Java Spring Security custom LDAP authentication provider
My current LDAP authentication context is set up as follows:
<ldap-server url="ldap://host/dn"
             manager-dn="cn=someuser"
             manager-password="somepass" />

<authentication-manager>
    <ldap-authentication-provider user-search-filter="(samaccountname={0})"/>
</authentication-manager>
<bean id="contextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldaps://url/dc=mock,dc=com" />
    <property name="userDn" value="cn=username,ou=People,dc=mock,dc=com" />
    <property name="password" value="password" />
</bean>

<bean id="ldapAuthProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource" />
            <property name="userDnPatterns">
                <list>
                    <value>uid={0},ou=People</value>
                </list>
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="com.mock.MyCustomAuthoritiesPopulator" />
    </constructor-arg>
</bean>
But how do I point "ldapAuthProvider" at the LDAP server in the security context?

I'm also using Spring Security 3, so "" doesn't exist... All I did was add this to the security context:
<authentication-manager>
    <authentication-provider ref='ldapAuthProvider'/>
</authentication-manager>

Then configure the "ldapAuthProvider" bean as follows:
<bean id="contextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldaps://url/dc=mock,dc=com" />
    <property name="userDn" value="cn=username,ou=People,dc=mock,dc=com" />
    <property name="password" value="password" />
</bean>

<bean id="ldapAuthProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource" />
            <property name="userDnPatterns">
                <list>
                    <value>uid={0},ou=People</value>
                </list>
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="com.mock.MyCustomAuthoritiesPopulator" />
    </constructor-arg>
</bean>
The MyCustomAuthoritiesPopulator implementation is as follows:
import java.util.ArrayList;
import java.util.Collection;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

public class MyCustomAuthoritiesPopulator implements LdapAuthoritiesPopulator {
    // Called after the bind has succeeded; every authenticated user gets ROLE_USER
    public Collection<GrantedAuthority> getGrantedAuthorities(
            DirContextOperations userData, String username) {
        ArrayList<GrantedAuthority> list = new ArrayList<GrantedAuthority>();
        list.add(new SimpleGrantedAuthority("ROLE_USER"));
        return list;
    }
}
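As an added example (mine, not code from the answer above or from the Spring project), here is a populator that extends DefaultLdapAuthoritiesPopulator and overrides getAdditionalRoles, the hook a comment further down mentions for retrieving nested groups from AD. It assumes Spring Security 3.1 or later and an Active Directory server, because the filter relies on AD's LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) to resolve transitive group membership in one query; the class name and the group search base are placeholders.

```java
package com.mock;

import java.util.HashSet;
import java.util.Set;
import javax.naming.directory.SearchControls;

import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

/**
 * Added example: the base class still performs its normal "(member={0})" search for
 * direct membership; getAdditionalRoles adds the groups reachable only through nesting.
 * Assumes an Active Directory server (the matching rule below is AD-specific).
 */
public class NestedGroupAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {

    // AD's LDAP_MATCHING_RULE_IN_CHAIN: matches groups the user is a member of transitively.
    private static final String NESTED_MEMBER_FILTER = "(member:1.2.840.113556.1.4.1941:={0})";

    private final SpringSecurityLdapTemplate template;
    private final String groupSearchBase;

    public NestedGroupAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase) {
        super(contextSource, groupSearchBase);
        this.groupSearchBase = groupSearchBase;
        // Own template so this class does not depend on protected accessors of the base class.
        this.template = new SpringSecurityLdapTemplate(contextSource);
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        this.template.setSearchControls(controls);
    }

    @Override
    protected Set<GrantedAuthority> getAdditionalRoles(DirContextOperations user, String username) {
        // The user's full DN is the value substituted for {0} in the filter.
        String userDn = user.getNameInNamespace();
        Set<String> groupNames = template.searchForSingleAttributeValues(
                groupSearchBase, NESTED_MEMBER_FILTER, new Object[] { userDn }, "cn");

        // Same naming convention as the base class defaults: "ROLE_" + upper-cased cn.
        Set<GrantedAuthority> roles = new HashSet<GrantedAuthority>();
        for (String cn : groupNames) {
            roles.add(new SimpleGrantedAuthority("ROLE_" + cn.toUpperCase()));
        }
        return roles;
    }
}
```

To wire it in place of MyCustomAuthoritiesPopulator, replace the second constructor argument of the ldapAuthProvider bean with a bean of this class taking the contextSource and a group search base such as "ou=Groups" as constructor arguments (placeholder value). Because the base class merges direct and additional roles into a Set keyed on the authority string, groups found by both searches appear only once.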
If you use a custom LdapUserDetailsMapper instead, the Spring configuration is simpler, because the ldap-authentication-provider element has a dedicated attribute, user-context-mapper-ref, that lets you use the short configuration style:
<authentication-manager>
    <ldap-authentication-provider
        user-search-filter="sAMAccountName={0}"
        user-search-base="OU=Users"
        group-search-filter="(&(objectclass=group)(member={0}))"
        group-search-base="OU=Groups"
        user-context-mapper-ref="customUserContextMapper" />
</authentication-manager>

<ldap-server url="ldap://url:389/DC=mock,DC=com"
             manager-dn="manager"
             manager-password="pass" />
If you want to avoid the ugly bean definitions (DefaultSpringSecurityContextSource, LdapAuthenticationProvider, BindAuthenticator, +100) and use the "cool" XML definition such as

<authentication-manager>
    <ldap-authentication-provider... />
</authentication-manager>
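An added example (mine, not part of the answer above) of the mapper that user-context-mapper-ref="customUserContextMapper" would point at. It assumes Spring Security 3.1 or later and a bean definition with that id for the class below. The mapper builds the principal from the LDAP entry plus the authorities the provider resolved through its group search, and adds one policy of its own: a user for whom the group search produced no authority is rejected with an AuthenticationException, so a valid directory account by itself does not grant access to the application.

```java
package com.mock;

import java.util.Collection;

import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.LdapUserDetailsImpl;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

/**
 * Added example: declare it as <bean id="customUserContextMapper"
 * class="com.mock.CustomUserContextMapper"/> so the namespace config can reference it.
 */
public class CustomUserContextMapper implements UserDetailsContextMapper {

    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> authorities) {
        // Policy added by this example: no application group means no access,
        // even though the bind (or password comparison) already succeeded.
        if (authorities == null || authorities.isEmpty()) {
            throw new NotEntitledException(
                    "User " + username + " is not a member of any application group");
        }

        LdapUserDetailsImpl.Essence essence = new LdapUserDetailsImpl.Essence();
        essence.setDn(ctx.getNameInNamespace());  // full DN of the authenticated entry
        essence.setUsername(username);
        // The password is deliberately not copied out of the directory into the principal.
        essence.setAuthorities(authorities);
        return essence.createUserDetails();
    }

    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        // Read-only mapper: nothing is ever written back to the directory.
        throw new UnsupportedOperationException("This mapper only reads from the directory");
    }

    /** Surfaces to the caller as a normal authentication failure. */
    public static class NotEntitledException extends AuthenticationException {
        public NotEntitledException(String msg) {
            super(msg);
        }
    }
}
```

Throwing an AuthenticationException subclass from mapUserFromContext is what makes the rejection behave like any other failed login: the provider propagates it and ProviderManager reports it as an authentication failure rather than as an application error.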
I was quite confused when I saw the title of your question and then read the details. To me, authentication is about username and password, whereas as far as I can tell your actual question is about authorization. The answer below already mentions such a custom populator. Could you change the wording to authorization populator instead? :)

Thanks for the hint about overriding getAdditionalRoles. I was able to retrieve nested groups from AD LDAP. Spring LDAP apparently doesn't support this.
<ldap-server id="ldapServer" url="${ldap.url}" manager-dn="${ldap.manager.dn}" manager-password="${ldap.manager.password}"/>

<authentication-manager>
    <ldap-authentication-provider user-search-filter="${ldap.userSearch.filter}" user-search-base="${ldap.searchBase}"
                                  group-search-base="${ldap.groupSearchBase}"/>
</authentication-manager>
package com.example.access.ldap;

import java.util.ArrayList;
import java.util.Collection;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.stereotype.Component;

@Component
public class UserGrantedAuthoritiesMapper implements GrantedAuthoritiesMapper {
    // Receives the authorities produced by the LDAP group search and returns the ones the application should see
    public Collection<? extends GrantedAuthority> mapAuthorities(final Collection<? extends GrantedAuthority> authorities) {
        Collection<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
        ... // mapping logic elided in the original answer
        return roles;
    }
}
package com.example.access.ldap;

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
import org.springframework.stereotype.Component;

// Injects the mapper into the provider created by the <ldap-authentication-provider> namespace element,
// which offers no attribute for it
@Component
public class AuthenticationProviderPostProcessor implements BeanPostProcessor {

    @Autowired
    private GrantedAuthoritiesMapper grantedAuthoritiesMapper;

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName)
            throws BeansException {
        return bean;
    }

    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName)
            throws BeansException {
        if (bean instanceof AbstractLdapAuthenticationProvider) {
            setProviderAuthoritiesMapper((AbstractLdapAuthenticationProvider) bean);
        }
        return bean;
    }

    protected void setProviderAuthoritiesMapper(AbstractLdapAuthenticationProvider authenticationProvider) {
        if (authenticationProvider != null) {
            authenticationProvider.setAuthoritiesMapper(grantedAuthoritiesMapper);
        }
    }
}
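The body of mapAuthorities is elided in the answer above. As an added example (mine, not the answer's code), here is one way to fill it: with the namespace defaults, the group search yields authorities named "ROLE_" followed by the upper-cased group cn (for a group "App Admins" that is "ROLE_APP ADMINS"), and this mapper translates those raw directory names into application roles through an explicit allow-list, dropping anything it does not recognise. The group names and role names are placeholders; use this class in place of UserGrantedAuthoritiesMapper so the post-processor autowires exactly one GrantedAuthoritiesMapper.

```java
package com.example.access.ldap;

import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.stereotype.Component;

/**
 * Added example: maps raw LDAP group authorities to application roles.
 * Only groups listed in the allow-list ever become a role, so creating a new group
 * in the directory does not silently grant anything in the application.
 */
@Component
public class GroupToRoleAuthoritiesMapper implements GrantedAuthoritiesMapper {

    // Key: authority as produced by the group search ("ROLE_" + upper-cased cn). Placeholder values.
    private final Map<String, String> groupToRole = new HashMap<String, String>();

    public GroupToRoleAuthoritiesMapper() {
        groupToRole.put("ROLE_APP USERS", "ROLE_USER");
        groupToRole.put("ROLE_APP ADMINS", "ROLE_ADMIN");
    }

    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        // LinkedHashSet: no duplicate roles when several groups map to the same role, stable order
        Set<GrantedAuthority> roles = new LinkedHashSet<GrantedAuthority>();
        if (authorities == null) {
            return roles;
        }
        for (GrantedAuthority authority : authorities) {
            String raw = authority.getAuthority();
            if (raw == null) {
                continue;
            }
            // Upper-casing makes the lookup tolerant of a provider configured with convertToUpperCase=false
            String role = groupToRole.get(raw.toUpperCase(Locale.ROOT));
            if (role != null) {
                roles.add(new SimpleGrantedAuthority(role));
            }
        }
        return roles;
    }
}
```

Because the provider calls this mapper on every login, the returned set is exactly what ends up in the Authentication object; a user whose directory groups are all unmapped authenticates but holds no roles, which is the safe default for a group the application was never told about.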