Authentication 使用Spring引导/Spring安全性对LDAP进行证书身份验证
我目前正在尝试实现一个springbootwebservice,它具有相互身份验证,需要用户认证,并根据ldap服务器对用户进行身份验证和授权 到目前为止,相互身份验证工作正常,服务器向用户标识自己并请求用户证书。以内存用户为例,整个身份验证和授权过程运行良好。然而,只要我实现LDAP连接,我就会得到一个“java.lang.IllegalStateException:UserDetailsService是必需的。”异常。有趣的是,当我使用登录页面时,LDAP配置本身工作正常,用户必须手动提示其凭证。简言之: 登录页面+LDAP工作 CERT+内存用户工作 证书+LDAP不工作 以下是我目前的代码: web/config/Application.javaAuthentication 使用Spring引导/Spring安全性对LDAP进行证书身份验证,authentication,spring-security,ldap,certificate,spring-boot,Authentication,Spring Security,Ldap,Certificate,Spring Boot,我目前正在尝试实现一个springbootwebservice,它具有相互身份验证,需要用户认证,并根据ldap服务器对用户进行身份验证和授权 到目前为止,相互身份验证工作正常,服务器向用户标识自己并请求用户证书。以内存用户为例,整个身份验证和授权过程运行良好。然而,只要我实现LDAP连接,我就会得到一个“java.lang.IllegalStateException:UserDetailsService是必需的。”异常。有趣的是,当我使用登录页面时,LDAP配置本身工作正常,用户必须手动提示其
@SpringBootApplication
@ComponentScan({ "web.*" })
public class Application extends SpringBootServletInitializer {
@Bean
public InternalResourceViewResolver viewResolver() {
InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
viewResolver.setViewClass(JstlView.class);
viewResolver.setPrefix("/WEB-INF/jsp/");
viewResolver.setSuffix(".jsp");
return viewResolver;
}
public static void main(String[] args) throws Exception {
SpringApplication.run(Application.class, args);
}
@Bean
public EmbeddedServletContainerFactory servletContainer() {
TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory();
tomcat.addAdditionalTomcatConnectors(createSslConnector());
return tomcat;
}
// *************************************************************************************************
// Mutual Cert Authentication
// *************************************************************************************************
private Connector createSslConnector() {
Connector connector = new Connector(
"org.apache.coyote.http11.Http11NioProtocol");
Http11NioProtocol protocol = (Http11NioProtocol) connector
.getProtocolHandler();
try {
File keystore = new ClassPathResource("server.jks").getFile();
File truststore = new ClassPathResource("cacerts.jks").getFile();
connector.setScheme("https");
connector.setSecure(true);
connector.setPort(8443);
protocol.setSSLEnabled(true);
protocol.setKeystoreFile(keystore.getAbsolutePath());
protocol.setKeystorePass("toor"); //example password
protocol.setTruststoreFile(truststore.getAbsolutePath());
protocol.setTruststorePass("toor"); //example passsword
protocol.setKeyAlias("server");
protocol.setClientAuth("want");
protocol.setSslProtocol("TLS");
return connector;
} catch (IOException ex) {
throw new IllegalStateException("can't access keystore: ["
+ "keystore" + "] or truststore: [" + "keystore" + "]", ex);
}
}
// *************************************************************************************************
// The Authentication Manager Bean provides the source that userdata gets
// authenticated against. In this Scenario a ldap server is used.
// *************************************************************************************************
@Bean
public DefaultSpringSecurityContextSource getSource() throws Exception {
String address = "ldap://lokalhost:389/dc=ldap"; //example url
String ldapUser = "cn=admin,dc=ldap"; //example login
String ldapPassword = "toor"; //example password
DefaultSpringSecurityContextSource source = new DefaultSpringSecurityContextSource(
address);
source.setUserDn(ldapUser);
source.setPassword(ldapPassword);
source.afterPropertiesSet();
return source;
}
}
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private DefaultSpringSecurityContextSource source;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.ldapAuthentication().contextSource(source)
.userSearchBase("dc=users,dc=ldap")
.userDnPatterns("cn={0},dc=users")
.groupSearchBase("ou=groups")
;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// *************************************************************************************************
// Insert pages that need propper authentication/authorization here
// *************************************************************************************************
http
.x509().subjectPrincipalRegex("CN=(.*?),").and()
.authorizeRequests()
.antMatchers("/**")
.access("hasRole('ROLE_USER')")
.and()
.csrf().disable();
}
}
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>SpringCertAuth</groupId>
<artifactId>spring-cert-authentication</artifactId>
<version>0.1.0</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.2.5.RELEASE</version>
</parent>
<dependencies>
<!-- ldap -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
</dependency>
<dependency>
<groupId>org.apache.directory.server</groupId>
<artifactId>apacheds-server-jndi</artifactId>
<version>1.5.5</version>
</dependency>
<!-- end ldap -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-jasper</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<properties>
<main.basedir>${basedir}/../..</main.basedir>
<java.version>1.8</java.version>
</properties>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
<%@page session="false"%>
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
<h1>Title : ${title}</h1>
<h1>Message : ${message}</h1>
</body>
</html>
标题:${Title}
消息:${Message}
多米尼克好的,我找到了解决办法。我将应用程序类改写为:
.
