Adding LDAP Authentication to a Play! 2 Application

a row of white and yellow led strips

As of Play! 1 is not really supported anymore, i will describe the steps for accessing Data from your LDAP Directory with your Play! 2 with this Post.

Prerequisites

As also mentioned in my last Post, for this example we are using the Vagrant vagrant-rundeck-ldap VM, I already mentioned here.

Setup

After you setup a basic Play! 2 Application with

play new ldap-test

We need to update our Applications Dependencies. To achieve this, we need to change project/Build.scala:


import sbt._
import Keys._
import play.Project._

object ApplicationBuild extends Build {

  val appName         = "play2-ldap-example"
  val appVersion      = "1.0-SNAPSHOT"

  val appDependencies = Seq(
    // Add your project dependencies here,
    javaCore,
    javaJdbc,
    javaEbean,
    "com.innoq.liqid" % "ldap-connector" % "1.3"
  )

  val main = play.Project(appName, appVersion, appDependencies).settings(
    // Add your own project settings here      
  )
}

The Command:


play compile

Should download all necessary Project Depedencies and will do an initial Compilation of all your Project Files (currently not really many).

You also need to add the LDAP Settings to your Applications configuration. For this example we will use an external Properties File conf/ldap.properties:


# Settings for LiQID
# ~~~~~
ldap.user.objectClasses=person
ldap.group.objectClasses=groupOfUniqueNames

default.ldap=ldap1
# LDAP Listsing, divided by ","
ldap.listing=ldap1

ldap1.ou_people=ou=users
ldap1.ou_group=ou=roles
ldap1.url=ldap://localhost:3890
ldap1.principal=dc=Manager,dc=example,dc=com
ldap1.credentials=password

ldap1.base_dn=dc=example,dc=com
ldap1.admin.group.id=admin

ldap1.user.id.attribute=cn
ldap1.user.object.class=person

ldap1.group.id.attribute=cn
ldap1.group.object.class=groupOfUniqueNames
ldap1.group.member.attribute=uniqueMember

Implementation

Since Play1 2 does not really support the use of Before Filters, we will use Custom Actions for making our Login Authentication work.
We will create a new Package app/actions with two new files: an annotation interface BasicAuth and the implementation itself BasicAuthAction.
Annotations will be used to Set a specific Controller to use Basic Auth.
So lets start with BasicAuth:


package actions;

import play.mvc.With;

import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@With(BasicAuthAction.class)
@Retention(RetentionPolicy.RUNTIME)
@Target({ ElementType.METHOD, ElementType.TYPE })
@Inherited
@Documented
public @interface BasicAuth {
}

After that you can annotate Controllers with @BasicAuth (but this won’t work, since the Implementation is still missing).
Here then the BasicAuthAction:



package actions;

import com.ning.http.util.Base64;

import models.User;
import play.mvc.Action;
import play.mvc.Http.Context;
import play.mvc.Result;

public class BasicAuthAction extends Action {

    private static final String AUTHORIZATION = "authorization";
    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String REALM = "Basic realm=\"play2-ldap-example\"";

    @Override
    public Result call(Context context) throws Throwable {

        String authHeader = context.request().getHeader(AUTHORIZATION);
        if (authHeader == null) {
            return sendAuthRequest(context);
        }

        String auth = authHeader.substring(6);

        byte[] decodedAuth = Base64.decode(auth);
        String[] credString = new String(decodedAuth, "UTF-8").split(":");

        if (credString == null || credString.length != 2) {
            return sendAuthRequest(context);
        }

        String username = credString[0];
        String password = credString[1];
        User authUser = User.authenticate(username, password);
        if (authUser == null) {
            return sendAuthRequest(context);
        }
        context.request().setUsername(username);
        return delegate.call(context);
    }

    private Result sendAuthRequest(Context context) {
        context.response().setHeader(WWW_AUTHENTICATE, REALM);
        return unauthorized();
    }
}

