Security 使用LDAP和Spring安全性时在何处以及如何定义角色
我正在使用Spring安全性并从LDAP数据库进行身份验证。身份验证工作正常,但我无法使用角色 在spring-security.xml中有以下标记:Security 使用LDAP和Spring安全性时在何处以及如何定义角色,security,authentication,spring-security,ldap,role-base-authorization,Security,Authentication,Spring Security,Ldap,Role Base Authorization,我正在使用Spring安全性并从LDAP数据库进行身份验证。身份验证工作正常,但我无法使用角色 在spring-security.xml中有以下标记: <security:intercept-url pattern="/app/main/admin" access="hasRole('ROLE_USER')"/> 我的问题是,“角色\用户”在哪里定义?如何将用户设置为属于特定角色?在LDAP数据库中是否会发生这种情况?如果是,我该怎么做?我对LDAP知之甚少。它是我定义角色的另
<security:intercept-url pattern="/app/main/admin" access="hasRole('ROLE_USER')"/>
我的问题是,“角色\用户”在哪里定义?如何将用户设置为属于特定角色?在LDAP数据库中是否会发生这种情况?如果是,我该怎么做?我对LDAP知之甚少。它是我定义角色的另一个配置文件吗
谢谢你的帮助 我知道有两种方法可以在LDAP身份验证后将角色分配给用户
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg name="authenticator">
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userSearch">
<beans:bean
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg name="searchBase"
value="ou=example,dc=springframework,dc=org" />
<beans:constructor-arg name="searchFilter"
value="(uid={0})" />
<beans:constructor-arg name="contextSource"
ref="contextSource" />
</beans:bean>
</beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg name="authoritiesPopulator"
ref="myLDAPAuthPopulator" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="ldapAuthProvider" />
</authentication-manager>
@Component("myLDAPAuthPopulator")
public class MyLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
@Autowired
private UserDao userDao;
@Override
public Collection<? extends GrantedAuthority> getGrantedAuthorities(
DirContextOperations userData, String username) {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
List<String> roleList = userDao.getRoles(username);
if (!roleList.isEmpty()) {
for (String role : roleList) {
System.out.println(role);
authorities.add(new SimpleGrantedAuthority(role));
}
}
else
{
//We know that user is authenticated. So you can add a role here and save it in the database.
}
return authorities;
}
MyLDAP AuthPopulator的实现:
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg name="authenticator">
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userSearch">
<beans:bean
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg name="searchBase"
value="ou=example,dc=springframework,dc=org" />
<beans:constructor-arg name="searchFilter"
value="(uid={0})" />
<beans:constructor-arg name="contextSource"
ref="contextSource" />
</beans:bean>
</beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg name="authoritiesPopulator"
ref="myLDAPAuthPopulator" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="ldapAuthProvider" />
</authentication-manager>
@Component("myLDAPAuthPopulator")
public class MyLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
@Autowired
private UserDao userDao;
@Override
public Collection<? extends GrantedAuthority> getGrantedAuthorities(
DirContextOperations userData, String username) {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
List<String> roleList = userDao.getRoles(username);
if (!roleList.isEmpty()) {
for (String role : roleList) {
System.out.println(role);
authorities.add(new SimpleGrantedAuthority(role));
}
}
else
{
//We know that user is authenticated. So you can add a role here and save it in the database.
}
return authorities;
}
@Component(“MyldAppAuthPopulator”)
公共类MyDapAuthoritiesPopulator实现了LdapAuthoritiesPopulator{
@自动连线
私有UserDao UserDao;
@凌驾
public CollectionAnt singh,感谢您的回答。因此,这意味着我应该将用户分配到ldap之外的角色,在应用程序数据库中?每当我们有一个新用户时,他们将在ldap以及应用程序数据库中进行设置?将尝试一下,看看情况如何。再次感谢。ldap有组,所以我们不应该在s中直接使用它们吗ome或其他方式。一个组应该暗示一个角色。对。这将在很大程度上简化授权。spring不支持此-使用ldap组(角色)进行授权。