How to create a new authentication module? LDAP + Spring Boot + onesaitPlatform


In this post, we are going to explain how to create a new Authentication module to authenticate users in the platform.

As a demonstration, we are going to implement authentication against an LDAP server.


Where is the Authentication Provider configured?


As we know, for authentication purposes, Spring Boot uses AuthenticationProvider beans. This is configured in the class SpringSecurityConfig.java. You can find it in onesaitplatform-controlpanel, under the package com.minsait.onesait.platform.controlpanel.security.



In this class, the AuthenticationProvider bean is injected and assigned to our security configuration:

This means that, if Spring does not detect any custom implementation of the class AuthenticationProvider, the default Spring implementation will be injected.

NOTE: As we are injecting the AuthenticationProvider interface itself, we cannot have more than one bean/service/component implementing this interface at a given time, but we will go deeper into this later.


Integrating LDAP


The AuthenticationProviders are found in the project onesaitplatform-security-ri.

Firstly, add the LDAP dependencies in the pom.xml.





Application parameters for configuration


Now, open the application.yml of both the controlpanel and the oauth-server, because these two modules will use the AuthenticationProvider implementation independently.

For the LDAP configuration, you will need the following parameters, so set them up in both yaml files:



LDAP context and template configuration


Now we are going to set up the LDAP Context and Template. To do this, create a @Configuration class in the project.



Here we are just importing the yaml parameters and setting them up in LDAP configuration elements.

The LdapTemplate Bean is what we are going to use to exchange requests/responses between the platform and the LDAP server.
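The following @Configuration class is an added example, not code from the platform: it shows how the yaml parameters from the previous section feed Spring LDAP's LdapContextSource and the LdapTemplate bean. The property names (ldap.url, ldap.base, ldap.username, ldap.password), the package and the class name are assumptions for this example, and it assumes the spring-ldap-core / spring-security-ldap dependencies added to the pom.xml earlier.

```java
// Added example (not the platform's own code). The yaml keys below are
// assumptions; use the ones you defined in both application.yml files.
//
// Assumed yaml fragment (identical in controlpanel and oauth-server):
//   ldap:
//     url: ldap://ldap.example.internal:389
//     base: dc=example,dc=com
//     username: cn=manager,dc=example,dc=com
//     password: ${LDAP_MANAGER_PASSWORD}   # read from the environment, never committed

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;

@Configuration
public class LdapConfig {   // hypothetical class name

    @Value("${ldap.url}")
    private String url;

    @Value("${ldap.base}")
    private String base;

    @Value("${ldap.username}")
    private String managerDn;

    @Value("${ldap.password}")
    private String managerPassword;

    /** Connection to the LDAP server, bound with the manager DN for searches. */
    @Bean
    public LdapContextSource contextSource() {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(url);
        contextSource.setBase(base);
        contextSource.setUserDn(managerDn);
        contextSource.setPassword(managerPassword);
        // Never fall back to an anonymous context: searches and binds always
        // run as the manager DN or as the end user being authenticated.
        contextSource.setAnonymousReadOnly(false);
        return contextSource;
    }

    /** Template used to exchange requests/responses with the LDAP server. */
    @Bean
    public LdapTemplate ldapTemplate(LdapContextSource contextSource) {
        LdapTemplate template = new LdapTemplate(contextSource);
        // Surface partial-result errors (e.g. referrals) instead of silently
        // returning incomplete search results.
        template.setIgnorePartialResultException(false);
        return template;
    }
}
```

Keep the manager password out of the yaml file itself (an environment variable or the platform's secret store) since both the controlpanel and the oauth-server carry this configuration.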


Implementing AuthenticationProvider


We need to create a @Component that implements the interface AuthenticationProvider.

The logic we are going to implement in this component is:

  • Authenticate the user against the LDAP server.
  • If the user does not exist in the ConfigDB, then create that user, extending the information retrieved from the LDAP server with a custom service (in this example, 'LdapUserService').



@Override authenticate

Retrieve parameters from request

Create filter and authenticate through LDAP server


If the user is authenticated:


If the user does not exist, then create the user. Firstly, search for the LDAP attributes. The LdapUserMapper will map the attributes cn, sn and mail from the LDAP entry to User entity attributes.


Then you will need to complete the User entity before committing to DB.

Set the userid and the password, and then call LdapUserService to assign the default Role, set it to active, and save to DB.


@Override supports

As you are returning an instance of UsernamePasswordAuthenticationToken, override the method like this:


AuthenticationProvider Singleton


As we stated before in this tutorial, you can only have one bean of type AuthenticationProvider at a time, so you are going to define a @ConditionalOnProperty in each Component of this type.

For example, in the platform we have several implementations of AuthenticationProvider, so you can add this annotation:

LdapAuthenticationProvider


ConfigDBAuthenticationProvider



As you can see, the property 'onesaitplatform.authentication.provider' defined in application.yml (remember to define it in every module that uses authentication, i.e. the OAuth server and the Controlpanel) drives the switching between providers.
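The class below is an added example that is not the platform's own code. It brings together the two previous sections: the authenticate/supports overrides with the LdapUserMapper (attributes cn, sn and mail), and the @ConditionalOnProperty guard on 'onesaitplatform.authentication.provider' that keeps a single AuthenticationProvider bean alive. The yaml keys ldap.user-search-base and ldap.user-id-attribute, the User setters (setUserId, setPassword, setFullName, setEmail), the LdapUserService methods findByUserId and createDefaultUser, the ROLE_USER authority and the havingValue "ldap" are assumptions; the platform's real names may differ. As a design choice, the example stores a random placeholder instead of the LDAP password in ConfigDB, so the local database never holds a reusable credential and LDAP stays the only place the password is verified.

```java
// Added example (not the platform's own code). User, LdapUserService and the
// property names are assumptions standing in for the platform's real classes.

import java.util.Collections;
import java.util.List;
import java.util.UUID;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

@Component
// Only one AuthenticationProvider bean may exist at a time: this one is only
// created when onesaitplatform.authentication.provider=ldap (value assumed).
@ConditionalOnProperty(name = "onesaitplatform.authentication.provider", havingValue = "ldap")
public class LdapAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private LdapTemplate ldapTemplate;

    @Autowired
    private LdapUserService ldapUserService;   // hypothetical platform service

    @Value("${ldap.user-search-base}")
    private String userSearchBase;   // assumed key, e.g. ou=people

    @Value("${ldap.user-id-attribute}")
    private String userIdAttribute;  // assumed key, e.g. uid

    /** Maps the LDAP attributes cn, sn and mail onto the User entity. */
    static class LdapUserMapper implements AttributesMapper<User> {
        @Override
        public User mapFromAttributes(Attributes attrs) throws NamingException {
            User user = new User();   // hypothetical entity setters
            user.setFullName(attrs.get("cn").get() + " " + attrs.get("sn").get());
            user.setEmail((String) attrs.get("mail").get());
            return user;
        }
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Retrieve parameters from the request
        String userId = authentication.getName();
        String password = (String) authentication.getCredentials();
        if (userId == null || userId.isEmpty() || password == null || password.isEmpty()) {
            // An empty password is treated as an anonymous bind by many LDAP
            // servers and would "succeed", so reject it before contacting LDAP.
            throw new BadCredentialsException("Empty username or password");
        }

        // Create the filter and authenticate through the LDAP server.
        // EqualsFilter escapes the value, so user input cannot alter the filter.
        AndFilter filter = new AndFilter()
                .and(new EqualsFilter("objectclass", "person"))
                .and(new EqualsFilter(userIdAttribute, userId));
        if (!ldapTemplate.authenticate(userSearchBase, filter.encode(), password)) {
            throw new BadCredentialsException("LDAP authentication failed for " + userId);
        }

        // If the user does not exist in ConfigDB, create it from the LDAP entry
        if (ldapUserService.findByUserId(userId) == null) {
            List<User> found = ldapTemplate.search(userSearchBase, filter.encode(), new LdapUserMapper());
            if (found.isEmpty()) {
                throw new BadCredentialsException("No LDAP entry found for " + userId);
            }
            User user = found.get(0);
            user.setUserId(userId);
            // Random placeholder: ConfigDB never stores the LDAP password
            user.setPassword(UUID.randomUUID().toString());
            ldapUserService.createDefaultUser(user);   // default role, active, save to DB
        }

        // Credentials are not kept in the token; LDAP already verified them
        return new UsernamePasswordAuthenticationToken(userId, null,
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

The ConfigDBAuthenticationProvider gets the same annotation with a different havingValue, so exactly one of the two components is instantiated for the value set in each module's application.yml; if the property is missing in one module, neither component is created there and Spring's own provider is injected instead.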




(c) 2020 Indra Soluciones Tecnologías de la Información, S.L.U.