WSO2 API Cloud: Spring Boot REST API for Active Directory User Validation
WSO2 API Cloud provides a feature to configure a RESTful service to connect to the Active Directory and integrate with external users.
Refer to the link for further details.
In this blog we are going to explore, how we can connect external users to WSO2 API Cloud using a Spring Boot RESTful API which integrates with an Active Directory user store and validates the user credentials.
WSO2 API Cloud External User Authentication Flow
WSO2 API Cloud User Validation REST API Specification
The RESTful api should expose a POST resource accepting the following request payload with Basic authentication,
{
"credentials": {
"username": "<username>",
"password": "<password>"
}
}Depending on the provided user credentials, the RESTful api should respond a 200 OK with the following response payload,
{
"response": {
"status": "true"
}
}Implementation and Configuration
Implementation
A RESTful service connecting to Active Directory for user validation is implemented as a Spring Boot application, packaged and deployed as a docker image.
The source code for the Spring Boot REST API is available in Seralahthan/active-directory-user-validation-service
SSL KeyStore/TrustStore Configuration
Requirement
In order to expose the RESTful API over HTTP with SSL and to communicate with the Active Directory user store over LDAP with SSL, I have created and configured a Java KeyStore (spring-security-ad.jks) in the project.
The Java KeyStore spring-security-ad.jks can be found in the src/main/resources/keystore/ directory of the project.
SSL Application Properties Configuration
This Java KeyStore is configured as both SSL KeyStore and TrustStore as shown below in the application.properties file found in the src/main/resources/ directory of the project.
SSL Passwords Encryption
As observed from above the keystore and truststore passwords in the properties file are encrypted using Java Simplified Encryption plugin (Jasypt) Maven plugin.
It is highly recommended to encrypt the passwords in the application.properties file and decrypt them at the run-time to hide passwords from configuration files.
Kindly refer to the section “Jasypt Encryption On Application Properties” for further details on encrypting properties and deploying artifacts with Jasypt encryption.
plain text passwords used for the SSL keystore/truststore are the following,
The passwords are randomly picked. If you are going forward with using the Java keystore shared in the project you can refer to the above credentials.
It is always recommended to create your own Java KeyStore to be used as the SSL KeyStore/TrustStore with your own secure passwords.
Instructions to create your own Java keystore can be found below.
SSL KeyStore/TrustStore Creation
Following command can be used to generate a new Java keystore to be used as the SSL keystore/truststore.
The parameters key_alias, keystore_name and keystore_password needs to be passed as per the requirement.
Import the Active Directory Public Certificate to the Java KeyStore
In order to connect with the Active Directory over Secure LDAP (LDAPS) we need to import the public certificate of the Active Directory to the SSL TrustStore
Since we are using a single Java KeyStore as both SSL KeyStore and TrustStore we can import the Active Directory public certificate to that Java KeyStore.
Extract the Active Directory Public Certificate using OpenSSL Command
Active Directory public certificate can be extracted by executing the following OpenSSL command against the Active Directory IP and Port,
The parameters active_directory_ip and active_directory_port need to be substituted with the actual values. The public certificate will be stored in the file adcert.pem
Import Active Directory Public Certificate to TrustStore
Import the Active Directory public certificate to the KeyStore using the following command,
Active Directory Configurations
In order to successfully connect and perform user search on the Active Directory user store the following Active Directory related parameters need to be configured in the application.properties file.
The ad_hostname, ad_port and ad_user_password need to be configured as per Active Directory configuration.
I have provided some sample configuration values for the ad.baseDN, ad.userSearchBase, ad.userDN, ad.userObjectClass and ad.userNameAttribute. These values need to be configured as per Active Directory configuration.
Note:
In order to successfully authenticate external users with WSO2 API Cloud, WSO2 API Cloud expects the username to be passed as an email address.
So the ad.userNameAttribute needs to be configured as mail
Also, the Active Directory user store should support authenticating users by passing the users email address as the username.
The ad.userPassword is specified in plain text format with DEC(…) tag; it needs to be encrypted with Jasypt encryption.
Kindly refer to the section “Jasypt Encryption On Application Properties” for further details on encrypting properties and deploying artifacts with Jasypt encryption.
Jasypt Encryption On Application Properties
As a best practice, in order to hide the plain text passwords in the application.properties file we need to encrypt it with Java Simplified Encryption (Jasypt) installing it as a Maven plugin.
Jasypt (Java Simplified Encryption), provides encryption support for property sources in Spring Boot Applications. It will help you to add basic encryption features to your projects with very fewer efforts and without writing any code with the help of a few additions in your project here and there
Please refer to the link for further details on Jasypt encryption.
Configuring Jasypt Maven Plugin
There is an out of the box maven plugin available which can be used to integrate Jasypt encryption to the Spring Boot project.
In order to enable Jasypt encryption add the following maven plugin and dependency to the Spring Boot project’s pom.xml file. It is already added in the shared project.
Encrypting/Decrypting Passwords in Application Properties using Jasypt
Encryption
In order to encrypt plain text passwords in application.properties file, the plain text passwords need to be initially configured with DEC(…) tag as shown below.
Once all the passwords in the properties file are wrapped with DEC tag execute the following command to encrypt all the plain text passwords in the application.properties file.
In order for the Jasypt encryption and decryption to work properly, it is required to maintain a unique master key for Jasypt Encryptor.
Any password can be used as jasypt.encryptor.password (master key).
The encrypted passwords will be displayed with an encrypted value inside the ENC(…) tag as shown below.
Decryption
In order to decrypt the passwords in the application.properties file and revert back to the plain text format, execute the following command,
Building and Deploying the Spring Boot Application
Compile time and Runtime Password Decryption
Now that the passwords in the properties file is encrypted, it must be decrypted at the compile time (building the docker image) and runtime (running the docker image)
By default, the jasypt encryption command uses the PBEWITHHMACSHA512ANDAES_256 encryption algorithm for password encryption. So, the same algorithm needs to be configured to be used when decrypting the passwords at runtime.
Following property is added to the application.properties file to specify the Jasypt encryption algorithm.
Following command can be used to build the docker image passing the jasypt.encryptor.password (master key)
Following command can be used to run the docker image with the jasypt encryptor password passed as an environment variable.
Integrating AD User Validation REST API with WSO2 API Cloud
Once the Spring Boot user validation REST api is hosted and exposed to be accessible publicly over the internet via Secure HTTP (HTTPS), it can be integrated with WSO2 API Cloud following the documentation.
The project shared exposes the REST api url as POST resource with localhost via, https://localhost:8080/validate
The sample curl request to invoke the REST api is the following,
References:
[1] https://cloud.docs.wso2.com/en/latest/learn/cloud-administration/authenticate-external-users-for-api-invocations/
[2] https://github.com/Seralahthan/active-directory-user-validation-service
[3] http://www.jasypt.org/
[4] https://mvnrepository.com/artifact/com.github.ulisesbocchio/jasypt-spring-boot-starter/3.0.3
Hope you enjoyed the blog and got something to take away.
Thank you for Reading!
Cheers!!!
