
Setting Up an LDAP Provider for Acegi

Deprecated Module

The Acegi module is deprecated. Please upgrade to the Spring Security module instead, which is a drop-in replacement. As of Mule 3.2 the Acegi module is removed from the distribution.

This page describes how you can configure an Acegi LDAP provider, which can be:

For information on configuring an in-memory DAO provider, see Configuring Security.

Declaring the Beans

You must set up two beans in Spring: an InitialDirContextFactory and an LdapAuthenticationProvider. The InitialDirContextFactory is the access point for obtaining an LDAP context, while the LdapAuthenticationProvider provides the integration with the LDAP server. For example:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:mule="http://www.mulesource.org/schema/mule/core"
       xmlns:acegi="http://www.mulesource.org/schema/mule/acegi"
       ...cut...

  <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
        <constructor-arg value="ldap://localhost:389/dc=com,dc=foobar" />
        <property name="managerDn">
                <value>cn=root,dc=com,dc=foobar</value>
        </property>
        <property name="managerPassword">
                <value>secret</value>
        </property>
  </bean>

  <bean id="authenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg>
                <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                        <constructor-arg>
                                <ref local="initialDirContextFactory" />
                        </constructor-arg>
                        <property name="userDnPatterns">
                                <list>
                                        <value>uid={0},ou=people</value>
                                </list>
                        </property>
                </bean>
        </constructor-arg>
        <constructor-arg>
                <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
                        <constructor-arg>
                                <ref local="initialDirContextFactory" />
                        </constructor-arg>
                        <constructor-arg>
                                <value>ou=groups</value>
                        </constructor-arg>
                        <property name="groupRoleAttribute">
                                <value>cn</value>
                        </property>
                        <property name="searchSubtree">
                                <value>true</value>
                        </property>
                        <property name="rolePrefix">
                                <value>ROLE_</value>
                        </property>
                        <property name="convertToUpperCase">
                                <value>true</value>
                        </property>
                </bean>
        </constructor-arg>
  </bean>
</beans>

Configuring the Mule Security Provider

The AcegiProviderAdapter delegates to an AuthenticationProvider such as the LdapAuthenticationProvider.

<acegi:security-manager>
    <acegi:delegate-security-provider name="acegi-ldap" delegate-ref="authenticationProvider"/>
</acegi:security-manager>

With the above configuration, you can achieve endpoint-level security and other security features in Mule that require one or more security providers.

Configuring the MethodSecurityInterceptor

The configuration for component authorization is similar to the one described in Component Authorization Using Acegi. A key point of the configuration is the objectDefinitionSource property:

<property name="objectDefinitionSource" value="org.mule.api.lifecycle.Callable.onCall=ROLE_MANAGERS"/>

The roles are looked up by the DefaultLdapAuthoritiesPopulator, which you configured in the previous section. By default, a role is prefixed with ROLE_ and its value is extracted (and converted to uppercase) from the LDAP attribute defined by the groupRoleAttribute.
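To make the whole chain concrete, the following Python simulation (an added example, not Acegi or Mule code) walks a login through the pieces configured above: the BindAuthenticator's userDnPatterns substitution, the DefaultLdapAuthoritiesPopulator's group search under ou=groups with searchSubtree, rolePrefix and convertToUpperCase, and the objectDefinitionSource check on Callable.onCall. It assumes Acegi's default group search filter (member={0}) and replaces ldap://localhost:389 with a constructed in-memory directory; unlisted methods are simply denied here.

```python
BASE_DN = "dc=com,dc=foobar"
ALICE = "uid=alice,ou=people," + BASE_DN
BOB = "uid=bob,ou=people," + BASE_DN

# Constructed stand-in for ldap://localhost:389 (DN -> attributes).
# cn=staff is one OU below ou=groups, so only searchSubtree=true reaches it.
DIRECTORY = {
    ALICE: {"userPassword": "alice-pw"},
    BOB: {"userPassword": "bob-pw"},
    "cn=managers,ou=groups," + BASE_DN: {"cn": "managers", "member": [ALICE]},
    "cn=staff,ou=regional,ou=groups," + BASE_DN: {"cn": "staff", "member": [ALICE, BOB]},
}

def authenticate(username, password, pattern="uid={0},ou=people"):
    # BindAuthenticator: substitute {0} in userDnPatterns and bind as that DN
    # with the password the user supplied (the managerDn is not used here).
    dn = pattern.replace("{0}", username) + "," + BASE_DN
    entry = DIRECTORY.get(dn)
    return dn if entry and entry.get("userPassword") == password else None

def authorities(user_dn, search_base="ou=groups", subtree=True,
                role_attr="cn", prefix="ROLE_", upper=True):
    # DefaultLdapAuthoritiesPopulator: groups whose member attribute holds the
    # user DN (assumed default filter (member={0})) become ROLE_<CN> authorities.
    base = search_base + "," + BASE_DN
    roles = set()
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base):
            continue
        if not subtree and "," in dn[: -len(base) - 1]:
            continue  # one-level search: skip entries nested below the base
        if user_dn in attrs.get("member", []):
            role = attrs[role_attr]
            roles.add(prefix + (role.upper() if upper else role))
    return roles

def parse_object_definition_source(text):
    # One "fully.qualified.Method=ROLE_A,ROLE_B" entry per line, as in the
    # objectDefinitionSource property of the MethodSecurityInterceptor.
    source = {}
    for line in text.splitlines():
        if "=" in line:
            method, roles = line.split("=", 1)
            source[method.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return source

def authorize(roles, method, source):
    # Grant the call when the caller holds at least one required role;
    # a method with no entry is denied in this simulation.
    return bool(roles & source.get(method, set()))
```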