I had a Spring 3 project that was using LDAP for authentication and authorities. We have now changed the project to use CAS for authentication, but we would still like to use LDAP for authorities. Can someone please look at this XML file and tell me how to get LDAP authorities working again?
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security" xmlns:p="http://www.springframework.org/schema/p"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<!--
  URL access rules for the web application. Requests that need authentication
  are sent to casEntryPoint, and the access attributes are evaluated as
  expressions because use-expressions is enabled.
  NOTE(review): there is no catch-all pattern at the end of the list, so a
  path that matches none of the rules below has no access rule in this
  block. Confirm that is intended, or close the list with a default rule
  (for example pattern="/**" with access="isAuthenticated()").
-->
<http use-expressions="true" entry-point-ref="casEntryPoint">
  <!-- Pages reachable without logging in, including the CAS logout and failure pages. -->
  <intercept-url pattern="/" access="permitAll" />
  <intercept-url pattern="/index.jsp" access="permitAll" />
  <intercept-url pattern="/cas-logout.jsp" access="permitAll" />
  <intercept-url pattern="/casfailed.jsp" access="permitAll" />

  <!-- Role-protected areas; the role names must match the authorities granted at login. -->
  <intercept-url pattern="/secure/**" access="hasRole('ROLE_USER')" />
  <intercept-url pattern="/requests/**" access="hasRole('ROLE_MEMBER_INQUIRY')" />

  <!-- CAS-related filters, placed relative to the standard filter positions. -->
  <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
  <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
  <custom-filter ref="casFilter" position="CAS_FILTER" />

