Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

The latest windows authentication bundle is available [here|^org.acegisecurity.ntlm_1.4.4.jar]

First step to enable integrated login

Download: security_ntlm_step_1.xml

This example contains the bare minimum to enable Windows Integrated Authentication and should be used as a first step to test the authentication.

It does not provide access to Weave at all if the user is not part of the domain or if they are not listed in the users.properties file.

It requires that each user that will be given access to the system be listed in the users.properties file, but since this is for testing that should only be one or two users.

It will require editing of the ntlmProcessingFilter bean to at least set the correct defaultDomain and domainController.
It may also require changing the loadBalance property to set it to true (false is the default if it's not set).

Depending upon the version of active directory you're running you may need to specify a username/password for the ntlmProcessingFilter.
If you find authentication errors in the weave.log file after enabling integrated authentication then change the ntlmProcessingFilter to the following and set the appropriate username/password.

Setting username/password for domain access
	<bean id="ntlmProcessingFilter" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilter">
		<property name="authenticationEntryPoint" ref="ntlmEntryPoint"/>
		<property name="authenticationManager" ref="ntlmAuthenticationManager"/>
		<property name="defaultDomain">
			<value>cohga.local</value>
		</property>
		<property name="domainController">
			<value>192.168.0.80</value>
		</property>
		<property name = "JCifsProperties">
			<map>
				<entry key="jcifs.smb.client.username">
					<value>username</value>
				</entry>
				<entry key="jcifs.smb.client.password">
					<value>password</value>
				</entry>
			</map>
		</property>
	</bean>

Additional properties that can effect the authentication process can be found here, where they can be set in the JCifsProperties section to alter the authentication process.

Unknown macro: {graphviz}

strict digraph G {
graph [ ratio="0.7 compressed",
rankdir="LR",
ranksep=0.75,
concentrate="false",
remincross="true",
fontname=helvetica
fontsize=12
];
node [ shape=box,
style=filled,
fillcolor=white,
fontname=helvetica
fontsize=12,
fontcolor=black
];
edge [
];

subgraph "cluster_security_ntlm_step_1.xml"

Unknown macro: { label="security_ntlm_step_1.xml"; style=filled; color=ivory3; "filterChainProxy" []; "ntlmZeroPostFilter" []; "ntlmProcessingFilter" []; "ntlmEntryPoint" []; "ntlmAuthenticationManager" []; "nullDaoAuthenticationProvider" []; "userDetailsService" []; "httpSessionContextIntegrationFilter" []; "securityContextHolderAwareRequestFilter" []; "exceptionTranslationFilter" []; "jsonExceptionTranslationFilter" []; "filterInvocationInterceptor" []; "ntlmAuthenticationManager" -> "nullDaoAuthenticationProvider" []; "ntlmProcessingFilter" -> "ntlmEntryPoint" []; "ntlmProcessingFilter" -> "ntlmAuthenticationManager" []; "nullDaoAuthenticationProvider" -> "userDetailsService" []; "filterInvocationInterceptor" -> "ntlmAuthenticationManager" []; "filterChainProxy" -> "filterInvocationInterceptor" []; "filterChainProxy" -> "jsonExceptionTranslationFilter" []; "filterChainProxy" -> "exceptionTranslationFilter" []; "filterChainProxy" -> "securityContextHolderAwareRequestFilter" []; "filterChainProxy" -> "ntlmProcessingFilter" []; "filterChainProxy" -> "httpSessionContextIntegrationFilter" []; "filterChainProxy" -> "ntlmZeroPostFilter" []; }

}

Extended authentication example

Download: security_ntlm_step_2.xml

This example expands on the original bare minimum example but includes anonymous authentication plus form login.

It will also require editing of the ntlmProcessingFilter bean to at least set the correct defaultDomain and domainController.
It may also require changing the loadBalance property to set it to true (false is the default if it's not set).

Unknown macro: {graphviz}

strict digraph G {
graph [ ratio="0.7 compressed",
rankdir="LR",
ranksep=0.75,
concentrate="false",
remincross="true",
fontname=helvetica
fontsize=12
];
node [ shape=box,
style=filled,
fillcolor=white,
fontname=helvetica
fontsize=12,
fontcolor=black
];
edge [
];

subgraph "cluster_security_ntlm_step_2.xml"

