Setting Up an LDAP Provider for Spring Security

This page describes how you can configure a Spring Security LDAP provider, which can be used by Mule 2.2 or later as follows:

As its security provider via SpringProviderAdapter
To perform component authorization

For information on configuring an in-memory provider, see Configuring Security.

JAR Files

The Mule software distribution provides the Spring .jar files you need in the <distribution>/lib/opt directory:

spring-ldap-core-2.0.2.RELEASE.jar
spring-security-config-4.0.1.RELEASE.jar
spring-security-core-4.0.1.RELEASE.jar
spring-security-ldap-4.0.1.RELEASE.jar
spring-security-web-4.0.1.RELEASE.jar

Declaring the Beans

You must set up two beans in Spring, a DefaultSpringSecurityContextSource and an LdapAuthenticationProvider. The DefaultSpringSecurityContextSource is the access point for obtaining an LDAP context where the LdapAuthenticationProvider provides integration with the LDAP server. For example:

Set up an LDAP context source for use by the Spring security authentication provider to search and authenticate your users. Also, you need to define an authentication manager with an embedded LDAP authentication provider as shown:

<mule
      xmlns:ss="http://www.springframework.org/schema/security"
      xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
      xmlns:spring="http://www.springframework.org/schema/beans"
      ...
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      ...
      xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/spring-security http://www.mulesoft.org/schema/mule/spring-security/current/mule-spring-security.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">
...
  <spring:beans>

    ...

    <spring:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
             <spring:constructor-arg value="${ldap.url}"/>
             <spring:property name="userDn" value="${ldap.adminDn}"/>
             <spring:property name="password" value="${ldap.adminPassword}"/>
        </spring:bean>

        <ss:authentication-manager alias="authenticationManager">
            <ss:ldap-authentication-provider user-search-filter="(uid={0})" user-search-base="ou=People" group-search-base="ou=Group"/>
        </ss:authentication-manager>
  </spring:beans>
...

More information about the LDAP authentication provider and the different mechanisms to authenticate users against your LDAP server can be found here: LDAP. See also: Spring Security Reference.

Configuring the Mule Security Provider

The SpringSecurityProviderAdapter delegates to an AuthenticationProvider such as the LdapAuthenticationProvider.

<mule-ss:security-manager>
    <mule-ss:delegate-security-provider name="spring-security-ldap" delegate-ref="authenticationManager"/>
</mule-ss:security-manager>

With the above configuration, you can achieve connector-level security and other security features in Mule that require one or more security providers.

Configuring the MethodSecurityInterceptor

The configuration for component authorization is similar to the one described in Component Authorization Using Spring Security. A key point of configuration is securityMetadataSource:

<property name="securityMetadataSource" value="org.mule.api.lifecycle.Callable.onCall=ROLE_MANAGERS"/>

The roles are looked up by the DefaultLdapAuthoritiesPopulator, which you configured in the previous section. By default, a role is prefixed with ROLE_, and its value is extracted and converted to uppercase from the LDAP attribute defined by the groupRoleAttribute.