  <logout logout-success-url="/cas-logout.jsp" />
</http>
<!--
  Authentication manager, exposed under the alias authManager.
  casAuthProvider is the only provider registered. The ldapAuthProvider bean
  declared further down in this file is not referenced here, so it takes no
  part in CAS logins or in assigning authorities.
-->
<authentication-manager alias="authManager">
  <authentication-provider ref="casAuthProvider" />
</authentication-manager>
<!--
  In-memory user store. casAuthProvider wraps this bean in a
  UserDetailsByNameServiceWrapper, so after CAS has validated a ticket the
  authorities a user receives are the ones listed here, not LDAP groups.
  NOTE(review): user names and passwords are written here in clear text, and
  one entry looks like a real e-mail address. Replace them with obviously
  fake sample accounts before publishing or deploying this file, and treat
  any real password that has been shared this way as compromised.
-->
<user-service id="userService">
  <user name="rod"
        password="rod"
        authorities="ROLE_SUPERVISOR,ROLE_USER" />
  <user name="cpilling04@aol.com.dev"
        password="testing"
        authorities="ROLE_MEMBER_INQUIRY" />
</user-service>
<!-- Receives Single Logout requests sent by the CAS server. -->
<b:bean id="singleLogoutFilter"
        class="org.jasig.cas.client.session.SingleSignOutFilter" />
<!--
  Application side of Single Logout: a request to
  /j_spring_cas_security_logout runs the SecurityContextLogoutHandler and is
  then redirected to the CAS server logout URL, signalling that Single
  Logout should be performed.
-->
<b:bean id="requestSingleLogoutFilter"
        class="org.springframework.security.web.authentication.logout.LogoutFilter"
        p:filterProcessesUrl="/j_spring_cas_security_logout">
  <!-- First argument: URL the browser is sent to after the local logout. -->
  <b:constructor-arg value="https://${cas.server.host}/cas-server-webapp/logout" />
  <!-- Second argument: handler run for the local logout. -->
  <b:constructor-arg>
    <b:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
  </b:constructor-arg>
</b:bean>
<!--
  Describes this application to CAS. "service" is the callback URL that CAS
  redirects to with the ticket; it must match what the CAS server has
  registered for this application.
  authenticateAllArtifacts="true" makes the CAS filter try to authenticate
  any request that carries a ticket, which the proxy-ticket setup in this
  file relies on. NOTE(review): switch it off if proxy tickets are not used.
-->
<b:bean id="serviceProperties"
        class="org.springframework.security.cas.ServiceProperties"
        p:service="https://${cas.service.host}/MemberInquiry/j_spring_cas_security_check"
        p:authenticateAllArtifacts="true" />
<!--
  Entry point referenced by the http element: sends unauthenticated users to
  the CAS login page, using serviceProperties for the service URL.
-->
<b:bean id="casEntryPoint"
        class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
        p:loginUrl="https://${cas.server.host}/cas-server-webapp/login"
        p:serviceProperties-ref="serviceProperties" />
<!--
  Filter that handles the CAS callback. It hands the ticket to authManager
  and also serves the proxy receptor URL, storing proxy-granting tickets in
  pgtStorage.
-->
<b:bean id="casFilter"
        class="org.springframework.security.cas.web.CasAuthenticationFilter"
        p:authenticationManager-ref="authManager"
        p:serviceProperties-ref="serviceProperties"
        p:proxyGrantingTicketStorage-ref="pgtStorage"
        p:proxyReceptorUrl="/j_spring_cas_security_proxyreceptor">
  <!-- Supplies the per-request service details used when validating tickets. -->
  <b:property name="authenticationDetailsSource">
    <b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource" />
  </b:property>
  <!-- Failed CAS authentication ends on the public failure page. -->
  <b:property name="authenticationFailureHandler">
    <b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
            p:defaultFailureUrl="/casfailed.jsp" />
  </b:property>
  <!-- On success, return to the saved request, or to this default target. -->
  <b:property name="authenticationSuccessHandler">
    <b:bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"
            p:defaultTargetUrl="/requests/add.html" />
  </b:property>
</b:bean>
<!--
  Storage for proxy-granting tickets, shared by casFilter and the ticket
  validator.
  NOTE: an in-memory implementation should not be used in a real
  application. Expired tickets also need to be cleaned up by calling
  ProxyGrantingTicketStorage.cleanup().
-->
<b:bean id="pgtStorage"
        class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />
<!--
  Turns a validated CAS ticket into an authenticated user. This is the bean
  that decides which authorities a CAS user receives.
-->
<b:bean id="casAuthProvider"
        class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
        p:serviceProperties-ref="serviceProperties"
        p:key="casAuthProviderKey">
  <!--
    Loads the user, and therefore the authorities, by the name CAS returns.
    It is wired to the in-memory userService, which is why LDAP groups are
    not applied. NOTE(review): to take authorities from LDAP, the wrapped
    service would have to be a UserDetailsService backed by the directory
    (Spring Security LDAP provides LdapUserDetailsService for that purpose);
    confirm the user search base and filter against the directory layout.
  -->
  <b:property name="authenticationUserDetailsService">
    <b:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
      <b:constructor-arg ref="userService" />
    </b:bean>
  </b:property>
  <!--
    Validates tickets against the CAS server, including proxy tickets.
    NOTE(review): acceptAnyProxy="true" accepts a proxy ticket whatever
    services appear in its proxy chain. If proxy authentication is not
    needed, or the proxying services are known, restrict this with an
    explicit allowed proxy chain list or a plain service ticket validator.
  -->
  <b:property name="ticketValidator">
    <b:bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
            p:acceptAnyProxy="true"
            p:proxyCallbackUrl="https://${cas.service.host}/MemberInquiry/j_spring_cas_security_proxyreceptor"
            p:proxyGrantingTicketStorage-ref="pgtStorage">
      <b:constructor-arg value="https://${cas.server.host}/cas-server-webapp" />
    </b:bean>
  </b:property>
  <!-- Cache of validated tickets for stateless (ticket-per-request) clients. -->
  <b:property name="statelessTicketCache">
    <b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache">
      <b:property name="cache">
        <!--
          Positional constructor arguments. Presumably, in order: cache name,
          max elements in memory, overflow to disk, eternal, time to live
          (seconds), time to idle (seconds). TODO confirm against the
          Ehcache version in use.
        -->
        <b:bean class="net.sf.ehcache.Cache"
                init-method="initialise"
                destroy-method="dispose">
          <b:constructor-arg value="casTickets" />
          <b:constructor-arg value="50" />
          <b:constructor-arg value="true" />
          <b:constructor-arg value="false" />
          <b:constructor-arg value="3600" />
          <b:constructor-arg value="900" />
        </b:bean>
      </b:property>
    </b:bean>
  </b:property>
</b:bean>
<!--
  Environment settings. Placeholders such as ${cas.server.host} are resolved
  from the "environment" properties below; system-properties-mode="OVERRIDE"
  lets a system property with the same key take precedence.
-->
<context:property-placeholder properties-ref="environment"
                              system-properties-mode="OVERRIDE" />
<util:properties id="environment">
  <b:prop key="cas.service.host">wcmisdlin07.uftmasterad.org:8443</b:prop>
  <b:prop key="cas.server.host">wcmisdlin07.uftmasterad.org:8443</b:prop>
</util:properties>
<!--
  LDAP connection (over LDAPS) shared by the LDAP beans in this file.
  NOTE(review): the bind DN is the directory Manager account and its password
  is written here in clear text. Looking up users and groups normally needs
  only a dedicated read-only service account. Keep its password outside this
  XML (for example in an externalised property that is not committed or
  published), and rotate the password shown here if it is a real one.
-->
<b:bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <b:constructor-arg value="ldaps://dvldap01.uftwf.dev:636/dc=uftwf,dc=dev" />
  <b:property name="userDn" value="cn=Manager,dc=uftwf,dc=dev" />
  <b:property name="password" value="uftwf" />
</b:bean>
<!--
  LDAP authentication provider left over from the pre-CAS setup. It pairs a
  BindAuthenticator (first constructor argument) with a
  DefaultLdapAuthoritiesPopulator (second constructor argument).
  NOTE(review): nothing else in this file references ldapAuthProvider, so
  with CAS login neither the authenticator nor the populator is used.
-->
<b:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<!-- Authenticator: binds to the directory as the user, with a DN built from the pattern below. -->
<b:constructor-arg>
<b:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<b:constructor-arg ref="contextSource" />
<!--
  {0} is replaced with the login name. The DN is relative to the base
  dc=uftwf,dc=dev given in the contextSource URL.
  NOTE(review): the line breaks around the pattern are part of the element
  text; confirm they are harmless or put the pattern on a single line.
-->
<b:property name="userDnPatterns">
<b:list>
<b:value>
uid={0},ou=webusers
</b:value>
</b:list>
</b:property>
</b:bean>
</b:constructor-arg>
<!--
  Authorities populator: searches for the user's groups under ou=groups and
  takes the role name from each group's "ou" attribute. Presumably the value
  is upper-cased and prefixed with ROLE_ by default; confirm for the Spring
  Security version in use, since the http rules test ROLE_ names.
-->
<b:constructor-arg>
<b:bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<b:constructor-arg ref="contextSource" />
<b:constructor-arg value="ou=groups" />
<b:property name="groupRoleAttribute" value="ou" />
</b:bean>
</b:constructor-arg>
</b:bean>
<!--
  Namespace-declared LDAP server pointing at the same URL as contextSource.
  NOTE(review): no manager-dn or manager-password is set here, so this
  presumably creates a second context source with different bind settings
  from contextSource. Confirm whether both declarations are needed.
-->
<ldap-server
  url="ldaps://dvldap01.uftwf.dev:636/dc=uftwf,dc=dev" />
</b:beans>