{note}The latest Windows authentication bundle is [available here|weavedocs1:Windows Security].{note}

h1. First step to enable integrated login

*Download:* [^security_ntlm_step_1.xml]

This example contains the bare minimum to enable Windows Integrated Authentication and should be used as a first step to test the authentication. It does not provide access to Weave at all if the user is not part of the domain or if they are not listed in the users.properties file. It requires that each user that will be given access to the system be listed in the users.properties file, but since this is for testing that should only be one or two users. It will require editing of the ntlmProcessingFilter bean to at least set the correct defaultDomain and domainController.

It may also require changing the loadBalance property to set it to true (false is the default if it's not set). Depending upon the version of Active Directory you're running, you may need to specify a username/password for the ntlmProcessingFilter.

If you find authentication errors in the weave.log file after enabling integrated authentication, then change the ntlmProcessingFilter to the following and set the appropriate username/password.

{code:xml|title=Setting username/password for domain access}
	<bean id="ntlmProcessingFilter" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilter">
		<property name="authenticationEntryPoint" ref="ntlmEntryPoint"/>
		<property name="authenticationManager" ref="ntlmAuthenticationManager"/>
		<property name="defaultDomain">
			<value>cohga.local</value>
		</property>
		<property name="domainController">
			<value>192.168.0.80</value>
		</property>
		<property name="JCifsProperties">
			<map>
				<entry key="jcifs.smb.client.username">
					<value>username</value>
				</entry>
				<entry key="jcifs.smb.client.password">
					<value>password</value>
				</entry>
			</map>
		</property>
	</bean>
{code}
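The settings this page says must be reviewed before the filter is deployed (defaultDomain, domainController, loadBalance and the JCIFS username/password entries) are easy to leave at their example values. The script below is an added example, not part of the Weave documentation or of Acegi Security: it parses the ntlmProcessingFilter bean definition shown above (embedded here as a constructed sample wrapped in a <beans> root) with the Python standard library and reports anything still at a placeholder value or left unset. The placeholder strings it looks for ("username", "password") are the ones from the example above; the bean id and property names are those used on this page.

```python
"""Sanity-check an Acegi ntlmProcessingFilter bean definition before deploying it.

Added example (not the Weave project's or Acegi's own code). It inspects the
<bean id="ntlmProcessingFilter"> element and reports the settings this page
says must be reviewed: defaultDomain, domainController, loadBalance and the
JCIFS username/password map entries.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the bean from the page, wrapped in a <beans> root so it
# parses as a complete document. Values are the page's placeholders.
SAMPLE_BEAN_XML = """<beans>
<bean id="ntlmProcessingFilter" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilter">
  <property name="authenticationEntryPoint" ref="ntlmEntryPoint"/>
  <property name="authenticationManager" ref="ntlmAuthenticationManager"/>
  <property name="defaultDomain"><value>cohga.local</value></property>
  <property name="domainController"><value>192.168.0.80</value></property>
  <property name="JCifsProperties">
    <map>
      <entry key="jcifs.smb.client.username"><value>username</value></entry>
      <entry key="jcifs.smb.client.password"><value>password</value></entry>
    </map>
  </property>
</bean>
</beans>"""

# Values that indicate the example was copied without being filled in.
# Assumption: the literal strings "username"/"password" from the page's sample.
PLACEHOLDER_VALUES = {"username", "password", "", None}


def _text(element):
    """Stripped text of an element, or None if the element is missing/empty."""
    if element is None or element.text is None:
        return None
    return element.text.strip()


def property_value(bean, name):
    """Value of <property name="..."> given either as a value="" attribute or
    as a nested <value> element; None if the property is absent."""
    for prop in bean.findall("property"):
        if prop.get("name") == name:
            if prop.get("value") is not None:
                return prop.get("value")
            return _text(prop.find("value"))
    return None


def jcifs_entries(bean):
    """The JCifsProperties <map> entries as a dict of key -> value."""
    entries = {}
    for prop in bean.findall("property"):
        if prop.get("name") == "JCifsProperties":
            for entry in prop.findall("map/entry"):
                entries[entry.get("key")] = _text(entry.find("value"))
    return entries


def check_ntlm_filter(xml_text):
    """Return a list of findings for the ntlmProcessingFilter bean.
    An empty list means every reviewed setting looks deliberate."""
    root = ET.fromstring(xml_text)
    bean = next((b for b in root.iter("bean")
                 if b.get("id") == "ntlmProcessingFilter"), None)
    if bean is None:
        return ["no bean with id ntlmProcessingFilter found"]

    findings = []
    # The page says these two must always be set to the local values.
    for required in ("defaultDomain", "domainController"):
        if not property_value(bean, required):
            findings.append(f"{required} is not set")
    # The page notes loadBalance defaults to false when omitted.
    if property_value(bean, "loadBalance") is None:
        findings.append("loadBalance is not set (defaults to false)")
    # Credentials copied verbatim from the example are never valid.
    creds = jcifs_entries(bean)
    for key in ("jcifs.smb.client.username", "jcifs.smb.client.password"):
        if key in creds and creds[key] in PLACEHOLDER_VALUES:
            findings.append(f"{key} still holds the placeholder value from the example")
    return findings


if __name__ == "__main__":
    for finding in check_ntlm_filter(SAMPLE_BEAN_XML) or ["no findings"]:
        print(finding)
```

Run against the sample above it reports three findings: loadBalance unset and both JCIFS entries still at their placeholder values. Point it at your real security XML by passing the file contents to check_ntlm_filter; a property written in the shorthand form `<property name="loadBalance" value="true"/>` is recognised as well as the nested `<value>` form.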

Additional properties that can affect the authentication process can be found here; they are set in the JCifsProperties section of the ntlmProcessingFilter bean.

{graphviz}
strict digraph G {
    graph [ ratio="0.7 compressed", 
    		rankdir="LR",
    		ranksep=0.75, 
     		concentrate="false", 
    		remincross="true",
    		fontname=helvetica
    		fontsize=12 
    		];
    node  [ shape=box, 
	   	style=filled,
	   	fillcolor=white,
    		fontname=helvetica
     		fontsize=12,
    		fontcolor=black 
    		];
    edge  [ 
    		];
    		
    subgraph "cluster_security_ntlm_step_1.xml" { 
    	label="security_ntlm_step_1.xml";
    	style=filled;
    	color=ivory3;
        "filterChainProxy" [];
        "ntlmZeroPostFilter" [];
        "ntlmProcessingFilter" [];
        "ntlmEntryPoint" [];
        "ntlmAuthenticationManager" [];
        "nullDaoAuthenticationProvider" [];
        "userDetailsService" [];
        "httpSessionContextIntegrationFilter" [];
        "securityContextHolderAwareRequestFilter" [];
        "exceptionTranslationFilter" [];
        "jsonExceptionTranslationFilter" [];
        "filterInvocationInterceptor" [];
        "ntlmAuthenticationManager" -> "nullDaoAuthenticationProvider" [];
        "ntlmProcessingFilter" -> "ntlmEntryPoint" [];
        "ntlmProcessingFilter" -> "ntlmAuthenticationManager" [];
        "nullDaoAuthenticationProvider" -> "userDetailsService" [];
        "filterInvocationInterceptor" -> "ntlmAuthenticationManager" [];

	"filterChainProxy" -> "filterInvocationInterceptor" [];
	"filterChainProxy" -> "jsonExceptionTranslationFilter" [];
	"filterChainProxy" -> "exceptionTranslationFilter" [];
	"filterChainProxy" -> "securityContextHolderAwareRequestFilter" [];
	"filterChainProxy" -> "ntlmProcessingFilter" [];
	"filterChainProxy" -> "httpSessionContextIntegrationFilter" [];
	"filterChainProxy" -> "ntlmZeroPostFilter" [];
    }
}
{graphviz}

h1. Extended authentication example

*Download:* [^security_ntlm_step_2.xml]

This example expands on the original bare minimum example but includes anonymous authentication plus form login. It will also require editing of the ntlmProcessingFilter bean to at least set the correct defaultDomain and domainController. It may also require changing the loadBalance property to set it to true (false is the default if it's not set).

{graphviz}
strict digraph G {
    graph [ ratio="0.7 compressed", 
    		rankdir="LR",
    		ranksep=0.75, 
     		concentrate="false", 
    		remincross="true",
    		fontname=helvetica
    		fontsize=12 
    		];
    node  [ shape=box, 
	   	style=filled,
	   	fillcolor=white,
    		fontname=helvetica
     		fontsize=12,
    		fontcolor=black 
    		];
    edge  [ 
    		];

    subgraph "cluster_security_ntlm_step_2.xml" { 
    	label="security_ntlm_step_2.xml";
    	style=filled;
    	color=ivory3;
        "filterChainProxy" [];
        "ntlmZeroPostFilter" [];
        "ntlmProcessingFilter" [];
        "ntlmEntryPoint" [];
        "ntlmAuthenticationManager" [];
        "nullDaoAuthenticationProvider" [];
        "httpSessionContextIntegrationFilter" [];
        "logoutFilter" [];
        "authenticationProcessingFilter" [];
        "securityContextHolderAwareRequestFilter" [];
        "rememberMeProcessingFilter" [];
        "anonymousProcessingFilter" [];
        "exceptionTranslationFilter" [];
        "jsonExceptionTranslationFilter" [];
        "filterInvocationInterceptor" [];
        "rememberMeServices" [];
        "authenticationManager" [];
        "daoAuthenticationProvider" [];
        "userDetailsService" [];

        "ntlmAuthenticationManager" -> "nullDaoAuthenticationProvider" [];
        "authenticationManager" -> "daoAuthenticationProvider" [];
        "ntlmProcessingFilter" -> "ntlmEntryPoint" [];
        "ntlmProcessingFilter" -> "ntlmAuthenticationManager" [];
        "nullDaoAuthenticationProvider" -> "userDetailsService" [];
        "authenticationProcessingFilter" -> "authenticationManager" [];
        "authenticationProcessingFilter" -> "rememberMeServices" [];
        "rememberMeProcessingFilter" -> "authenticationManager" [];
        "rememberMeProcessingFilter" -> "rememberMeServices" [];
        "filterInvocationInterceptor" -> "authenticationManager" [];
        "rememberMeServices" -> "userDetailsService" [];
        "daoAuthenticationProvider" -> "userDetailsService" [];
        "logoutFilter" -> "rememberMeServices" [];

	"filterChainProxy" -> "logoutFilter" [];
	"filterChainProxy" -> "filterInvocationInterceptor" [];
	"filterChainProxy" -> "jsonExceptionTranslationFilter" [];
	"filterChainProxy" -> "exceptionTranslationFilter" [];
	"filterChainProxy" -> "anonymousProcessingFilter" [];
	"filterChainProxy" -> "rememberMeProcessingFilter" [];
	"filterChainProxy" -> "securityContextHolderAwareRequestFilter" [];
	"filterChainProxy" -> "authenticationProcessingFilter" [];
	"filterChainProxy" -> "ntlmProcessingFilter" [];
	"filterChainProxy" -> "logoutFilter" [];
	"filterChainProxy" -> "httpSessionContextIntegrationFilter" [];
	"filterChainProxy" -> "ntlmZeroPostFilter" [];
    }
 }
{graphviz}

h3. Getting roles from Active Directory (via LDAP)

*Download:* [^security_ntlm_step_3.xml]

In this example we're going back to step 1, but instead of obtaining the user information from the users.properties file via the org.acegisecurity.userdetails.memory.InMemoryDaoImpl user details service, we'll access the information from Active Directory (via the LDAP protocol). This example is exactly the same as step one except that we've swapped out the user details service that reads users.properties for one that reads the same information from the LDAP server. The settings in the ldapUserSearch, ldapAuthoritiesPopulator and initialDirContextFactory beans will at least need to be updated to reflect your local environment.

{graphviz}
strict digraph G {
    graph [ ratio="0.7 compressed", 
    		rankdir="LR",
    		ranksep=0.75, 
     		concentrate="false", 
    		remincross="true",
    		fontname=helvetica
    		fontsize=12 
    		];
    node  [ shape=box, 
	   	style=filled,
	   	fillcolor=white,
    		fontname=helvetica
     		fontsize=12,
    		fontcolor=black 
    		];
    edge  [ 
    		];
    		
    subgraph "cluster_security_ntlm_step_3.xml" { 
    	label="security_ntlm_step_3.xml";
    	style=filled;
    	color=ivory3;
        "filterChainProxy" [];
        "ntlmZeroPostFilter" [];
        "ntlmProcessingFilter" [];
        "ntlmEntryPoint" [];
        "ntlmAuthenticationManager" [];
        "nullDaoAuthenticationProvider" [];
        "httpSessionContextIntegrationFilter" [];
        "securityContextHolderAwareRequestFilter" [];
        "exceptionTranslationFilter" [];
        "jsonExceptionTranslationFilter" [];
        "filterInvocationInterceptor" [];
        "userDetailsService" [];
        "ldapUserSearch" [];
        "ldapAuthoritiesPopulator" [];
        "initialDirContextFactory" [];
        "ntlmAuthenticationManager" -> "nullDaoAuthenticationProvider" [];
        "ntlmProcessingFilter" -> "ntlmEntryPoint" [];
        "ntlmProcessingFilter" -> "ntlmAuthenticationManager" [];
        "nullDaoAuthenticationProvider" -> "userDetailsService" [];
        "filterInvocationInterceptor" -> "ntlmAuthenticationManager" [];
        "userDetailsService" -> "ldapUserSearch" [];
        "userDetailsService" -> "ldapAuthoritiesPopulator" [];
        "ldapUserSearch" -> "initialDirContextFactory" [];
        "ldapAuthoritiesPopulator" -> "initialDirContextFactory" [];

	"filterChainProxy" -> "filterInvocationInterceptor" [];
	"filterChainProxy" -> "jsonExceptionTranslationFilter" [];
	"filterChainProxy" -> "exceptionTranslationFilter" [];
	"filterChainProxy" -> "securityContextHolderAwareRequestFilter" [];
	"filterChainProxy" -> "ntlmProcessingFilter" [];
	"filterChainProxy" -> "httpSessionContextIntegrationFilter" [];
	"filterChainProxy" -> "ntlmZeroPostFilter" [];
  }
}
{graphviz}