Active directory 是否无法将bindAuthentication与Spring和Active Directory一起使用？

我想根据我们的内部active directory对我的Web应用程序的用户进行身份验证。 我将applicationContext安全设置如下：

<beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

        <!-- HTTP security configurations -->
        <http auto-config="true" use-expressions="true">
                <form-login login-processing-url="/static/j_spring_security_check"
                        login-page="/login" authentication-failure-url="/login?login_error=t" />
                <logout logout-url="/static/j_spring_security_logout" />


                <!-- Configure these elements to secure URIs in your application -->
                <!--
                        <intercept-url pattern="/choice/**" access="hasRole('ROLE_ADMIN')"/>
                -->
                <!--
                        <intercept-url pattern="/member/**" access="isAuthenticated()" />
                -->
                <intercept-url pattern="/resources/**" access="permitAll" />
                <intercept-url pattern="/static/**" access="permitAll" />
                <intercept-url pattern="/login" access="permitAll" />
                <intercept-url pattern="/**" access="isAuthenticated()" />
        </http>

        <!-- Configure Authentication mechanism -->
        <authentication-manager alias="authenticationManager">
                <!--
                        SHA-256 values can be produced using 'echo -n your_desired_password |
                        sha256sum' (using normal *nix environments)
                -->
                <authentication-provider>
                        <password-encoder hash="sha-256" />
                        <user-service>
                                <user name="admin"
                                        password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
                                        authorities="ROLE_ADMIN" />
                                <user name="user"
                                        password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb"
                                        authorities="ROLE_USER" />
                        </user-service>
                </authentication-provider>

                <ldap-authentication-provider user-dn-pattern="{0}@company.domain"/>
                <!-- <ldap-authentication-provider user-search-filter="(sAMAccountName={0})" user-search-base="OU=UNIT,OU=CE,OU=company,OU=Accounts"/>-->


        </authentication-manager>

        <!-- LDAP Security Configuration -->
        <ldap-server url="ldap://10.9.1.1:389/DC=company,DC=domain"/>

我的问题是：我不知道如何创建正确的DN来使用绑定身份验证

---

上面的值（{0]@company.domain）将在windows上运行（AD的特殊“功能”），但spring security将不接受它，因为它不符合DN的正确语法。

好的。我没有编写自己的用户详细信息服务。相反，我使用了低权限的帐户（仅限读取访问）对具有匹配凭据的用户执行ldap搜索

这很难看，因为我仍然需要在Active Directory中为我的应用程序提供帐户。但到目前为止，它仍然可以工作。我也不知道如何使用新的spring安全命名空间正确地设置ldapAuthenticationProvider。因此，我用“旧方法”将必要的bean连接在一起进行配置

这是我的样品

它使用两个身份验证提供程序：一个简单的、用户名和密码存储在配置文件中的身份验证提供程序和一个ldapAuthenticationProvider

希望有帮助：

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- HTTP security configurations -->
    <http auto-config="true" use-expressions="true">
        <form-login login-processing-url="/static/j_spring_security_check"
            login-page="/login" authentication-failure-url="/login?login_error=t" />
        <logout logout-url="/static/j_spring_security_logout" />


        <!-- Configure these elements to secure URIs in your application -->
        <!--
            <intercept-url pattern="/choice/**" access="hasRole('ROLE_ADMIN')"/>
        -->
        <!--
            <intercept-url pattern="/member/**" access="isAuthenticated()" />
        -->
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/static/**" access="permitAll" />
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
    </http>

    <!-- Configure Authentication mechanism -->
    <authentication-manager alias="authenticationManager">
        <!--
            SHA-256 values can be produced using 'echo -n your_desired_password |
            sha256sum' (using normal *nix environments)
        -->
        <authentication-provider>
            <password-encoder hash="sha-256" />
            <user-service>
                <user name="admin"
                    password="8c6976e5b5410415mydepartmente908mydepartment4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
                    authorities="ROLE_ADMIN" />
                <user name="user"
                    password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb"
                    authorities="ROLE_USER" />
            </user-service>
        </authentication-provider> 

        <authentication-provider ref="ldapAuthProvider">

        </authentication-provider>

    </authentication-manager>

    <beans:bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://10.9.1.1:389/DC=mydomain,DC=com" />
        <beans:property name="userDn"
            value="CN=ReadOnly,OU=Services,DC=mydomain,DC=com" />
        <beans:property name="password" value="thesecret" />
    </beans:bean>

    <beans:bean id="ldapAuthProvider"
        class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource" />
                <beans:property name="userSearch">
                    <beans:bean id="userSearch"
                        class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
                        <beans:constructor-arg index="0" value="" />
                        <beans:constructor-arg index="1"
                            value="(&amp;(sAMAccountName={0})(objectclass=user))" />
                        <beans:constructor-arg index="2" ref="contextSource" />
                    </beans:bean>
                </beans:property>

            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource" />
                <beans:constructor-arg value="ou=groups" />
                <beans:property name="groupRoleAttribute" value="ou" />
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>

</beans:beans>

没有什么是不可能的，但您可能需要编写自己的用户详细信息服务。好的。这就是我想要避免的。我想知道为什么没有一个用于进行广告登录的类。我想广告并不少见；-）