Set Up LDAP Authentication
Appkit allows for authentication against a server using LDAP (Lightweight Directory Access Protocol). It assumes that your Appkit application is managed as a Maven project with all project dependencies described in a Maven POM file.
1 Add the security provider dependency
Authentication against LDAP requires the LDAP module. To enable this module, first remove any existing security provider dependency from the pom.xml under the root of the project and add this within the dependencies tag:
<dependency>
    <groupId>twigkit</groupId>
    <artifactId>twigkit.security.provider.ldap</artifactId>
    <version>${project.parent.version}</version>
</dependency>
Then, to configure Appkit to invoke this module on startup, change the security.conf file in src/main/resources/conf/security/ to contain:
type: spring_security
2 Configure security filtering in the application
Spring Security operates using a Servlet filter that must be mapped in the web.xml file in src/main/webapp/WEB-INF:
<!-- Spring Security -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:spring-security.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Spring Security Ends -->
Add this Servlet filter as the first filter in the chain (at the top of the web.xml file).
3 Point the application to the security backend
No Spring Security XML file is required. Add this in a file named ldap.conf in src/main/resources/conf/security:
ldap-server-url: ldap://sharepoint-dc-mtyy7623.cloudapp.net:389/
manager-dn: sharepoint-dev@sharepoint-dev.twigkit.com
manager-password: abcdef123*
user-search-base: CN=Users,dc=sharepoint-dev,dc=twigkit,dc=com
user-search-filter: (uid={0})
group-role-attribute: cn
group-search-base: CN=Groups,DC=sharepoint-dev,DC=twigkit,DC=com
group-search-filter: (member={0})
role-prefix: ROLE_
The first three settings configure the LDAP server's location and the manager credentials. The manager is the account Spring Security uses to bind to the LDAP server and run the user and group searches. The DN for this account should be available from the LDAP server or the directory containing the user.
The remaining settings reference the LDAP server configuration to be used and provide the attributes required to determine the username and roles:
- user-search-base is the DN under which users are retrieved
- user-search-filter is the property used to determine a match against the username specified by the user
- group-role-attribute is the property from which the names of the roles are populated
- group-search-base is the DN under which groups are retrieved
- group-search-filter is the property used to determine the group membership of a user
- role-prefix is a prefix applied to the roles reported by Spring Security
The roles picked up from LDAP can later be used for security trimming and personalization.
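To make the settings above concrete, here is an added worked example in Python (it is not Appkit's or Spring Security's own code). It parses a constructed ldap.conf, substitutes the login name into user-search-filter and the resulting user DN into group-search-filter with RFC 4515 escaping, evaluates both searches against a small constructed in-memory directory, and maps the matched groups' group-role-attribute values to roles with role-prefix. The hostnames, DNs, group names and the PLACEHOLDER manager password are all constructed; upper-casing the group name before the prefix is applied is an assumption chosen to match Spring Security's default behaviour.

```python
"""Added example (not part of Appkit or Spring Security): how the ldap.conf
settings drive the two searches and the role mapping, with the username
escaped per RFC 4515 before it replaces {0}."""
import re

# Constructed sample ldap.conf, mirroring the keys used on this page.
LDAP_CONF = """\
ldap-server-url: ldap://ldap.example.com:389/
manager-dn: cn=manager,dc=example,dc=com
manager-password: PLACEHOLDER
user-search-base: CN=Users,dc=example,dc=com
user-search-filter: (uid={0})
group-role-attribute: cn
group-search-base: CN=Groups,DC=example,DC=com
group-search-filter: (member={0})
role-prefix: ROLE_
"""

# Constructed in-memory directory standing in for the LDAP server.
# Attribute names are stored lower-cased, as LDAP treats them case-insensitively.
DIRECTORY = {
    "uid=alice,CN=Users,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,CN=Users,dc=example,dc=com": {"uid": ["bob"]},
    "cn=Admins,CN=Groups,DC=example,DC=com": {
        "cn": ["Admins"],
        "member": ["uid=alice,CN=Users,dc=example,dc=com"],
    },
    "cn=Staff,CN=Groups,DC=example,DC=com": {
        "cn": ["Staff"],
        "member": ["uid=alice,CN=Users,dc=example,dc=com",
                   "uid=bob,CN=Users,dc=example,dc=com"],
    },
}


def parse_conf(text):
    """Parse 'key: value' lines; only the first colon separates key from value,
    so a URL such as ldap://host:389/ survives intact."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


CONF = parse_conf(LDAP_CONF)

# RFC 4515 escapes: these characters would otherwise change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(conf, username):
    """{0} in user-search-filter is the login name typed by the user."""
    return conf["user-search-filter"].replace("{0}", escape_filter_value(username))


def group_search_filter(conf, user_dn):
    """{0} in group-search-filter is the DN found by the user search."""
    return conf["group-search-filter"].replace("{0}", escape_filter_value(user_dn))


_EQUALITY = re.compile(r"^\((\w+)=(.*)\)$")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(directory, base, filt):
    """Minimal evaluator for a single equality filter under a search base.
    Escaped characters are compared literally, so an escaped '*' is not a wildcard."""
    match = _EQUALITY.match(filt)
    if not match:
        raise ValueError("only simple (attr=value) filters are supported here")
    attr, wanted = match.group(1).lower(), _unescape(match.group(2))
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(base.lower()) and wanted in attrs.get(attr, [])]


def roles_from_groups(conf, group_entries):
    """Build role names from group-role-attribute and role-prefix. Upper-casing the
    group name is an assumption chosen to match Spring Security's default."""
    attr, prefix = conf["group-role-attribute"].lower(), conf["role-prefix"]
    roles = {prefix + v.upper() for entry in group_entries for v in entry.get(attr, [])}
    return sorted(roles)


def resolve_roles(conf, username, directory=DIRECTORY):
    """Return (user_dn, roles), or None when the user search does not yield exactly
    one entry (unknown user, or an ambiguous match that must not be logged in)."""
    users = search(directory, conf["user-search-base"], user_search_filter(conf, username))
    if len(users) != 1:
        return None
    user_dn = users[0]
    groups = search(directory, conf["group-search-base"], group_search_filter(conf, user_dn))
    return user_dn, roles_from_groups(conf, [directory[dn] for dn in groups])


if __name__ == "__main__":
    for name in ("alice", "bob", "*", "alice)(uid=bob"):
        print(name, "->", resolve_roles(CONF, name))
```

Running the block shows that alice resolves to ROLE_ADMINS and ROLE_STAFF, bob to ROLE_STAFF only, and that a login name containing filter metacharacters is escaped before substitution, so it matches no user rather than widening the search.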
The LDAP server protocol
Note the use of the LDAP protocol in the URL (ldap://). In some cases SSL encryption is used with the LDAPS protocol (ldaps://). This requires that the certificate presented by the LDAP server be trusted by the authentication client (the JVM running Appkit). There are several ways to configure the keystore the JVM uses to trust the LDAP server's certificate; the most common is to import the certificate into the JVM's default keystore.
4 Verify the configuration
You can now verify the authentication in an Appkit application using the widget:login-form on a login page, which is typically located at src/main/webapp/login.jsp in your application source tree.