As you can see, there are no LDAP specific Dependencies at all, since all necessary Logic is the User Model, in User.authenticate(username, password).So let’s have a look into that Model:


package models;

import play.Play;

import com.innoq.ldap.connector.LdapHelper;
import com.innoq.ldap.connector.LdapUser;
import com.innoq.liqid.utils.Configuration;

public class User {

    private static LdapHelper HELPER = getHelper();

    public String sn;
    public String cn;
    public String dn;

    public User(String cn) {
        this.cn = cn;
    }

    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("cn: ").append(cn).append("\n");
        sb.append("sn: ").append(sn).append("\n");
        sb.append("dn: ").append(dn).append("\n");
        return sb.toString();
    }

    public static User authenticate(String username, String password) {
        if (HELPER.checkCredentials(username, password)) {
            return new User(username);
        }
        return null;
    }

    public static User getUser(String username) {
        LdapUser ldapUser = (LdapUser) LdapHelper.getInstance().getUser(
                username);
        User user = new User(username);
        user.cn = ldapUser.get("cn");
        user.sn = ldapUser.get("sn");
        user.dn = ldapUser.getDn();
        return user;
    }

    private static LdapHelper getHelper() {
        Configuration.setPropertiesLocation(Play.application().path()
                .getAbsolutePath()
                + "/conf/ldap.properties");
        return LdapHelper.getInstance();
    }
}

You also have a static Instace of that LDAP Helper, but authenticate User Credentials and Login are in two different Methods.Last thing is to Load a User from the LDAP Directory:Here the Admin Controller:


package controllers;

import models.User;
import actions.BasicAuth;
import play.mvc.Controller;
import play.mvc.Result;
import views.html.Admin.index;

@BasicAuth
public class Admin extends Controller {
    public static Result index() {
        User u = User.getUser(request().username());
        return ok(index.render("Hello Admin!", u));
    }
}

And here the used Template File:


@(message: String, user: User)

@main("Admin Index") {
@{message} 
<p>   
<pre>
@{user}
</pre>
</p>
}

Links

You can find the Sources of that Library here: https://github.com/innoq/LiQIDYou can find an example Project here: https://github.com/phaus/play-ldap/tree/master/play2-ldap-example

Adding LDAP Authentication to a Play! 1 Application

close up shot of keyboard buttons

You will often find yourself in a situation where you need a public and a private (normally some Administration) Area in your application.

This Post is about how easy you can access User Data stored in you companies LDAP Directory with a public availible Library in a Play! 1 Application. I will also give you an example for Play! 2 in one of the upcoming Posts here.

Prerequisites

For this example we are using the Vagrant vagrant-rundeck-ldap VM, I already mentioned here.

Setup

After you setup a basic Play! 1 Application with

play new ldap-test

We need to add the necessary Dependencies to our Application. Since the Library is availible over the public Maven Repository the Changes in your conf/dependecies.yml are quite simple:


# Application dependencies
require:
    - play
    - com.innoq.liqid -> ldap-connector 1.3

You then need to update your Applications Dependencies with:

play deps --sync

We also need to add some Configration Settings to the conf/application.conf File:
(there are some more, since the Example Directory did not match to the Libraries default LDAP Layout)


...
# Settings for LiQID
# ~~~~~
# Basic LDAP objectClasses for Users and Groups
ldap.user.objectClasses=person
ldap.group.objectClasses=groupOfUniqueNames

# You can add several LDAP for Writing Changes, but you need one default LDAP for Access without a specifiy Instance String (e.g. ldap1, ldap2, etc).
default.ldap=ldap1
ldap.listing=ldap1

# Instance specific settings (e.g. credentials, layout, etc. )

ldap1.ou_people=ou=users
ldap1.ou_group=ou=roles
ldap1.url=ldap://localhost:3890
ldap1.principal=dc=Manager,dc=example,dc=com
ldap1.credentials=password

ldap1.base_dn=dc=example,dc=com
ldap1.admin.group.id=admin

ldap1.user.id.attribute=cn
ldap1.user.object.class=person

ldap1.group.id.attribute=cn
ldap1.group.object.class=groupOfUniqueNames
ldap1.group.member.attribute=uniqueMember

Implementation

We will use two different techniques:

  • Controller inheritance
  • Before Filters

The goal is, that for a specific Count of Controllers, the Request should be checked for a valid Autorization Header.
So all Controllers that need to be “protected” will inherit from a Controller named SecureApplication.
This SecureApplication Controller will implement a Before Filter and some Utility Methods to perform all necessary Login Verification.

