Geek Answers Handbook

How to add LDAP cache in Spring LDAP?

I want to localize local LDAP data locally to provide faster queries. Does Spring LDAP offer such functionality? How can i do this?

I use Spring Security 3.1 and Spring LDAP 1.3.1 for authentication and authorization. It would be nice to have a cache for LDAP using the built-in mechanism, if one exists.

Spring LDAP Configuration:

ApplicationContext-ldap.xml:

<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jee="http://www.springframework.org/schema/jee" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd "> <!-- Ldap --> <jee:jndi-lookup id="ldapUrl" jndi-name="appName/ldapUrl" expected-type="java.lang.String" /> <jee:jndi-lookup id="ldapUser" jndi-name="appName/ldapUser" expected-type="java.lang.String" /> <jee:jndi-lookup id="ldapPassword" jndi-name="appName/ldapPassword" expected-type="java.lang.String" /> <!-- for authentication and search purpose --> <bean id="ldapContextSource" class="org.springframework.ldap.core.support.LdapContextSource"> <property name="url" ref="ldapUrl" /> <property name="userDn" ref="ldapUser" /> <property name="password" ref="ldapPassword" /> <property name="pooled" value="true" /> </bean> <bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate"> <property name="contextSource" ref="ldapContextSource" /> </bean> <!-- for pagination search purpose --> <bean id="dirContext" factory-bean="ldapContextSource" factory-method="getReadOnlyContext" scope="session"/> <bean id="singleLdapContextSource" class="org.springframework.ldap.core.support.SingleContextSource" scope="session"> <constructor-arg ref="dirContext"/> </bean> <bean id="singleLdapTemplate" class="org.springframework.ldap.core.LdapTemplate" scope="session"> <property name="contextSource" ref="singleLdapContextSource" /> </bean> </beans>

Spring Security Configuration:

spring -security.xml:

 <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <!-- This is where we configure Spring-Security --> <security:http auto-config="true" use-expressions="true" access-denied-page="/auth/denied" > <security:intercept-url pattern="/login" access="permitAll"/> <security:intercept-url pattern="/app/admin" access="permitAll"/> <security:intercept-url pattern="/app/common" access="hasRole('User')"/> <security:intercept-url pattern="/viol/home" access="permitAll"/> <security:intercept-url pattern="/app/users" access="permitAll"/> <security:intercept-url pattern="/admin/edit/*" access="hasRole('Administrator')"/> <security:form-login login-page="/auth/login" authentication-failure-url="/auth/loginFailure" default-target-url="/auth/authorize"/> <security:logout invalidate-session="true" logout-success-url="/auth/login" logout-url="/logout"/> </security:http> <security:authentication-manager> <security:ldap-authentication-provider server-ref="ldapContextSource" user-search-filter="(sAMAccountName={0})" user-search-base="dc=myDomain,dc=com" /> </security:authentication-manager> </beans>

Many thanks for your help!

+4
source share
2 answers

If you configure EhCacheBasedUserCache and use ldap-user-service , then you can use the cache as:

  <authentication-manager> <authentication-provider> <ldap-user-service user-search-filter="(sAMAccountName={0})" user-search-base="dc=myDomain,dc=com" cache-ref="userCache" /> </authentication-provider> </authentication-manager>
+3
source

I don't think Spring offers LDAP client-side caching out of the box, since caching the results of an LDAP query on the client poses a security risk. The cache will certainly store outdated data at some point, which is not a big problem if it is, for example, the user's email address / home address, but much worse when it comes to, for example, role assignments and other data, associated with authentication / authorization. You will be much better off by scaling the server side so that it can handle the load.

At the same time, introducing caching is quite simple, since Spring 3.1, because it provides excellent support for it. In your case, it is enough to use a custom LdapContextSource , as shown below:

 public class CachingLdapContextSource extends AbstractContextSource { @Override protected DirContext getDirContextInstance(Hashtable environment) throws NamingException { InitialLdapContext context = new InitialLdapContext(environment, null); return new CachingDirContextWrapper(context); } }

The wrapper class simply delegates all the DirContext methods to the base implementation and decorates the methods cached with @Cacheable .

 class CachingDirContextWrapper implements DirContext { private final DirContext delegate; CachingDirContextWrapper(DirContext delegate) { this.delegate = delegate; } @Override @Cacheable(value = "search") public NamingEnumeration<SearchResult> search(...) { return delegate.search(name, matchingAttributes, attributesToReturn); } ... }

Check out the official documentation and this tutorial on how to set up the cache storage that Spring will use.

But, again, you better not do this, I think.

+2
source

More articles:


All Articles