Configure LDAP Provider for Spring Security
|
This version of Mule reached its End of Life on May 2, 2023, when Extended Support ended. Deployments of new applications to CloudHub that use this version of Mule are no longer allowed. Only in-place updates to applications are permitted. MuleSoft recommends that you upgrade to the latest version of Mule 4 that is in Standard Support so that your applications run with the latest fixes and security enhancements. |
In Mule 4, you can either use a Spring Security LDAP provider to perform component authorization, or use it as a Mule security provider via the Spring module. Before you configure the LDAP provider, obtain the Spring JAR files and declare Spring beans.
Obtain JAR Files
The Mule software distribution provides the Spring JAR files you need in the <distribution>/lib/opt directory:
-
spring-ldap-core-2.3.2.RELEASE.jar -
spring-security-config-4.2.6.RELEASE.jar -
spring-security-core-4.2.6.RELEASE.jar -
spring-security-ldap-4.2.6.RELEASE.jar -
spring-security-web-4.2.6.RELEASE.jar
Declare Spring Beans
The DefaultSpringSecurityContextSource class is the access point for obtaining an LDAP context.
You must declare the Spring bean for DefaultSpringSecurityContextSource in a separate beans.xml file in your resources folder.
For example, you must set up an LDAP context source for use by the Spring Security authentication provider to search and authenticate your users. Also, you need to define an authentication-manager interface with an embedded ldap-authentication-provider class as in the following code sample:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xmlns:ss="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
...
http://www.springframework.org/schema/security/spring-security-4.2.xsd">
<bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://localhost:389"/>
<property name="userDn" value="cn=admin,dc=example,dc=org"/>
<property name="password" value="admin"/>
</bean>
<ss:authentication-manager alias="ldapAuthManager">
<ss:ldap-authentication-provider
server-ref="ldapContextSource"
user-search-base="DC=example,DC=org"
user-search-filter="(uid={0})"
group-search-base="DC=example,DC=org"
group-search-filter="({0})"
group-role-attribute="ou"
/>
</ss:authentication-manager>
</beans>Configure the Mule Security Provider
The SpringSecurityProviderAdapter delegates to an AuthenticationProvider such as the LdapAuthenticationProvider. To configure the Mule security provider review the following example configuration that shows how you can achieve in Mule connector-level security and other security features that require one or more security providers.
<spring:config name="Spring_Config" files="beans.xml" />
<spring:security-manager>
<spring:delegate-security-provider name="ldap-provider" delegate-ref="ldapAuthManager" />
</spring:security-manager>The following example configuration references a basic HTTP security filter:
<http:listener-config name="HTTP_Listener_config" doc:name="HTTP Listener config">
<http:listener-connection host="0.0.0.0" port="8081" />
</http:listener-config>
<spring:config name="Spring_Config" files="beans.xml" />
<spring:security-manager>
<spring:delegate-security-provider name="ldap-provider" delegate-ref="ldapAuthManager" />
</spring:security-manager>
<flow name="secureFlow">
<http:listener doc:name="Listener" config-ref="HTTP_Listener_config" path="/test" />
<http:basic-security-filter doc:name="Basic security filter" securityProviders="#[['ldap-provider']]" realm="mule-realm"/>
<ee:transform doc:name="Transform Message">
<ee:message>
<ee:set-payload><![CDATA[%dw 2.0
output application/json
---
{
"status": "ok"
}]]></ee:set-payload>
</ee:message>
</ee:transform>
</flow>