With most of our samples we use DummyUserDetailsService, because once Kerberos authentication has succeeded there is not necessarily a need to query real user details: the Kerberos principal info is enough to create that dummy user. However, there is a way to access kerberized LDAP services in a safe way and query user details from there. KerberosLdapContextSource can be used to bind to LDAP via Kerberos, which is at least proven to work well with Windows AD services. Note that the bind is made with the service's own keytab credentials, not with the user's ticket, so the LDAP lookup runs with whatever rights that service account has in the directory.
```java
@Value("${app.ad-server}")
private String adServer;

@Value("${app.service-principal}")
private String servicePrincipal;

@Value("${app.keytab-location}")
private String keytabLocation;

@Value("${app.ldap-search-base}")
private String ldapSearchBase;

@Value("${app.ldap-search-filter}")
private String ldapSearchFilter;

@Bean
public KerberosLdapContextSource kerberosLdapContextSource() {
    // Context source that authenticates to the directory with a Kerberos ticket
    // obtained from the service keytab rather than a bind DN/password.
    KerberosLdapContextSource contextSource = new KerberosLdapContextSource(adServer);
    SunJaasKrb5LoginConfig loginConfig = new SunJaasKrb5LoginConfig();
    loginConfig.setKeyTabLocation(new FileSystemResource(keytabLocation));
    loginConfig.setServicePrincipal(servicePrincipal);
    // Debug output is useful while setting this up; it is verbose, so turn it off in production.
    loginConfig.setDebug(true);
    // The service acts as the initiator (client) when binding to LDAP.
    loginConfig.setIsInitiator(true);
    contextSource.setLoginConfig(loginConfig);
    return contextSource;
}

@Bean
public LdapUserDetailsService ldapUserDetailsService() {
    // Search filter uses a {0} placeholder for the authenticated username;
    // FilterBasedLdapUserSearch substitutes it safely.
    FilterBasedLdapUserSearch userSearch =
            new FilterBasedLdapUserSearch(ldapSearchBase, ldapSearchFilter, kerberosLdapContextSource());
    LdapUserDetailsService service = new LdapUserDetailsService(userSearch);
    service.setUserDetailsMapper(new LdapUserDetailsMapper());
    return service;
}
```
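The context source above only becomes useful once the LDAP-backed `UserDetailsService` replaces `DummyUserDetailsService` in the Kerberos authentication provider. The following is an added example, not part of the reference documentation: it wires `ldapUserDetailsService()` into a `KerberosServiceAuthenticationProvider` that validates tickets with the same keytab. The property values, the `ad.example.test` host and the `userPrincipalName` filter are assumptions for illustration.

```java
// Added example (not from the reference doc). Assumed application.properties
// (placeholder values) backing the @Value fields shown above:
//   app.ad-server=ldap://ad.example.test:389
//   app.service-principal=HTTP/web.example.test@EXAMPLE.TEST
//   app.keytab-location=/etc/krb5/web.keytab
//   app.ldap-search-base=dc=example,dc=test
//   app.ldap-search-filter=(&(objectClass=user)(userPrincipalName={0}))
// The {0} placeholder receives the Kerberos principal name that the ticket
// validator returns, so the filter attribute must hold that same form (assumption:
// userPrincipalName in AD). Keep the keytab readable only by the service account.

@Bean
public SunJaasKerberosTicketValidator ticketValidator() {
    // Validates incoming SPNEGO tickets against the service keytab.
    SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
    validator.setServicePrincipal(servicePrincipal);
    validator.setKeyTab(new FileSystemResource(keytabLocation));
    // Krb5 debug output leaks ticket details into logs; leave it off outside troubleshooting.
    validator.setDebug(false);
    return validator;
}

@Bean
public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
    KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
    provider.setTicketValidator(ticketValidator());
    // Look the validated principal up in AD instead of fabricating a dummy user,
    // so roles and account state come from the directory.
    provider.setUserDetailsService(ldapUserDetailsService());
    return provider;
}
```

Because `LdapUserDetailsService` throws `UsernameNotFoundException` when the search returns no entry, a principal with a valid ticket but no matching directory object is rejected rather than silently granted a default identity.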
> **Tip:** Sample Chapter 6, Security Server Windows Auth Sample, is currently configured to query user details from AD if authentication happens via Kerberos.