.
.
public static DefaultSpringSecurityContextSource getSource() throws Exception {
String address = "ldap://lokalhost:389/dc=ldap"; //example url
String ldapUser = "cn=admin,dc=ldap"; //example login
String ldapPassword = "toor"; //example password
DefaultSpringSecurityContextSource source = new DefaultSpringSecurityContextSource(
address);
source.setUserDn(ldapUser);
source.setPassword(ldapPassword);
source.afterPropertiesSet();
return source;
}
@Bean
public static LdapAuthenticationProvider ldapAuthProvider() throws Exception{
LdapAuthenticationProvider provider = new LdapAuthenticationProvider(authenticator(),authPopulator());
return provider;
}
@Bean
public static BindAuthenticator authenticator() throws Exception{
String[] userDn = {"cn={0},dc=users"};
BindAuthenticator auth = new BindAuthenticator(getSource());
auth.setUserDnPatterns(userDn);
return auth;
}
//authenticator2 only neccessary if authentiction with passwordcompare instead of binduser is wanted.
@Bean
public static PasswordComparisonAuthenticator authenticator2() throws Exception{
String[] userDn = {"cn={0},dc=users"};
PasswordComparisonAuthenticator auth = new PasswordComparisonAuthenticator(getSource());
auth.setUserDnPatterns(userDn);
auth.setPasswordAttributeName("userPassword");
auth.setPasswordEncoder(Md5Encoder());
return auth;
}
@Bean
public static DefaultLdapAuthoritiesPopulator authPopulator() throws Exception{
DefaultLdapAuthoritiesPopulator authPop = new DefaultLdapAuthoritiesPopulator(getSource(),"dc=groups");
authPop.setGroupRoleAttribute("cn");
authPop.setGroupSearchFilter("(member={0})");
return authPop;
}
//Certificate Authentication
@Bean
public static LdapUserDetailsService CustomLdapUserDetailsService() throws Exception{
LdapUserDetailsService userDetails = new LdapUserDetailsService(userSearch(),authPopulator());
return userDetails;
}
@Bean
public static FilterBasedLdapUserSearch userSearch() throws Exception{
FilterBasedLdapUserSearch search = new FilterBasedLdapUserSearch("","cn={0}",getSource());
return search;
}
}
@Configuration
@EnableWebSecurity
@EnableAutoConfiguration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception{
auth.authenticationProvider(Application.ldapAuthProvider());
}
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// *************************************************************************************************
// Insert pages that need proper authentication/authorization here
// *************************************************************************************************
http
.exceptionHandling().accessDeniedPage("/403")
.and()
.x509().subjectPrincipalRegex("CN=(.*?),").userDetailsService(Application.CustomLdapUserDetailsService())
.and()
.authorizeRequests()
.antMatchers("/profile/**").access("hasRole('ROLE_VIEW') or hasRole('ROLE_ADMINISTRATOR')")
.antMatchers("/welcome**").permitAll()
.antMatchers("/authenticate").access("hasRole('ROLE_VIEW') or hasRole('ROLE_ADMIN')")
.antMatchers("/admin").access("hasRole('ROLE_ADMINISTRATOR')")
.and()
.formLogin()
.and()
.logout().logoutSuccessUrl("/welcome?logout").logoutUrl("/logout")
.deleteCookies("JSESSIONID")
.and()
.csrf().disable()
;
}
}
Dominik您必须在web/config/WebSecurity.java文件中添加UserDetailService 例如
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated()
.and()
.x509()
.subjectPrincipalRegex("CN=(.*?)(?:,|$)")
.userDetailsService(userDetailsService());
}
@Bean
public UserDetailsService userDetailsService() {
return new UserDetailsService() {
@Override
public UserDetails loadUserByUsername(String username) {
if (username.equals("Bob")) {
return new User(username, "",
AuthorityUtils
.commaSeparatedStringToAuthorityList("ROLE_USER"));
}
throw new UsernameNotFoundException("User not found!");
}
};
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated()
.and()
.x509()
.subjectPrincipalRegex("CN=(.*?)(?:,|$)")
.userDetailsService(userDetailsService());
}
@Bean
public UserDetailsService userDetailsService() {
return new UserDetailsService() {
@Override
public UserDetails loadUserByUsername(String username) {
if (username.equals("Bob")) {
return new User(username, "",
AuthorityUtils
.commaSeparatedStringToAuthorityList("ROLE_USER"));
}
throw new UsernameNotFoundException("User not found!");
}
};
}