This guide walks you through the process creating an application and securing it with the Spring Security LDAP module.
You’ll build a simple web application that is secured by Spring Security’s embedded Java-based LDAP server. You’ll load the LDAP server with a data file containing a set of users.
In Spring, REST endpoints are just Spring MVC controllers. The following Spring MVC controller handles a GET / request by returning a simple message:
src/main/java/hello/HomeController.java
link:complete/src/main/java/hello/HomeController.java[role=include]The entire class is marked up with @RestController so Spring MVC can autodetect the controller using it’s built-in scanning features and automatically configure web routes.
The method is tagged with @RequestMapping to flag the path and the REST action. In this case, GET is the default behavior; it returns a message indicating that you are on the home page.
@RestController also tells Spring MVC to write the text directly into the HTTP response body, because there aren’t any views. Instead, when you visit the page, you’ll get a simple message in the browser as the focus of this guide is securing the page with LDAP.
Before you secure the web application, verify that it works. To do that, you need to define some key beans. To do that, create an Application class.
src/main/java/hello/Application.java
link:complete/src/main/java/hello/Application.java[role=include]https://raw.githubusercontent.com/spring-guides/getting-started-macros/master/build_an_executable_jar_subhead.adoc https://raw.githubusercontent.com/spring-guides/getting-started-macros/master/build_an_executable_jar_with_both.adoc
If you open your browser and visit http://localhost:8080, you should see the following plain text:
Welcome to the home page!
To configure Spring Security, you first need to add some extra dependencies to your build.
For a Gradle-based build:
build.gradle
link:complete/build.gradle[role=include]|
Note
|
Due to a artifact resolution issue with Gradle, spring-tx must be pulled in or Gradle will fetch an older one that doesn’t work. |
For a Maven-based build:
pom.xml
link:complete/pom.xml[role=include]These dependencies add Spring Security and UnboundId, an open source LDAP server. With that in place, you can then use pure Java to configure your security policy.
src/main/java/hello/WebSecurityConfig.java
link:complete/src/main/java/hello/WebSecurityConfig.java[role=include]The @EnableWebSecurity turns on a variety of beans needed to use Spring Security.
You also need an LDAP server. Spring Boot’s provides autoconfiguration for an embedded server written in pure Java, which is being used for this guide. The ldapAuthentication() method configures things where the username at the login form is plugged into {0} such that it searches uid={0},ou=people,dc=springframework,dc=org in the LDAP server. Also, the passwordCompare() method configures the encoder and the name of the password’s attribute.
LDAP servers can use LDIF (LDAP Data Interchange Format) files to exchange user data. The spring.ldap.embedded.ldif property inside application.properties allow to Spring Boot pulls in an LDIF data file. This makes it easy to pre-load demonstration data.
src/main/resources/test-server.ldif
link:complete/src/main/resources/test-server.ldif[role=include]|
Note
|
Using an LDIF file isn’t standard configuration for a production system. However, it’s very useful for testing purposes or guides. |
If you visit the site at http://localhost:8080, you should be redirected to a login page provided by Spring Security.
Enter username ben and password benspassword. You should see this message in your browser:
Welcome to the home page!
Congratulations! You have just written a web application and secured it with Spring Security. In this case, you used an LDAP-based user store.
The following guide may also be helpful: