I am trying to set up Spring Security in Grails authenticating against CAS and authorizing against LDAP. I have found examples several examples (I have about 20 browser tabs open right now), but none of them answer the whole question. Most of the examples are Grails + CAS or Grails + LDAP, but no examples of Grails + CAS + LDAP.
2 回答
So I got it working, and it really isn't that bad, but I wish I had seen @cantoni's example first. It would have made this really easy. My setup is a little more simple than his, so I'll add it here.
Install the Spring Security Core, CAS, and LDAP plugins. IMPORTANT: Until spring-security-cas:1.0.5
is updated, I wouldn't try to use the new spring-security-core:2.0-RC2
and spring-security-ldap:2.0-RC2
. The CAS plugin doesn't seem to work with them.
plugins {
....
//security
compile ":spring-security-core:1.2.7.3"
compile ":spring-security-cas:1.0.5"
compile ":spring-security-ldap:1.0.6"
...
}
You don't need to run the quickstart command if you're not also using daoAuthenticationProvider, which I am not.
Configure the core and cas plugins in Config.groovy
//Spring Security Core Config
grails.plugins.springsecurity.providerNames = ['casAuthenticationProvider']
grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
'/js/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/css/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/login/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/logout/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/**': ['hasAnyRole("ROLE_OPERATOR","ROLE_ADMIN")']
]
//Spring Security CAS Config
grails.plugins.springsecurity.cas.loginUri = '/login'
grails.plugins.springsecurity.cas.serviceUrl = 'http://server.company.com:8080/app-name/j_spring_cas_security_check'
grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://sso.company.com/cas'
grails.plugins.springsecurity.cas.proxyCallbackUrl = 'http://server.company.com:8080/app-name/secure/receptor'
grails.plugins.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
You can leave off rejectIfNoRule
, securityConfigType
, and interceptUrlMap
if you want to use annotations instead of the interceptor map.
Configure your userDetailsService to delegate to LDAP in resources.groovy
// load ldap roles from spring security
initialDirContextFactory(org.springframework.security.ldap.DefaultSpringSecurityContextSource,
"ldap://123.45.67.89:389"){
userDn = "myLdapUser"
password = "myLdapPwd"
}
ldapUserSearch(org.springframework.security.ldap.search.FilterBasedLdapUserSearch,
"DC=foo,DC=company,DC=com", "sAMAccountName={0}", initialDirContextFactory){
}
ldapAuthoritiesPopulator(org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator,
initialDirContextFactory,"OU=foo,DC=bar,DC=company,DC=com"){
groupRoleAttribute = "cn"
groupSearchFilter = "member={0}"
searchSubtree = true
rolePrefix = "ROLE_"
convertToUpperCase = true
ignorePartialResultException = true
}
userDetailsService(org.springframework.security.ldap.userdetails.LdapUserDetailsService,ldapUserSearch,ldapAuthoritiesPopulator){
}
I've shared (GitHub) a sample app that integrates Grails (2.2.0) + Spring Security Plugin + CAS + LDAP.
My work is based on this link: http://dominikschuermann.de/index.php/2010/11/using-grails-with-cas-and-ldap/, but unfortunately the link is not active.
https://github.com/luizcantoni/TestCAS-LDAP-Grails
This App authenticates using CAS. After authenticated, CAS redirect to Grails that populates (through ldap) the User with some Active Directory information (email and name).
This is the file that populates the user with some AD information: https://github.com/luizcantoni/TestCAS-LDAP-Grails/blob/master/src/groovy/example/PrepopulateUserDetailsService.groovy
Check the resources.groovy: https://github.com/luizcantoni/TestCAS-LDAP-Grails/blob/master/grails-app/conf/spring/resources.groovy
Finally, the Config.groovy with the CAS and LDAP configuration: https://github.com/luizcantoni/TestCAS-LDAP-Grails/blob/master/grails-app/conf/Config.groovy