I'm trying to get the role name from the SPNEGO token returned by Active Directory for use with Spring Security authorization. I'm using kerb4j to authenticate since my understanding is that it can get group (i.e. role) information from the token (instead of a subsequent LDAP query) by using this code.
In my Spring web security config, I have the following:
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
    // kerb4j's Spring Security integration (SpnegoAuthenticationProvider, ExtractGroupsUserDetailsService, ...)
    import com.kerb4j.server.spring.*;

    @Configuration
    @EnableWebSecurity
    class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Value("${app.service-principal}")
        private String servicePrincipal;   // SPN the keytab was issued for, e.g. HTTP/host@REALM

        @Value("${app.keytab-location}")
        private String keytabLocation;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.exceptionHandling()
                    .authenticationEntryPoint(spnegoEntryPoint())
                    .and()
                .authorizeRequests().antMatchers("/", "/home").permitAll()
                    .antMatchers("/hello").access("hasRole('ROLE_ADMIN')")
                    .anyRequest().authenticated()
                    .and()
                .formLogin().loginPage("/login").permitAll()
                    .and()
                .logout().permitAll()
                    .and()
                // the SPNEGO filter runs before basic auth so the Negotiate token is consumed first
                .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                        BasicAuthenticationFilter.class);
        }

        @Bean
        public SpnegoAuthenticationProvider kerberosServiceAuthenticationProvider() {
            SpnegoAuthenticationProvider provider = new SpnegoAuthenticationProvider();
            provider.setTicketValidator(sunJaasKerberosTicketValidator());
            // turns the PAC's group SIDs into GrantedAuthority objects; this is the class in question
            provider.setExtractGroupsUserDetailsService(new ExtractGroupsUserDetailsService());
            provider.setServerSpn(servicePrincipal);
            return provider;
        }

        // The spnegoEntryPoint(), sunJaasKerberosTicketValidator() and
        // spnegoAuthenticationProcessingFilter(...) beans referenced above are not shown in the question.
    }
ExtractGroupsUserDetailsService only gets a SID such as (S-1-2-20-132925241-12333....) rather than an AD group name such as ADMIN. How can ExtractGroupsUserDetailsService be written to extract the name of the group? Is this information available in the SPNEGO token?
Update
Simply replacing ROLE_ADMIN in the hasRole SpEL with the SID does not work.
Update 2
A given SID string does not match the SID string passed into hasRole because hasRole appends ROLE_ to the passed-in String. Once I changed ExtractGroupsUserDetailsService to prefix "ROLE_" to the SID (e.g. ROLE_S-1-2-20-132925241-12333....), the matching worked.
Still though... how can I get the group name (e.g. ADMIN) in ExtractGroupsUserDetailsService instead of the SID?
ExtractGroupsUserDetailsService only gets a SID such as (S-1-2-20-132925241-12333....) rather than an AD group name such as ADMIN. How can ExtractGroupsUserDetailsService be written to extract the name of the group? Is this information available in the SPNEGO token?
No, the Kerberos PAC only contains SIDs, not names. (Windows access control is never based on names.) You will still need an LDAP search for those.
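The answer says the PAC carries SIDs only and that names need an LDAP search. As an added example (not from the question, the answer, or kerb4j itself), the class below resolves each PAC group SID to its sAMAccountName with a JNDI search against Active Directory and builds the ROLE_-prefixed authorities that hasRole() expects; the DirContext, the search base and the class name SidToRoleResolver are assumptions, and feeding its output into kerb4j's ExtractGroupsUserDetailsService is left to the caller.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/** Resolves the group SIDs carried in the Kerberos PAC to AD group names via LDAP (added example). */
public class SidToRoleResolver {

    private final DirContext ldap;    // assumed: an already-bound connection to the domain controller
    private final String searchBase;  // assumed: e.g. "DC=example,DC=com" (placeholder)

    public SidToRoleResolver(DirContext ldap, String searchBase) {
        this.ldap = ldap;
        this.searchBase = searchBase;
    }

    /** Returns the group's sAMAccountName, or null when no group has that objectSid. */
    String groupNameForSid(String sid) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"sAMAccountName"});
        // AD accepts the S-1-5-... string form of objectSid in a filter. The {0} placeholder
        // makes JNDI escape the value, so the SID string can never rewrite the filter itself.
        NamingEnumeration<SearchResult> results = ldap.search(
                searchBase, "(&(objectClass=group)(objectSid={0}))", new Object[] {sid}, controls);
        String name = null;
        if (results.hasMore()) {
            Attribute attr = results.next().getAttributes().get("sAMAccountName");
            name = attr == null ? null : (String) attr.get();
        }
        results.close();
        return name;
    }

    /**
     * Maps PAC SIDs to ROLE_<groupName> authorities. A SID with no resolvable name is kept
     * as ROLE_<sid>, so hasRole() checks against the raw SID (as in the question) still work.
     */
    public List<GrantedAuthority> authoritiesFor(Collection<String> groupSids) throws NamingException {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String sid : groupSids) {
            String name = groupNameForSid(sid);
            authorities.add(new SimpleGrantedAuthority("ROLE_" + (name != null ? name : sid)));
        }
        return authorities;
    }
}
```

Because SIDs are stable while group names can be renamed, it is worth caching the SID-to-name mapping and keeping the SID in audit logs alongside the resolved name.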