentication-provider
    user-search-base="cn=Users,dc=www,dc=mydomain,dc=com"
    user-search-filter="sAMAccountName={0}"
    group-search-filter="member={0}"
    group-search-base="cn=Users,dc=www,dc=mydomain,dc=com"
    role-prefix="ROLE_"
  />
</beans:beans>

We've removed the auto-config="true" attribute from the http element to gain more control over the security namespace configuration and to spell out the authentication provider ourselves. The downside is that Spring Security no longer registers form-login, logout and HTTP Basic automatically, so we declare the form-login and logout elements explicitly.

The concurrent-session-control element limits each user to one session at a time. By default (exception-if-maximum-exceeded="false") the newer login wins: it succeeds, the user's earlier session is marked expired, and the next request made on that earlier session is redirected to expired-url. Setting exception-if-maximum-exceeded="true" reverses this and rejects the second login; that is stricter, but a user who closed the browser without logging out is then locked out until the old session times out. In either mode the session registry has to learn when the container destroys a session, which requires registering the HttpSessionEventPublisher listener in web.xml. (In Spring Security 3.x the same setting lives under session-management/concurrency-control.)
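As an added example that is not part of the original post, here are the two pieces a deployment of concurrent-session-control in Spring Security 2.0.x needs alongside the element above: the web.xml listener that keeps the session registry informed, and the stricter form of the element that refuses a second login outright. The failure URL /login.jsp?login_error=1 is assumed for illustration; the other paths are the ones used on this page.

```xml
<!-- 1. web.xml: publish session-destroyed events to Spring Security. Without
        this listener the SessionRegistry is never told that the container
        invalidated a session, so entries for sessions that timed out or were
        abandoned linger and, with exception-if-maximum-exceeded="true", can
        block the user's next login. -->
<listener>
  <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>

<!-- 2. Security config: the strict variant of the http element from the post.
        A login attempt while the user already has an active session is rejected
        as an authentication failure and lands on authentication-failure-url
        (assumed value), so the existing session is never expired. expired-url
        stays in place, though with this setting it is no longer the normal path.
        The login pattern's trailing * keeps the failure URL outside the filter
        chain, matching its query string. -->
<http>
  <intercept-url pattern="/login*.jsp*" filters="none"/>
  <intercept-url pattern="/images/**" filters="none"/>
  <intercept-url pattern="/includes/**" filters="none"/>
  <intercept-url pattern="/**" access="ROLE_USER"/>
  <form-login login-page="/login.jsp"
              authentication-failure-url="/login.jsp?login_error=1"
              always-use-default-target="true"/>
  <concurrent-session-control max-sessions="1"
                              exception-if-maximum-exceeded="true"
                              expired-url="/login-duplicate.jsp"/>
  <logout/>
</http>
```

Which mode to pick is a product decision: the default protects against a forgotten session on a shared machine by letting the newest login take over, while the strict mode protects against a stolen session cookie being used in parallel with the legitimate user, at the cost of the lock-out described above.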

The ldap-server element tells Spring Security where the directory is and which account (the manager account) to bind with for the user and group searches. Two things in the example above deserve a second look before it leaves a lab: the URL is plain ldap:// on port 389, so the user's password crosses the wire in the clear during the bind, and the manager account is the domain Administrator with its password sitting in the XML, although a read-only account is all the searches need. Discovering the manager-dn might take a bit of digging with an LDAP search tool; I used Apache Directory Studio.

The ldap-authentication-provider element controls the searches used to find the user and the groups he belongs to. The user search runs under user-search-base with user-search-filter, where {0} is replaced by the login name; sAMAccountName is the Active Directory attribute holding the short Windows login name. Once the user's entry is found, Spring Security binds as that user with the supplied password to authenticate him, then runs group-search-filter under group-search-base with {0} replaced by the user's full DN, so member={0} returns the groups that list him as a member. Once again, you may have to search to discover where things are stored if you want to use different attributes for filtering users and groups. Each group's cn is upper-cased and prefixed with role-prefix, so a group named "user" becomes ROLE_USER, which is what the intercept-url above requires; a group called Domain Users comes through as ROLE_DOMAIN USERS, spaces included. ROLE_ is also the default prefix, so the attribute here only makes it explicit. For now we'll live with the prefix; later I'll demonstrate how to get rid of it as the configuration gets more complex.
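An added example, not from the original post, showing the same ldap-server element with the two settings a security review would flag changed: the connection uses LDAPS, and the bind account is a dedicated read-only service account whose password comes from a properties file rather than the XML. The host name ldapserver.mydomain.com, the account CN=svc-spring-ldap in OU=Service Accounts, the file ldap.properties and the key ldap.manager.password are invented for illustration, and the example assumes that the placeholder in manager-password is resolved like any other bean property value, which is how the namespace parser hands the attribute to the context-source bean.

```xml
<!-- Resolves ${...} placeholders in bean definitions, including (assumed, see
     lead-in) the ones the security namespace creates from the attributes below.
     ldap.properties holds a single line, ldap.manager.password=<secret>, is kept
     out of version control, and is readable only by the account the servlet
     container runs as. -->
<beans:bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
  <beans:property name="location" value="classpath:ldap.properties"/>
</beans:bean>

<!-- LDAPS on 636: a simple bind on 389 sends the user's password in the clear,
     and a domain controller configured to require LDAP signing rejects such
     binds anyway. The host name must match the DC's certificate, and the JVM
     must trust the issuing CA (for example
     -Djavax.net.ssl.trustStore=/path/to/ad-ca.jks). The bind account only has
     to read user and group entries, so it is an ordinary unprivileged account,
     not a domain administrator. (Invented names; see lead-in.) -->
<ldap-server
  url="ldaps://ldapserver.mydomain.com:636"
  manager-dn="CN=svc-spring-ldap,OU=Service Accounts,DC=www,DC=mydomain,DC=com"
  manager-password="${ldap.manager.password}"
/>
```

The rest of the configuration, including ldap-authentication-provider, is unchanged: the search bases and filters do not care how the connection is secured or which account performs the searches, as long as that account can read the user entries and the member attribute of the groups.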

This example should give you a good place to start with a basic Spring Security configuration.

About Jed

Jed Prentice is a senior software engineer with 15 years of experience developing business applications in a variety of industries. He is an expert in the field of object-oriented software development specializing in distributed systems and ...