Skip to content
/ shiro-ad-ssl-example Public

An example of using Shiro to perform Active Directory authentication over SSL

License

BSD-2-Clause license
11 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jhegg/shiro-ad-ssl-example

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
.wrapper
.wrapper
 
 
src/main/java
src/main/java
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
build.gradle
build.gradle
 
 
gradlew
gradlew
 
 
gradlew.bat
gradlew.bat
 
 
settings.gradle
settings.gradle
 
 

Repository files navigation

shiro-ad-ssl-example

====================

An example of using Shiro to perform Active Directory authentication over SSL.

This simple example illustrates how you can configure Shiro via the shiro.ini to do authentication and authorization using Active Directory over SSL. It uses Shiro's ActiveDirectoryRealm for authc/authz, and Shiro's JndiLdapContextFactory for the connections to AD. There are a few steps to be performed before you can run the LdapSslExample#main method.

Prerequisites

  • An Active Directory server with some users and groups, configured to accept SSL connections.

Instructions

  1. Modify src/main/java/shiro.ini, following the instructions within that file.
  2. Modify the userName and password variables of com.jhegg.reference.shiro.ldapSslExample.LdapSslExample. Those credentials will be used to authenticate. Note: this handling of credentials is insecure and in plain-text.
  3. If the Active Directory SSL certificate is not signed by a trusted CA, obtain and import the SSL certificate into your JRE or JDK cacerts keystore. (see the "Importing Self-Signed AD SSL Certificate" section below)
  4. Run LdapSslExample#main.

The output will indicate whether the user is authenticated, and whether it is authorized.

Example shiro.ini

[main]
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = ldaps://ad.domain.com:636
contextFactory.systemUsername = shiro@domain.com
contextFactory.systemPassword = password
contextFactory.environment[java.naming.security.protocol] = ssl

realm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
realm.ldapContextFactory = $contextFactory
realm.searchBase = "CN=Users,DC=DOMAIN,DC=com"
realm.groupRolesMap = "CN=ShiroUsers,CN=Users,DC=DOMAIN,DC=com":"ShiroUsersRole"

Using the above example shiro.ini, if there exists some user (e.g., "jhegg") in the Users container of domain.com, then that user will be able to authenticate with this application. For example, the following code will execute without throwing an AuthenticationException:

UsernamePasswordToken token = new UsernamePasswordToken("jhegg", "password");
Subject currentUser = SecurityUtils.getSubject();
currentUser.login(token);

And, if that user is a member of the ShiroUsers group (located in the Users container), then the following code will return true:

currentUser.hasRole("ShiroUsersRole")

Importing Self-Signed AD SSL Certificate

The easy way to obtain and import a self-signed Active Directory SSL certificate is as follows:

  1. Use openssl as a client, and dump out the certs.
openssl s_client -connect ad.domain.com:636 -showcerts
  1. Copy the certificate block output (including the BEGIN and END lines) into a file such as adserver.crt.
  2. Import the SSL certificate into the JRE cacerts keystore, using an alias that represents the AD server (in case you need to update it at a later date). Note: the default cacerts keystore password is 'changeit'.
keytool -import -keystore <path/to/jre/lib/security/cacerts> -alias <alias> -file adserver.crt

About

An example of using Shiro to perform Active Directory authentication over SSL

Resources

Readme

License

BSD-2-Clause license
Activity

Stars

11 stars

Watchers

5 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages