Authenticating a User with LDAP :: Learn how to secure an application with LDAP.
Shell Batchfile Java

README.adoc

tags projects
security
ldap
spring-security
spring-ldap

This guide walks you through the process creating an application and securing it with the Spring Security LDAP module.

What you’ll build

You’ll build a simple web application that is secured by Spring Security’s embedded Java-based LDAP server. You’ll load the LDAP server with a data file containing a set of users.

Create a simple web controller

In Spring, REST endpoints are just Spring MVC controllers. The following Spring MVC controller handles a GET / request by returning a simple message:

src/main/java/hello/HomeController.java

link:complete/src/main/java/hello/HomeController.java[]

The entire class is marked up with @RestController so Spring MVC can autodetect the controller using it’s built-in scanning features and automatically configure web routes.

The method is tagged with @RequestMapping to flag the path and the REST action. In this case, GET is the default behavior; it returns a message indicating that you are on the home page.

@RestController also tells Spring MVC to write the text directly into the HTTP response body, because there aren’t any views. Instead, when you visit the page, you’ll get a simple message in the browser as the focus of this guide is securing the page with LDAP.

Build the unsecured web application

Before you secure the web application, verify that it works. To do that, you need to define some key beans. To do that, create an Application class.

src/main/java/hello/Application.java

link:complete/src/main/java/hello/Application.java[]

If you open your browser and visit http://localhost:8080, you should see the following plain text:

Welcome to the home page!

Set up Spring Security

To configure Spring Security, you first need to add some extra dependencies to your build.

For a Gradle-based build:

build.gradle

link:complete/build.gradle[]
Note
Due to a artifact resolution issue with Gradle, spring-tx must be pulled in or Gradle will fetch an older one that doesn’t work.

For a Maven-based build:

pom.xml

link:complete/pom.xml[]

These dependencies add Spring Security and ApacheDS, an open source LDAP server. With that in place, you can then use pure Java to configure your security policy.

src/main/java/hello/WebSecurityConfig.java

link:complete/src/main/java/hello/WebSecurityConfig.java[]

The @EnableWebSecurity turns on a variety of beans needed to use Spring Security.

You also need an LDAP server. Spring Security’s LDAP module includes an embedded server written in pure Java, which is being used for this guide. The ldapAuthentication() method configures things where the username at the login form is plugged into {0} such that it searches uid={0},ou=people,dc=springframework,dc=org in the LDAP server.

Set up user data

LDAP servers can use LDIF (LDAP Data Interchange Format) files to exchange user data. The ldif() method inside WebSecurityConfig pulls in an LDIF data file. This makes it easy to pre-load demonstration data.

src/main/resources/test-server.ldif

link:complete/src/main/resources/test-server.ldif[]
Note
Using an LDIF file isn’t standard configuration for a production system. However, it’s very useful for testing purposes or guides.

If you visit the site at http://localhost:8080, you should be redirected to a login page provided by Spring Security.

Enter username ben and password benspassword. You should see this message in your browser:

Welcome to the home page!

Summary

Congratulations! You have just written a web application and secured it with Spring Security. In this case, you used an LDAP-based user store.