如何配置嵌入式Jetty以使用LdapLoginModule?
我对 Jetty Servlet 进行了以下初始化。HashLoginService 可以工作,但如果把 LdapLoginModule 接到 JAASLoginService 上,它会去读取默认的 ldap-loginModule.conf;我希望跳过该文件,改为在选项映射中传入全部参数(或者以某种方式把它指定为文件位置)。
如果不使用配置文件(jetty服务器作为动态加载的jar嵌入另一个应用程序中),我如何才能使其正常工作?听起来我们缺少一个api供您执行此操作,请在以下位置打开增强请求:
随时欢迎拉取请求。:) 我成功地为嵌入式Jetty编写了一个
LoginService
,它似乎可以查看LDAP,而不会让人讨厌“jvm参数,您必须使用它,因为它是jvm需求”(或者当他们在这里解决一个问题时,他们的意思是什么)
请注意,由于缺乏“命名”和LDAP方面的经验,我并不总是理解我在做什么,所以请随意改进这段代码
这是一个匿名类,在将其放入ConstraintSecurityHandler
之前,我正在内联创建它。组被视为角色
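LoginService loginService = new AbstractLoginService() {
    /**
     * Connection bound as the LDAP manager; used only for group (role) lookups.
     * Stays null when the manager bind fails, in which case loadRoleInfo yields no roles.
     * NOTE(review): this one context is shared by every request thread; JNDI does not
     * document InitialLdapContext as thread-safe — confirm under concurrent logins.
     */
    private final InitialLdapContext _ldap = _getLdap(
            "cn=" + CONFIG.getString("ldap.manager") + "," + CONFIG.getString("ldap.baseDn"),
            CONFIG.getString("ldap.managerPassword"));

    /** Releases the manager connection when the service is garbage-collected. */
    @Override
    protected void finalize() throws Throwable {
        try {
            if (_ldap != null) { // the manager bind may have failed
                _ldap.close();
            }
        } finally {
            super.finalize();
        }
    }

    /**
     * Opens a new LDAP context by performing a simple bind as {@code userDn}.
     *
     * @param userDn   full DN to bind as
     * @param password bind password
     * @return the bound context, or null when the inputs are empty or the bind fails;
     *         the caller owns (and must close) a non-null result
     */
    private InitialLdapContext _getLdap(String userDn, String password) {
        // RFC 4513 §5.1: a simple bind with an empty password is an anonymous/unauthenticated
        // bind, which servers commonly accept — it must never count as a successful login.
        if (userDn == null || userDn.isEmpty() || password == null || password.isEmpty()) {
            return null;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // With a plain ldap:// URL (as in the sample config) the bind password crosses the
        // network unencrypted; ldaps:// or StartTLS avoids that.
        env.put(Context.PROVIDER_URL, CONFIG.getString("ldap.server"));
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password); // dn user password
        try {
            return new InitialLdapContext(env, null);
        } catch (NamingException e) {
            // Covers AuthenticationException too: wrong password, unknown DN or an
            // unreachable server all map to "no context"; callers treat null as a failed bind.
            return null;
        }
    }

    /**
     * Escapes a value for use inside an LDAP search filter.
     * Based on https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
     *
     * @param filter raw value (never null)
     * @return value with the RFC 4515 special characters hex-escaped
     */
    private String _escapeLDAPSearchFilter(String filter) {
        StringBuilder sb = new StringBuilder(filter.length() + 8);
        for (int i = 0; i < filter.length(); i++) {
            char curChar = filter.charAt(i);
            switch (curChar) {
                case '\\':
                    sb.append("\\5c");
                    break;
                case '*':
                    sb.append("\\2a");
                    break;
                case '(':
                    sb.append("\\28");
                    break;
                case ')':
                    sb.append("\\29");
                    break;
                case '\u0000':
                    sb.append("\\00");
                    break;
                default:
                    sb.append(curChar);
            }
        }
        return sb.toString();
    }

    /**
     * Escapes an attribute value for use inside a distinguished name (RFC 4514 §2.4),
     * so that a caller-supplied username cannot add or alter RDNs in the bind DN.
     * Based on the escapeDN example at
     * https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
     *
     * @param name raw RDN value (never null)
     * @return value safe to splice into "attr=value,…"
     */
    private String _escapeLDAPDnValue(String name) {
        StringBuilder sb = new StringBuilder(name.length() + 8);
        if (!name.isEmpty() && (name.charAt(0) == ' ' || name.charAt(0) == '#')) {
            sb.append('\\'); // a leading space or '#' must be escaped
        }
        for (int i = 0; i < name.length(); i++) {
            char curChar = name.charAt(i);
            switch (curChar) {
                case '\\':
                    sb.append("\\\\");
                    break;
                case ',':
                    sb.append("\\,");
                    break;
                case '+':
                    sb.append("\\+");
                    break;
                case '"':
                    sb.append("\\\"");
                    break;
                case '<':
                    sb.append("\\<");
                    break;
                case '>':
                    sb.append("\\>");
                    break;
                case ';':
                    sb.append("\\;");
                    break;
                case '=':
                    sb.append("\\=");
                    break;
                case '\u0000':
                    sb.append("\\00");
                    break;
                default:
                    sb.append(curChar);
            }
        }
        if (name.length() > 1 && name.charAt(name.length() - 1) == ' ') {
            sb.insert(sb.length() - 1, '\\'); // a trailing space must be escaped as well
        }
        return sb.toString();
    }

    /**
     * Looks up the groups the user belongs to; group names are reported as roles.
     *
     * @param user principal returned by loadUserInfo
     * @return role names (possibly empty, never null); a search error returns the
     *         roles collected before the error, as the original best-effort did
     */
    @Override
    protected String[] loadRoleInfo(AbstractLoginService.UserPrincipal user) {
        if (_ldap == null || user == null) {
            return new String[0]; // no manager connection: grant no roles rather than NPE
        }
        String groupBaseDn = CONFIG.getString("ldap.groupBaseDn") + "," + CONFIG.getString("ldap.baseDn");
        String groupIdAttribute = CONFIG.getString("ldap.groupIdAttribute");
        String userDn;
        if (CONFIG.getBoolean("ldap.usePosixGroups", true)) {
            userDn = user.getName(); // posixGroup memberUid holds the bare uid
        } else {
            userDn = "uid=" + _escapeLDAPDnValue(user.getName()) + ","
                    + CONFIG.getString("ldap.userBaseDn") + "," + CONFIG.getString("ldap.baseDn"); // TODO: not sure in this, never tested
        }
        // groupFilter comes from trusted config; only the user-derived value is filter-escaped.
        String search = "(&" + CONFIG.getString("ldap.groupFilter")
                + "(" + CONFIG.getString("ldap.groupMemberAttribute") + "=" + _escapeLDAPSearchFilter(userDn) + "))";
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        searchControls.setTimeLimit(30000);
        searchControls.setReturningAttributes(new String[] { groupIdAttribute }); // only the attribute read below
        List<String> roles = new ArrayList<>();
        NamingEnumeration<SearchResult> enumeration = null;
        try {
            enumeration = _ldap.search(groupBaseDn, search, searchControls);
            while (enumeration.hasMore()) {
                SearchResult result = enumeration.next();
                Attributes attributes = result.getAttributes();
                Attribute attribute = attributes == null ? null : attributes.get(groupIdAttribute);
                if (attribute != null) {
                    Object value = attribute.get();
                    if (value instanceof String) { // binary attribute values are not role names
                        roles.add((String) value);
                    }
                }
            }
        } catch (NamingException e) {
            // best effort, as before: a failed lookup leaves the user with the roles found so far
        } finally {
            if (enumeration != null) {
                try {
                    enumeration.close();
                } catch (NamingException ignored) {
                    // nothing left to release
                }
            }
        }
        return roles.toArray(new String[0]);
    }

    /**
     * Builds a principal whose credential is verified by binding to LDAP as the user.
     *
     * @param username login name as typed by the client (untrusted)
     * @return the principal, or null for an empty username (treated as an unknown user)
     */
    @Override
    protected AbstractLoginService.UserPrincipal loadUserInfo(final String username) {
        if (username == null || username.isEmpty()) {
            return null;
        }
        // Escape the caller-supplied name so it can only ever be the uid RDN value.
        final String userDn = "uid=" + _escapeLDAPDnValue(username) + ","
                + CONFIG.getString("ldap.userBaseDn") + "," + CONFIG.getString("ldap.baseDn");
        final Credential credential = new Credential() {
            /** Returns true only if a simple bind as the user's DN succeeds. */
            @Override
            public boolean check(Object credentials) {
                String password;
                if (credentials instanceof String) {
                    password = (String) credentials;
                } else if (credentials instanceof char[]) {
                    password = new String((char[]) credentials);
                } else {
                    return false; // unknown credential type: fail closed instead of ClassCastException
                }
                InitialLdapContext myLdap = _getLdap(userDn, password);
                if (myLdap == null) {
                    return false;
                }
                try {
                    myLdap.close();
                } catch (NamingException e) {
                    // okay... the bind already proved the password
                }
                return true;
            }
        };
        return new UserPrincipal(username, credential);
    }
};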
LDAP 配置在 ldap://192.168.100.200 上,使用以下设置(我想是这样,这是很久以前的事了)
如果任何地方都有一个两三个方法的包装库,它可以做同样的事情,但是在不同的环境中测试,那就太好了,这样我就不必写这个了 转到Hi Marc,你最终找到了怎么做的方法吗?恐怕没有,另一个项目获得了优先权:-(我尝试了下面fedd的答案,结果成功了。用户转向jetty项目问题,在那里它成功地关闭了=(如果你能让想做你正在做的事情的人更容易做的话,我很高兴在这个问题上有一个拉请求。我想前几天我看到其他人在问关于spnego的类似问题。@Jessemconnell我希望我是一个真正的程序员,能够为所有伟大的项目提供改进。责任太大了!
java.io.IOException: ldap-loginModule.conf (No such file or directory)
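LoginService loginService = new AbstractLoginService() {
    /**
     * Connection bound as the LDAP manager; used only for group (role) lookups.
     * Stays null when the manager bind fails, in which case loadRoleInfo yields no roles.
     * NOTE(review): this one context is shared by every request thread; JNDI does not
     * document InitialLdapContext as thread-safe — confirm under concurrent logins.
     */
    private final InitialLdapContext _ldap = _getLdap(
            "cn=" + CONFIG.getString("ldap.manager") + "," + CONFIG.getString("ldap.baseDn"),
            CONFIG.getString("ldap.managerPassword"));

    /** Releases the manager connection when the service is garbage-collected. */
    @Override
    protected void finalize() throws Throwable {
        try {
            if (_ldap != null) { // the manager bind may have failed
                _ldap.close();
            }
        } finally {
            super.finalize();
        }
    }

    /**
     * Opens a new LDAP context by performing a simple bind as {@code userDn}.
     *
     * @param userDn   full DN to bind as
     * @param password bind password
     * @return the bound context, or null when the inputs are empty or the bind fails;
     *         the caller owns (and must close) a non-null result
     */
    private InitialLdapContext _getLdap(String userDn, String password) {
        // RFC 4513 §5.1: a simple bind with an empty password is an anonymous/unauthenticated
        // bind, which servers commonly accept — it must never count as a successful login.
        if (userDn == null || userDn.isEmpty() || password == null || password.isEmpty()) {
            return null;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // With a plain ldap:// URL (as in the sample config) the bind password crosses the
        // network unencrypted; ldaps:// or StartTLS avoids that.
        env.put(Context.PROVIDER_URL, CONFIG.getString("ldap.server"));
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password); // dn user password
        try {
            return new InitialLdapContext(env, null);
        } catch (NamingException e) {
            // Covers AuthenticationException too: wrong password, unknown DN or an
            // unreachable server all map to "no context"; callers treat null as a failed bind.
            return null;
        }
    }

    /**
     * Escapes a value for use inside an LDAP search filter.
     * Based on https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
     *
     * @param filter raw value (never null)
     * @return value with the RFC 4515 special characters hex-escaped
     */
    private String _escapeLDAPSearchFilter(String filter) {
        StringBuilder sb = new StringBuilder(filter.length() + 8);
        for (int i = 0; i < filter.length(); i++) {
            char curChar = filter.charAt(i);
            switch (curChar) {
                case '\\':
                    sb.append("\\5c");
                    break;
                case '*':
                    sb.append("\\2a");
                    break;
                case '(':
                    sb.append("\\28");
                    break;
                case ')':
                    sb.append("\\29");
                    break;
                case '\u0000':
                    sb.append("\\00");
                    break;
                default:
                    sb.append(curChar);
            }
        }
        return sb.toString();
    }

    /**
     * Escapes an attribute value for use inside a distinguished name (RFC 4514 §2.4),
     * so that a caller-supplied username cannot add or alter RDNs in the bind DN.
     * Based on the escapeDN example at
     * https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
     *
     * @param name raw RDN value (never null)
     * @return value safe to splice into "attr=value,…"
     */
    private String _escapeLDAPDnValue(String name) {
        StringBuilder sb = new StringBuilder(name.length() + 8);
        if (!name.isEmpty() && (name.charAt(0) == ' ' || name.charAt(0) == '#')) {
            sb.append('\\'); // a leading space or '#' must be escaped
        }
        for (int i = 0; i < name.length(); i++) {
            char curChar = name.charAt(i);
            switch (curChar) {
                case '\\':
                    sb.append("\\\\");
                    break;
                case ',':
                    sb.append("\\,");
                    break;
                case '+':
                    sb.append("\\+");
                    break;
                case '"':
                    sb.append("\\\"");
                    break;
                case '<':
                    sb.append("\\<");
                    break;
                case '>':
                    sb.append("\\>");
                    break;
                case ';':
                    sb.append("\\;");
                    break;
                case '=':
                    sb.append("\\=");
                    break;
                case '\u0000':
                    sb.append("\\00");
                    break;
                default:
                    sb.append(curChar);
            }
        }
        if (name.length() > 1 && name.charAt(name.length() - 1) == ' ') {
            sb.insert(sb.length() - 1, '\\'); // a trailing space must be escaped as well
        }
        return sb.toString();
    }

    /**
     * Looks up the groups the user belongs to; group names are reported as roles.
     *
     * @param user principal returned by loadUserInfo
     * @return role names (possibly empty, never null); a search error returns the
     *         roles collected before the error, as the original best-effort did
     */
    @Override
    protected String[] loadRoleInfo(AbstractLoginService.UserPrincipal user) {
        if (_ldap == null || user == null) {
            return new String[0]; // no manager connection: grant no roles rather than NPE
        }
        String groupBaseDn = CONFIG.getString("ldap.groupBaseDn") + "," + CONFIG.getString("ldap.baseDn");
        String groupIdAttribute = CONFIG.getString("ldap.groupIdAttribute");
        String userDn;
        if (CONFIG.getBoolean("ldap.usePosixGroups", true)) {
            userDn = user.getName(); // posixGroup memberUid holds the bare uid
        } else {
            userDn = "uid=" + _escapeLDAPDnValue(user.getName()) + ","
                    + CONFIG.getString("ldap.userBaseDn") + "," + CONFIG.getString("ldap.baseDn"); // TODO: not sure in this, never tested
        }
        // groupFilter comes from trusted config; only the user-derived value is filter-escaped.
        String search = "(&" + CONFIG.getString("ldap.groupFilter")
                + "(" + CONFIG.getString("ldap.groupMemberAttribute") + "=" + _escapeLDAPSearchFilter(userDn) + "))";
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        searchControls.setTimeLimit(30000);
        searchControls.setReturningAttributes(new String[] { groupIdAttribute }); // only the attribute read below
        List<String> roles = new ArrayList<>();
        NamingEnumeration<SearchResult> enumeration = null;
        try {
            enumeration = _ldap.search(groupBaseDn, search, searchControls);
            while (enumeration.hasMore()) {
                SearchResult result = enumeration.next();
                Attributes attributes = result.getAttributes();
                Attribute attribute = attributes == null ? null : attributes.get(groupIdAttribute);
                if (attribute != null) {
                    Object value = attribute.get();
                    if (value instanceof String) { // binary attribute values are not role names
                        roles.add((String) value);
                    }
                }
            }
        } catch (NamingException e) {
            // best effort, as before: a failed lookup leaves the user with the roles found so far
        } finally {
            if (enumeration != null) {
                try {
                    enumeration.close();
                } catch (NamingException ignored) {
                    // nothing left to release
                }
            }
        }
        return roles.toArray(new String[0]);
    }

    /**
     * Builds a principal whose credential is verified by binding to LDAP as the user.
     *
     * @param username login name as typed by the client (untrusted)
     * @return the principal, or null for an empty username (treated as an unknown user)
     */
    @Override
    protected AbstractLoginService.UserPrincipal loadUserInfo(final String username) {
        if (username == null || username.isEmpty()) {
            return null;
        }
        // Escape the caller-supplied name so it can only ever be the uid RDN value.
        final String userDn = "uid=" + _escapeLDAPDnValue(username) + ","
                + CONFIG.getString("ldap.userBaseDn") + "," + CONFIG.getString("ldap.baseDn");
        final Credential credential = new Credential() {
            /** Returns true only if a simple bind as the user's DN succeeds. */
            @Override
            public boolean check(Object credentials) {
                String password;
                if (credentials instanceof String) {
                    password = (String) credentials;
                } else if (credentials instanceof char[]) {
                    password = new String((char[]) credentials);
                } else {
                    return false; // unknown credential type: fail closed instead of ClassCastException
                }
                InitialLdapContext myLdap = _getLdap(userDn, password);
                if (myLdap == null) {
                    return false;
                }
                try {
                    myLdap.close();
                } catch (NamingException e) {
                    // okay... the bind already proved the password
                }
                return true;
            }
        };
        return new UserPrincipal(username, credential);
    }
};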
# Sample settings read through CONFIG by the embedded-Jetty LoginService above.
# ldap.server is a plain ldap:// URL and ldap.managerPassword is stored in cleartext,
# so this file must be readable only by the service account that runs Jetty.
ldap.server=ldap://192.168.100.200
ldap.manager=admin
ldap.managerPassword=ldapadmin
ldap.baseDn=dc=example,dc=com
ldap.userBaseDn=ou=People
ldap.groupBaseDn=ou=Groups
# attribute of the group entry that names its members (bare uid for posixGroup)
ldap.groupMemberAttribute=memberUid
ldap.usePosixGroups=true
ldap.userFilter=(objectClass=inetOrgPerson)
ldap.groupFilter=(objectClass=posixGroup)
# attribute of the group entry reported to Jetty as the role name
ldap.groupIdAttribute=cn
# Sample directory content the settings above were tested against.
# Users live under ou=People; posixGroup entries under ou=Groups list members by uid.
# userPassword values are cleartext test data only.
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
dn: uid=testuser01,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser01
sn: User01
givenName: Test01
cn: testuser01
displayName: Test User 01
uidNumber: 10001
gidNumber: 10001
userPassword: 12345qw
homeDirectory: /home/testuser01
dn: uid=testuser02,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser02
sn: User02
givenName: Test02
cn: testuser02
displayName: Test User 02
uidNumber: 10002
gidNumber: 10002
userPassword: 12345qw
homeDirectory: /home/testuser02
dn: uid=testuser03,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser03
sn: User03
givenName: Test03
cn: testuser03
displayName: Test User 03
uidNumber: 10003
gidNumber: 10003
userPassword: 12345qw
homeDirectory: /home/testuser03
# group cn values become Jetty roles via ldap.groupIdAttribute=cn
dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 5000
memberUid: testuser01
dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 5001
memberUid: testuser01
memberUid: testuser02
memberUid: testuser03
dn: cn=management,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: management
gidNumber: 5003
memberUid: testuser02