I am attempting to integrate Shiro in my spring mvc application. The authentication is backed by a LDAP server and i am able to successfully authenticate against the ldap server and obtain a cookie.
What I am not able to perform is to then use this cookie in subsequent requests and get results. Attempting to use the cookie gives me a HTTP 302 to perform authentication again. For example:
GET on ( rest/assets/list
) with header Cookie: JSESSIONID=abcd
redirects to (rest/login
)
Is this the right strategy to secure the api ? The api is being used by a AngularJS app and i would like to get user group based authentication enabled before I add CRUD ability.
Any pointers would be useful.
Source code as follows:
applicationContext.xml file is as follows
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"/>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
<bean id="ldapRealm" class="com.directv.nmsupport.security.LDAPRealm">
<property name="contextFactory" ref="ldapContextFactory" />
<property name="userDnTemplate" value="uid={0},ou=DirecTV,ou=People,dc=swengdtv,dc=net" />
</bean>
<bean id="ldapContextFactory" class="org.apache.shiro.realm.ldap.JndiLdapContextFactory">
<property name="url" value="ldap://teon:389"/>
</bean>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="ldapRealm"/>
<property name="cacheManager" ref="cacheManager"/>
<property name="sessionManager" ref="sessionManager" />
</bean>
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<property name="sessionIdCookieEnabled" value="true" />
</bean>
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/rest/login"/>
<property name="filterChainDefinitions">
<value>
/rest/login = anon
/rest/** = user
</value>
</property>
</bean>
</beans>
LDAPRealm.java code is
public class LDAPRealm extends JndiLdapRealm {
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
String username = (String) getAvailablePrincipal(principals);
return super.doGetAuthorizationInfo(principals); //To change body of overridden methods use File | Settings | File Templates.
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
return super.doGetAuthenticationInfo(token); //To change body of overridden methods use File | Settings | File Templates.
}
}
LoginController.java is
@Controller
public class LoginController {
@RequestMapping(value = "/login", method = RequestMethod.POST)
public void login(@RequestBody UserCredentials user) {
UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(), user.getPassword());
token.setRememberMe(true);
SecurityUtils.getSecurityManager().authenticate(token);
Subject subject = SecurityUtils.getSubject();
subject.getSession(true);
}
@RequestMapping(value="/logout")
public void logout() {
Subject subject = SecurityUtils.getSubject();
SecurityUtils.getSecurityManager().logout(subject);
}
}
The logging from apache shiro is
17:47:54.428 ["http-bio-8080"-exec-7] DEBUG o.a.shiro.realm.ldap.JndiLdapRealm - Authenticating user 'afulara' through LDAP
17:47:54.428 ["http-bio-8080"-exec-7] DEBUG o.a.s.r.ldap.JndiLdapContextFactory - Initializing LDAP context using URL [ldap://teon:389] and principal [uid=afulara,ou=DirecTV,ou=People,dc=swengdtv,dc=net] with pooling disabled
17:47:54.431 ["http-bio-8080"-exec-7] DEBUG o.a.shiro.realm.AuthenticatingRealm - Looked up AuthenticationInfo [afulara] from doGetAuthenticationInfo
17:47:54.431 ["http-bio-8080"-exec-7] DEBUG o.a.shiro.realm.AuthenticatingRealm - AuthenticationInfo caching is disabled for info [afulara]. Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - afulara, rememberMe=true].
17:47:54.431 ["http-bio-8080"-exec-7] DEBUG o.a.s.authc.AbstractAuthenticator - Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - afulara, rememberMe=true]. Returned account [afulara]
17:48:20.927 ["http-bio-8080"-exec-9] DEBUG o.a.shiro.web.servlet.SimpleCookie - Found 'JSESSIONID' cookie value [02b41ee8-e9e3-43e5-8ee3-aae72322fede]
17:48:24.204 ["http-bio-8080"-exec-10] DEBUG o.a.shiro.web.servlet.SimpleCookie - Found 'JSESSIONID' cookie value [02b41ee8-e9e3-43e5-8ee3-aae72322fede]
17:48:24.210 ["http-bio-8080"-exec-10] WARN o.s.web.servlet.PageNotFound - Request method 'GET' not supported
The Idea behind REST is that it is Stateless so, if you create a session with the client you would break the priciples of an RESTful API. I would recommend to use Spring Security, you can find a simple example here: http://spring.io/guides/gs/securing-web/. It will take you about 5 - 10 Minutes and you can then use it in your project.
Also there is a simple guide for connecting to an LDAP system: http://spring.io/guides/gs/authenticating-ldap/
UPDATE: Saw your comment on your question, I would suggest you to answer your question with the result you come up with.