Saturday, December 19, 2009

Integrating Spring Security with NTLM + Crowd

For the purpose of implementing a SSO (Single Sign On) system into our application, I investigated the use of spring-security and successfully implemented it using NTLM and Crowd.

Download Sample Project

Technologies
As most of our users are using Internet Explorer, NTLM seems to be the best solution. By the way, as developer we are using Firefox and fortunately Firefox can provide too NTLM credentials (see this to enableNTLM inside Firefox).
NTLM is used for authentication only (giving windows credentials to the web application) then Crowd is used to store and retrieve user's authorizations.
Atlassian Crowd provide full spring-security integration, and a bunch of connector to communicate with most of directory services available.
I first configured Crowd to use an internal directory to avoid being disrupted by communication with external directories. Then I added connection to our Microsoft Active Directory... but this go beyond the scope of this blog entry.

Prerequisites
  • Add spring-security and spring-security-ntlm and theirs dependency in your project
  • Add crowd-integration-client and his dependency in your project 
  • Integrate Crowd integration client by following this documentation from step 1 to 3.0 
Integration
First of all, create a new spring application context (applicationContext-security.xml) with the following content :

Then add it in your web application descriptor (web.xml) with the spring security filter, you must end with something like this :

And finally, create the custom UserDetailsAuthenticationProvider (unfortunally I was suprised to didn't find a provider that suit my needs...):

You're done !

Creating test pages
As you may have notified, the file applicationContext-security.xml defining three different level of security:

  • Anonymous access authorized by default to all page
  • Standard users can access the 'secure.jsp' page
  • Administrators can access the 'admin.jsp' page
So create the pages index.jsp, secure.jsp and admin.jsp with the content you want or change the security context to suit your needs.

Crowd configuration
Open the Crowd administrator console, and create user corresponding to your Active Directory account name, add it to the application you created when you integrated Crowd (more informations).
Create two groups (myapp-user and myapp-administrators, you can name it differently but you must then update your spring security context correspondingly) and add them to the user created before.
Don't hesitate to read the Crowd documentation for further information. Specially if you want add a connector for your directory, but I strongly recommend you to first test your application using a Crowd integrated directory.

Conclusion
Integrating spring-security into an existing web-application is relatively straight-forward, specially if you already using spring. Some specific configuration is needed to enable NTLM and Crowd support but documentation can be easily find online.
And best of all, if you want to change for Kerberos in future you can do it simply and without changing the way your application works... thanks to Spring IoC :-D
And thanks to Crowd you can change connection to different directory services without loosing user authorizations (of course user-name must be the same...).

References