This BasicAuth provider uses the ActiveDirectory LDAP interface to authenticate and authorize your service principals. Existing LDAP providers can give you the same capabilities as this Authenticator, but this authenticator should require much less configuration and can take advantage of the conventions typical of ActiveDirectory deployments (sAMAccountName logins, memberOf group membership, LDAPS on the domain controller).
This project is only in use for internal projects at CommerceHub. You should be familiar with the auth section of the DropWizard manual. You should consult your IT administrator before you bury their carefully sized AD cluster with new auth requests: every Basic-auth request that is not cached becomes a bind and a search against a domain controller. You SHOULD cache your interactions with ActiveDirectory; DropWizard provides CachingAuthenticator to help you with this (see sample-service).
Please also note that version 0.2.x of dropwizard-auth-ms-md is compatible with dropwizard 0.7 and 0.8. The 0.3.x version is compatible with dropwizard 0.9.x.
NOTE: When I used this I had to override the version of javassist to 3.20.0-GA in order to make this Java 8 compatible.
Gradle syntax: 'org.javassist:javassist:3.20.0-GA'
Maven
...
<repositories>
    <repository>
        <id>jcenter</id>
        <url>http://jcenter.bintray.com</url>
    </repository>
</repositories>
...
<dependency>
    <groupId>com.commercehub.dropwizard</groupId>
    <artifactId>dropwizard-auth-active-directory</artifactId>
    <version>0.3.0</version>
</dependency>
Gradle
...
repositories {
    jcenter()
}
...
dependencies {
    ...
    // for dropwizard 0.7.x, change the version to 0.2.7
    compile 'com.commercehub.dropwizard:dropwizard-auth-active-directory:0.3.0'
    ...
}
Example usage
@Override
public void run(HelloWorldConfiguration configuration, Environment environment) throws ClassNotFoundException {
    ...
    // Register one of the two blocks below, matching your dropwizard version.

    // dropwizard 0.9.x
    environment.jersey().register(new AuthDynamicFeature(
            new BasicCredentialAuthFilter.Builder<AdPrincipal>()
                    .setAuthenticator(AdAuthenticator.createDefault(configuration.getAdConfiguration()))
                    .setRealm("MSAD")
                    .buildAuthFilter()));
    environment.jersey().register(RolesAllowedDynamicFeature.class);
    environment.jersey().register(new AuthValueFactoryProvider.Binder<>(AdPrincipal.class));

    // dropwizard 0.7.x
    environment.jersey().register(new BasicAuthProvider<>(AdAuthenticator.createDefault(configuration.getAdConfiguration()), "MSAD"));
    ...
    environment.jersey().register(new ProtectedResource());
}
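The snippet above registers AdAuthenticator directly, so every request is a round trip to the domain controller. The following is an added example (not the project's sample-service code) of the cached setup the note at the top of this page asks for, on dropwizard 0.9.x. It assumes AdAuthenticator.createDefault returns an Authenticator<BasicCredentials, AdPrincipal> (consistent with its use in the builder above), a configuration type named AdConfiguration (name assumed; the page only shows getAdConfiguration()), and Dropwizard's CachingAuthenticator with a Guava CacheBuilderSpec.

```java
// Added example, not project code. Wraps AdAuthenticator in Dropwizard 0.9.x's
// CachingAuthenticator so repeated Basic-auth requests do not each bind to AD.
// AdConfiguration is an assumed name for the type returned by getAdConfiguration().
import com.codahale.metrics.MetricRegistry;
import com.google.common.cache.CacheBuilderSpec;
import io.dropwizard.auth.AuthDynamicFeature;
import io.dropwizard.auth.AuthValueFactoryProvider;
import io.dropwizard.auth.Authenticator;
import io.dropwizard.auth.CachingAuthenticator;
import io.dropwizard.auth.basic.BasicCredentialAuthFilter;
import io.dropwizard.auth.basic.BasicCredentials;
import io.dropwizard.setup.Environment;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

public final class CachedAdAuth {

    // Bound the entry count and expire by write time, not access time:
    // with expireAfterAccess a busy user could keep a revoked credential
    // alive indefinitely. Anything that changes in AD (password, disabled
    // account, group membership) is only noticed once the entry expires,
    // so this TTL is the upper bound on revocation latency.
    private static final CacheBuilderSpec CACHE_SPEC =
            CacheBuilderSpec.parse("maximumSize=10000, expireAfterWrite=5m");

    private CachedAdAuth() {}

    public static Authenticator<BasicCredentials, AdPrincipal> cached(
            MetricRegistry metrics, AdConfiguration adConfiguration) {
        Authenticator<BasicCredentials, AdPrincipal> direct =
                AdAuthenticator.createDefault(adConfiguration);
        // The cache is keyed on the whole BasicCredentials value (username and
        // password), so a request with a wrong password never hits a cached
        // principal; it goes to AD and fails there.
        return new CachingAuthenticator<>(metrics, direct, CACHE_SPEC);
    }

    public static void register(Environment environment, AdConfiguration adConfiguration) {
        Authenticator<BasicCredentials, AdPrincipal> authenticator =
                cached(environment.metrics(), adConfiguration);
        environment.jersey().register(new AuthDynamicFeature(
                new BasicCredentialAuthFilter.Builder<AdPrincipal>()
                        .setAuthenticator(authenticator)
                        .setRealm("MSAD")
                        .buildAuthFilter()));
        environment.jersey().register(RolesAllowedDynamicFeature.class);
        environment.jersey().register(new AuthValueFactoryProvider.Binder<>(AdPrincipal.class));
    }
}
```

Call CachedAdAuth.register(environment, configuration.getAdConfiguration()) from your Application.run in place of the direct registration. CachingAuthenticator registers hit and miss meters in the supplied MetricRegistry, so the cache ratio shows up under the admin metrics endpoint and tells you whether the TTL is doing its job.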
The aim of this project is to minimize the amount of required configuration. The only REQUIRED configuration variable is domain:
ad:
  domain: my.company.example.com
Several additional properties can be configured, but sensible defaults should prevent you from ever needing to change them. Note that with sslEnabled: false the bind sends each user's password to the domain controller in clear text, and that the requiredGroups check is applied by the authenticator to every request, not per resource.
ad:
  domain: my.company.example.com # No Default
  domainController: my-fav-dc.my.company.example.com # Default: <domain>
  sslEnabled: true # Default: true
  usernameFilterTemplate: (&((&(objectCategory=Person)(objectClass=User)))(sAMAccountName=%s)) # Default: <As shown>. %s is replaced with the sAMAccountName
  attributeNames: # Default: <As shown>. The first two are required. Fetched as String.
    - sAMAccountName
    - memberOf
    - mail
  binaryAttributeNames: # Default: empty. Fetched as byte[]. Needed for the ones below.
    - objectGUID
    - objectSid
  connectionTimeout: 1000 # Default: as shown, in milliseconds
  readTimeout: 1000 # Default: as shown, in milliseconds
  requiredGroups: # Default: <empty>
    - All
    - Of
    - These
    - Are
    - Required
    - Or
    - You
    - Get
    - A
    - 401
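The %s in usernameFilterTemplate is filled with whatever username the client sent in the Basic-auth header. AD itself forbids characters such as * ( ) \ in a sAMAccountName, but nothing stops a client from sending them, and if they reach the filter unescaped the client controls the filter's structure. Whether AdAuthenticator escapes the value before substitution is not stated on this page, so the following added example (not project code) shows the RFC 4515 escaping that a custom template, or any code of your own that builds a filter from the login name, should apply. The template constant is the README default with its redundant outer parentheses dropped.

```java
// Added example, not project code: RFC 4515 value escaping for an LDAP search
// filter built from a client-supplied login name.
public final class LdapFilter {

    private LdapFilter() {}

    // Escape the characters RFC 4515 gives special meaning inside a filter
    // value: '*' '(' ')' '\' and NUL. Each becomes a backslash and two hex digits.
    public static String escapeValue(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\\': out.append("\\5c"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Same match as the README default template; %s is the only substitution point.
    public static final String DEFAULT_TEMPLATE =
            "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=%s))";

    // Escape first, then substitute. String.format treats the escaped name as a
    // plain argument, so a '%' in the login name cannot alter the template either.
    public static String userFilter(String template, String samAccountName) {
        return String.format(template, escapeValue(samAccountName));
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary login name, and a crafted one that,
        // substituted raw, would close the sAMAccountName clause and inject
        // a wildcard clause into the filter.
        System.out.println(userFilter(DEFAULT_TEMPLATE, "jdoe"));
        System.out.println(userFilter(DEFAULT_TEMPLATE, "*)(objectClass=*"));
    }
}
```

With the crafted input the second line keeps every injected character inside the sAMAccountName value (as \2a, \29 and \28), so the filter still matches at most the one account whose name literally contains them, which in AD is none. A filter that rejects the login name outright when it contains characters AD disallows in sAMAccountName is an equally valid, and simpler, defence.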
This project includes a sample dropwizard service. Simply clone the repo, update sample-service/config/dev.yaml to point to your domain then run
./gradlew run -PdwArgs='server,config/dev.yaml' -Ddw.ad.domain=nexus.commercehub.com
Then hit http://localhost:8080/protected and provide your username and password.
- ...using another cool LDAP library?
- Great idea, but for this project we do not think we should need more than the standard JRE support
- ...configuring the required group at the Resource level?
- Wonderful idea. If you get to it before us, please be sure to contribute your work.
- ...using nested groups in AD?
- Right on! But it seems that resolving even the known groups from the memberOf attribute is very slow. I am sure there is a clever highly performant way to do it, find it and let us know.
- ...AD has this really cool feature that allows you to do X with Y!
- meh.