Configure LDAP Provider for Spring Security
In Mule 4, you can either use a Spring Security LDAP provider to perform component authorization, or use it as a Mule security provider via the Spring module. Before you configure the LDAP provider, obtain the Spring JAR files and declare Spring beans.
Obtain JAR Files
The Mule software distribution provides the Spring JAR files you need in the <distribution>/lib/opt directory:
-
spring-ldap-core-2.3.2.RELEASE.jar -
spring-security-config-4.2.6.RELEASE.jar -
spring-security-core-4.2.6.RELEASE.jar -
spring-security-ldap-4.2.6.RELEASE.jar -
spring-security-web-4.2.6.RELEASE.jar
Declare Spring Beans
The DefaultSpringSecurityContextSource class is the access point for obtaining an LDAP context.
You must declare the Spring bean for DefaultSpringSecurityContextSource in a separate beans.xml file in your resources folder.
For example, you must set up an LDAP context source for use by the Spring Security authentication provider to search and authenticate your users. Also, you need to define an authentication-manager interface with an embedded ldap-authentication-provider class as in the following code sample:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xmlns:ss="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
...
http://www.springframework.org/schema/security/spring-security-4.2.xsd">
<bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://localhost:389"/>
<property name="userDn" value="cn=admin,dc=example,dc=org"/>
<property name="password" value="admin"/>
</bean>
<ss:authentication-manager alias="ldapAuthManager">
<ss:ldap-authentication-provider
server-ref="ldapContextSource"
user-search-base="DC=example,DC=org"
user-search-filter="(uid={0})"
group-search-base="DC=example,DC=org"
group-search-filter="({0})"
group-role-attribute="ou"
/>
</ss:authentication-manager>
</beans>Configure the Mule Security Provider
The SpringSecurityProviderAdapter delegates to an AuthenticationProvider such as the LdapAuthenticationProvider. To configure the Mule security provider review the following example configuration that shows how you can achieve in Mule connector-level security and other security features that require one or more security providers.
<spring:config name="Spring_Config" files="beans.xml" />
<spring:security-manager>
<spring:delegate-security-provider name="ldap-provider" delegate-ref="ldapAuthManager" />
</spring:security-manager>The following example configuration references a basic HTTP security filter:
<http:listener-config name="HTTP_Listener_config" doc:name="HTTP Listener config">
<http:listener-connection host="0.0.0.0" port="8081" />
</http:listener-config>
<spring:config name="Spring_Config" files="beans.xml" />
<spring:security-manager>
<spring:delegate-security-provider name="ldap-provider" delegate-ref="ldapAuthManager" />
</spring:security-manager>
<flow name="secureFlow">
<http:listener doc:name="Listener" config-ref="HTTP_Listener_config" path="/test" />
<http:basic-security-filter doc:name="Basic security filter" securityProviders="#[['ldap-provider']]" realm="mule-realm"/>
<ee:transform doc:name="Transform Message">
<ee:message>
<ee:set-payload><![CDATA[%dw 2.0
output application/json
---
{
"status": "ok"
}]]></ee:set-payload>
</ee:message>
</ee:transform>
</flow>