From a73647564123b494bdd267db79ab1ac0562b389a Mon Sep 17 00:00:00 2001 From: "Piyush Sadangi (EXT)" Date: Tue, 12 Mar 2024 15:40:44 +0530 Subject: [PATCH] LDAP cahcing --- publish-service/pom.xml | 32 ++++++++ .../CachingLdapAuthenticationProvider.java | 70 ++++++++++++++++ .../remrem/publish/config/SecurityConfig.java | 80 +++++++++++++++++-- 3 files changed, 176 insertions(+), 6 deletions(-) create mode 100644 publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/CachingLdapAuthenticationProvider.java diff --git a/publish-service/pom.xml b/publish-service/pom.xml index e9c90a4c..af361dd4 100644 --- a/publish-service/pom.xml +++ b/publish-service/pom.xml @@ -81,6 +81,38 @@ + + org.springframework.security + spring-security-test + 5.7.4 + test + + + org.springframework.security + spring-security-ldap + 5.7.4 + + + com.github.ben-manes.caffeine + caffeine + 3.1.8 + + + org.springframework.security + spring-security-config + 5.7.4 + + + org.springframework.ldap + spring-ldap-core + 2.4.1 + + + org.springframework.boot + spring-boot-starter-cache + ${springboot.version} + + io.springfox springfox-swagger-ui diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/CachingLdapAuthenticationProvider.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/CachingLdapAuthenticationProvider.java new file mode 100644 index 00000000..1af06b3d --- /dev/null +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/CachingLdapAuthenticationProvider.java @@ -0,0 +1,70 @@ +package com.ericsson.eiffel.remrem.publish.config; + +import org.springframework.cache.concurrent.ConcurrentMapCache; +import org.springframework.security.authentication.BadCredentialsException; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.userdetails.UserCache; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.cache.NullUserCache; +import org.springframework.security.core.userdetails.cache.SpringCacheBasedUserCache; +import org.springframework.security.ldap.authentication.LdapAuthenticationProvider; +import org.springframework.security.ldap.authentication.LdapAuthenticator; +import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator; +import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator; +import org.springframework.stereotype.Component; +import org.springframework.util.StringUtils; + +public class CachingLdapAuthenticationProvider extends LdapAuthenticationProvider { + + private UserCache userCache = new NullUserCache(); + + /** + * Create an instance with the supplied authenticator and authorities populator + * implementations. + * + * @param authenticator the authentication strategy (bind, password comparison, etc) + * to be used by this provider for authenticating users. + * @param authoritiesPopulator the strategy for obtaining the authorities for a given + */ + + public CachingLdapAuthenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator) { + super(authenticator, authoritiesPopulator); + } + + public void setUserCache(UserCache userCache) { + this.userCache = userCache; + } + + + @Override + public Authentication authenticate(Authentication authentication) { + String userName = authentication.getName(); + UsernamePasswordAuthenticationToken userToken = (UsernamePasswordAuthenticationToken) authentication; + UserDetails userDetailsFromCache = userCache.getUserFromCache(userName); + if (userDetailsFromCache != null) { + additionalAuthenticationChecks(userDetailsFromCache, userToken); + return createSuccessfulAuthentication(userToken, userDetailsFromCache); + } else { + Authentication authenticationFromProvider = super.authenticate(authentication); + userCache.putUserInCache((UserDetails)authenticationFromProvider.getPrincipal()); + return authenticationFromProvider; + } + + } + + protected void additionalAuthenticationChecks(UserDetails userDetails, + UsernamePasswordAuthenticationToken authentication) { + Object credentials = authentication.getCredentials(); + if (!StringUtils.isEmpty(credentials)) { + String presentedPassword = authentication.getCredentials().toString(); + if (userDetails.getPassword().equals(presentedPassword)) { + // password matches + return; + } + } + throw new BadCredentialsException(messages.getMessage( + "AbstractUserDetailsAuthenticationProvider.badCredentials", + "Bad