I recently implemented authentication and authorization via LDAP in my Javalin web server. I encountered a few pitfalls in the process. That is why I am sharing my experiences in this blog article.
Javalin
I used pac4j for the implementation. This is a modular library that allows you to replicate your own use case with different authenticators, clients and web server connection libraries. In this case I use “org.pac4j:pac4j-ldap” as authenticator, “org.pac4j:pac4j-http” as client and “org.pac4j:javalin-pac4j” as web server.
In combination with Javalin, pac4j independently manages the session and forwards it for authentication if you try to access a protected path.
var config = new LdapConfigFactory().build();
var callback = new CallbackHandler(config, null, true);
Javalin.create()
.before("administration", new SecurityHandler(config, "FormClient", "admin"))
.get("administration", ctx -> webappHandler.serveWebapp(ctx))
.get("login", ctx -> webappHandler.serveWebapp(ctx))
.get("forbidden", ctx -> webappHandler.serveWebapp(ctx))
.get("callback", callback)
.post("callback", callback)
.start(7070);
In this example code the path to the administration is protected by the SecurityHandler. The “FormClient” indicates that in the event of missing authentication, the user is forwarded to a form for authentication. The specification “admin” defines that the user must also be authorized to the role “admin”.
LDAP Config Factory
I configured LDAP using my own ConfigFactory. Here, for example, I define the callback and login route. In addition, my self-written authorizer and http action adapter are assigned. I will go into these two areas in more detail below. The login form requires the authenticator here. For us, this is an LdapProfileService.
public class LdapConfigFactory implements ConfigFactory {
@Override
public Config build(Object... parameters) {
var formClient = new FormClient("http://localhost:7070/login", createLdapProfileService());
var clients = new Clients("http://localhost:7070/callback", formClient);
var config = new Config(clients);
config.setWebContextFactory(JEEContextFactory.INSTANCE);
config.setSessionStoreFactory(JEESessionStoreFactory.INSTANCE);
config.setProfileManagerFactory(ProfileManagerFactory.DEFAULT);
config.addAuthorizer("admin", new LdapAuthorizer());
config.setHttpActionAdapter(new HttpActionAdapter());
return config;
}
}
LDAP Profile Service
I implement a separate method for configure the service. The LDAP connection requires the url and a user for the connection and the query of the active directory. The LDAP connection is defined in the ConnectionConfig. It is also possible to activate TLS here, but in our case we use LDAPS.
The Distinguished Name must also be defined. Queries only search for users under this path.
private static LdapProfileService createLdapProfileService() {
var url = "ldaps://test-ad.com";
var baseDN = "OU=TEST,DC=schneide,DC=com";
var user = "username";
var password = "password";
ConnectionConfig connConfig = ConnectionConfig.builder()
.url(url)
.connectionInitializers(new BindConnectionInitializer(user, new Credential(password)))
.build();
var connectionFactory = new DefaultConnectionFactory(connConfig);
SearchDnResolver dnResolver = SearchDnResolver.builder()
.factory(connectionFactory)
.dn(baseDN)
.filter("(displayName={user})")
.subtreeSearch(true)
.build();
SimpleBindAuthenticationHandler authHandler = new SimpleBindAuthenticationHandler(connectionFactory);
Authenticator authenticator = new Authenticator(dnResolver, authHandler);
return new LdapProfileService(connectionFactory, authenticator, "memberOf,displayName,sAMAccountName", baseDN);
}
The SearchDNResolver is used to search for the user to be authenticated. A filter can be defined for the match with the user name. And, very importantly, the subtreeSearch must be activated. By default, it is set to false, which means that only users who appear exactly in the BaseDN are found.
The SimpleBindAuthenticationHandler can be used together with the Authenticator for authentication with user and password.
Finally, in the LdapProfileService, a comma-separated string can be used to define which attributes of a user should be queried after authentication and transferred to the user profile.
With all of these settings, you will be redirected to the login page when you try to accessing administration. The credentials is then matched against the active directory via LDAP and the user is authenticated. In addition, I want to check that the user is in the administrator group and therefore authorized. Unfortunately, pac4j cannot do this on its own because it cannot interpret the attributes as roles. That’s why I build my own authorizer.
Authorizer
public class LdapAuthorizer extends ProfileAuthorizer {
@Override
protected boolean isProfileAuthorized(WebContext context, SessionStore sessionStore, UserProfile profile) {
var group = "CN=ADMIN_GROUP,OU=Groups,OU=TEST,DC=schneide,DC=com";
var attribute = (List) profile.getAttribute("memberOf");
return attribute.contains(group);
}
@Override
public boolean isAuthorized(WebContext context, SessionStore sessionStore, List<UserProfile> profiles) {
return isAnyAuthorized(context, sessionStore, profiles);
}
}
The attributes defined in LdapProfileService can be found in the user profile. For authorization, I query the group memberships to check if the user is in the group. If the user has been successfully authorized, he is redirected to the administration page. Otherwise the http status code forbidden is returned.
Javalin Http Action Adapter
Since I want to display a separate page that shows the user the Forbidden, I build my own JavalinHttpActionAdapter.
public class HttpActionAdapter extends JavalinHttpActionAdapter {
@Override
public Void adapt(HttpAction action, WebContext webContext) {
JavalinWebContext context = (JavalinWebContext) webContext;
if(action.getCode() == HttpConstants.FORBIDDEN){
context.getJavalinCtx().redirect("/forbidden");
throw new RedirectResponse();
}
return super.adapt(action, context);
}
}
This redirects the request to the Forbidden page instead of returning the status code.
Conclusion
Overall, the use of pac4j for authentication and authorization on javalin facilitates the work and works well. Unfortunately, the documentation is rather poor, especially for the LDAP module. So the setup was a bit of a journey of discovery and I had to spend a lot of time looking for the root cause of some problems like subtreeSearch.
Schneide Blog 