Tags: spring-security, active-directory, kerberos, spnego, spring-security-kerberos

Kerb4j - How to get role name from SPNEGO Token?


I'm trying to get the role name from the SPNEGO token returned by Active Directory for use with Spring Security authorization. I'm using kerb4j to authenticate since my understanding is that it can get group (i.e. role) information from the token (instead of a subsequent LDAP query) by using this code.

In my Spring web security config, I have the following:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

// kerb4j Spring Security integration classes
import com.kerb4j.server.spring.ExtractGroupsUserDetailsService;
import com.kerb4j.server.spring.SpnegoAuthenticationProvider;

@Configuration
@EnableWebSecurity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${app.service-principal}")
    private String servicePrincipal;

    @Value("${app.keytab-location}")
    private String keytabLocation;

    // spnegoEntryPoint(), spnegoAuthenticationProcessingFilter(...) and
    // sunJaasKerberosTicketValidator() are the usual kerb4j beans; they are
    // defined in the rest of this config and omitted from the question.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.exceptionHandling()
                .authenticationEntryPoint(spnegoEntryPoint())
                .and()
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .antMatchers("/hello").access("hasRole('ROLE_ADMIN')")
                .anyRequest().authenticated()
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .logout().permitAll()
                .and()
            // SPNEGO filter runs before HTTP Basic so a Negotiate header is handled first
            .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                    BasicAuthenticationFilter.class);
    }

    @Bean
    public SpnegoAuthenticationProvider kerberosServiceAuthenticationProvider() {
        SpnegoAuthenticationProvider provider = new SpnegoAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        // Turns the group SIDs carried in the ticket's PAC into GrantedAuthority values
        provider.setExtractGroupsUserDetailsService(new ExtractGroupsUserDetailsService());
        provider.setServerSpn(servicePrincipal);
        return provider;
    }
}

ExtractGroupsUserDetailsService only gets a SID such as (S-1-2-20-132925241-12333....) rather than an AD group name such as ADMIN. How can ExtractGroupsUserDetailsService be written to extract the name of the group? Is this information available in the SPNEGO token?

Update

Simply replacing ROLE_ADMIN in the hasRole SpEL with the SID does not work.

Update 2

A given SID string does not match the SID string passed into hasRole because hasRole prefixes the passed-in String with ROLE_. Once I changed ExtractGroupsUserDetailsService to prefix "ROLE_" to the SID (e.g. ROLE_S-1-2-20-132925241-12333....), the matching worked.

Still though... how can I get the group name (e.g. ADMIN) in ExtractGroupsUserDetailsService instead of the SID?


Solution

  • ExtractGroupsUserDetailsService only gets a SID such as (S-1-2-20-132925241-12333....) rather than an AD group name such as ADMIN. How can ExtractGroupsUserDetailsService be written to extract the name of the group? Is this information available in the SPNEGO token?

    No, the Kerberos PAC only contains SIDs, not names. (Windows access control is never based on names.) You will still need an LDAP search for those.
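As an added example (not code from the question, the answer, or the kerb4j project), here is one way to put the answer into practice: a replacement for ExtractGroupsUserDetailsService that keeps the ROLE_<SID> authorities from Update 2 and adds ROLE_<GROUP_NAME> by resolving each PAC SID against the directory. It assumes kerb4j's SpnegoAuthenticationToken (package com.kerb4j.server.spring) exposes the PAC group SIDs as its authorities, as the question reports, that Spring LDAP is on the classpath with an LdapTemplate bound to the domain, and that AD accepts the textual SID form in an objectSid filter; the SidNameResolver interface, the class names and the sample SID/name pairs in MapSidNameResolver are this example's own.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.query.LdapQueryBuilder;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import com.kerb4j.server.spring.SpnegoAuthenticationToken;

/**
 * Example (hypothetical) replacement for ExtractGroupsUserDetailsService.
 * Emits ROLE_<SID> for every PAC group (what hasRole() needs, per Update 2)
 * plus ROLE_<GROUP_NAME> when a SidNameResolver can name the SID.
 * Assumes the token's authorities carry the raw SIDs, as the question reports.
 */
public class SidResolvingUserDetailsService
        implements AuthenticationUserDetailsService<SpnegoAuthenticationToken> {

    /** Maps a group SID to its AD name; empty when the SID is unknown. */
    public interface SidNameResolver {
        Optional<String> groupName(String sid);
    }

    private static final String ROLE_PREFIX = "ROLE_";
    // Only well-formed SIDs are ever sent to the directory.
    private static final Pattern SID = Pattern.compile("S-1-\\d+(?:-\\d+)+");

    private final SidNameResolver resolver;
    // SIDs are immutable, so one directory lookup per group per process is enough.
    private final Map<String, Optional<String>> cache = new ConcurrentHashMap<>();

    public SidResolvingUserDetailsService(SidNameResolver resolver) {
        this.resolver = resolver;
    }

    @Override
    public UserDetails loadUserDetails(SpnegoAuthenticationToken token)
            throws UsernameNotFoundException {
        String username = token.getName();
        if (username == null || username.isEmpty()) {
            throw new UsernameNotFoundException("SPNEGO token carries no principal name");
        }
        Set<GrantedAuthority> authorities = new LinkedHashSet<>();
        for (GrantedAuthority granted : token.getAuthorities()) {
            String sid = stripPrefix(granted.getAuthority());
            if (!SID.matcher(sid).matches()) {
                continue; // not a SID: keep it out of the LDAP filter
            }
            // The SID role is the authoritative one: it comes from the KDC-signed PAC,
            // is unique across domains, and survives group renames.
            authorities.add(new SimpleGrantedAuthority(ROLE_PREFIX + sid));
            // The name role is a readability convenience for hasRole('ADMIN')-style checks.
            cache.computeIfAbsent(sid, resolver::groupName)
                 .map(SidResolvingUserDetailsService::toRole)
                 .ifPresent(authorities::add);
        }
        return new User(username, "", authorities);
    }

    /** "Domain Admins" -> ROLE_DOMAIN_ADMINS */
    static GrantedAuthority toRole(String groupName) {
        return new SimpleGrantedAuthority(
                ROLE_PREFIX + groupName.trim().toUpperCase(Locale.ROOT).replace(' ', '_'));
    }

    private static String stripPrefix(String authority) {
        return authority.startsWith(ROLE_PREFIX)
                ? authority.substring(ROLE_PREFIX.length()) : authority;
    }

    /** Resolver backed by Spring LDAP; the filter value is escaped by LdapQueryBuilder. */
    public static class LdapSidNameResolver implements SidNameResolver {
        private final LdapTemplate ldap;

        public LdapSidNameResolver(LdapTemplate ldap) {
            this.ldap = ldap;
        }

        @Override
        public Optional<String> groupName(String sid) {
            List<String> names = ldap.search(
                    LdapQueryBuilder.query().where("objectClass").is("group").and("objectSid").is(sid),
                    (AttributesMapper<String>) attrs -> (String) attrs.get("sAMAccountName").get());
            return names.stream().findFirst();
        }
    }

    /** In-memory resolver for local testing; the SID/name pairs are constructed, not real. */
    public static class MapSidNameResolver implements SidNameResolver {
        private final Map<String, String> names;

        public MapSidNameResolver(Map<String, String> names) {
            this.names = names; // e.g. Map.of("S-1-5-21-1000-2000-3000-512", "Domain Admins")
        }

        @Override
        public Optional<String> groupName(String sid) {
            return Optional.ofNullable(names.get(sid));
        }
    }
}
```

Wire it in place of the stock service with provider.setExtractGroupsUserDetailsService(new SidResolvingUserDetailsService(new LdapSidNameResolver(ldapTemplate))); afterwards both hasRole('ADMIN') and hasRole('S-1-...') match the same user. The SID role is kept on purpose: group names can be renamed or duplicated across trusted domains, so authorization rules that must not drift should still be written against the SID, with the name role reserved for readability.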