I used this blog to get started: http://blog.mediasoft.be/ntlm-with-spring-security-20/
My Application-context is pretty much as per the Spring 2.0 configuration at the bottom of the post, with the following changes:
- Different properties for the ntlm filter
- servlet-api-provision=”false” on the <security:http> tag
- Addition of custom UserDetailsService.
The full config is below:
<security:authentication-manager alias="_authenticationManager" /> <bean id="authenticationProvider" class="com.mydomain.security.UserDetailsAuthenticationProvider"> <security:custom-authentication-provider /> <property name="userDetailsService" ref="userDetailsService" /> </bean> <bean id="userDetailsService" class="com.mydomain.security.UserDetailsServiceImpl"> <property name="daoUser" ref="daoUser" /> </bean> <bean id="ntlmFilter" class="org.springframework.security.ui.ntlm.NtlmProcessingFilter"> <security:custom-filter position="NTLM_FILTER" /> <property name="stripDomain" value="true" /> <property name="defaultDomain" value="mydomain.com" /> <property name="domainController" value="mycontroller" /> <property name="authenticationManager" ref="_authenticationManager" /> </bean> <bean id="ntlmEntryPoint" class="org.springframework.security.ui.ntlm.NtlmProcessingFilterEntryPoint"> <property name="authenticationFailureUrl" value="/denied.xhtml" /> </bean> <bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter"> <property name="authenticationEntryPoint" ref="ntlmEntryPoint" /> </bean> <security:http access-denied-page="/denied.xhtml" entry-point-ref="ntlmEntryPoint" servlet-api-provision="false"> <security:intercept-url pattern="/denied.xhtml" filters="none" /> <security:intercept-url pattern="/**" access="ROLE_USER" /> </security:http>
My UserDetailsAuthenticationProvider is exactly as per the blog.
My UserDetails Service is below. Note that the UserDetails created should have blank password. This confused me for a bit.
public class UserDetailsServiceImpl implements UserDetailsService { private UserDAO daoUser; private static Logger log = Logger.getLogger(UserDetailsService.class); public UserDAO getDaoUser() { return daoUser; } public void setDaoUser(UserDAO daoUser) { this.daoUser = daoUser; } public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { MyUser user; try { user = daoUser.getUser(username); } catch (DAOException ex) { throw new DataRetrievalFailureException(ex.getMessage()); } if (user != null) { ArrayList<GrantedAuthority> ga = new ArrayList<GrantedAuthority>(); ga.add(new GrantedAuthorityImpl("ROLE_USER")); GrantedAuthority[] grantedAuthorities = new GrantedAuthority[ga.size()]; ga.toArray(grantedAuthorities); UserDetailsImpl ud = new UserDetailsImpl(username, "", true, grantedAuthorities, user); return ud; } else { throw new UsernameNotFoundException("Username Not Found"); } }
My UserDetailsImpl simply extends org.springframework.security.userdetails.User and has an additional field for my ‘MyUser’
public class UserDetailsImpl extends org.springframework.security.userdetails.User { private static final long serialVersionUID = 1584153957347843760L; private MyUser user; public UserDetailsImpl(String username, String password, boolean enabled, GrantedAuthority[] authorities, MyUser user) throws IllegalArgumentException { super(username, password, enabled, true, true, true, authorities); this.user = user; } public MyUser getUser() { return user; } public void setUser(MyUser user) { this.user = user; } }
And that seems to work. Now I am trying to enable method level security, so more to come soon…
anorakgirl,
Thank for sharing your knowledge about enabling NTLM with the Spring framework. Is it possible for you to share a sample web application with NTLM authentication? I’m new to Spring and I’m having problems enabling NTLM with spring. I’m going to reuse you code and see if I can make it to work in my environment (Flex -Tomcat + BLazeds-Spring bridge running in Windows 2003). Keep the good work.
Thanks,
Alberto Acevedo
Hi Alberto, I don’t have a simple web app with it working I am afraid, as I’ve been retrofitting it to an existing app. I think the config and classes in the post should be all you need though. Good luck!
any sample on doing fallover to spring form login? if i take out servlet-api-provision=”false” , form login will work, but when i included servlet-api-provision=”false” like your code above , it doesnt work
Hello,
I have one or two doubts, I would like to know how do I pass the ntlm authenticated user to your classes or I don’t need that?
Second, how do I run the project if I would want to follow this article. Excuse me for my ignorance.
Hi,
What are the changes needs to be done if I need to change from manual login to ntlm?
Thanks