Java 对ldap用户进行身份验证的Spring安全配置
我一直在我们公司从事SpringWeb应用程序的工作,该应用程序通过数据库对用户进行身份验证。但是我们希望在我们公司中使用active directory服务器,而不是数据库。不幸的是,我无法连接到服务器。 这是我的spring-security.xmlJava 对ldap用户进行身份验证的Spring安全配置,java,spring,spring-security,active-directory,spring-ldap,Java,Spring,Spring Security,Active Directory,Spring Ldap,我一直在我们公司从事SpringWeb应用程序的工作,该应用程序通过数据库对用户进行身份验证。但是我们希望在我们公司中使用active directory服务器,而不是数据库。不幸的是,我无法连接到服务器。 这是我的spring-security.xml <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xm
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<beans:bean id="successHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/App/Index" />
</beans:bean>
<beans:bean id="failureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/App/loginError" />
</beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/App/Login" />
</beans:bean>
<beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl">
</beans:bean>
<beans:bean id="sas"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry"
ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>
<http auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
<intercept-url pattern="/Content/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/Desktop/New_Them/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/App/Index" access="ROLE_USER" />
<intercept-url pattern="/App/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/rest/clc/ClcLogPhon/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_USER" />
<custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />
<logout logout-success-url="/App/Login" />
<remember-me key="myAppKey" />
<session-management
session-authentication-strategy-ref="sas">
</session-management>
<csrf />
<headers>
<xss-protection />
</headers>
</http>
<global-method-security pre-post-annotations="enabled"
secured-annotations="enabled" proxy-target-class="true" />
<beans:bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/App/Login" />
</beans:bean>
<beans:bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
<beans:constructor-arg index="0" value="256" />
</beans:bean>
<ldap-server id="ldapServer"
url="ldap://192.168.1.143/dc=springframework,dc=org" />
<authentication-manager>
<ldap-authentication-provider server-ref="ldapServer"
user-dn-pattern="uid={0},ou=people" />
</authentication-manager>
</beans:beans>
实际上,我只是删除了与数据库相关的bean,然后添加了ldap服务器和身份验证管理器,以便使我们的应用程序使用ldap进行身份验证。我正在使用Spring4.0.1和SpringSecurity3.2.1,以及Java1.7。虽然web应用程序启动了,但我在登录页面中输入的任何信息都被拒绝,并且我在eclipse中的控制台中获得的访问被拒绝错误。
此外,我将Ldap url更改为错误的IP地址,只是为了测试应用程序是否失败。但这一点都没有改变。因此,我甚至怀疑它是否试图连接到服务器。由于我在这里没有收到任何答案,我搜索以解决我的问题。
首先,我应该像设置Active directory一样设置url。例如,我完全忽略了IP地址之后的端口地址,默认为389。此外,我将url地址末尾的域更改为我的特定active directory域地址。
最后,我的url地址改为
ldap://192.168.1.143:389/DC=myDomain,DC=org
其次,我应该使用用户名密码连接到Ldap。因此,我更改了我的spring-security.xml,如下所示:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<beans:bean id="successHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/App/Index" />
</beans:bean>
<beans:bean id="failureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/App/loginError" />
</beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/App/Login" />
</beans:bean>
<beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl">
</beans:bean>
<beans:bean id="sas"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry"
ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>
<http auto-config="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
<intercept-url pattern="/Content/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/Desktop/New_Them/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/App/Index" access="ROLE_USER" />
<intercept-url pattern="/App/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/rest/clc/ClcLogPhon/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_USER" />
<custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />
<logout logout-success-url="/App/Login" />
<remember-me key="myAppKey" />
<session-management
session-authentication-strategy-ref="sas">
</session-management>
<csrf />
<headers>
<xss-protection />
</headers>
</http>
<global-method-security pre-post-annotations="enabled"
secured-annotations="enabled" proxy-target-class="true" />
<beans:bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/App/Login" />
</beans:bean>
<beans:bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
<beans:constructor-arg index="0" value="256" />
</beans:bean>
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg
value="ldap://192.168.1.143:389/DC=myDomain,DC=org" />
<beans:property name="userDn"
value="CN=username,CN=Users,DC=myDomain,DC=org" />
<beans:property name="password" value="password" />
</beans:bean>
<beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>uid={0},ou=users</beans:value>
</beans:list>
</beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource" />
<beans:constructor-arg value="ou=groups" />
<beans:property name="groupRoleAttribute" value="ou" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<authentication-manager>
<authentication-provider ref="ldapAuthProvider"/>
</authentication-manager>
</beans:beans>
uid={0},ou=用户
首先连接到Ldap