Spring LDAP/Active Directory Security: Authenticate User w/out Using an Admin/Mgr Account

I am using Spring Security 3.1.0M2 and LDAP 1.3.1, the most current as of this date, to authenticate users via a login form. I am trying to determine if it is possible to eliminate the need for an admin/mgr account, as declared below in the DefaultSpringSecurityContextSource. On our LDAP server, all users are able to connect to and query the server, so there is no need for an admin account to do this and this is actually undesirable for our company needs. Can anyone state that this is definitely not possible with Spring Security, or if it is possible point me to either configuration or code to accomplish this?

I am successfully authenticating users with the following Spring configuration:
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:jdbc="http://www.springframework.org/schema/jdbc" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:context="http://www.springframework.org/schema/context" xmlns:jee="http://www.springframework.org/schema/jee" xmlns:p="http://www.springframework.org/schema/p" xmlns:sec="http://www.springframework.org/schema/security" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd"> <!-- If SSL is being used, then requires-channel should be set to: https --> <sec:http auto-config="true" use-expressions="true"> <sec:anonymous enabled="false"/> <sec:intercept-url pattern="/myWebappContext/sc/IDACall*" access="hasRole('ROLE_MYWEBAPPDEV') and fullyAuthenticated" requires-channel="any"/> <sec:form-login login-processing-url="/myCompany_login" login-page="/myWebappContext"/> <sec:access-denied-handler error-page="/myWebappContext"/> <!-- ref="accessDeniedHandler"/ --> <!-- if no logout-url uses /j_spring_security_logout virtual URL --> <sec:logout invalidate-session="true" logout-success-url="/myWebappContext" logout-url="/myCompany_logout"/> <sec:session-management> <sec:concurrency-control max-sessions="1" expired-url="/myWebappContext"/> </sec:session-management> </sec:http> <!-- BEGIN EXPLICIT LDAP/MS ACTIVE DIRECTORY CONFIGURATION. From Spring Security 3 by Peter Mularien with customization to match myCompany LDAP server. gsl --> <sec:authentication-manager alias="authenticationManager"> <sec:authentication-provider ref="ldapAuthProvider"/> </sec:authentication-manager> <beans:bean class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider" id="ldapAuthProvider"> <beans:constructor-arg ref="ldapBindAuthenticator"/> <beans:constructor-arg ref="ldapAuthoritiesPopulator"/> <beans:property name="userDetailsContextMapper" ref="ldapUserDetailsContextMapper"/> </beans:bean> <beans:bean class="org.springframework.security.ldap.DefaultSpringSecurityContextSource" id="ldapServer"> <!-- MS Active Directory --> <beans:constructor-arg value="ldap://myHost:10389/dc=int,dc=myCompany,dc=com"/> <beans:property name="userDn" value="CN=Gregg Leichtman,OU=IT Users,DC=int,DC=myCompany,DC=com"/> <beans:property name="password" value="myPassword"/> </beans:bean> <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator" id="ldapBindAuthenticator"> <beans:constructor-arg ref="ldapServer"/> <beans:property name="userSearch" ref="ldapSearchBean"/> </beans:bean> <beans:bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch" id="ldapSearchBean"> <!-- MS Active Directory --> <!-- user-search-base; relative to base of configured context source --> <beans:constructor-arg value="ou=IT Users"/> <!-- user-search-filter --> <beans:constructor-arg value="(sAMAccountName={0})"/> <beans:constructor-arg ref="ldapServer"/> </beans:bean> <beans:bean class="com.myCompany.myWebappContext.server.security.RoleGrantingLdapAuthoritiesPopulator" id="ldapAuthoritiesPopulator" p:ldapTemplate-ref="ldapTemplate"> </beans:bean> <beans:bean class="org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper" id="ldapUserDetailsContextMapper"/> <!-- beans:bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl"> <beans:property name="errorPage" value="/myWebappContext"/> <!- - /accessDenied.htm - -> </beans:bean --> <!-- END LDAP/MS ACTIVE DIRECTORY CONFIGURATION --> <!-- Bean used for LDAP querying. --> <beans:bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate"> <beans:constructor-arg ref="ldapServer" /> </beans:bean> <beans:bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" id="expressionHandler"/> </beans:beans> -=> Gregg <=-

It might be possible with Spring's Expression Language. Spring Security supports the expression language.

Or you can always customize Spring Security to do this. In this case, those Spring LDAP classes can be extended or I am sure there is an interface that you can implement and then you write custom code in the setUserDn or setPassword methods, but it might also entail overriding methods in the other LDAP classes that reference the "ldapServer" bean and then take the data coming in through the Http request from the login form.

Or, doing a Google search or two I found this
http://www.jarvana.com/jarvana/view/org/springframework/ldap/spring-ldap/1.2/spring-ldap-1.2-javadoc.jar!/org/springframework/ldap/core/AuthenticationSource.html

You might just implement this method and that would be the only custom class you need to deal with in Java, then add it to the config and use your custom one.

Mark

Hi Gregg,

I am new to Spring Security and your post looks quite useful. I have a similar requirement of integrating with Active Directory.

In your security application context can you please throw some light on the functionality of the class "com.myCompany.myWebappContext.server.security.RoleGrantingLdapAuthoritiesPopulator".

Also if you can put some light on your web layer, i mean your web.xml and any jsp's for controlling the authorization it would be very helpful.

Thanks,
Ramana