
toshipiazza/dropwizard-auth-ms-ad


DropWizard ActiveDirectory Authentication Provider

Introduction

This BasicAuth provider uses the ActiveDirectory LDAP interface to authenticate and authorize your service principals. Existing LDAP providers can give you the same capabilities as this authenticator, but this one should require much less configuration and can take advantage of the conventions typical of ActiveDirectory deployments.

Before you continue

This project is only in use for internal projects at CommerceHub. You should be familiar with the auth section of the DropWizard manual. Consult your IT administrator before you bury her carefully sized AD cluster with new auth requests. You SHOULD cache your interactions with ActiveDirectory; DropWizard provides CachingAuthenticator to help you with this (see sample-service).

Please also note that version 0.2.x of dropwizard-auth-ms-ad is compatible with dropwizard 0.7 and 0.8. The 0.3.x version is compatible with dropwizard 0.9.x.

Maven (etc.)

NOTE: When I used this I had to override the version of javassist to 3.20.0-GA in order to make this Java 8 compatible. Gradle syntax: 'org.javassist:javassist:3.20.0-GA'

Maven

    ...
    <repositories>
        <repository>
            <id>jcenter</id>
            <url>http://jcenter.bintray.com</url>
        </repository>
    </repositories>

    ...

    <dependency>
        <groupId>com.commercehub.dropwizard</groupId>
        <artifactId>dropwizard-auth-active-directory</artifactId>
        <version>0.3.0</version>
    </dependency>

Gradle

    ...
    repositories {
        jcenter()
    }

    ...
    dependencies {
        ...
        // for dropwizard 0.7.x, change the version to 0.2.7
        compile 'com.commercehub.dropwizard:dropwizard-auth-active-directory:0.3.0'
        ...
    }

Usages

Example usage

    @Override
    public void run(HelloWorldConfiguration configuration, Environment environment) throws ClassNotFoundException {
        ...
        // dropwizard 0.9.x: register the Basic auth filter, role support and @Auth injection
        // (use this block OR the 0.7.x block below, depending on your dropwizard version)
        environment.jersey().register(new AuthDynamicFeature(
                new BasicCredentialAuthFilter.Builder<AdPrincipal>()
                    .setAuthenticator(AdAuthenticator.createDefault(configuration.getAdConfiguration()))
                    .setRealm("MSAD")
                    .buildAuthFilter()));
        environment.jersey().register(RolesAllowedDynamicFeature.class);
        environment.jersey().register(new AuthValueFactoryProvider.Binder<>(AdPrincipal.class));

        // dropwizard 0.7.x: a single BasicAuthProvider does the same job
        environment.jersey().register(new BasicAuthProvider<>(AdAuthenticator.createDefault(configuration.getAdConfiguration()), "MSAD"));
        ...
        environment.jersey().register(new ProtectedResource());

    }
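The README insists that you SHOULD cache ActiveDirectory lookups. The following is an added example (not code from this project) of the dropwizard 0.9.x wiring with the AdAuthenticator wrapped in DropWizard's CachingAuthenticator, so repeated requests with the same credentials do not each cost an LDAP bind and search against the domain controller. It assumes that AdPrincipal implements java.security.Principal (which dropwizard 0.9 requires for @Auth injection) and that the resource class WhoAmIResource and the cache spec values are illustrative choices, not the library's own.

```java
import com.google.common.cache.CacheBuilderSpec;
import io.dropwizard.Application;
import io.dropwizard.auth.Auth;
import io.dropwizard.auth.AuthDynamicFeature;
import io.dropwizard.auth.AuthValueFactoryProvider;
import io.dropwizard.auth.CachingAuthenticator;
import io.dropwizard.auth.basic.BasicCredentialAuthFilter;
import io.dropwizard.auth.basic.BasicCredentials;
import io.dropwizard.setup.Environment;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
// AdAuthenticator, AdPrincipal and HelloWorldConfiguration come from this project and
// the README snippet above; their package names are not shown on the page, so they are
// assumed to be importable from wherever your build resolves them.

public class HelloWorldApplication extends Application<HelloWorldConfiguration> {

    @Override
    public void run(HelloWorldConfiguration configuration, Environment environment) {
        // Wrap the AD authenticator: results are cached per credential for a bounded
        // time, so a client polling every second does not hammer the domain controller.
        // Keep expireAfterWrite short: a disabled account or removed group membership is
        // only noticed once the cached entry expires. (Values below are illustrative.)
        CachingAuthenticator<BasicCredentials, AdPrincipal> cachedAuthenticator =
            new CachingAuthenticator<>(
                environment.metrics(),                      // exposes cache hit/miss metrics
                AdAuthenticator.createDefault(configuration.getAdConfiguration()),
                CacheBuilderSpec.parse("maximumSize=1000, expireAfterWrite=5m"));

        environment.jersey().register(new AuthDynamicFeature(
            new BasicCredentialAuthFilter.Builder<AdPrincipal>()
                .setAuthenticator(cachedAuthenticator)
                .setRealm("MSAD")
                .buildAuthFilter()));
        environment.jersey().register(new AuthValueFactoryProvider.Binder<>(AdPrincipal.class));
        environment.jersey().register(new WhoAmIResource());
    }

    // Illustrative resource: any request without valid AD credentials (or a user missing
    // one of the configured requiredGroups) is rejected by the filter before this runs.
    @Path("/whoami")
    public static class WhoAmIResource {
        @GET
        @Produces(MediaType.TEXT_PLAIN)
        public String whoAmI(@Auth AdPrincipal principal) {
            return principal.getName();
        }
    }
}
```

The cache key is the Basic credential pair, so a wrong password is still sent to the domain controller each time; only the cache size and expiry bound how long a stale "allowed" answer survives.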

Configuration

The aim of this project is to minimize the amount of required configuration. The only REQUIRED configuration variable is domain:

    ad:
        domain: my.company.example.com

Several additional properties can be configured, but sensible defaults should prevent you from ever needing to change them:

    ad:
        domain: my.company.example.com  # No default
        domainController: my-fav-dc.my.company.example.com # Default: <domain>
        sslEnabled: true  # Default: true
        usernameFilterTemplate: (&((&(objectCategory=Person)(objectClass=User)))(sAMAccountName=%s)) # Default: <as shown>. %s is replaced with the sAMAccountName
        attributeNames: # Default: <as shown>. The first two are required. Fetched as String.
            - sAMAccountName
            - memberOf
            - mail
        binaryAttributeNames: # Default: empty. Fetched as byte[]. Needed for the ones below.
            - objectGUID
            - objectSid
        connectionTimeout: 1000 # Default: as shown, in milliseconds
        readTimeout: 1000 # Default: as shown, in milliseconds
        requiredGroups: # Default: <empty>
            - All
            - Of
            - These
            - Are
            - Required
            - Or
            - You
            - Get
            - A
            - 401

Sample Service

This project includes a sample dropwizard service. Simply clone the repo, update sample-service/config/dev.yaml to point to your domain, then run

./gradlew run -PdwArgs='server,config/dev.yaml' -Ddw.ad.domain=nexus.commercehub.com

Then hit http://localhost:8080/protected and provide your username and password.

OK, that's cool, how about...

  • ...using another cool LDAP library?
  • Great idea, but for this project we do not think we should need more than the standard JRE support
  • ...configuring the required group at the Resource level?
  • Wonderful idea. If you get to it before us, please be sure to contribute your work.
  • ...using nested groups in AD?
  • Right on! But it seems that resolving even the known groups from the memberOf attribute is very slow. I am sure there is a clever, highly performant way to do it; find it and let us know.
  • ...AD has this really cool feature that allows you to do X with Y!
  • meh.

About

A DropWizard authentication and authorization module for Microsoft Active Directory that makes simplifying assumptions.
