Active Directory：无法在 Spring Security 中对 Active Directory 使用 bindAuthentication 吗？
我想根据我们的内部 Active Directory 对 Web 应用程序的用户进行身份验证。applicationContext 的安全配置如下（标签：active-directory, ldap, spring-security）：
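<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- HTTP security configuration: form login, logout and URL authorization rules. -->
  <http auto-config="true" use-expressions="true">
    <form-login login-processing-url="/static/j_spring_security_check"
                login-page="/login"
                authentication-failure-url="/login?login_error=t" />
    <logout logout-url="/static/j_spring_security_logout" />

    <!-- Role-specific rules, currently disabled. -->
    <!--
    <intercept-url pattern="/choice/**" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/member/**" access="isAuthenticated()" />
    -->

    <!-- Rules are matched first-hit in document order; the catch-all must stay last. -->
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/static/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
  </http>

  <!-- Authentication: an in-memory provider is consulted first, then Active Directory. -->
  <authentication-manager alias="authenticationManager">
    <!--
      In-memory fallback accounts. Review notes:
      * hash="sha-256" with no <salt-source> is a fast, unsalted digest, so a leaked
        context file allows a cheap offline dictionary attack on these values.
      * The two digests appear to be SHA-256 of the literal strings "admin" and "user";
        if these accounts are kept, set real passwords and add a salt-source.
      * A local ROLE_ADMIN account that does not go through Active Directory is a
        standing backdoor; remove it in production or restrict it to break-glass use.
      SHA-256 values can be produced with: echo -n your_desired_password | sha256sum
    -->
    <authentication-provider>
      <password-encoder hash="sha-256" />
      <user-service>
        <user name="admin"
              password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
              authorities="ROLE_ADMIN" />
        <user name="user"
              password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb"
              authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>

    <!--
      Bind authentication against Active Directory.
      user-dn-pattern must be a DN template (e.g. "sAMAccountName={0},OU=...,DC=...").
      The UPN form "{0}@company.domain" is accepted by AD's own LDAP bind, but it is
      not a DN, which is why this provider rejects it. The search-based variant below
      (commented out) locates the entry by sAMAccountName first and then binds with
      the user's credentials; it needs a read-only bind account on <ldap-server>.
    -->
    <ldap-authentication-provider user-dn-pattern="{0}@company.domain"/>
    <!-- <ldap-authentication-provider user-search-filter="(sAMAccountName={0})" user-search-base="OU=UNIT,OU=CE,OU=company,OU=Accounts"/>-->
  </authentication-manager>

  <!--
    Directory connection. A plain ldap:// URL on port 389 sends every user's
    password in cleartext during the simple bind. Use ldaps:// (636) and make sure
    the domain controller's certificate is trusted by the JVM trust store.
  -->
  <ldap-server url="ldaps://10.9.1.1:636/DC=company,DC=domain"/>

</beans:beans>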
我的问题是：我不知道如何构造正确的 DN 来使用绑定身份验证（bind authentication）。
上面的值（{0}@company.domain）在 Windows 上可以工作（这是 AD 的一个特殊“功能”：允许用 UPN 形式绑定），但 Spring Security 不会接受它，因为它不符合 DN 的语法。我没有编写自己的 UserDetailsService；而是使用一个低权限（只读）的服务帐户，先按用户名搜索出对应的条目，再用找到的 DN 和用户提交的凭据进行绑定。这种做法不太优雅，因为仍然需要在 Active Directory 中为应用程序单独创建一个帐户，但到目前为止它一直正常工作。我也不清楚如何用新的 spring security 命名空间正确配置 ldapAuthenticationProvider，因此改用“旧方法”手工把必要的 bean 连接起来。下面是我的示例，它使用两个身份验证提供程序：一个是用户名和密码存放在配置文件中的简单提供程序，另一个是 ldapAuthenticationProvider。希望有帮助：
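<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- HTTP security configuration: form login, logout and URL authorization rules. -->
  <http auto-config="true" use-expressions="true">
    <form-login login-processing-url="/static/j_spring_security_check"
                login-page="/login"
                authentication-failure-url="/login?login_error=t" />
    <logout logout-url="/static/j_spring_security_logout" />

    <!-- Role-specific rules, currently disabled. -->
    <!--
    <intercept-url pattern="/choice/**" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/member/**" access="isAuthenticated()" />
    -->

    <!-- Rules are matched first-hit in document order; the catch-all must stay last. -->
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/static/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
  </http>

  <!-- Authentication: an in-memory provider is consulted first, then the LDAP bind provider. -->
  <authentication-manager alias="authenticationManager">
    <!--
      In-memory fallback accounts. Review notes:
      * The admin digest in the posted sample had been mangled by a search/replace
        ("bd" turned into "mydepartment"), so it was not even valid hex and that
        account could never authenticate; it is restored here to the value used in
        the original question.
      * hash="sha-256" with no <salt-source> is a fast, unsalted digest, so a leaked
        context file allows a cheap offline dictionary attack on these values.
      * The two digests appear to be SHA-256 of the literal strings "admin" and "user";
        if these accounts are kept, set real passwords and add a salt-source.
      * A local ROLE_ADMIN account that bypasses the directory is a standing backdoor;
        remove it in production or restrict it to break-glass use.
      SHA-256 values can be produced with: echo -n your_desired_password | sha256sum
    -->
    <authentication-provider>
      <password-encoder hash="sha-256" />
      <user-service>
        <user name="admin"
              password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
              authorities="ROLE_ADMIN" />
        <user name="user"
              password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb"
              authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>

    <!-- Active Directory users, authenticated by search-then-bind (bean defined below). -->
    <authentication-provider ref="ldapAuthProvider" />
  </authentication-manager>

  <!--
    Directory connection used both for the read-only search and for the user bind.
    * A plain ldap:// URL on port 389 would send every user's password in cleartext
      during the simple bind; ldaps:// (636) is used instead, which requires the
      domain controller's certificate to be trusted by the JVM trust store.
    * The service-account password is stored in cleartext in this context file.
      NOTE(review): externalize it (property placeholder or JNDI) and restrict
      read access to this file; the account itself should stay read-only in AD.
  -->
  <beans:bean id="contextSource"
              class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldaps://10.9.1.1:636/DC=mydomain,DC=com" />
    <beans:property name="userDn" value="CN=ReadOnly,OU=Services,DC=mydomain,DC=com" />
    <beans:property name="password" value="thesecret" />
  </beans:bean>

  <!--
    LdapAuthenticationProvider(authenticator, authoritiesPopulator):
    1. FilterBasedLdapUserSearch finds the entry whose sAMAccountName matches the
       login name (search base "" is relative to the DC=mydomain,DC=com base above).
    2. BindAuthenticator binds as that entry with the password the user submitted.
    3. DefaultLdapAuthoritiesPopulator turns group membership into granted authorities.
  -->
  <beans:bean id="ldapAuthProvider"
              class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource" />
        <beans:property name="userSearch">
          <beans:bean id="userSearch"
                      class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
            <beans:constructor-arg index="0" value="" />
            <!-- "&" must be escaped as "&amp;" inside an XML attribute; a bare "&" is not well-formed and the context fails to load. -->
            <beans:constructor-arg index="1"
                                   value="(&amp;(sAMAccountName={0})(objectclass=user))" />
            <beans:constructor-arg index="2" ref="contextSource" />
          </beans:bean>
        </beans:property>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
      <!--
        Group search base "ou=groups" is relative to the context source's base DN.
        NOTE(review): AD group objects normally carry the group name in "cn", not "ou";
        confirm groupRoleAttribute against the directory, otherwise users get no
        authorities. By default the populator prefixes role names with ROLE_ and
        upper-cases them.
      -->
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource" />
        <beans:constructor-arg value="ou=groups" />
        <beans:property name="groupRoleAttribute" value="ou" />
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>

</beans:beans>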
没有什么是不可能的，但您可能需要编写自己的 UserDetailsService。——这正是我想避免的。我想知道为什么没有一个专门用于 AD 登录的类，AD 毕竟并不少见 ;-)（注：后来的 Spring Security 版本（3.1 起）增加了面向 AD、支持 user@domain 形式绑定的 ActiveDirectoryLdapAuthenticationProvider；本文使用的是 3.0 的 schema，需要升级后才能使用。）