Legacy Product

Fusion 5.10

    Set Up Spring Authentication

    The Spring Security authentication provider for Appkit interfaces with both Spring Security 3 and 4. Projects that adopt Appkit version 3 must switch to using Spring Security 4.

    Authorized Spring principals become fully-qualified Appkit user profiles, along with any roles or groups that the Spring module provides. Spring Security integrates with a number of authentication protocols, including LDAP, Active Directory, Basic Authentication, Kerberos, JAAS, and others. For a full list, see the Spring Security documentation.

    Below you will find some common configurations of the spring-security.xml file for integrating with different security mechanisms for authentication and authorization.

    The references given are for Spring Security 3. For information on how these configurations would change with Spring Security 4, refer to the Release Notes for Appkit 3.

    The first portion of the configuration file contains the required access levels for URL patterns used in Appkit and in most cases stays the same for all configurations.

    Hard-coded users

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
        <http pattern="/styles/**" security="none"/>
        <http pattern="/assets/**" security="none"/>
        <http pattern="/javascript/**" security="none"/>
        <http pattern="/wro/**" security="none"/>
    
        <http use-expressions="true" disable-url-rewriting="true">
            <intercept-url pattern="/login/" access="isAnonymous()"/>
            <intercept-url pattern="/twigkit/resources/**" access="isAnonymous() or isAuthenticated()"/>
            <intercept-url pattern="/twigkit/services/gsa/auth/**" access="isAnonymous() or isAuthenticated()"/>
            <intercept-url pattern="/mock-response/search" access="isAnonymous() or isAuthenticated()"/>
            <intercept-url pattern="/**" access="isAuthenticated()"/>
            <form-login login-page="/login/" authentication-failure-url="/login/?access=denied"/>
            <http-basic/>
            <logout logout-url="/logout/" logout-success-url="/"/>
        </http>
    
        <!--
            Simple Configuration Example
        -->
        <authentication-manager>
            <authentication-provider>
                <user-service>
                    <user name="admin" password="admin" authorities="USER, ADMIN"/>
                    <user name="user" password="user" authorities="USER"/>
                </user-service>
            </authentication-provider>
        </authentication-manager>
    </beans:beans>

    Here, you can see that two users are configured - 'user' and 'admin'. Both have been assigned the role named 'USER' and the admin user also has the 'ADMIN' role.
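
    The configuration above compares the submitted password with the clear-text value stored in the file. As an added example (not part of the original Appkit documentation), the same two accounts can be stored as bcrypt hashes; the bean id passwordEncoder and the hash placeholders are assumptions to be replaced with your own values.

```xml
<!-- Added example: replaces the <authentication-manager> block in the configuration above. -->

<!-- Assumption: the Spring Security crypto classes (Spring Security 3.1 or later)
     are on the classpath. -->
<beans:bean id="passwordEncoder"
            class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

<authentication-manager>
    <authentication-provider>
        <!-- Submitted passwords are checked against the stored bcrypt hash,
             so the file no longer contains a usable password. -->
        <password-encoder ref="passwordEncoder"/>
        <user-service>
            <!-- Placeholder values: replace each one with the output of
                 new BCryptPasswordEncoder().encode("<chosen password>"). -->
            <user name="admin" password="REPLACE_WITH_BCRYPT_HASH_FOR_ADMIN" authorities="USER, ADMIN"/>
            <user name="user" password="REPLACE_WITH_BCRYPT_HASH_FOR_USER" authorities="USER"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
```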

    LDAP

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
        <http pattern="/local-data/**" security="none"/>
        <http pattern="/styles/**" security="none"/>
        <http pattern="/assets/**" security="none"/>
        <http pattern="/javascript/**" security="none"/>
        <http pattern="/wro/**" security="none"/>
    
        <http use-expressions="true" disable-url-rewriting="true">
            <intercept-url pattern="/login/" access="isAnonymous()"/>
            <intercept-url pattern="/twigkit/resources/**" access="isAnonymous() or isAuthenticated()"/>
            <intercept-url pattern="/twigkit/services/gsa/auth/**" access="isAnonymous() or isAuthenticated()"/>
            <intercept-url pattern="/mock-response/search" access="isAnonymous() or isAuthenticated()"/>
            <intercept-url pattern="/**" access="isAuthenticated()"/>
            <form-login login-page="/login/" authentication-failure-url="/login/?access=denied"/>
            <http-basic/>
            <logout logout-url="/logout/" logout-success-url="/"/>
        </http>
    
        <!-- Active Directory Configuration -->
        <ldap-server id="ldapServer" url="ldap://my-ldap.my-domain.com:389/" manager-dn="gsaindexing@my-domain.com"
                     manager-password="ABC1234567890*" />
    
        <authentication-manager>
            <ldap-authentication-provider server-ref="ldapServer"
                                          user-search-base="OU=[Root],DC=uk,DC=corp,DC=my-domain,DC=com"
                                          user-search-filter="sAMAccountName={0}"
                                          group-role-attribute="cn"
                                          group-search-base="OU=[Root],DC=uk,DC=corp,DC=my-domain,DC=com"
                                          group-search-filter="(member={0})"
                                          role-prefix="ROLE_" />
        </authentication-manager>
    </beans:beans>

    Note that this example uses the plain LDAP protocol (ldap:// on port 389). In some cases, SSL encryption is used with the 'LDAPS' protocol. This requires the LDAP server's certificate to be trusted by the authentication client (the JVM running Appkit). There are several ways to configure the keystore for the JVM to trust the certificate from the LDAP server. The most common way to do this is to import the certificate into the JVM’s default keystore.
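
    As an added example (not from the original documentation), the same Active Directory configuration over LDAPS, with the bind account credentials moved out of spring-security.xml. The properties file path, the property names and port 636 (the conventional LDAPS port) are assumptions; the server certificate must already be trusted by the JVM as described above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- The <http> elements are unchanged from the LDAP configuration above. -->

    <!-- Hypothetical file, kept outside the web application and readable only
         by the account that runs Appkit. It defines two properties:
           ldap.manager.dn=gsaindexing@my-domain.com
           ldap.manager.password=(the bind password) -->
    <context:property-placeholder location="file:/etc/appkit/ldap.properties"/>

    <!-- ldaps:// instead of ldap://: the bind password and every user's
         credentials cross the network inside TLS rather than in clear text. -->
    <ldap-server id="ldapServer" url="ldaps://my-ldap.my-domain.com:636/"
                 manager-dn="${ldap.manager.dn}"
                 manager-password="${ldap.manager.password}"/>

    <authentication-manager>
        <ldap-authentication-provider server-ref="ldapServer"
                                      user-search-base="OU=[Root],DC=uk,DC=corp,DC=my-domain,DC=com"
                                      user-search-filter="sAMAccountName={0}"
                                      group-role-attribute="cn"
                                      group-search-base="OU=[Root],DC=uk,DC=corp,DC=my-domain,DC=com"
                                      group-search-filter="(member={0})"
                                      role-prefix="ROLE_"/>
    </authentication-manager>
</beans:beans>
```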

    Spring 'remember me' feature

    Spring Security comes with a mechanism for allowing a user’s details to be remembered beyond the current browser session, avoiding the user having to provide credentials on a login page every time. This integrates with the 'remember' attributes on the widget:login-form tag.

    There are two methods of making the user’s session persistent: a browser cookie, or a database-backed persistence method. The first is the most commonly used; to implement it, all that is required is to add the remember-me line to the HTTP configuration in spring-security.xml:

    ...
        <http use-expressions="true" disable-url-rewriting="true">
            <intercept-url pattern="/login/" access="isAnonymous()"/>
            <intercept-url pattern="/twigkit/resources/**" access="isAnonymous() or isAuthenticated()"/>
            <intercept-url pattern="/twigkit/services/gsa/auth/**" access="isAnonymous() or isAuthenticated()"/>
            <intercept-url pattern="/mock-response/search" access="isAnonymous() or isAuthenticated()"/>
            <intercept-url pattern="/**" access="isAuthenticated()"/>
            <form-login login-page="/login/" authentication-failure-url="/login/?access=denied"/>
            <http-basic/>
            <logout logout-url="/logout/" logout-success-url="/"/>
            <remember-me key="KEY-U5ED-F0R-C00KIE-ENCRYPT1ON"/>
        </http>
    ...
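
    The database-backed method mentioned above is not shown on this page. As an added example (not from the original documentation), it can be configured as follows; the JNDI name, the seven-day lifetime and the key placeholder are assumptions, and use-secure-cookie assumes Appkit is served over HTTPS.

```xml
<!-- Added example: the remember-me element goes inside the <http> element
     shown above, in place of the cookie-only remember-me line. -->
<http use-expressions="true" disable-url-rewriting="true">
    <!-- intercept-url, form-login, http-basic and logout as shown above -->

    <!-- data-source-ref switches remember-me to persistent tokens: the cookie
         carries a random series and token that are looked up in the database
         and replaced on each use, instead of a hash derived from the password.
         token-validity-seconds shortens the default lifetime of two weeks.
         use-secure-cookie marks the cookie Secure so it is sent over HTTPS only.
         Both attributes can also be set on the cookie-only form. In that form
         the key is hashed into the cookie signature (the cookie is
         Base64-encoded, not encrypted), so it must be a long random secret. -->
    <remember-me key="REPLACE_WITH_LONG_RANDOM_SECRET"
                 data-source-ref="dataSource"
                 token-validity-seconds="604800"
                 use-secure-cookie="true"/>
</http>

<!-- Hypothetical JNDI data source supplied by the servlet container, so that
     no database password is stored in spring-security.xml. -->
<beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
    <beans:property name="jndiName" value="java:comp/env/jdbc/appkit"/>
</beans:bean>

<!-- Table expected by Spring Security's JDBC token repository:
       create table persistent_logins (
           username  varchar(64) not null,
           series    varchar(64) primary key,
           token     varchar(64) not null,
           last_used timestamp   not null
       )
     Remember-me reloads the account through a UserDetailsService; the
     hard-coded <user-service> configuration provides one. -->
```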

    Re-directing users to the original requested URL post-login

    Spring Security provides an authentication strategy that allows a requested URL to be saved before requiring the user to log in; once credentials have been authenticated the user is re-directed to the original URL.

    This strategy is enabled on the <form-login …> tag through the authentication-success-handler-ref attribute. For example:

    <form-login login-page="/login/"
                authentication-failure-url="/login/?access=denied"
                authentication-success-handler-ref="login_success_handler"/>

    The login_success_handler is a reference to the Spring Security class that implements the described strategy. Define it by adding the following bean to spring-security.xml:

    <http use-expressions="true" disable-url-rewriting="true">
        <!-- intercept-url rules and the form-login element shown above -->
    </http>

    <!-- Redirects the user to the saved original request after a successful login -->
    <beans:bean id="login_success_handler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"/>