h1. First step to enable integrated login

[Windows Authentication Examples^security^security_ntlm_step_1.xml]

This example contains the bare minimum to enable Windows Integrated Authentication and should be used as a first step to test the authentication.

It does not provide access to Weave at all if the user is not part of the domain or if they are not listed in the {{users.properties}} file.

It requires that each user that will be given access to the system be listed in the {{users.properties}} file, but since this is for testing that should only be one or two users.

It will require editing of the {{ntlmProcessingFilter}} bean to at least set the correct {{defaultDomain}} and {{domainController}}.
It may also require changing the {{loadBalance}} property to set it to {{true}} ({{false}} is the default if it's not set).

Depending upon the version of Active Directory you're running, you may need to specify a username/password for the {{ntlmProcessingFilter}} so that JCIFS can connect to the domain controller.
If you find authentication errors in the weave.log file after enabling integrated authentication, change the {{ntlmProcessingFilter}} bean to the following and set the appropriate username/password.

{code:xml|linenumbers=true|title=Setting username/password for domain access}
<bean id="ntlmProcessingFilter" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilter">
    <property name="authenticationEntryPoint" ref="ntlmEntryPoint"/>
    <property name="authenticationManager" ref="ntlmAuthenticationManager"/>
    <!-- Domain used when the client does not supply one -->
    <property name="defaultDomain">
        <value>cohga.local</value>
    </property>
    <!-- Domain controller that validates the NTLM responses -->
    <property name="domainController">
        <value>192.168.0.80</value>
    </property>
    <!-- Account JCIFS uses to connect to the controller; replace both values -->
    <property name="JCifsProperties">
        <map>
            <entry key="jcifs.smb.client.username">
                <value>username</value>
            </entry>
            <entry key="jcifs.smb.client.password">
                <value>password</value>
            </entry>
        </map>
    </property>
</bean>
{code}

Additional properties that can affect the authentication process [can be found here|http://jcifs.samba.org/src/docs/api/overview-summary.html#scp]; they can be set in the {{JCifsProperties}} section to alter the authentication process.
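As an added example (not the contents of {{security_ntlm_step_1.xml}} and not shipped with Weave), the same bean configured for the {{loadBalance}} case mentioned above. It assumes the JCIFS behaviour that Acegi's filter wraps: with {{loadBalance}} set to {{true}}, {{domainController}} is treated as the NetBIOS domain name rather than one controller's address, and a WINS server ({{jcifs.netbios.wins}}) is used to locate a controller. The NetBIOS name {{COHGA}}, the WINS address, the service account name and the timeout value are assumed placeholders.

```xml
<!-- Added example, not the project's own file. Values marked "assumed" are placeholders. -->
<bean id="ntlmProcessingFilter" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilter">
    <property name="authenticationEntryPoint" ref="ntlmEntryPoint"/>
    <property name="authenticationManager" ref="ntlmAuthenticationManager"/>

    <!-- loadBalance=true: domainController names the domain, not a single controller
         (the page notes that false is the default when the property is omitted) -->
    <property name="loadBalance">
        <value>true</value>
    </property>
    <property name="defaultDomain">
        <value>cohga.local</value>
    </property>
    <property name="domainController">
        <value>COHGA</value>             <!-- assumed NetBIOS domain name -->
    </property>

    <property name="JCifsProperties">
        <map>
            <!-- WINS server queried to find a live controller for the domain (assumed address) -->
            <entry key="jcifs.netbios.wins">
                <value>192.168.0.2</value>
            </entry>
            <!-- Account used to connect to the controller. This file then holds a clear-text
                 secret: keep it out of version control and restrict read access to it. -->
            <entry key="jcifs.smb.client.username">
                <value>svc_weave_ntlm</value>   <!-- assumed service account -->
            </entry>
            <entry key="jcifs.smb.client.password">
                <value>CHANGE-ME</value>        <!-- placeholder -->
            </entry>
            <!-- Socket timeout in milliseconds, so a login request fails quickly rather than
                 hanging when the selected controller is unreachable (assumed value) -->
            <entry key="jcifs.smb.client.soTimeout">
                <value>15000</value>
            </entry>
        </map>
    </property>
</bean>
```

Two checks are worth making after editing the bean. First, the user you log in with must still have an entry in {{users.properties}}, because the step-1 configuration grants nothing to domain users who are not listed there. Second, watch weave.log during the first login: an error from the NTLM filter at this stage almost always means the controller could not be reached or rejected the JCIFS connection, which is the case the username/password entries above exist for.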

{graphviz}
strict digraph G {
    graph [ ratio="0.7 compressed", 
    		rankdir="LR",
    		ranksep=0.75, 
     		concentrate="false", 
    		remincross="true",
    		fontname=helvetica
    		fontsize=12 
    		];
    node  [ shape=box, 
	   	style=filled,
	   	fillcolor=white,
    		fontname=helvetica
     		fontsize=12,
    		fontcolor=black 
    		];
    edge  [ 
    		];
    		
    subgraph "cluster_security_ntlm_step_1.xml" { 
    	label="security_ntlm_step_1.xml";
    	style=filled;
    	color=ivory3;
        "filterChainProxy" [];
        "ntlmZeroPostFilter" [];
        "ntlmProcessingFilter" [];
        "ntlmEntryPoint" [];
        "ntlmAuthenticationManager" [];
        "nullDaoAuthenticationProvider" [];
        "userDetailsService" [];
        "httpSessionContextIntegrationFilter" [];
        "securityContextHolderAwareRequestFilter" [];
        "exceptionTranslationFilter" [];
        "jsonExceptionTranslationFilter" [];
        "filterInvocationInterceptor" [];
        "ntlmAuthenticationManager" -> "nullDaoAuthenticationProvider" [];
        "ntlmProcessingFilter" -> "ntlmEntryPoint" [];
        "ntlmProcessingFilter" -> "ntlmAuthenticationManager" [];
        "nullDaoAuthenticationProvider" -> "userDetailsService" [];
        "filterInvocationInterceptor" -> "ntlmAuthenticationManager" [];

	"filterChainProxy" -> "filterInvocationInterceptor" [];
	"filterChainProxy" -> "jsonExceptionTranslationFilter" [];
	"filterChainProxy" -> "exceptionTranslationFilter" [];
	"filterChainProxy" -> "securityContextHolderAwareRequestFilter" [];
	"filterChainProxy" -> "ntlmProcessingFilter" [];
	"filterChainProxy" -> "httpSessionContextIntegrationFilter" [];
	"filterChainProxy" -> "ntlmZeroPostFilter" [];
    }
}
{graphviz}

h1. Extended authentication example

[^security_ntlm_step_2.xml]

This example expands on the bare minimum example above and adds anonymous authentication plus form login.

It will also require editing of the {{ntlmProcessingFilter}} bean to at least set the correct {{defaultDomain}} and {{domainController}}.
It may also require changing the {{loadBalance}} property to set it to {{true}} ({{false}} is the default if it's not set).
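The diagram below lists the beans in the step-2 chain but not the order in which {{filterChainProxy}} runs them, and that order decides whether the anonymous and form-login paths work. The following is an added example (not the contents of {{security_ntlm_step_2.xml}}): an explicit chain for the beans named in the diagram, using Acegi's usual ordering rules. The position of the Weave-specific {{ntlmZeroPostFilter}} and {{jsonExceptionTranslationFilter}} is an assumption, as are the {{key}} value and the {{anonymousAuthenticationProvider}} bean, which the diagram does not show; check all of them against the shipped file.

```xml
<!-- Added example, not the project's own file. The filter order is an assumption based on
     Acegi's chain rules: session integration first, the authenticating filters next,
     anonymous last among them, then exception translation, then the interceptor. -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /**=httpSessionContextIntegrationFilter,logoutFilter,ntlmZeroPostFilter,ntlmProcessingFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,jsonExceptionTranslationFilter,exceptionTranslationFilter,filterInvocationInterceptor
        </value>
    </property>
</bean>

<!-- Runs only when no earlier filter has populated the security context, so a domain user
     authenticated by ntlmProcessingFilter is never downgraded to anonymous. -->
<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    <!-- Shared secret that ties the anonymous token to the provider below (assumed value) -->
    <property name="key">
        <value>changeThisAnonymousKey</value>
    </property>
    <!-- Principal name and the single role anonymous requests carry -->
    <property name="userAttribute">
        <value>anonymousUser,ROLE_ANONYMOUS</value>
    </property>
</bean>

<!-- Without a provider that accepts the anonymous token, filterInvocationInterceptor
     rejects every anonymous request instead of treating it as ROLE_ANONYMOUS.
     The key must match the filter's key exactly. -->
<bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    <property name="key">
        <value>changeThisAnonymousKey</value>
    </property>
</bean>
```

Anonymous authentication only changes what an unauthenticated request is called; it does not by itself open anything. Which URLs {{ROLE_ANONYMOUS}} may reach is still decided by the {{objectDefinitionSource}} of {{filterInvocationInterceptor}}, so review that mapping when adding this example, and make sure {{anonymousAuthenticationProvider}} is registered with the {{authenticationManager}} that the interceptor uses.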

{graphviz}
strict digraph G {
    graph [ ratio="0.7 compressed", 
    		rankdir="LR",
    		ranksep=0.75, 
     		concentrate="false", 
    		remincross="true",
    		fontname=helvetica
    		fontsize=12 
    		];
    node  [ shape=box, 
	   	style=filled,
	   	fillcolor=white,
    		fontname=helvetica
     		fontsize=12,
    		fontcolor=black 
    		];
    edge  [ 
    		];

    subgraph "cluster_security_ntlm_step_2.xml" { 
    	label="security_ntlm_step_2.xml";
    	style=filled;
    	color=ivory3;
        "filterChainProxy" [];
        "ntlmZeroPostFilter" [];
        "ntlmProcessingFilter" [];
        "ntlmEntryPoint" [];
        "ntlmAuthenticationManager" [];
        "nullDaoAuthenticationProvider" [];
        "httpSessionContextIntegrationFilter" [];
        "logoutFilter" [];
        "authenticationProcessingFilter" [];
        "securityContextHolderAwareRequestFilter" [];
        "rememberMeProcessingFilter" [];
        "anonymousProcessingFilter" [];
        "exceptionTranslationFilter" [];
        "jsonExceptionTranslationFilter" [];
        "filterInvocationInterceptor" [];
        "rememberMeServices" [];
        "authenticationManager" [];
        "daoAuthenticationProvider" [];
        "userDetailsService" [];

        "ntlmAuthenticationManager" -> "nullDaoAuthenticationProvider" [];
        "authenticationManager" -> "daoAuthenticationProvider" [];
        "ntlmProcessingFilter" -> "ntlmEntryPoint" [];
        "ntlmProcessingFilter" -> "ntlmAuthenticationManager" [];
        "nullDaoAuthenticationProvider" -> "userDetailsService" [];
        "authenticationProcessingFilter" -> "authenticationManager" [];
        "authenticationProcessingFilter" -> "rememberMeServices" [];
        "rememberMeProcessingFilter" -> "authenticationManager" [];
        "rememberMeProcessingFilter" -> "rememberMeServices" [];
        "filterInvocationInterceptor" -> "authenticationManager" [];
        "rememberMeServices" -> "userDetailsService" [];
        "daoAuthenticationProvider" -> "userDetailsService" [];
        "logoutFilter" -> "rememberMeServices" [];

	"filterChainProxy" -> "logoutFilter" [];
	"filterChainProxy" -> "filterInvocationInterceptor" [];
	"filterChainProxy" -> "jsonExceptionTranslationFilter" [];
	"filterChainProxy" -> "exceptionTranslationFilter" [];
	"filterChainProxy" -> "anonymousProcessingFilter" [];
	"filterChainProxy" -> "rememberMeProcessingFilter" [];
	"filterChainProxy" -> "securityContextHolderAwareRequestFilter" [];
	"filterChainProxy" -> "authenticationProcessingFilter" [];
	"filterChainProxy" -> "ntlmProcessingFilter" [];
	"filterChainProxy" -> "logoutFilter" [];
	"filterChainProxy" -> "httpSessionContextIntegrationFilter" [];
	"filterChainProxy" -> "ntlmZeroPostFilter" [];
    }
 }
{graphviz}