Configuring Spring Security with Active Directory and Concurrent Session Control

Jed Prentice
#Development | Posted

In my last post I demonstrated how to get a stub Spring Security implementation going. Now we’re going to do something useful with it. We will configure Spring Security to use LDAP via Active Directory for authentication and limit each user to one session at a time.

LDAP authentication depends on Spring LDAP, so you'll need to download it and place the core JAR on the classpath.

Here’s the configuration:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

  <http>
    <intercept-url pattern="/login*.jsp*" filters="none"/>
    <intercept-url pattern="/images/**" filters="none"/>
    <intercept-url pattern="/includes/**" filters="none"/>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <form-login login-page="/login.jsp" always-use-default-target="true"/>
    <concurrent-session-control max-sessions="1" expired-url="/login-duplicate.jsp"/>
    <logout/>
  </http>

  <ldap-server
    url="ldap://ldapserver:389"
    manager-dn="CN=Administrator,CN=Users,DC=www,DC=mydomain,DC=com"
    manager-password="mgrpasswd"
  />

  <ldap-authentication-provider
    user-search-base="cn=Users,dc=www,dc=mydomain,dc=com"
    user-search-filter="sAMAccountName={0}"
    group-search-filter="member={0}"
    group-search-base="cn=Users,dc=www,dc=mydomain,dc=com"
    role-prefix="ROLE_"
  />
</beans:beans>

We've removed the auto-config="true" attribute from the http element to gain more control over the security namespace configuration; in particular, this lets us configure the authentication provider ourselves. The downside is that Spring Security now does less automatic configuration for us, so we have to add the logout element explicitly.

The concurrent-session-control element limits each user to one session at a time and specifies the URL a user is sent to when their session has been expired because they logged in again elsewhere.

The ldap-server element is self-explanatory. Discovering the right manager-dn may take a bit of digging with an LDAP search tool; I used Apache Directory Studio.

The ldap-authentication-provider element controls the searches for users and groups that will be used for authentication. In this example, we are using sAMAccountName as the user filter and member as the group filter; the {0} placeholder is replaced with the login name in the user filter and with the authenticated user's DN in the group filter. Once again, you may have to search the directory to discover where things are stored if you want to filter users and groups on different attributes. Finally, we need to tell Spring Security to prefix the role names with ROLE_. For now we'll live with this; later I'll demonstrate how to get rid of that prefix as the configuration gets more complex.
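To make the lookup sequence concrete, here is an added example that is not part of the original post and not Spring's own code: a small Python model of what the ldap-authentication-provider does with the values above, run against a constructed in-memory directory instead of a real Active Directory. The username-to-DN search, the bind with the user's own password (not the manager's), and the group search with the user's DN as {0} mirror Spring Security's bind authenticator and default authorities populator, which builds each role as the prefix plus the upper-cased group cn.

```python
# Configuration values taken from the ldap-authentication-provider element.
USER_SEARCH_BASE = "cn=Users,dc=www,dc=mydomain,dc=com"
USER_SEARCH_FILTER = "sAMAccountName={0}"   # {0}: the login name the user typed
GROUP_SEARCH_BASE = USER_SEARCH_BASE
GROUP_SEARCH_FILTER = "member={0}"          # {0}: DN of the authenticated user
ROLE_PREFIX = "ROLE_"

# Constructed sample directory (not real data): DN -> attributes, values as lists.
DIRECTORY = {
    "CN=jdoe,CN=Users,DC=www,DC=mydomain,DC=com": {
        "sAMAccountName": ["jdoe"], "userPassword": ["s3cret"]},
    "CN=app-users,CN=Users,DC=www,DC=mydomain,DC=com": {
        "cn": ["app-users"],
        "member": ["CN=jdoe,CN=Users,DC=www,DC=mydomain,DC=com"]},
}


def search(base, filter_template, arg):
    """Model of a subtree search for a single 'attr={0}' equality filter.
    DN and AD attribute comparisons are case-insensitive, as in the directory."""
    attr, value = filter_template.replace("{0}", arg).split("=", 1)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and value.lower() in (v.lower() for v in attrs.get(attr, []))]


def bind(dn, password):
    """Model of a simple bind: succeeds only with that entry's own password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def authenticate(username, password):
    """Return (user_dn, roles) on success, or None, the way the provider would."""
    hits = search(USER_SEARCH_BASE, USER_SEARCH_FILTER, username)
    if len(hits) != 1:               # unknown user, or an ambiguous filter match
        return None
    user_dn = hits[0]
    if not bind(user_dn, password):  # the user's credentials, never the manager's
        return None
    groups = search(GROUP_SEARCH_BASE, GROUP_SEARCH_FILTER, user_dn)
    roles = sorted(ROLE_PREFIX + DIRECTORY[g]["cn"][0].upper() for g in groups)
    return user_dn, roles
```

Swapping sAMAccountName or member for another attribute in the templates shows directly which entries the provider would find with your own directory layout.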

This example should give you a good place to start with a basic Spring Security configuration.