Java 根据ldap组的spring引导应用程序
我正在使用ldap身份验证来保护spring boot应用程序。我想为ldap服务器的特定组授权端点。有什么建议吗 这是我的SecurityConfig.java文件Java 根据ldap组的spring引导应用程序,java,spring,spring-boot,ldap,authorization,Java,Spring,Spring Boot,Ldap,Authorization,我正在使用ldap身份验证来保护spring boot应用程序。我想为ldap服务器的特定组授权端点。有什么建议吗 这是我的SecurityConfig.java文件 @Override protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() .authorizeRequests() .antMat
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/403","/login","/footer").permitAll()
.antMatchers("/","/LifeForm**","/home").fullyAuthenticated()
//.anyRequest().authenticated()
.and()
//.httpBasic()
//.and()
.formLogin()
.loginPage("/login").failureUrl("/403").permitAll()
.and()
.logout().logoutUrl("/403").invalidateHttpSession(true).deleteCookies("JSESSIONID").logoutSuccessUrl("/login");
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
if(Boolean.parseBoolean(ldapEnabled)) {
auth
.ldapAuthentication()
.userSearchFilter("(&(objectClass=user)(sAMAccountName={0}))")
.groupRoleAttribute("cn")
.groupSearchFilter("(&(objectClass=groupOfNames)(member={0}))")
.groupSearchBase("ou=groups")
.contextSource()
.url(ldapUrls + ldapBaseDn)
.managerDn(ldapSecurityPrincipal)
.managerPassword(ldapPrincipalPassword);
} else {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER")
.and()
.withUser("admin").password("admin").roles("ADMIN");
}
}
尝试添加一个“antMatcher”来验证Ldap中的一个权限
例如:
.antMatchers("/admins").hasAuthority("GROUP-SPAIN")
我的应用程序中有此配置
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
//.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
// allow anonymous resource requests
.antMatchers(
HttpMethod.GET,
"/",
"/v2/api-docs", // swagger
"/webjars/**", // swagger-ui webjars
"/swagger-resources/**", // swagger-ui resources
"/configuration/**", // swagger configuration
"/*.html",
"/favicon.ico",
"/**/*.html",
"/**/*.css",
"/**/*.js"
).permitAll()
.antMatchers("/auth/**").permitAll()
.antMatchers("/management/**/*", "/management/*.json").hasAuthority("ADMIN")
.antMatchers("/admins").hasAuthority("GROUP-SPAIN"")
.anyRequest().authenticated();
}
您需要为添加所需的权限而不是用户组创建UserDetailsService类。在本例中,我以数据库为例,您需要为ldap连接更改我的userDao
@Component
public class TodoListUserDetailsService implements UserDetailsService {
@Autowired
private UserDao userDao; //Change for ldap conection
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
//Get the user from ldap.
AppUser user = userDao.findByUsername(username);
if (null == user) {
throw new UsernameNotFoundException(String.format("Username {0} doesn't exist", username));
}
List<GrantedAuthority> authorities = new ArrayList<>();
//this part is pseudocode
user.getGroups().forEach(ldapGroup -> {
authorities.add(new SimpleGrantedAuthority(ldapGroup.toString()));
});
UserDetails userDetails = new User(user.getUsername(), user.getPassword(), authorities);
return userDetails;
}
}
@组件
公共类TodoListUserDetailsService实现UserDetailsService{
@自动连线
私有UserDao UserDao;//更改ldap连接
@凌驾
public UserDetails loadUserByUsername(字符串用户名)引发UsernameNotFoundException{
//从ldap获取用户。
AppUser=userDao.findByUsername(用户名);
if(null==用户){
抛出新的UsernameNotFoundException(String.format(“用户名{0}不存在”,Username));
}
列表权限=新建ArrayList();
//这部分是伪代码
user.getGroups().forEach(ldapGroup->{
添加(新的SimpleGrantedAuthority(ldapGroup.toString());
});
UserDetails UserDetails=新用户(User.getUsername(),User.getPassword(),authorities);
返回用户详细信息;
}
}
当用户尝试访问应用程序时,Spring将使用您的UserDetails服务。是,但这是关于角色而不是组的。对吗?我不知道Ldap服务器中的角色名称。我想根据组名授权我的应用程序。你是否能正常工作?我现在正在努力解决同样的问题,我的LDAP配置与您的类似,但我的组没有映射到权限?欢迎任何帮助!