Restrict users based on AD-group

Hi,

I’ve been struggling to get the group filter to work. Only users of the “GG_APP_ShinyProxy” AD group should be allowed to log in, but with my config everybody can log in.

application.yml

proxy:
  port: 8080
  authentication: ldap
  admin-groups: admins
  ldap:
    url: ldaps://<server>.<domain>:636/DC=…,DC=…
    manager-dn: CN=…,OU=Service Accounts,OU=Users,OU=…,DC=…,DC=…
    manager-password: …
    user-search-base: OU=Users,OU=…
    user-search-filter: (sAMAccountName={0})
    group-search-filter: (CN=GG_APP_ShinyProxy)
    group-search-base: OU=Application Groups,OU=Groups,OU=…
  docker:
    internal-networking: true
  specs:
  - id: 01_hello
    display-name: Hello Application
    description: Application which demonstrates the basics of a Shiny app
    container-cmd: ["R", "-e", "shinyproxy::run_01_hello()"]
    container-image: openanalytics/shinyproxy-demo
    container-network: shineyproxyn-net
  - id: 06_tabsets
    container-cmd: ["R", "-e", "shinyproxy::run_06_tabsets()"]
    container-image: openanalytics/shinyproxy-demo
    container-network: shineyproxyn-net

logging:
  file:
    shinyproxy.log

Anybody who can help me out? Thanks!

Could someone suggest ways to troubleshoot this issue?

LDAP search returns the correct group and its members:

root@a6e16bb086d7:/opt/shinyproxy# ldapsearch -H ldaps://server.domain.xx:636 -b dc="domain,dc=xx" -D "CN=s-svrapl089-ldap,OU=Service Accounts,OU=Users,OU=xxx,DC=domain,DC=xx" -W -b "OU=Application Groups,OU=Groups,OU=xxx" "(&(objectclass=group)(cn=GG_APP_ShinyProxy))"

I’ve changed the log level:

logging:
  level:
    org.springframework.security: debug

It seems that both the member and the non-member of the group get assigned the [GG_APP_ShinyProxy] role…

Member of group GG_APP_ShinyProxy
2020-06-04 09:54:18.677 DEBUG 1 — [XNIO-2 task-1] w.a.UsernamePasswordAuthenticationFilter : Request is to process authentication
2020-06-04 09:54:18.677 DEBUG 1 — [XNIO-2 task-1] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
2020-06-04 09:54:18.677 DEBUG 1 — [XNIO-2 task-1] o.s.s.l.a.LdapAuthenticationProvider : Processing authentication request for user: my_account
2020-06-04 09:54:18.677 DEBUG 1 — [XNIO-2 task-1] o.s.s.l.s.FilterBasedLdapUserSearch : Searching for user ‘my_account’, with user search [ searchFilter: ‘(sAMAccountName={0})’, searchBase: ‘OU=Users,OU=AZA’, scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2020-06-04 09:54:18.757 DEBUG 1 — [XNIO-2 task-1] o.s.s.ldap.SpringSecurityLdapTemplate : Searching for entry under DN ‘dc=domain,dc=xx’, base = ‘ou=Users,ou=AZA’, filter = ‘(sAMAccountName={0})’
2020-06-04 09:54:18.758 DEBUG 1 — [XNIO-2 task-1] o.s.s.ldap.SpringSecurityLdapTemplate : Found DN: CN=my_account,OU=TICK:15193,OU=Test,OU=Standard Accounts,OU=Users,OU=AZA
2020-06-04 09:54:18.760 DEBUG 1 — [XNIO-2 task-1] o.s.s.l.a.BindAuthenticator : Attempting to bind as cn=my_account,ou=TICK:15193,ou=Test,ou=Standard Accounts,ou=Users,ou=AZA,dc=domain,dc=xx
2020-06-04 09:54:18.760 DEBUG 1 — [XNIO-2 task-1] s.s.l.DefaultSpringSecurityContextSource : Removing pooling flag for user cn=my_account,ou=TICK:15193,ou=Test,ou=Standard Accounts,ou=Users,ou=AZA,dc=domain,dc=xx
2020-06-04 09:54:18.849 DEBUG 1 — [XNIO-2 task-1] o.s.s.l.a.BindAuthenticator : Retrieving attributes…
2020-06-04 09:54:18.851 DEBUG 1 — [XNIO-2 task-1] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=my_account,ou=TICK:15193,ou=Test,ou=Standard Accounts,ou=Users,ou=AZA,dc=domain,dc=xx
2020-06-04 09:54:18.852 DEBUG 1 — [XNIO-2 task-1] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user ‘my_account’, DN = ‘cn=my_account,ou=TICK:15193,ou=Test,ou=Standard Accounts,ou=Users,ou=AZA,dc=domain,dc=xx’, with filter (CN=GG_APP_ShinyProxy) in search base ‘OU=Application Groups,OU=Groups,OU=AZA’
2020-06-04 09:54:18.852 DEBUG 1 — [XNIO-2 task-1] o.s.s.ldap.SpringSecurityLdapTemplate : Using filter: (CN=GG_APP_ShinyProxy)
2020-06-04 09:54:18.925 DEBUG 1 — [XNIO-2 task-1] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Roles from search: [GG_APP_ShinyProxy]
2020-06-04 09:54:18.925 DEBUG 1 — [XNIO-2 task-1] o.s.s.l.u.LdapUserDetailsMapper : Mapping user details from context with DN: cn=my_account,ou=TICK:15193,ou=Test,ou=Standard Accounts,ou=Users,ou=AZA,dc=domain,dc=xx
2020-06-04 09:54:18.925 INFO 1 — [XNIO-2 task-1] e.o.containerproxy.service.UserService : User logged in [user: my_account]
2020-06-04 09:54:18.925 DEBUG 1 — [XNIO-2 task-1] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@1530c739
2020-06-04 09:54:18.926 DEBUG 1 — [XNIO-2 task-1] w.a.UsernamePasswordAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1a368243: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@d4573336: Dn: cn=my_account,ou=TICK:15193,ou=Test,ou=Standard Accounts,ou=Users,ou=AZA,dc=domain,dc=xx; Username: my_account; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_GG_APP_SHINYPROXY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@59b2: RemoteIpAddress: xx.xx.xx.xx; SessionId: null; Granted Authorities: ROLE_GG_APP_SHINYPROXY
2020-06-04 09:54:18.926 INFO 1 — [XNIO-2 task-1] e.o.containerproxy.service.UserService : User logged in [user: my_account]
2020-06-04 09:54:18.926 DEBUG 1 — [XNIO-2 task-1] RequestAwareAuthenticationSuccessHandler : Using default Url: /
2020-06-04 09:54:18.926 DEBUG 1 — [XNIO-2 task-1] o.s.s.web.DefaultRedirectStrategy : Redirecting to ‘/’
2020-06-04 09:54:18.926 DEBUG 1 — [XNIO-2 task-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@2d4d5aff
2020-06-04 09:54:18.926 DEBUG 1 — [XNIO-2 task-1] w.c.HttpSessionSecurityContextRepository : HttpSession xxing created as SecurityContext is non-default
2020-06-04 09:54:18.926 DEBUG 1 — [XNIO-2 task-1] w.c.HttpSessionSecurityContextRepository : SecurityContext ‘org.springframework.security.core.context.SecurityContextImpl@1a368243: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1a368243: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@d4573336: Dn: cn=my_account,ou=TICK:15193,ou=Test,ou=Standard Accounts,ou=Users,ou=AZA,dc=domain,dc=xx; Username: my_account; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_GG_APP_SHINYPROXY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@59b2: RemoteIpAddress: xx.xx.xx.xx; SessionId: null; Granted Authorities: ROLE_GG_APP_SHINYPROXY’ stored to HttpSession: 'io.undertow.servlet.spec.HttpSessionImpl@7a8816e

Non-authorised user
2020-06-04 09:59:54.026 DEBUG 1 — [XNIO-2 task-3] w.a.UsernamePasswordAuthenticationFilter : Request is to process authentication
2020-06-04 09:59:54.026 DEBUG 1 — [XNIO-2 task-3] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
2020-06-04 09:59:54.026 DEBUG 1 — [XNIO-2 task-3] o.s.s.l.a.LdapAuthenticationProvider : Processing authentication request for user: test_user
2020-06-04 09:59:54.026 DEBUG 1 — [XNIO-2 task-3] o.s.s.l.s.FilterBasedLdapUserSearch : Searching for user ‘test_user’, with user search [ searchFilter: ‘(sAMAccountName={0})’, searchBase: ‘OU=Users,OU=AZA’, scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2020-06-04 09:59:54.097 DEBUG 1 — [XNIO-2 task-3] o.s.s.ldap.SpringSecurityLdapTemplate : Searching for entry under DN ‘dc=domain,dc=xx’, base = ‘ou=Users,ou=AZA’, filter = ‘(sAMAccountName={0})’
2020-06-04 09:59:54.099 DEBUG 1 — [XNIO-2 task-3] o.s.s.ldap.SpringSecurityLdapTemplate : Found DN: CN=ict,OU=Unit Accounts,OU=Users,OU=AZA
2020-06-04 09:59:54.101 DEBUG 1 — [XNIO-2 task-3] o.s.s.l.a.BindAuthenticator : Attempting to bind as cn=ict,ou=Unit Accounts,ou=Users,ou=AZA,dc=domain,dc=xx
2020-06-04 09:59:54.102 DEBUG 1 — [XNIO-2 task-3] s.s.l.DefaultSpringSecurityContextSource : Removing pooling flag for user cn=ict,ou=Unit Accounts,ou=Users,ou=AZA,dc=domain,dc=xx
2020-06-04 09:59:54.172 DEBUG 1 — [XNIO-2 task-3] o.s.s.l.a.BindAuthenticator : Retrieving attributes…
2020-06-04 09:59:54.177 DEBUG 1 — [XNIO-2 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=ict,ou=Unit Accounts,ou=Users,ou=AZA,dc=domain,dc=xx
2020-06-04 09:59:54.177 DEBUG 1 — [XNIO-2 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user ‘test_user’, DN = ‘cn=ict,ou=Unit Accounts,ou=Users,ou=AZA,dc=domain,dc=xx’, with filter (CN=GG_APP_ShinyProxy) in search base ‘OU=Application Groups,OU=Groups,OU=AZA’
2020-06-04 09:59:54.177 DEBUG 1 — [XNIO-2 task-3] o.s.s.ldap.SpringSecurityLdapTemplate : Using filter: (CN=GG_APP_ShinyProxy)
2020-06-04 09:59:54.238 DEBUG 1 — [XNIO-2 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Roles from search: [GG_APP_ShinyProxy]
2020-06-04 09:59:54.241 DEBUG 1 — [XNIO-2 task-3] o.s.s.l.u.LdapUserDetailsMapper : Mapping user details from context with DN: cn=ict,ou=Unit Accounts,ou=Users,ou=AZA,dc=domain,dc=xx
2020-06-04 09:59:54.241 INFO 1 — [XNIO-2 task-3] e.o.containerproxy.service.UserService : User logged in [user: test_user]
2020-06-04 09:59:54.241 DEBUG 1 — [XNIO-2 task-3] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@1530c739
2020-06-04 09:59:54.241 DEBUG 1 — [XNIO-2 task-3] w.a.UsernamePasswordAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@df31f628: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@1150475d: Dn: cn=ict,ou=Unit Accounts,ou=Users,ou=AZA,dc=domain,dc=xx; Username: test_user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_GG_APP_SHINYPROXY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@59b2: RemoteIpAddress: xx.xx.xx.xx; SessionId: null; Granted Authorities: ROLE_GG_APP_SHINYPROXY
2020-06-04 09:59:54.242 INFO 1 — [XNIO-2 task-3] e.o.containerproxy.service.UserService : User logged in [user: test_user]
2020-06-04 09:59:54.242 DEBUG 1 — [XNIO-2 task-3] RequestAwareAuthenticationSuccessHandler : Using default Url: /
2020-06-04 09:59:54.242 DEBUG 1 — [XNIO-2 task-3] o.s.s.web.DefaultRedirectStrategy : Redirecting to ‘/’
2020-06-04 09:59:54.242 DEBUG 1 — [XNIO-2 task-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@2d4d5aff
2020-06-04 09:59:54.242 DEBUG 1 — [XNIO-2 task-3] w.c.HttpSessionSecurityContextRepository : HttpSession xxing created as SecurityContext is non-default
[…snip…]
2020-06-04 09:59:54.265 DEBUG 1 — [XNIO-2 task-8] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@df31f628: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@1150475d: Dn: cn=ict,ou=Unit Accounts,ou=Users,ou=AZA,dc=domain,dc=xx; Username: test_user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_GG_APP_SHINYPROXY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@59b2: RemoteIpAddress: xx.xx.xx.xx; SessionId: null; Granted Authorities: ROLE_GG_APP_SHINYPROXY
2020-06-04 09:59:54.266 DEBUG 1 — [XNIO-2 task-8] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5e77b229, returned: 1
2020-06-04 09:59:54.266 DEBUG 1 — [XNIO-2 task-8] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2020-06-04 09:59:54.266 DEBUG 1 — [XNIO-2 task-8] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2020-06-04 09:59:54.266 DEBUG 1 — [XNIO-2 task-8] o.s.security.web.FilterChainProxy : / reached end of additional filter chain; proceeding with original chain
2020-06-04 09:59:54.270 DEBUG 1 — [XNIO-2 task-8] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@2d4d5aff
2020-06-04 09:59:54.271 DEBUG 1 — [XNIO-2 task-8] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2020-06-04 09:59:54.271 DEBUG 1 — [XNIO-2 task-8] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

This was the way to go:

ldap:
  url: ldaps://server.domain.xx:636/DC=domain,DC=xx
  manager-dn: CN=s-svrapl089-ldap,OU=Service Accounts,OU=Users,OU=AZ Alma,DC=domain,DC=xx
  manager-password: *******************
  user-search-base: OU=Users,OU=AZA
  user-search-filter: (sAMAccountName={0})
  group-search-filter: (member={0})
  group-search-base: CN=GG_APP_ShinyProxy,OU=Application Groups,OU=Groups,OU=AZA

The 'group-search-base' must include the group. Then the role gets assigned, which you have to configure in the app.
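The following is an added example, not code from this thread or from ShinyProxy. It models what the debug log above shows Spring Security's DefaultLdapAuthoritiesPopulator doing: the authenticated user's full DN is substituted for {0} in group-search-filter, the filter is run as a subtree search under group-search-base (appended to the root DN from ldap.url), and the cn of every matching entry becomes a role (prefixed with ROLE_ and upper-cased, as in ROLE_GG_APP_SHINYPROXY). Run against a small constructed directory, it reproduces both results from the thread: the original filter (CN=GG_APP_ShinyProxy) never mentions the user, so it matches the group entry for everyone, while (member={0}) with the group's own DN as search base only matches when the user's DN is in the group's member attribute. The directory entries, user DNs, root DN and the filter subset supported are assumptions made for the example.

```python
"""Model of how group-search-base and group-search-filter become roles.

Added example; not part of the forum thread or of ShinyProxy. The directory,
the user DNs and ROOT_DN are constructed; the populator behaviour is modelled
on the DEBUG lines in the thread (assumption).
"""

# Root DN carried by ldap.url; Spring appends it to relative search bases.
ROOT_DN = "DC=domain,DC=xx"

# Constructed directory: DN -> attributes (attribute names lower-case).
DIRECTORY = {
    "CN=GG_APP_ShinyProxy,OU=Application Groups,OU=Groups,OU=AZA,DC=domain,DC=xx": {
        "objectclass": ["group"],
        "cn": ["GG_APP_ShinyProxy"],
        "member": ["CN=my_account,OU=Standard Accounts,OU=Users,OU=AZA,DC=domain,DC=xx"],
    },
    "CN=GG_APP_Other,OU=Application Groups,OU=Groups,OU=AZA,DC=domain,DC=xx": {
        "objectclass": ["group"],
        "cn": ["GG_APP_Other"],
        "member": ["CN=ict,OU=Unit Accounts,OU=Users,OU=AZA,DC=domain,DC=xx"],
    },
}

# Constructed user DNs (bind DNs as they would appear after user-search).
MY_ACCOUNT = "cn=my_account,ou=Standard Accounts,ou=Users,ou=AZA,dc=domain,dc=xx"
ICT = "cn=ict,ou=Unit Accounts,ou=Users,ou=AZA,dc=domain,dc=xx"

# (group-search-base, group-search-filter) pairs from the thread.
BROKEN = ("OU=Application Groups,OU=Groups,OU=AZA", "(CN=GG_APP_ShinyProxy)")
FIXED = ("CN=GG_APP_ShinyProxy,OU=Application Groups,OU=Groups,OU=AZA", "(member={0})")


def parse_filter(text, pos=0):
    """Parse one parenthesised filter at text[pos]; return (node, next_pos).

    Supports the RFC 4515 subset needed here: (attr=value), (&..), (|..), (!..).
    """
    if text[pos] != "(":
        raise ValueError("filter must start with '('")
    pos += 1
    if text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, value = text[pos:end].split("=", 1)  # first '=' only: DN values contain '='
    return ("=", attr.strip().lower(), value.strip()), end + 1


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive)."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        if value == "*":
            return attr in attrs
        return any(v.lower() == value.lower() for v in attrs.get(attr, []))
    if op == "&":
        return all(matches(c, attrs) for c in node[1])
    if op == "|":
        return any(matches(c, attrs) for c in node[1])
    return not matches(node[1][0], attrs)  # "!"


def search(relative_base, ldap_filter, directory=DIRECTORY):
    """Subtree search under relative_base + ROOT_DN; returns the matching DNs."""
    base = f"{relative_base},{ROOT_DN}".lower()
    node, _ = parse_filter(ldap_filter)
    return [dn for dn, attrs in directory.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and matches(node, attrs)]


def roles_for(user_dn, group_search_base, group_search_filter, directory=DIRECTORY):
    """Roles the populator derives: cn of every entry matching the filter."""
    ldap_filter = group_search_filter.replace("{0}", user_dn)  # {0} = the user's full DN
    return [cn for dn in search(group_search_base, ldap_filter, directory)
            for cn in directory[dn]["cn"]]


def to_authority(role):
    """ROLE_ prefix plus upper-casing, as seen in the log (ROLE_GG_APP_SHINYPROXY)."""
    return "ROLE_" + role.upper()


def may_log_in(user_dn, config, required_group="GG_APP_ShinyProxy"):
    """True when the required group ends up among the user's roles."""
    base, ldap_filter = config
    return required_group in roles_for(user_dn, base, ldap_filter)


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        for user in (MY_ACCOUNT, ICT):
            print(f"{name:6} {user.split(',')[0]:15} roles={roles_for(user, *cfg)}")
```

The check a practitioner wants before trusting a group filter is the one the model makes explicit: does the filter reference {0} at all? If not, the result of the group search is the same for every authenticated user, and every bind that succeeds (any valid domain account) gets the role. The ldapsearch run earlier in the thread proves the group exists and has the right members, but it does not exercise the populator's substitution, which is why it looked fine while the config was wrong. Granting a role is also only half of it: the role still has to be required in the app spec for the access restriction to take effect, which is what the last sentence of the answer refers to.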