credentials")); + } +} \ No newline at end of file diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java index ab4fe376..98fb436d 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java @@ -29,6 +29,37 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.cache.annotation.Cacheable; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.cache.concurrent.ConcurrentMapCache; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.ldap.core.support.BaseLdapPathContextSource; +import org.springframework.ldap.core.support.LdapContextSource; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.core.userdetails.UserCache; +import org.springframework.security.core.userdetails.cache.SpringCacheBasedUserCache; +import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; +import org.springframework.security.crypto.password.PasswordEncoder; +import org.springframework.security.ldap.authentication.BindAuthenticator; +import org.springframework.security.ldap.authentication.LdapAuthenticator; +import org.springframework.security.ldap.search.FilterBasedLdapUserSearch; +import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator; +import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator; +import org.springframework.cache.CacheManager; +import org.springframework.cache.caffeine.CaffeineCacheManager; +import com.github.benmanes.caffeine.cache.Caffeine; +import java.util.concurrent.TimeUnit; /** * This class is used to enable the ldap authentication based on property @@ -64,6 +95,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter { @Value("${activedirectory.connectionTimeOut:#{127000}}") private Integer ldapTimeOut = DEFAULT_LDAP_CONNECTION_TIMEOUT; + @Value("${LdapCacheTTL}") + private Integer LdapCacheTTL; + // built in connection timeout value for ldap if the network issue happens public static final Integer DEFAULT_LDAP_CONNECTION_TIMEOUT = 127000; @@ -74,20 +108,54 @@ public Integer getTimeOut() { @Autowired private CustomAuthenticationEntryPoint customAuthenticationEntryPoint; - @Autowired - protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { + @Bean + public UserCache userCache() { + if (cacheManager().getCache("authenticationCache") == null) { + throw new IllegalStateException ("Cache 'authenticationCache' is required but not available"); + } + return new SpringCacheBasedUserCache(cacheManager().getCache("authenticationCache")); + } + + @Bean + public CacheManager cacheManager() { + CaffeineCacheManager cacheManager = new CaffeineCacheManager(); + cacheManager.setCaffeine(Caffeine.newBuilder() + .expireAfterWrite(LdapCacheTTL, TimeUnit.MINUTES)); + return cacheManager; + } + + @Bean + public LdapAuthoritiesPopulator ldapAuthoritiesPopulator() { + LdapContextSource contextSource = ldapContextSource(); + return new DefaultLdapAuthoritiesPopulator(contextSource, null); + } + + @Override + public void configure(AuthenticationManagerBuilder auth) throws Exception { final String jasyptKey = RabbitMqPropertiesConfig.readJasyptKeyFile(jasyptKeyFilePath); if (managerPassword.startsWith("{ENC(") && managerPassword.endsWith("}")) { managerPassword = DecryptionUtils.decryptString( managerPassword.substring(1, managerPassword.length() - 1), jasyptKey); } LOGGER.debug("LDAP server url: " + ldapUrl); - auth.ldapAuthentication() - .userSearchFilter(userSearchFilter) - .contextSource(ldapContextSource()); + LdapContextSource contextSource = ldapContextSource(); + BindAuthenticator bindAuthenticator = new BindAuthenticator(contextSource); + bindAuthenticator.setUserSearch(new FilterBasedLdapUserSearch("", userSearchFilter, contextSource)); + + + LdapAuthoritiesPopulator ldapAuthoritiesPopulator = ldapAuthoritiesPopulator(); + + // Create and use the caching LDAP authentication provider + CachingLdapAuthenticationProvider cachingProvider = + new CachingLdapAuthenticationProvider(bindAuthenticator, ldapAuthoritiesPopulator); + + cachingProvider.setUserCache(userCache()); + auth.authenticationProvider(cachingProvider); + } - public BaseLdapPathContextSource ldapContextSource() { + @Bean + public LdapContextSource ldapContextSource() { LdapContextSource ldap = new LdapContextSource(); ldap.setUrl(ldapUrl); ldap.setBase(rootDn);