
We have an application using spring-vault. It authenticates to Vault using an AppRole. We use the token we get from that operation to read and write secrets. The configuration for the VaultEndpoint and AppRoleAuthentication are auto-configured from a properties file.

Code looks like this:

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.core.VaultTemplate;

public class VaultFacadeImpl {

    @Autowired
    private ApplicationContext context;

    @Autowired
    private VaultOperations vault;

    private Logger logger = LoggerFactory.getLogger(VaultFacade.class);

    public VaultFacadeImpl() {
        logger.debug("Creating VaultFacade with autowired context");
        // VaultConfig is our AbstractVaultConfiguration subclass (AppRole, from properties)
        context = new AnnotationConfigApplicationContext(VaultConfig.class);

        vault = context.getBean(VaultTemplate.class);
        // vault variable ready to use with vault.read or vault.write
        // in our VaultFacadeImpl
    }
}

I would like to keep autowire capabilities, but also support two other ClientAuthentication implementations:

  • The existing TokenAuthentication
  • A custom ClientAuthentication implementation (LDAP auth backend)

The end result would be having two authentication mechanisms available at the same time. Some operations would be carried out with the application's credentials (AppRole in Vault), others with the user's credentials (LDAP in Vault).

I think I can create multiple AbstractVaultConfiguration classes, each returning a different ClientAuthentication derivative. But how can I create a VaultTemplate for each configuration class?

ixe013
  • Do you want to add options about the client authentication of which a single authentication is used or do you want to support multiple authentication mechanisms that are active at the same time (within the same application instance)? – mp911de Jun 29 '17 at 10:04
  • Both active at the same time in the same application instance. Clarified my question, thanks! – ixe013 Jun 29 '17 at 12:54

1 Answer

If you want to have an additional VaultTemplate bean, then you need to configure and declare the bean yourself. You can keep the foundation provided by AbstractVaultConfiguration. Your config could look like:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.LifecycleAwareSessionManager;
import org.springframework.vault.authentication.SessionManager;
import org.springframework.vault.config.AbstractVaultConfiguration.ClientFactoryWrapper;
import org.springframework.vault.core.VaultTemplate;

@Configuration
public class CustomConfiguration {

    // Second VaultTemplate: shares the HTTP client factory with the AppRole template
    // but has its own SessionManager backed by the LDAP ClientAuthentication
    @Bean
    public VaultTemplate ldapAuthVaultTemplate(ClientFactoryWrapper clientHttpRequestFactoryWrapper,
                                               ThreadPoolTaskScheduler threadPoolTaskScheduler) {
        return new VaultTemplate(…,                       // the VaultEndpoint
                clientHttpRequestFactoryWrapper.getClientHttpRequestFactory(),
                ldapSessionManager(threadPoolTaskScheduler));
    }

    @Bean
    public SessionManager ldapSessionManager(ThreadPoolTaskScheduler threadPoolTaskScheduler) {

        ClientAuthentication clientAuthentication = new MyLdapClientAuthentication(…);

        return new LifecycleAwareSessionManager(clientAuthentication,
                                                threadPoolTaskScheduler,
                                                …);       // RestOperations used for token renewal/revocation
    }
}

On the client side (using the second VaultTemplate) you need to make sure to look up the appropriate instance. Spring doesn't limit you to a bean per type but allows registration of multiple beans of the same type.

mp911de
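The following is an added, complete example of the two-template setup described in the question and sketched in the answer above; it is not code from either poster or from the spring-vault project. It assumes a spring-vault 1.x API, that the AppRole side is driven by spring-vault's own properties-based `EnvironmentVaultConfiguration` (`vault.uri`, `vault.authentication=APPROLE`, `vault.app-role.role-id`, ...), and that the LDAP user's credentials arrive through two hypothetical properties, `ldap.username` and `ldap.password`. The class names `LdapClientAuthentication`, `TwoIdentityVaultConfiguration` and `SecretFacade` are invented for the example; in a real project each top-level type goes in its own source file.

```java
import java.util.Collections;
import java.util.Map;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.stereotype.Service;
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.LifecycleAwareSessionManager;
import org.springframework.vault.authentication.LoginToken;
import org.springframework.vault.authentication.SessionManager;
import org.springframework.vault.client.VaultClients;
import org.springframework.vault.config.EnvironmentVaultConfiguration;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestOperations;

/** Custom ClientAuthentication for Vault's LDAP auth backend (POST auth/ldap/login/{username}); example class, not part of spring-vault. */
class LdapClientAuthentication implements ClientAuthentication {
    private final String username;
    private final String password;
    private final RestOperations restOperations;

    LdapClientAuthentication(String username, String password, RestOperations restOperations) {
        this.username = username;
        this.password = password;
        this.restOperations = restOperations;
    }

    @Override
    public VaultToken login() throws VaultException {
        VaultResponse response = restOperations.postForObject("auth/ldap/login/{username}",
                Collections.singletonMap("password", password), VaultResponse.class, username);
        if (response == null || response.getAuth() == null) {
            throw new VaultException("LDAP login to Vault returned no auth block");
        }
        Map<String, Object> auth = response.getAuth();
        String token = (String) auth.get("client_token");
        long lease = ((Number) auth.get("lease_duration")).longValue();
        // Returning a LoginToken (not a bare VaultToken) lets LifecycleAwareSessionManager renew and revoke it
        return Boolean.TRUE.equals(auth.get("renewable")) ? LoginToken.renewable(token, lease) : LoginToken.of(token, lease);
    }
}

/** EnvironmentVaultConfiguration already builds the AppRole template from properties; we extend it and add the LDAP one. */
@Configuration
class TwoIdentityVaultConfiguration extends EnvironmentVaultConfiguration {

    /** Application identity (AppRole). @Primary keeps a plain @Autowired VaultOperations unambiguous. */
    @Bean
    @Primary
    @Override
    public VaultTemplate vaultTemplate() {
        return super.vaultTemplate();
    }

    /** User identity (LDAP). The property names ldap.username / ldap.password are assumed for this example. */
    @Bean
    @Qualifier("ldap")
    public VaultTemplate ldapVaultTemplate(@Value("${ldap.username}") String username,
                                           @Value("${ldap.password}") String password) {
        // Unauthenticated REST client on the same endpoint and HTTP factory the AppRole template uses
        RestOperations rest = VaultClients.createRestTemplate(vaultEndpoint(),
                clientHttpRequestFactoryWrapper().getClientHttpRequestFactory());
        ClientAuthentication ldapLogin = new LdapClientAuthentication(username, password, rest);
        // Separate SessionManager: the LDAP token is acquired, cached and renewed independently of the AppRole token
        SessionManager ldapSession = new LifecycleAwareSessionManager(ldapLogin, threadPoolTaskScheduler(), rest);
        return new VaultTemplate(vaultEndpoint(),
                clientHttpRequestFactoryWrapper().getClientHttpRequestFactory(), ldapSession);
    }
}

/** Client side: choose the template per operation; AppRole is the @Primary bean, LDAP is selected by qualifier. */
@Service
class SecretFacade {
    private final VaultOperations appRoleVault;
    private final VaultOperations ldapVault;

    SecretFacade(VaultOperations appRoleVault, @Qualifier("ldap") VaultOperations ldapVault) {
        this.appRoleVault = appRoleVault;
        this.ldapVault = ldapVault;
    }

    /** Reads under the application's AppRole policies. */
    VaultResponse readAsApplication(String path) {
        return appRoleVault.read(path);
    }

    /** Writes under the user's LDAP policies, so Vault's ACL checks and audit log attribute the write to the user. */
    VaultResponse writeAsUser(String path, Map<String, Object> data) {
        return ldapVault.write(path, data);
    }
}
```

Two design points worth noting. Overriding `vaultTemplate()` with `@Primary` is what lets the asker's existing `@Autowired VaultOperations vault` keep working once a second `VaultTemplate` bean exists; without it, injection by type fails with a non-unique bean error. And because the `SessionManager` caches the LDAP token for the lifetime of the bean, this layout gives one LDAP identity per application instance; if each end user should authenticate with their own credentials, the LDAP `VaultTemplate` would have to be request- or session-scoped and the `ClientAuthentication` would read the credentials from the current security context instead of from properties.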