...
First up we'll look at how to give users access to the system without entering a username/password, via Windows integrated authentication. Then we'll look at extending this to also obtain the users' access levels from the domain.
Note: The latest Windows authentication bundle is downloadable here.
Debugging
You may want to turn on logging of the security processing while setting up the authentication, since it's disabled by default.
...
<bean id="ntlmProcessingFilter" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilterIPFilteredNtlmProcessingFilter">
    <property name="defaultDomain"><value>DOMAINNAME</value></property>
    <property name="domainController"><value>172.16.0.30</value></property>
    <property name="authenticationEntryPoint" ref="ntlmEntryPoint"/>
    <property name="authenticationManager" ref="ntlmAuthenticationManager"/>
    <property name="excludedIpAddresses">
        <list>
            <value>192.168.2.0/24</value>
            <value>138.19.19.50</value>
        </list>
    </property>
    <property name="includedIpAddresses">
        <list>
            <value>172.16.0.0/16</value>
        </list>
    </property>
</bean>
...
<bean id="ntlmProcessingFilterInternal" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilterIPFilteredNtlmProcessingFilter">
    <property name="defaultDomain"><value>INTERNAL</value></property>
    <property name="domainController"><value>172.16.0.30</value></property>
    <property name="authenticationEntryPoint" ref="ntlmEntryPoint"/>
    <property name="authenticationManager" ref="ntlmAuthenticationManager"/>
    <property name="includedIpAddresses">
        <list>
            <value>172.16.0.0/16</value>
        </list>
    </property>
    <property name="defaultRole"><value>ROLE_INTERNAL</value></property>
</bean>

<bean id="ntlmProcessingFilterExternal" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilterIPFilteredNtlmProcessingFilter">
    <property name="defaultDomain"><value>EXTERNAL</value></property>
    <property name="domainController"><value>201.20.109.76</value></property>
    <property name="authenticationEntryPoint" ref="ntlmEntryPoint"/>
    <property name="authenticationManager" ref="ntlmAuthenticationManager"/>
    <property name="includedIpAddresses">
        <list>
            <value>201.20.0.0/16</value>
        </list>
    </property>
    <property name="defaultRole"><value>ROLE_EXTERNAL</value></property>
</bean>
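The includedIpAddresses / excludedIpAddresses lists above decide which clients are challenged for NTLM at all, so it is worth being precise about how such a list is evaluated. The following is an added illustration written for this page, not the filter class's own code: it parses the <value> entries from the first bean into CIDR networks and applies one plausible rule (an excluded address is never challenged, an empty include list means "everyone else", otherwise the address must fall in an included range). That rule, the function names and the sample addresses are assumptions of this example, not taken from the page.

```python
# Added example (not Weave's or Acegi's code): evaluate includedIpAddresses /
# excludedIpAddresses lists like those in the ntlmProcessingFilter bean.
# The precedence rule below (excluded wins, empty include list = everyone) is an
# assumption made for this illustration; check it against the filter you deploy.
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ranges(values: Iterable[str]) -> List[Network]:
    """Parse the <value> entries; a bare address becomes a /32 (or /128) network."""
    return [ipaddress.ip_network(v.strip(), strict=False) for v in values]


def in_any(addr: str, nets: List[Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def ntlm_applies(remote_addr: str, included: List[Network], excluded: List[Network]) -> bool:
    """Return True if the client at remote_addr should receive the NTLM challenge.

    remote_addr must be the TCP peer address of the connection (or the address a
    trusted reverse proxy vouches for); a client-supplied header such as
    X-Forwarded-For cannot be used to place a request inside an "internal" range.
    """
    if in_any(remote_addr, excluded):
        return False          # explicitly excluded, even if also inside an included range
    if not included:
        return True           # no include list: every non-excluded address is challenged
    return in_any(remote_addr, included)


# Constructed sample mirroring the first bean on this page.
INCLUDED = parse_ranges(["172.16.0.0/16"])
EXCLUDED = parse_ranges(["192.168.2.0/24", "138.19.19.50"])


def classify(remote_addr: str) -> str:
    """Which authentication path a request from remote_addr would take."""
    return "ntlm" if ntlm_applies(remote_addr, INCLUDED, EXCLUDED) else "form-login"


if __name__ == "__main__":
    for a in ["172.16.5.9", "192.168.2.77", "138.19.19.50", "10.0.0.1"]:
        print(a, "->", classify(a))
```

The single address 138.19.19.50 in the exclude list is treated as a /32, which is how a bare address in such a list is normally read; if the filter you deploy treats bare addresses or overlapping include/exclude ranges differently, adjust the rule in ntlm_applies rather than assuming this one.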
...
[Screenshot: Connecting to the LDAP server with JXplorer]

[Screenshot: Connected to the LDAP server with JXplorer]
...
The two final beans, userSearchLdap and populatorLdap, also require information that is specific to the environment you're running within. The userSearchLdap bean would be something like the following:
...
This configuration assumes that there is a branch in the tree matching the first constructor arg, and that the sAMAccountName value of any user found there matches the username they logged into Windows with.
[Screenshot: JXplorer showing a user's entry]
...
This configuration is set up to search for groups and use the member attribute of each group to determine whether the user belongs to it. It assumes that a security group called Weave has been created in the Active Directory server and that the roles/groups for Weave are created under it. This "should" take the Active Directory groups the user belongs to and convert them to a format that's usable in Weave; it also assigns a default ROLE_USERS role to all users (which you can remove if it's not appropriate).
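To make the two LDAP steps concrete (the user lookup by sAMAccountName described earlier, and the group-to-role conversion described here), the following added example works through both against a small in-memory directory. It is illustrative code written for this page, not the userSearchLdap/populatorLdap beans or Acegi's implementation. The search filter form (sAMAccountName={0}), the role naming convention (ROLE_ plus the upper-cased group CN), the Weave branch DN and the directory contents are all assumptions constructed for the demo.

```python
# Added example (not Weave's or Acegi's code): the two LDAP steps from this page.
#  1. userSearchLdap: find the user's DN by sAMAccountName, escaping the value so a
#     username typed at the Windows logon cannot alter the LDAP filter.
#  2. populatorLdap: groups under the Weave branch whose 'member' attribute lists the
#     user's DN become roles, plus the default ROLE_USERS.
# Filter pattern, role naming and the sample directory below are assumptions.
from typing import Dict, List, Set


def escape_ldap_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(username: str) -> str:
    """The filter the userSearchLdap bean would send (pattern assumed, not from the page)."""
    return "(sAMAccountName=%s)" % escape_ldap_filter_value(username)


# Constructed sample directory: user entries keyed by DN, group entries with 'member'.
USERS: Dict[str, Dict[str, str]] = {
    "CN=Jane Doe,OU=Users,DC=example,DC=local": {"sAMAccountName": "jdoe"},
}
JANE = "CN=Jane Doe,OU=Users,DC=example,DC=local"
GROUPS: Dict[str, List[str]] = {
    # group DN -> member DNs
    "CN=GIS Editors,OU=Weave,DC=example,DC=local": [JANE],
    "CN=Viewers,OU=Weave,DC=example,DC=local": [JANE],
    # Jane is in this group too, but it is not under the Weave branch, so it is ignored.
    "CN=Domain Admins,CN=Users,DC=example,DC=local": [JANE],
}
GROUP_SEARCH_BASE = "OU=Weave,DC=example,DC=local"  # assumed location of the Weave branch


def find_user_dn(username: str) -> str:
    """userSearchLdap step: exactly one entry must match (AD treats sAMAccountName case-insensitively)."""
    matches = [dn for dn, attrs in USERS.items()
               if attrs["sAMAccountName"].lower() == username.lower()]
    if len(matches) != 1:
        raise LookupError("expected exactly one user for %r, found %d" % (username, len(matches)))
    return matches[0]


def group_cn(dn: str) -> str:
    """Leading RDN value of a DN, e.g. 'GIS Editors' from 'CN=GIS Editors,OU=Weave,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def roles_for(username: str, default_role: str = "ROLE_USERS") -> Set[str]:
    """populatorLdap step: map Weave-branch group membership to roles and add the default."""
    user_dn = find_user_dn(username)
    roles = {default_role}
    for gdn, members in GROUPS.items():
        if not gdn.endswith("," + GROUP_SEARCH_BASE):
            continue  # only groups created under the Weave branch count
        if user_dn in members:
            roles.add("ROLE_" + group_cn(gdn).upper().replace(" ", "_"))
    return roles


if __name__ == "__main__":
    print(user_search_filter("jdoe"))
    print(sorted(roles_for("jdoe")))
```

Two details carry over directly to a real deployment: the user search must resolve to exactly one entry (a zero or multiple result should fail authentication rather than pick the first hit), and only groups under the configured Weave branch should become roles, so that unrelated directory groups do not silently grant access.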
[Screenshot: JXplorer showing a group entry]
...