
I have a Spring Boot 2 REST application, and I want to configure Spring Security to support Google Sign-In OR LDAP authentication to the same resources (/employees for example).

I've already done authentication through httpBasic (which connects to the Apache AD LDAP server).

Also I've set up authentication through Google OAuth2 Sign-In. Both of these configurations work correctly separately (I can authenticate via Google Sign-In, but can't with LDAP at the same time, because I have to reconfigure Spring Security), and now I need the ability to authenticate in both of these ways at the same time.

My Spring Security configuration for LDAP auth:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
            .disable()
            .authorizeRequests()
            .antMatchers("/", "/login**","/callback/", "/webjars/**", "/error**")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .httpBasic()
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }


    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .ldapAuthentication()
                .ldapAuthoritiesPopulator(customLdapAuthoritiesPopulator)
                .userDnPatterns("uid={0},ou=people")
                .groupSearchBase("ou=groups")
                .contextSource()
                .url(env.getProperty("spring.ldap.urls") + env.getProperty("spring.ldap.base"))
                .and()
                .passwordCompare()
                .passwordAttribute("userPassword")
                .passwordEncoder(new LdapShaPasswordEncoder());
    }

And this is how it looks when I reconfigure Spring Security for Google OAuth2 Sign-In:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
            .disable()
            .authorizeRequests()
            .antMatchers("/", "/login**","/callback/", "/webjars/**", "/error**")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .oauth2Login()
            .userInfoEndpoint().oidcUserService(customOAuth2UserService);
    }

The result I need: the user has two options: authenticate with OAuth2 or, if he wants, with httpBasic LDAP, no matter which way.

I think there is a way to configure Spring Security so OAuth2 and httpBasic LDAP work together, but I don't know how to do it.


1 Answer


It is possible.

Basic authentication uses Basic, whereas OAuth uses Bearer, as the scheme in the Authorization header.

We can use a custom request matcher to detect Basic authentication and authenticate with LDAP. If not, it will flow through OAuth.

Firstly, order the WebSecurityConfigurerAdapter higher than the OAuth authentication server:

@Configuration
@Order(2)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

Use our custom request mapper:

    http
        .csrf()
        .disable()
        .requestMatcher(new BasicRequestMatcher())
        .authorizeRequests()
        .antMatchers("/", "/login**","/callback/", "/webjars/**", "/error**")
        .permitAll()
        .anyRequest()
        .authenticated()
        .and()
        .httpBasic()
        .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

Custom request matcher:

    // Selects only requests that carry a Basic credential in the Authorization header;
    // all other requests are left to the OAuth2 configuration.
    private static class BasicRequestMatcher implements RequestMatcher {
        @Override
        public boolean matches(HttpServletRequest request) {
            String auth = request.getHeader("Authorization");
            return (auth != null && auth.startsWith("Basic"));
        }
    }
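The two-chain setup the answer describes, written out as an added example (not code from the question or the answer): the chain restricted by the Basic request matcher gets the lower @Order value so it is consulted first, because the OAuth2 chain has no request matcher and would otherwise capture every request, Basic ones included. The LDAP URL is a placeholder, and the matcher compares the scheme token case-insensitively, which goes slightly beyond the answer's `startsWith("Basic")`.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.LdapShaPasswordEncoder;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Chain 1 (lowest @Order value, consulted first): only "Authorization: Basic ..." requests, checked against LDAP.
@Configuration
@Order(1)
public class BasicLdapSecurityConfig extends WebSecurityConfigurerAdapter {
    // Scheme token compared case-insensitively (RFC 7235); the trailing space excludes schemes that merely start with "Basic".
    static final RequestMatcher BASIC_REQUEST = request -> {
        String auth = request.getHeader("Authorization");
        return auth != null && auth.regionMatches(true, 0, "Basic ", 0, 6);
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatcher(BASIC_REQUEST)   // every other request skips this chain entirely
            .csrf().disable()
            .authorizeRequests().anyRequest().authenticated()
            .and().httpBasic()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            .userDnPatterns("uid={0},ou=people")
            .groupSearchBase("ou=groups")
            .contextSource().url("ldap://ldap.example.test:389/dc=example,dc=test")   // placeholder, not a real server
            .and().passwordCompare().passwordAttribute("userPassword")
            .passwordEncoder(new LdapShaPasswordEncoder());
    }
}

// Chain 2: everything without a Basic header (browser traffic) lands here and goes through OAuth2/OIDC login.
@Configuration
@Order(2)
class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/", "/login**", "/callback/", "/webjars/**", "/error**").permitAll()
            .anyRequest().authenticated()
            .and().oauth2Login();
    }
}
```

A quick check of the split: a request with `Authorization: Basic ...` should get a 401 from the Basic chain on bad LDAP credentials and never be redirected to the OAuth2 login page, while the same URL without that header should redirect to the provider.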