close up shot of keyboard buttons
Written by on 2013-07-28

Adding LDAP Authentication to a Play! 1 Application

Hacking . Play! Framework . Tooling

You will often find yourself in a situation where you need a public and a private (normally some Administration) Area in your application.

This Post is about how easy you can access User Data stored in you companies LDAP Directory with a public availible Library in a Play! 1 Application. I will also give you an example for Play! 2 in one of the upcoming Posts here.

Prerequisites

For this example we are using the Vagrant vagrant-rundeck-ldap VM, I already mentioned here.

Setup

After you setup a basic Play! 1 Application with

play new ldap-test

We need to add the necessary Dependencies to our Application. Since the Library is availible over the public Maven Repository the Changes in your conf/dependecies.yml are quite simple:


# Application dependencies
require:
    - play
    - com.innoq.liqid -> ldap-connector 1.3

You then need to update your Applications Dependencies with:

play deps --sync

We also need to add some Configration Settings to the conf/application.conf File:
(there are some more, since the Example Directory did not match to the Libraries default LDAP Layout)


...
# Settings for LiQID
# ~~~~~
# Basic LDAP objectClasses for Users and Groups
ldap.user.objectClasses=person
ldap.group.objectClasses=groupOfUniqueNames

# You can add several LDAP for Writing Changes, but you need one default LDAP for Access without a specifiy Instance String (e.g. ldap1, ldap2, etc).
default.ldap=ldap1
ldap.listing=ldap1

# Instance specific settings (e.g. credentials, layout, etc. )

ldap1.ou_people=ou=users
ldap1.ou_group=ou=roles
ldap1.url=ldap://localhost:3890
ldap1.principal=dc=Manager,dc=example,dc=com
ldap1.credentials=password

ldap1.base_dn=dc=example,dc=com
ldap1.admin.group.id=admin

ldap1.user.id.attribute=cn
ldap1.user.object.class=person

ldap1.group.id.attribute=cn
ldap1.group.object.class=groupOfUniqueNames
ldap1.group.member.attribute=uniqueMember

Implementation

We will use two different techniques:

  • Controller inheritance
  • Before Filters

The goal is, that for a specific Count of Controllers, the Request should be checked for a valid Autorization Header.
So all Controllers that need to be “protected” will inherit from a Controller named SecureApplication.
This SecureApplication Controller will implement a Before Filter and some Utility Methods to perform all necessary Login Verification.

This is the basic Implementation of that Controller:


package controllers;

import com.innoq.ldap.connector.LdapHelper;
import com.innoq.liqid.utils.Configuration;

import play.Logger;
import play.Play;
import play.mvc.Before;
import play.mvc.Controller;

public class SecureApplication extends Controller {
    private final static LdapHelper HELPER = getLdapHelper();
    @Before
    public static void checkLogin() {
        if (request.user == null || request.password == null
                || !HELPER.checkCredentials(request.user, request.password)) {
            unauthorized("You need to Login first!");
        }
    }
    private static LdapHelper getLdapHelper() {
        Configuration.setPropertiesLocation(Play.applicationPath
                + "/conf/application.conf");
        return LdapHelper.getInstance();
    }   
}

In the getLdapHelper() Methods you also see, that the location of the Configuration is changed to ../conf/application.conf.
Otherwise the Default Location would be in ~/.liqid/ldap.properties.

The Before Action checkLogin is triggered on every Request to a Controller that inherits from SecureApplication.
All other Controllers (inheriting the normal Controller Class), won’t trigger that Application.

You also can access all Data stored in the LDAP Directory. So if you want to access Attributes like cn, dn and sn, you need to add some more Code:
First we will create a basic POJO that contains all User data:


package models;

public class User {
    public String cn;
    public String sn;
    public String dn;

    public User(String cn, String sn, String dn) {
        this.cn = cn;
        this.sn = sn;
        this.dn = dn;
    }

    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("cn: ").append(cn).append("\n");
        sb.append("sn: ").append(sn).append("\n");
        sb.append("dn: ").append(dn).append("\n");
        return sb.toString();
    }
}

We then will update our SecureApplication Class:


package controllers;

import models.User;

import com.innoq.ldap.connector.LdapHelper;
import com.innoq.ldap.connector.LdapNode;
import com.innoq.liqid.model.Node;
import com.innoq.liqid.utils.Configuration;

import play.Logger;
import play.Play;
import play.mvc.Before;
import play.mvc.Controller;

public class SecureApplication extends Controller {
    private final static LdapHelper HELPER = getLdapHelper();
    protected static User ActiveUser;
    @Before
    public static void checkLogin() {
        if (request.user == null || request.password == null
                || !HELPER.checkCredentials(request.user, request.password)) {
            unauthorized("You need to Login first!");
        } else {
            ActiveUser = getUser(request.user);
        }
    }

    private static LdapHelper getLdapHelper() {
        Configuration.setPropertiesLocation(Play.applicationPath
                + "/conf/application.conf");
        return LdapHelper.getInstance();
    }

    private static User getUser(String cn){
        LdapNode ldapNode = (LdapNode) HELPER.getUser(cn);
        return new User(cn, ldapNode.get("sn"), ldapNode.getDn());
    }
}

As you can see, there is a specific NodeType LdapNode that has some Convenience Methods for accessing the LDAP Data.
As Example you can invoke the toString() Method of an User Object in your template.

So first we will have to create our Admin Controller:


package controllers;

import models.User;

public class Admin extends SecureApplication {
    public static void index(){
        User u = ActiveUser;
        render(u);
    }
}

You have to use another Object u for that User, since Play! 1 has a specific Behavior of how to map Variables in Templates.
Our Template app/views/Admin/index.html might look like this:


#{extends 'main.html' /}
#{set title:'Admin Area' /}
Hello Admin!
<pre>
${u}
</pre>

If you login then with the Credendials build/build your output might look then like this:

 Index | Administration
Hello Admin!

cn: build
sn: The account to use to demonstrate managing builds only
dn: cn=build,ou=users,dc=example,dc=com

Links

You can find the Sources of that Library here: https://github.com/innoq/LiQID
You can find an example Project here: https://github.com/phaus/play-ldap/tree/master/play1-ldap-example

Feel free to add issues about bugs or missing features to this :-).

2 comments

  • Ali has written:

    Hi,

    thx for help,but i have a problem. i connect the ldap, and i fill the information of ldap settings(url,principals vs.)
    The problem is “HELPER.getUser(cn) is null” can you help me for solution?

  • Philipp has written:

    Try to change

    ldap1.user.id.attribute=cn

    to

    ldap1.user.id.attribute=uid

    Don’t know what user id Attribut you use.

Leave a Reply