Legacy Product

Fusion 5.10

    Set Up LDAP Authentication

    Appkit allows for authentication against a server using LDAP (Lightweight Directory Access Protocol). It assumes that your Appkit application is managed as a Maven project with all project dependencies described in a Maven POM file.

    1 Add the security provider dependency

    Authentication against LDAP requires the LDAP module. To enable this module, first remove any existing security provider dependency from the pom.xml at the root of the project, then add the following inside the dependencies tag:

    <dependency>
        <groupId>twigkit</groupId>
        <artifactId>twigkit.security.provider.ldap</artifactId>
        <version>${project.parent.version}</version>
    </dependency>

    Then, to configure Appkit to invoke this module on startup, change the security.conf file in src/main/resources/conf/security/ to contain:

    type: spring_security

    2 Configure security filtering in the application

    Spring Security operates using a Servlet filter that must be mapped in the web.xml file in src/main/webapp/WEB-INF:

    <!-- Spring Security -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring-security.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- Spring Security Ends -->

    Add this Servlet filter as the first filter in the chain (at the top of the web.xml file).

    3 Point the application to the security backend

    No Spring Security XML file is required. Add the following to a file named ldap.conf in src/main/resources/conf/security:

    ldap-server-url: ldap://sharepoint-dc-mtyy7623.cloudapp.net:389/
    manager-dn: sharepoint-dev@sharepoint-dev.twigkit.com
    manager-password: abcdef123*
    user-search-base: CN=Users,dc=sharepoint-dev,dc=twigkit,dc=com
    user-search-filter: (uid={0})
    group-role-attribute: cn
    group-search-base: CN=Groups,DC=sharepoint-dev,DC=twigkit,DC=com
    group-search-filter: (member={0})
    role-prefix: ROLE_

    The first three settings configure the LDAP server’s location and manager credentials. The manager is the account used by Spring Security to access the LDAP server. The DN for this user should be available from the LDAP server or directory containing the user.

    The remaining settings tell Spring Security where in the directory to search and which attributes determine the username and roles.

    • user-search-base is the DN under which users are searched for

    • user-search-filter is the filter used to match the username entered by the user; {0} is replaced by that username

    • group-role-attribute is the attribute of each matching group from which the role name is taken

    • group-search-base is the DN under which groups are searched for

    • group-search-filter is the filter used to determine the group membership of a user; {0} is replaced by the user's DN

    • role-prefix is a prefix applied to the roles reported by Spring Security

    The roles picked up from LDAP can later be used for security trimming and personalization.
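    The two searches these settings drive, as an added example that is not part of the Appkit documentation: it takes the search-related keys of the ldap.conf above, runs the user search with the login name substituted for {0} (escaped as an LDAP filter value, which is what Spring Security's LdapEncoder does, so a name like `*` cannot widen the match), then runs the group search with the found DN substituted, and turns each group's cn into a role with the ROLE_ prefix. The directory it searches is a small constructed in-memory model, and the upper-casing of role names mirrors the default of Spring Security's DefaultLdapAuthoritiesPopulator.

```python
import re
# ldap.conf keys from this page that drive the two searches (server URL and manager credentials are not needed in-memory).
CONF = {
    "user-search-base": "CN=Users,dc=sharepoint-dev,dc=twigkit,dc=com",
    "user-search-filter": "(uid={0})",
    "group-role-attribute": "cn",
    "group-search-base": "CN=Groups,DC=sharepoint-dev,DC=twigkit,DC=com",
    "group-search-filter": "(member={0})",
    "role-prefix": "ROLE_",
}
USERS, GROUPS = CONF["user-search-base"], CONF["group-search-base"]
# Constructed sample directory: DN -> attributes (every attribute value is a list).
DIRECTORY = {
    f"uid=alice,{USERS}": {"uid": ["alice"]},
    f"uid=bob,{USERS}": {"uid": ["bob"]},
    f"cn=Admins,{GROUPS}": {"cn": ["Admins"], "member": [f"uid=alice,{USERS}"]},
    f"cn=Staff,{GROUPS}": {"cn": ["Staff"], "member": [f"uid=alice,{USERS}", f"uid=bob,{USERS}"]},
}

def escape_filter(value):
    """RFC 4515 escaping of the value substituted for {0} (as Spring's LdapEncoder does)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def value_pattern(value):
    """Unescaped '*' is a wildcard; '\\xx' hex escapes are literal characters."""
    def literal(s):
        return re.escape(re.sub(r"\\([0-9a-fA-F]{2})",
                                lambda m: chr(int(m.group(1), 16)), s))
    return re.compile(".*".join(literal(p) for p in value.split("*")), re.I)

def search(base, ldap_filter):
    """Subtree search for one (attr=value) filter; returns the matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only (attr=value) filters are modelled")
    attr, pattern = m.group(1), value_pattern(m.group(2))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith("," + base.lower())
            and any(pattern.fullmatch(v) for v in attrs.get(attr, []))]

def authorities(conf, username):
    """User search, then group search keyed by the user's DN; None unless exactly one user matches."""
    users = search(conf["user-search-base"],
                   conf["user-search-filter"].replace("{0}", escape_filter(username)))
    if len(users) != 1:
        return None
    group_filter = conf["group-search-filter"].replace("{0}", escape_filter(users[0]))
    roles = {conf["role-prefix"] + name.upper()
             for dn in search(conf["group-search-base"], group_filter)
             for name in DIRECTORY[dn].get(conf["group-role-attribute"], [])}
    return sorted(roles)
```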

    The LDAP server protocol

    Note the use of the plain LDAP scheme in the URL (ldap://). In some cases SSL encryption is used instead, with the LDAPS scheme (ldaps://). This requires that the LDAP server's certificate be trusted by the authentication client, that is, the JVM running Appkit. There are several ways to configure the JVM's keystore to trust the certificate from the LDAP server; the most common is to import the certificate into the JVM's default keystore.

    4 Verify the configuration

    You can now verify the authentication in an Appkit application using the widget:login-form on a login page, which is typically located at src/main/webapp/login.jsp in your application source tree.