...
As of version 1.3.4 of the org.acegisecurity.ntlm bundle there's an additional property that can be set for the IPFilteredNtlmProcessingFilter, and that's ~~domainRole~~ defaultRole, which when set will add the role (exactly as it appears in the security.xml file) to the list of roles the user has. This allows you to utilise multiple Active Directory domains to authenticate users and provide access control based on which domain the user was authenticated against.
Note: If you're using LDAP to provide the users' roles then it's also possible to set a defaultRole in the LDAP populator.
Code Block

```xml
<bean id="ntlmProcessingFilterInternal" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilter">
  <property name="defaultDomain"><value>INTERNAL</value></property>
  <property name="domainController"><value>172.16.0.30</value></property>
  <property name="authenticationEntryPoint" ref="ntlmEntryPoint"/>
  <property name="authenticationManager" ref="ntlmAuthenticationManager"/>
  <property name="domainRole"><value>ROLE_INTERNAL</value></property>
  <!-- only clients from these ranges are authenticated by this filter -->
  <property name="includedIpAddresses">
    <list>
      <value>172.16.0.0/16</value>
    </list>
  </property>
  <!-- role appended to every user this filter authenticates -->
  <property name="defaultRole"><value>ROLE_INTERNAL</value></property>
</bean>

<bean id="ntlmProcessingFilterExternal" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilter">
  <property name="defaultDomain"><value>EXTERNAL</value></property>
  <property name="domainController"><value>201.20.109.76</value></property>
  <property name="authenticationEntryPoint" ref="ntlmEntryPoint"/>
  <property name="authenticationManager" ref="ntlmAuthenticationManager"/>
  <property name="domainRole"><value>ROLE_EXTERNAL</value></property>
  <property name="includedIpAddresses">
    <list>
      <value>201.20.0.0/16</value>
    </list>
  </property>
  <property name="defaultRole"><value>ROLE_EXTERNAL</value></property>
</bean>
```
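To make the role decision above concrete, here is an added illustration (not Acegi's own code) that reads the two bean definitions, trimmed to the properties that matter, and shows which domain and extra role a client ends up with depending on its source address; it assumes the first filter in the chain whose range contains the address is the one that authenticates the user.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the two filter beans from this page, reduced to the
# properties that drive the domain/role decision.
BEANS_XML = """
<beans>
  <bean id="ntlmProcessingFilterInternal" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilter">
    <property name="defaultDomain"><value>INTERNAL</value></property>
    <property name="includedIpAddresses"><list><value>172.16.0.0/16</value></list></property>
    <property name="defaultRole"><value>ROLE_INTERNAL</value></property>
  </bean>
  <bean id="ntlmProcessingFilterExternal" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilter">
    <property name="defaultDomain"><value>EXTERNAL</value></property>
    <property name="includedIpAddresses"><list><value>201.20.0.0/16</value></list></property>
    <property name="defaultRole"><value>ROLE_EXTERNAL</value></property>
  </bean>
</beans>
"""


def load_filters(xml_text):
    """Return [(bean id, domain, [networks], defaultRole)] in chain order."""
    filters = []
    for bean in ET.fromstring(xml_text).findall("bean"):
        props = {p.get("name"): p for p in bean.findall("property")}
        nets = [ipaddress.ip_network(v.text.strip())
                for v in props["includedIpAddresses"].iter("value")]
        filters.append((bean.get("id"),
                        props["defaultDomain"].find("value").text.strip(),
                        nets,
                        props["defaultRole"].find("value").text.strip()))
    return filters


def roles_for(remote_addr, user_roles, filters):
    """Assumed chain behaviour: the first filter whose included range holds the
    client address authenticates against its domain and appends its defaultRole.
    A client outside every range matches no filter and gains no extra role."""
    addr = ipaddress.ip_address(remote_addr)
    for _bean_id, domain, nets, role in filters:
        if any(addr in net for net in nets):
            return domain, list(user_roles) + [role]
    return None, list(user_roles)
```

The decision is only as reliable as the remote address the servlet container reports, so behind a reverse proxy the ranges must describe what the application host actually sees, not the original clients.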
Note that to enable this, both filters need to be added to the filter chain:
...