This is the basic Implementation of that Controller:


package controllers;

import com.innoq.ldap.connector.LdapHelper;
import com.innoq.liqid.utils.Configuration;

import play.Logger;
import play.Play;
import play.mvc.Before;
import play.mvc.Controller;

public class SecureApplication extends Controller {
    private final static LdapHelper HELPER = getLdapHelper();
    @Before
    public static void checkLogin() {
        if (request.user == null || request.password == null
                || !HELPER.checkCredentials(request.user, request.password)) {
            unauthorized("You need to Login first!");
        }
    }
    private static LdapHelper getLdapHelper() {
        Configuration.setPropertiesLocation(Play.applicationPath
                + "/conf/application.conf");
        return LdapHelper.getInstance();
    }   
}

In the getLdapHelper() Methods you also see, that the location of the Configuration is changed to ../conf/application.conf.
Otherwise the Default Location would be in ~/.liqid/ldap.properties.

The Before Action checkLogin is triggered on every Request to a Controller that inherits from SecureApplication.
All other Controllers (inheriting the normal Controller Class), won’t trigger that Application.

You also can access all Data stored in the LDAP Directory. So if you want to access Attributes like cn, dn and sn, you need to add some more Code:
First we will create a basic POJO that contains all User data:


package models;

public class User {
    public String cn;
    public String sn;
    public String dn;

    public User(String cn, String sn, String dn) {
        this.cn = cn;
        this.sn = sn;
        this.dn = dn;
    }

    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("cn: ").append(cn).append("\n");
        sb.append("sn: ").append(sn).append("\n");
        sb.append("dn: ").append(dn).append("\n");
        return sb.toString();
    }
}

We then will update our SecureApplication Class:


package controllers;

import models.User;

import com.innoq.ldap.connector.LdapHelper;
import com.innoq.ldap.connector.LdapNode;
import com.innoq.liqid.model.Node;
import com.innoq.liqid.utils.Configuration;

import play.Logger;
import play.Play;
import play.mvc.Before;
import play.mvc.Controller;

public class SecureApplication extends Controller {
    private final static LdapHelper HELPER = getLdapHelper();
    protected static User ActiveUser;
    @Before
    public static void checkLogin() {
        if (request.user == null || request.password == null
                || !HELPER.checkCredentials(request.user, request.password)) {
            unauthorized("You need to Login first!");
        } else {
            ActiveUser = getUser(request.user);
        }
    }

    private static LdapHelper getLdapHelper() {
        Configuration.setPropertiesLocation(Play.applicationPath
                + "/conf/application.conf");
        return LdapHelper.getInstance();
    }

    private static User getUser(String cn){
        LdapNode ldapNode = (LdapNode) HELPER.getUser(cn);
        return new User(cn, ldapNode.get("sn"), ldapNode.getDn());
    }
}

As you can see, there is a specific NodeType LdapNode that has some Convenience Methods for accessing the LDAP Data.
As Example you can invoke the toString() Method of an User Object in your template.

So first we will have to create our Admin Controller:


package controllers;

import models.User;

public class Admin extends SecureApplication {
    public static void index(){
        User u = ActiveUser;
        render(u);
    }
}

You have to use another Object u for that User, since Play! 1 has a specific Behavior of how to map Variables in Templates.
Our Template app/views/Admin/index.html might look like this:


#{extends 'main.html' /}
#{set title:'Admin Area' /}
Hello Admin!
<pre>
${u}
</pre>

If you login then with the Credendials build/build your output might look then like this:

 Index | Administration
Hello Admin!

cn: build
sn: The account to use to demonstrate managing builds only
dn: cn=build,ou=users,dc=example,dc=com

Links

You can find the Sources of that Library here: https://github.com/innoq/LiQID
You can find an example Project here: https://github.com/phaus/play-ldap/tree/master/play1-ldap-example

Feel free to add issues about bugs or missing features to this :-).