Linux上java远程active directory的身份验证
我的场景与本问题中描述的类似，只是我们的 Web 应用程序是基于 Java 的，并且运行在 CentOS Linux 上。我已经搜索和阅读了很多资料，但似乎找不到适合我的场景的有用信息，原因如下：虽然基于 Java 的应用程序有多种方案可以针对 AD 进行身份验证（Kerberos、NTLM、LDAP），但我认为它们并不适用于远程 AD 身份验证。Kerberos 被认为是微软推荐的 AD 身份验证“新”机制，然而它似乎需要 conf 文件或系统属性才能工作。我们的 Web 应用程序是 SaaS 形式的，同一套代码库要服务于多个……（原文在此截断）
欢迎提出任何意见和建议。
（回答）可以通过 LDAP 协议访问远程 AD。在我的场景中，LDAP 运行在远程服务器上；我在本机安装了 ApacheDS（原文写作 ApacheActiveDS），用来创建远程目录的一个本地实例，这样在本地就能拿到完整的配置细节。为此需要域名（base DN）和一个绑定（bind）账号的凭据；可以从该链接下载工具并创建新连接。注意：下面示例里的 ldap:// 是未加密连接，绑定账号和用户的密码都会以明文在网络上传输，生产环境应使用 ldaps:// 或 StartTLS，并且绑定账号只应授予读取所需属性的最小权限。Tomcat 的 LDAP 配置如下：
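/**
 * Opens an LDAP connection with the configured service (bind) account, stores it in the
 * {@code ldapContext} field and returns it.
 *
 * <p>The bind is an LDAP "simple" bind, i.e. the password is sent as-is. The example URL
 * uses {@code ldap://}, so unless {@code LDAP_PROVIDER_URL} is {@code ldaps://} (or the
 * context is upgraded with StartTLS) the service-account password crosses the network in
 * cleartext — use {@code ldaps://} in production.
 *
 * <p>An empty password is rejected before binding: JNDI turns a simple bind with empty
 * credentials into an anonymous bind, and Active Directory accepts such "unauthenticated"
 * binds, so the connect would silently succeed without ever checking the password.
 *
 * @return the connected context, or whatever {@code ldapContext} already held (possibly
 *         {@code null}) if the connection could not be created; failures are logged through
 *         {@code LogManager.fatal}, never thrown, so callers must null-check the result
 */
public LdapContext getLdapContext() {
    // Refuse to bind with an empty service-account password (it would become an anonymous bind).
    if (LDAP_DEFAULT_PASSWORD == null || String.valueOf(LDAP_DEFAULT_PASSWORD).isEmpty()) {
        LogManager.fatal("LDAP bind password is not configured. Please contact your administrator.",
                LDAPUserManager.class.getName());
        return ldapContext;
    }
    // Set up environment for creating initial context
    Hashtable<String, Object> env = new Hashtable<String, Object>(11);
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    // e.g., ldap://IP address of remote m/c:10389/dc=sevenseas,dc=com
    env.put(Context.PROVIDER_URL, LDAP_PROVIDER_URL + Constant.FORWARD_SLASH + LDAP_DOMAIN);
    // Simple bind as the service account, e.g. "uid=admin,ou=system" (cleartext unless ldaps://).
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, LDAP_ADMIN);
    env.put(Context.SECURITY_CREDENTIALS, LDAP_DEFAULT_PASSWORD);
    try {
        // InitialLdapContext never returns null: on failure it throws, which is handled below.
        ldapContext = new InitialLdapContext(env, null);
        LogManager.info("Organization : " + ldapContext.getNameInNamespace(), LDAPUserManager.class.getName());
    } catch (Exception e) {
        // Keep the full stack trace: the message alone rarely explains a JNDI/LDAP failure.
        StringWriter stack = new StringWriter();
        e.printStackTrace(new PrintWriter(stack));
        LogManager.fatal(stack.toString(), LDAPUserManager.class.getName());
    }
    return ldapContext;
}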
在 Tomcat conf 目录下的 server.xml 中，在 <Host> 开始标记与 </Host> 结束标记之间添加所需的 Realm（领域）配置，例如：
<!-- Tomcat JNDIRealm example. Review notes:
     * connectionURL is plain ldap:// on 389: connectionPassword and every authenticating user's
       password cross the network in cleartext. Use ldaps:// (636) or StartTLS in production.
     * connectionPassword sits in cleartext in server.xml; restrict the file's permissions and
       keep the manager account read-only on the subtrees it needs.
     * userPassword="userPassword" puts the realm in "retrieve and compare" mode: it reads the
       user's password attribute with the manager account and compares locally instead of
       binding as the user. That needs a manager allowed to read password hashes and is not
       expected to work against Active Directory, which does not expose the password attribute
       — omit userPassword so the realm authenticates with a simple bind as the user (confirm
       against the directory in use).
     * uid={0} / uniqueMember are generic LDAP names; Active Directory typically uses
       sAMAccountName or userPrincipalName for users and "member" for groups — verify against
       the schema before deploying. -->
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionName="cn=Manager,dc=mycompany,dc=com"
connectionPassword="secret"
connectionURL="ldap://localhost:389"
userPassword="userPassword"
userPattern="uid={0},ou=people,dc=mycompany,dc=com"
roleBase="ou=groups,dc=mycompany,dc=com"
roleName="cn"
roleSearch="(uniqueMember={0})"
/>
<!-- other Host children (Valves, Contexts, ...) go here -->
</Host>
这是基本配置。你也可以把 LDAP 中的特定用户或组映射为角色（参见 JNDIRealm 文档）。此外，还可以在 web.xml 的 <security-constraint> 内的 <web-resource-collection> 标记下为特定目录添加 url-pattern，只对该目录施加访问控制：
<url-pattern>/Admin/*</url-pattern> // Restrict access to Admin folder
<url-pattern>/Employee/*</url-pattern> // Restrict access to Employee folder
示例LDAP用户管理器(JBOSS):
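/**
 * Opens an LDAP connection with the configured service (bind) account, stores it in the
 * {@code ldapContext} field and returns it.
 *
 * <p>The bind is an LDAP "simple" bind, i.e. the password is sent as-is. The example URL
 * uses {@code ldap://}, so unless {@code LDAP_PROVIDER_URL} is {@code ldaps://} (or the
 * context is upgraded with StartTLS) the service-account password crosses the network in
 * cleartext — use {@code ldaps://} in production.
 *
 * <p>An empty password is rejected before binding: JNDI turns a simple bind with empty
 * credentials into an anonymous bind, and Active Directory accepts such "unauthenticated"
 * binds, so the connect would silently succeed without ever checking the password.
 *
 * @return the connected context, or whatever {@code ldapContext} already held (possibly
 *         {@code null}) if the connection could not be created; failures are logged through
 *         {@code LogManager.fatal}, never thrown, so callers must null-check the result
 */
public LdapContext getLdapContext() {
    // Refuse to bind with an empty service-account password (it would become an anonymous bind).
    if (LDAP_DEFAULT_PASSWORD == null || String.valueOf(LDAP_DEFAULT_PASSWORD).isEmpty()) {
        LogManager.fatal("LDAP bind password is not configured. Please contact your administrator.",
                LDAPUserManager.class.getName());
        return ldapContext;
    }
    // Set up environment for creating initial context
    Hashtable<String, Object> env = new Hashtable<String, Object>(11);
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    // e.g., ldap://IP address of remote m/c:10389/dc=sevenseas,dc=com
    env.put(Context.PROVIDER_URL, LDAP_PROVIDER_URL + Constant.FORWARD_SLASH + LDAP_DOMAIN);
    // Simple bind as the service account, e.g. "uid=admin,ou=system" (cleartext unless ldaps://).
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, LDAP_ADMIN);
    env.put(Context.SECURITY_CREDENTIALS, LDAP_DEFAULT_PASSWORD);
    try {
        // InitialLdapContext never returns null: on failure it throws, which is handled below.
        ldapContext = new InitialLdapContext(env, null);
        LogManager.info("Organization : " + ldapContext.getNameInNamespace(), LDAPUserManager.class.getName());
    } catch (Exception e) {
        // Keep the full stack trace: the message alone rarely explains a JNDI/LDAP failure.
        StringWriter stack = new StringWriter();
        e.printStackTrace(new PrintWriter(stack));
        LogManager.fatal(stack.toString(), LDAPUserManager.class.getName());
    }
    return ldapContext;
}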
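/**
 * Opens an LDAP connection with the configured service (bind) account, stores it in the
 * {@code ldapContext} field and returns it. (This copy of the method was machine-translated
 * into invalid Java on the page; it is restored here as the same method as above.)
 *
 * <p>The bind is an LDAP "simple" bind, i.e. the password is sent as-is. The example URL
 * uses {@code ldap://}, so unless {@code LDAP_PROVIDER_URL} is {@code ldaps://} (or the
 * context is upgraded with StartTLS) the service-account password crosses the network in
 * cleartext — use {@code ldaps://} in production.
 *
 * <p>An empty password is rejected before binding: JNDI turns a simple bind with empty
 * credentials into an anonymous bind, and Active Directory accepts such "unauthenticated"
 * binds, so the connect would silently succeed without ever checking the password.
 *
 * @return the connected context, or whatever {@code ldapContext} already held (possibly
 *         {@code null}) if the connection could not be created; failures are logged through
 *         {@code LogManager.fatal}, never thrown, so callers must null-check the result
 */
public LdapContext getLdapContext() {
    // Refuse to bind with an empty service-account password (it would become an anonymous bind).
    if (LDAP_DEFAULT_PASSWORD == null || String.valueOf(LDAP_DEFAULT_PASSWORD).isEmpty()) {
        LogManager.fatal("LDAP bind password is not configured. Please contact your administrator.",
                LDAPUserManager.class.getName());
        return ldapContext;
    }
    // Set up environment for creating initial context
    Hashtable<String, Object> env = new Hashtable<String, Object>(11);
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    // e.g., ldap://IP address of remote m/c:10389/dc=sevenseas,dc=com
    env.put(Context.PROVIDER_URL, LDAP_PROVIDER_URL + Constant.FORWARD_SLASH + LDAP_DOMAIN);
    // Simple bind as the service account, e.g. "uid=admin,ou=system" (cleartext unless ldaps://).
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, LDAP_ADMIN);
    env.put(Context.SECURITY_CREDENTIALS, LDAP_DEFAULT_PASSWORD);
    try {
        // InitialLdapContext never returns null: on failure it throws, which is handled below.
        ldapContext = new InitialLdapContext(env, null);
        LogManager.info("Organization : " + ldapContext.getNameInNamespace(), LDAPUserManager.class.getName());
    } catch (Exception e) {
        // Keep the full stack trace: the message alone rarely explains a JNDI/LDAP failure.
        StringWriter stack = new StringWriter();
        e.printStackTrace(new PrintWriter(stack));
        LogManager.fatal(stack.toString(), LDAPUserManager.class.getName());
    }
    return ldapContext;
}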
上面的方法使用这些环境参数构造 InitialLdapContext 来连接 LDAP 服务器。
现在，要从 AD 获取用户数据，可以使用下面的代码。注意：emailId 来自调用方，必须作为过滤器参数（"(mail={0})" 加 filterArgs）传入，让 JNDI 按 RFC 4515 转义，而不能直接拼接到过滤字符串里，否则会造成 LDAP 注入；同时不要在返回属性里请求 userPassword。
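// Look up the user by e-mail address and copy givenName/sn into userDTO.
// Security: emailId is caller-supplied, so it is passed as a filter ARGUMENT ("{0}") rather than
// concatenated into the filter string; JNDI escapes filter arguments per RFC 4515, which blocks
// LDAP injection (e.g. "*" or "x)(objectClass=*" widening the match to other accounts).
try {
    if (emailId == null || emailId.toString().trim().isEmpty()) {
        LogManager.fatal("Invalid User.", LDAPUserManager.class.getName());
        return userDTO;
    }
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // Only the profile attributes this code reads; userPassword is deliberately not requested
    // (nothing here needs it, and asking for password attributes is never appropriate for a lookup).
    String[] attrIDs = { "cn", "sn", "givenName", "uid", "mail" };
    constraints.setReturningAttributes(attrIDs);
    // NOTE(review): a subtree search from the domain root against AD may throw PartialResultException
    // on referrals — set Context.REFERRAL to "follow" or use a narrower LDAP_GROUP base; confirm.
    NamingEnumeration<SearchResult> answer = ldapContext.search(LDAP_GROUP, "(mail={0})", new Object[] { emailId }, constraints);
    try {
        if (answer.hasMore()) {
            LogManager.info("User with email id '" + emailId + "' found.", LDAPUserManager.class.getName());
            Attributes attrs = answer.next().getAttributes();
            userDTO = new UserDTO();
            // Store user details temporarily; a missing attribute or value maps to "".
            Attribute firstNameAttr = attrs.get("givenName");
            Object firstNameValue = firstNameAttr == null ? null : firstNameAttr.get();
            userDTO.setFirstName(firstNameValue == null ? "" : firstNameValue.toString());
            Attribute lastNameAttr = attrs.get("sn");
            Object lastNameValue = lastNameAttr == null ? null : lastNameAttr.get();
            userDTO.setLastName(lastNameValue == null ? "" : lastNameValue.toString());
            return userDTO;
        } else {
            LogManager.fatal("Invalid User.", LDAPUserManager.class.getName());
            return userDTO;
        }
    } finally {
        // Release the server-side search result set.
        answer.close();
    }
} catch (Exception e) {
    StringWriter stack = new StringWriter();
    e.printStackTrace(new PrintWriter(stack));
    LogManager.fatal(stack.toString(), LDAPUserManager.class.getName());
}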
试试看{
SearchControls约束=新的SearchControls();
约束.setSearchScope(SearchControls.SUBTREE_范围);
字符串[]attrIDs={“cn”、“sn”、“givenName”、“uid”、“mail”、“userPassword”};
约束。设置ReturningAttribute(属性ID);
//按emailId在LDAP服务器中搜索用户
NamingEnumeration answer=ldapContext.search(LDAP_组,“mail=“+emailId,约束);
if(answer.hasMore()){
LogManager.info(“具有电子邮件id的用户”“+emailId+“'found.”,LDAPUserManager.class.getName());
Attributes attrs=answer.next().getAttributes();
userDTO=新的userDTO();
//暂时存储用户详细信息
属性firstNameAttr=attrs.get(“givenName”);
字符串firstName=“”;
if(firstNameAttr==null){
userDTO.setFirstName(firstName);
}否则{
firstName=firstNameAttr.get().toString();
if(firstName==null){
userDTO.setFirstName(“”);
}
userDTO.setFirstName(firstName);
}
属性lastNameAttr=attrs.get(“sn”);
字符串lastName=“”;
如果(lastNameAttr==null){
userDTO.setLastName(lastName);
}否则{
lastName=lastNameAttr.get().toString();
如果(lastName==n
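/**
 * Opens an LDAP connection with the configured service (bind) account, stores it in the
 * {@code ldapContext} field and returns it.
 *
 * <p>The bind is an LDAP "simple" bind, i.e. the password is sent as-is. The example URL
 * uses {@code ldap://}, so unless {@code LDAP_PROVIDER_URL} is {@code ldaps://} (or the
 * context is upgraded with StartTLS) the service-account password crosses the network in
 * cleartext — use {@code ldaps://} in production.
 *
 * <p>An empty password is rejected before binding: JNDI turns a simple bind with empty
 * credentials into an anonymous bind, and Active Directory accepts such "unauthenticated"
 * binds, so the connect would silently succeed without ever checking the password.
 *
 * @return the connected context, or whatever {@code ldapContext} already held (possibly
 *         {@code null}) if the connection could not be created; failures are logged through
 *         {@code LogManager.fatal}, never thrown, so callers must null-check the result
 */
public LdapContext getLdapContext() {
    // Refuse to bind with an empty service-account password (it would become an anonymous bind).
    if (LDAP_DEFAULT_PASSWORD == null || String.valueOf(LDAP_DEFAULT_PASSWORD).isEmpty()) {
        LogManager.fatal("LDAP bind password is not configured. Please contact your administrator.",
                LDAPUserManager.class.getName());
        return ldapContext;
    }
    // Set up environment for creating initial context
    Hashtable<String, Object> env = new Hashtable<String, Object>(11);
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    // e.g., ldap://IP address of remote m/c:10389/dc=sevenseas,dc=com
    env.put(Context.PROVIDER_URL, LDAP_PROVIDER_URL + Constant.FORWARD_SLASH + LDAP_DOMAIN);
    // Simple bind as the service account, e.g. "uid=admin,ou=system" (cleartext unless ldaps://).
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, LDAP_ADMIN);
    env.put(Context.SECURITY_CREDENTIALS, LDAP_DEFAULT_PASSWORD);
    try {
        // InitialLdapContext never returns null: on failure it throws, which is handled below.
        ldapContext = new InitialLdapContext(env, null);
        LogManager.info("Organization : " + ldapContext.getNameInNamespace(), LDAPUserManager.class.getName());
    } catch (Exception e) {
        // Keep the full stack trace: the message alone rarely explains a JNDI/LDAP failure.
        StringWriter stack = new StringWriter();
        e.printStackTrace(new PrintWriter(stack));
        LogManager.fatal(stack.toString(), LDAPUserManager.class.getName());
    }
    return ldapContext;
}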
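// Look up the user by e-mail address and copy givenName/sn into userDTO.
// Security: emailId is caller-supplied, so it is passed as a filter ARGUMENT ("{0}") rather than
// concatenated into the filter string; JNDI escapes filter arguments per RFC 4515, which blocks
// LDAP injection (e.g. "*" or "x)(objectClass=*" widening the match to other accounts).
try {
    if (emailId == null || emailId.toString().trim().isEmpty()) {
        LogManager.fatal("Invalid User.", LDAPUserManager.class.getName());
        return userDTO;
    }
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // Only the profile attributes this code reads; userPassword is deliberately not requested
    // (nothing here needs it, and asking for password attributes is never appropriate for a lookup).
    String[] attrIDs = { "cn", "sn", "givenName", "uid", "mail" };
    constraints.setReturningAttributes(attrIDs);
    // NOTE(review): a subtree search from the domain root against AD may throw PartialResultException
    // on referrals — set Context.REFERRAL to "follow" or use a narrower LDAP_GROUP base; confirm.
    NamingEnumeration<SearchResult> answer = ldapContext.search(LDAP_GROUP, "(mail={0})", new Object[] { emailId }, constraints);
    try {
        if (answer.hasMore()) {
            LogManager.info("User with email id '" + emailId + "' found.", LDAPUserManager.class.getName());
            Attributes attrs = answer.next().getAttributes();
            userDTO = new UserDTO();
            // Store user details temporarily; a missing attribute or value maps to "".
            Attribute firstNameAttr = attrs.get("givenName");
            Object firstNameValue = firstNameAttr == null ? null : firstNameAttr.get();
            userDTO.setFirstName(firstNameValue == null ? "" : firstNameValue.toString());
            Attribute lastNameAttr = attrs.get("sn");
            Object lastNameValue = lastNameAttr == null ? null : lastNameAttr.get();
            userDTO.setLastName(lastNameValue == null ? "" : lastNameValue.toString());
            return userDTO;
        } else {
            LogManager.fatal("Invalid User.", LDAPUserManager.class.getName());
            return userDTO;
        }
    } finally {
        // Release the server-side search result set.
        answer.close();
    }
} catch (Exception e) {
    StringWriter stack = new StringWriter();
    e.printStackTrace(new PrintWriter(stack));
    LogManager.fatal(stack.toString(), LDAPUserManager.class.getName());
}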