Set Up Active Directory Authentication for Appkit
While integration with Active Directory can be achieved using the LDAP setup, Spring Security provides a tailored security provider which makes configuring security using Active Directory easier.
This article describes how to set up authentication against an Active Directory server. It assumes that your Appkit application is managed as a Maven project with all project dependencies described in a Maven POM file.
1. Add the security provider dependency
Authentication against Active Directory requires the Active Directory module.
- Remove any existing security provider dependency from the pom.xml under the root of the project.
- Add this within the dependencies tag:
<dependency>
    <groupId>twigkit</groupId>
    <artifactId>twigkit.security.provider.active-directory</artifactId>
    <version>${project.parent.version}</version>
</dependency>
- To configure Appkit to invoke this module on startup, change the security.conf file in src/main/resources/conf/security/ to contain:
type: spring_security
2. Configure security filtering in the application
Spring Security operates using a Servlet filter that must be mapped in the web.xml file in src/main/webapp/WEB-INF:
<!-- Spring Security -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring-security.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Spring Security Ends -->
Add this as the first filter in the chain (at the top of the web.xml file), so that every request passes through Spring Security before any other filter or servlet handles it.
3. Point the application to the security backend
You do not need to write a Spring Security XML configuration of your own. Instead, create a file named active-directory.conf in src/main/resources/conf/security containing:
ldap-server-url: ldap://sharepoint-dc-mtyy7623.cloudapp.net:389/
domain: sharepoint-dev.twigkit.com
Set ldap-server-url to the LDAP endpoint of the Active Directory domain controller and domain to the Active Directory domain in which the users to be authenticated are located.
The LDAP protocol
Note the scheme in the URL: ldap:// is unencrypted, so the credentials a user submits are sent to the domain controller in clear text during the bind. In production, use LDAP over SSL/TLS with the ldaps:// scheme (typically port 636). This requires that the server's certificate be trusted by the authentication client, that is, the JVM running Appkit. There are several ways to configure the JVM's truststore so that it trusts the certificate presented by the LDAP server; the most common is to import the domain controller's certificate, or the certificate of the CA that issued it, into the JVM's default truststore (cacerts) using keytool.
Authentication manager configuration
Unlike the configuration for the LDAP module, the Active Directory specific configuration is minimal. A user can then log in using either their bare username or their fully qualified user principal name (for example, bloggsj@my-domain.com). By default, roles are assigned from the memberOf attribute values of the user's directory entry, so the user's group memberships in Active Directory determine the roles they hold in Appkit.
4. Verify the configuration
You can now verify authentication in an Appkit application using the widget:login-form tag on a login page, typically src/main/webapp/login.jsp in your application source tree. Log in with a known domain account in both forms (bare username and username@domain) and confirm that the roles derived from that account's group memberships are the ones you expect.