Unknown macro: { label="security_ntlm_step_2.xml"; style=filled; color=ivory3; "filterChainProxy" []; "ntlmZeroPostFilter" []; "ntlmProcessingFilter" []; "ntlmEntryPoint" []; "ntlmAuthenticationManager" []; "nullDaoAuthenticationProvider" []; "httpSessionContextIntegrationFilter" []; "logoutFilter" []; "authenticationProcessingFilter" []; "securityContextHolderAwareRequestFilter" []; "rememberMeProcessingFilter" []; "anonymousProcessingFilter" []; "exceptionTranslationFilter" []; "jsonExceptionTranslationFilter" []; "filterInvocationInterceptor" []; "rememberMeServices" []; "authenticationManager" []; "daoAuthenticationProvider" []; "userDetailsService" []; "ntlmAuthenticationManager" -> "nullDaoAuthenticationProvider" []; "authenticationManager" -> "daoAuthenticationProvider" []; "ntlmProcessingFilter" -> "ntlmEntryPoint" []; "ntlmProcessingFilter" -> "ntlmAuthenticationManager" []; "nullDaoAuthenticationProvider" -> "userDetailsService" []; "authenticationProcessingFilter" -> "authenticationManager" []; "authenticationProcessingFilter" -> "rememberMeServices" []; "rememberMeProcessingFilter" -> "authenticationManager" []; "rememberMeProcessingFilter" -> "rememberMeServices" []; "filterInvocationInterceptor" -> "authenticationManager" []; "rememberMeServices" -> "userDetailsService" []; "daoAuthenticationProvider" -> "userDetailsService" []; "logoutFilter" -> "rememberMeServices" []; "filterChainProxy" -> "logoutFilter" []; "filterChainProxy" -> "filterInvocationInterceptor" []; "filterChainProxy" -> "jsonExceptionTranslationFilter" []; "filterChainProxy" -> "exceptionTranslationFilter" []; "filterChainProxy" -> "anonymousProcessingFilter" []; "filterChainProxy" -> "rememberMeProcessingFilter" []; "filterChainProxy" -> "securityContextHolderAwareRequestFilter" []; "filterChainProxy" -> "authenticationProcessingFilter" []; "filterChainProxy" -> "ntlmProcessingFilter" []; "filterChainProxy" -> "logoutFilter" []; "filterChainProxy" -> "httpSessionContextIntegrationFilter" []; "filterChainProxy" -> "ntlmZeroPostFilter" []; }

}

Getting roles from Active Directory (via LDAP)

Download: security_ntlm_step_3.xml

In this example we're going back to step 1 but instead of obtaining the user information from the users.properties file, via the org.acegisecurity.userdetails.memory.InMemoryDaoImpl user details service, we'll access the information from Active Directory (via the LDAP protocol).

This example is exactly the same as step one except we've swapped out the user details service that accesses users.properties for the one that accesses that information LDAP server.

The information setup in the ldapUserSearch, ldapAuthoritiesPopulator and initialDirContextFactory will at least need to updated to reflect your local settings.

Unknown macro: {graphviz}

strict digraph G {
graph [ ratio="0.7 compressed",
rankdir="LR",
ranksep=0.75,
concentrate="false",
remincross="true",
fontname=helvetica
fontsize=12
];
node [ shape=box,
style=filled,
fillcolor=white,
fontname=helvetica
fontsize=12,
fontcolor=black
];
edge [
];

subgraph "cluster_security_ntlm_step_3.xml"

Unknown macro: { label="security_ntlm_step_3.xml"; style=filled; color=ivory3; "filterChainProxy" []; "ntlmZeroPostFilter" []; "ntlmProcessingFilter" []; "ntlmEntryPoint" []; "ntlmAuthenticationManager" []; "nullDaoAuthenticationProvider" []; "httpSessionContextIntegrationFilter" []; "securityContextHolderAwareRequestFilter" []; "exceptionTranslationFilter" []; "jsonExceptionTranslationFilter" []; "filterInvocationInterceptor" []; "userDetailsService" []; "ldapUserSearch" []; "ldapAuthoritiesPopulator" []; "initialDirContextFactory" []; "ntlmAuthenticationManager" -> "nullDaoAuthenticationProvider" []; "ntlmProcessingFilter" -> "ntlmEntryPoint" []; "ntlmProcessingFilter" -> "ntlmAuthenticationManager" []; "nullDaoAuthenticationProvider" -> "userDetailsService" []; "filterInvocationInterceptor" -> "ntlmAuthenticationManager" []; "userDetailsService" -> "ldapUserSearch" []; "userDetailsService" -> "ldapAuthoritiesPopulator" []; "ldapUserSearch" -> "initialDirContextFactory" []; "ldapAuthoritiesPopulator" -> "initialDirContextFactory" []; "filterChainProxy" -> "filterInvocationInterceptor" []; "filterChainProxy" -> "jsonExceptionTranslationFilter" []; "filterChainProxy" -> "exceptionTranslationFilter" []; "filterChainProxy" -> "securityContextHolderAwareRequestFilter" []; "filterChainProxy" -> "ntlmProcessingFilter" []; "filterChainProxy" -> "httpSessionContextIntegrationFilter" []; "filterChainProxy" -> "ntlmZeroPostFilter" []; }

}

  • No labels