Wednesday, December 8, 2010

Spring Security LDAP authentication

I was experimenting with Spring Security and found that with Spring 2.5, LDAP authentication was a pain. This is what I did to get around the issue.

First, my Maven POM had these dependencies:


<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring</artifactId>
<version>2.5.6</version>
</dependency>

<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap</artifactId>
<version>1.2.1</version>
</dependency>

<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>2.0.4</version>
</dependency>


Your web.xml should declare the contextConfigLocation context parameter (pointing at the Spring Security configuration file), the Spring web context loader and the Spring Security filter chain:



<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:/spring/context-security.xml
</param-value>
</context-param>
<!-- Spring context loader servlet and listener: needed for the Spring-managed beans -->
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>

<!-- ContextLoaderServlet is deprecated as of Spring 2.5 (removed in 3.0); ContextLoaderListener is the usual replacement -->
<servlet>
<servlet-name>context</servlet-name>
<servlet-class>org.springframework.web.context.ContextLoaderServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>

<!-- spring security filter chain -->

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- only *.html requests (and forwards to *.html) pass through the chain; a request for
any other extension, e.g. a .xhtml file, never reaches Spring Security under this mapping -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>*.html</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>


The contents of context-security.xml are as follows:



<!-- first configure the LDAP URL; the DN in its path (ou=San_Jose,o=ME) is the base DN
that the search bases below are relative to. Plain ldap:// on port 389 sends the bind
password in clear unless the connection is upgraded with StartTLS, so prefer ldaps://
where the directory offers it -->

<ldap-server id="appLdapServer" url="ldap://example.com:389/ou=San_Jose,o=ME" />

<!-- configure the LDAP authentication provider. Here you can specify a search base and
search filter, which start the LDAP search from a given node in the tree ({0} in the
filter is replaced by the submitted username). You can also specify users with certain
specific attributes so that only those users can have access to your application web
pages. Note that group-role-attribute names the directory attribute whose value becomes
the granted role name (it defaults to cn) -->

<ldap-authentication-provider server-ref="appLdapServer"
user-search-filter="(cn={0})" group-role-attribute="ou=Engineering"
user-search-base="ou=Software Eng"/>
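To make the user lookup concrete, here is a small added model (not Spring Security's or Spring LDAP's code) of what the provider does with the values above: the {0} placeholder in the search filter is replaced by the submitted username, the search is confined to user-search-base beneath the base DN from the URL, and the substituted value is escaped as an RFC 4515 filter value so that a username containing characters such as * or ( is matched literally rather than as filter syntax. The directory entries (including a second "alice" under ou=Sales) are constructed sample data, and the filter parser supports only the (attr=value) form used on the page.

```python
"""Model of the user lookup behind user-search-base / user-search-filter.
Added illustration, not Spring Security or Spring LDAP code. The in-memory
directory below is constructed sample data."""
import re

SERVER_BASE = "ou=San_Jose,o=ME"        # base DN from the ldap-server url
USER_SEARCH_BASE = "ou=Software Eng"    # relative to SERVER_BASE
USER_SEARCH_FILTER = "(cn={0})"         # {0} is replaced by the submitted username

# Constructed entries: DN -> attributes. A second "alice" lives outside the search base.
DIRECTORY = {
    "cn=alice,ou=Software Eng,ou=San_Jose,o=ME": {"cn": "alice", "ou": "Engineering"},
    "cn=bob,ou=Software Eng,ou=San_Jose,o=ME": {"cn": "bob", "ou": "Engineering"},
    "cn=alice,ou=Sales,ou=San_Jose,o=ME": {"cn": "alice", "ou": "Sales"},
}

def escape_filter_value(value):
    """RFC 4515 escaping: backslash, * ( ) and NUL become \\XX so they match literally."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def build_user_filter(username, template=USER_SEARCH_FILTER):
    """Substitute the (escaped) username for {0} in the configured filter."""
    return template.replace("{0}", escape_filter_value(username))

def _unescape(piece):
    """Turn \\XX sequences back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)

def parse_equality_filter(filt):
    """Support the (attr=value) form only; an unescaped * acts as a wildcard."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, raw = m.group(1), m.group(2)
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    return attr, re.compile(pattern)

def search_filter(filt, base=USER_SEARCH_BASE, directory=DIRECTORY):
    """Subtree search under base (relative to the server base DN); returns matching DNs."""
    full_base = base + "," + SERVER_BASE
    attr, rx = parse_equality_filter(filt)
    return [dn for dn, attrs in directory.items()
            if dn.endswith("," + full_base) and rx.fullmatch(attrs.get(attr, ""))]

def lookup_user(username):
    """The provider needs exactly one hit; zero or several hits fail the login."""
    hits = search_filter(build_user_filter(username))
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    for name in ["alice", "bob", "carol", "*"]:
        print(f"{name!r:8} filter={build_user_filter(name):14} -> {lookup_user(name)}")
    print("an unescaped (cn=*) would hit", len(search_filter("(cn=*)")), "entries")
```

Running it shows that "alice" resolves only to the entry under ou=Software Eng (the Sales entry is outside the search base), that "carol" and "*" resolve to nothing because the escaped value must match a cn literally, and that the same wildcard left unescaped would match every user under the base.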




Now the http intercept-url elements need to be written. For this we shall have a simple rule: pages in the inbox folder are shown if the user has been authenticated; otherwise the user is redirected to the login or error page in the auth folder. So make sure you have only unsecured pages in the auth folder.



<http access-denied-page="/auth/denied.html">
<!-- rules are evaluated top to bottom and the first matching pattern decides,
so the most specific patterns come first -->
<!-- no principal is ever granted this role, so raw .xhtml files are never served -->
<intercept-url
pattern="/**/*.xhtml"
access="ROLE_NONE_GETS_ACCESS" />
<!-- a single * matches one path segment only; /auth/sub/page.html falls through to /** -->
<intercept-url
pattern="/auth/*"
access="ROLE_ANONYMOUS" />
<intercept-url
pattern="/inbox/*"
access="IS_AUTHENTICATED_FULLY" />
<intercept-url
pattern="/**"
access="IS_AUTHENTICATED_FULLY" />
<form-login
login-processing-url="/j_spring_security_check.html"
login-page="/auth/login.html"
default-target-url="/inbox/index.html"
authentication-failure-url="/auth/login.html" />
<logout logout-url="/auth/logout.html"
logout-success-url="/" />
<!-- unauthenticated requests run as this principal, which is what lets them reach /auth/* -->
<anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
</http>



IS_AUTHENTICATED_FULLY is a Spring Security access constant meaning the request must come from a fully authenticated principal (neither anonymous nor remember-me); that is what makes all pages inside inbox visible once the LDAP authentication succeeds.
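The following added model (not Spring Security's own matcher or voters) walks through how the web.xml mapping and the http block above decide a request: a path first has to match the *.html filter-mapping to enter the chain at all, then the intercept-url rules are tried top to bottom and the first matching Ant-style pattern supplies the access attribute, which is granted either by holding the named ROLE_ or, for IS_AUTHENTICATED_FULLY, by being fully authenticated. The request paths, the ROLE_ENGINEERING authority of the LDAP user and the Ant-to-regex translation are constructed for the example; the login-processing and logout URLs are handled by earlier filters and are not modelled.

```python
"""Model of how the web.xml filter-mapping plus the <http> rules decide a request.
Added illustration, not Spring Security code; principals and paths are constructed."""
import re

FILTER_URL_PATTERN = "*.html"   # <url-pattern> of springSecurityFilterChain in web.xml

# (pattern, access) in the order written in context-security.xml: first match wins
INTERCEPT_URLS = [
    ("/**/*.xhtml", "ROLE_NONE_GETS_ACCESS"),
    ("/auth/*", "ROLE_ANONYMOUS"),
    ("/inbox/*", "IS_AUTHENTICATED_FULLY"),
    ("/**", "IS_AUTHENTICATED_FULLY"),
]

# Constructed principals: (authentication kind, granted authorities)
ANONYMOUS = ("anonymous", {"ROLE_ANONYMOUS"})  # from <anonymous granted-authority=.../>
LDAP_USER = ("full", {"ROLE_ENGINEERING"})      # hypothetical role after a successful bind

def ant_to_regex(pattern):
    """Ant-style paths: ** spans directories, * and ? stay inside one segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out += "(?:.*/)?"; i += 3
        elif pattern.startswith("**", i):
            out += ".*"; i += 2
        elif pattern[i] == "*":
            out += "[^/]*"; i += 1
        elif pattern[i] == "?":
            out += "[^/]"; i += 1
        else:
            out += re.escape(pattern[i]); i += 1
    return re.compile(out)

def reaches_filter_chain(path):
    """Servlet extension mapping: only paths ending in .html are handed to the chain."""
    if FILTER_URL_PATTERN.startswith("*."):
        return path.endswith(FILTER_URL_PATTERN[1:])
    return path == FILTER_URL_PATTERN

def first_matching_rule(path):
    """Return the (pattern, access) of the first intercept-url that matches, or None."""
    for pattern, access in INTERCEPT_URLS:
        if ant_to_regex(pattern).fullmatch(path):
            return pattern, access
    return None

def access_granted(access, kind, roles):
    """IS_AUTHENTICATED_FULLY: authenticated and neither anonymous nor remember-me.
    ROLE_x: granted only if the principal holds exactly that authority."""
    if access == "IS_AUTHENTICATED_FULLY":
        return kind == "full"
    if access.startswith("ROLE_"):
        return access in roles
    raise ValueError("unsupported access attribute: " + access)

def decide(path, kind, roles):
    """'bypass' if the chain never sees the request, otherwise 'allow' or 'deny'."""
    if not reaches_filter_chain(path):
        return "bypass"   # served by the container without any Spring Security check
    rule = first_matching_rule(path)
    if rule is None:      # cannot happen with the /** rule in place
        return "allow"
    return "allow" if access_granted(rule[1], kind, roles) else "deny"

if __name__ == "__main__":
    paths = ["/auth/login.html", "/inbox/index.html", "/inbox/page.xhtml", "/auth/x/y.html"]
    for path in paths:
        for name, (kind, roles) in [("anonymous", ANONYMOUS), ("ldap user", LDAP_USER)]:
            print(f"{path:20} {name:10} rule={first_matching_rule(path)} -> {decide(path, kind, roles)}")
```

Two results are worth noticing: a direct request for /inbox/page.xhtml is reported as "bypass", because with the *.html mapping it never enters the chain and the ROLE_NONE_GETS_ACCESS rule cannot fire for it; and /auth/x/y.html is denied to the anonymous user, because /auth/* covers a single path segment and the request falls through to the /** rule.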
