使用Spring安全性和JBoss 7.2进行身份验证
我正在寻找一种在运行于JBoss7.2上的SpringSecurityWeb应用程序中根据Active Directory对我的用户进行身份验证的方法 接下来,我总是得到“匿名用户”,但希望看到我自己的用户名。当主身份验证策略不起作用时,Spring Security似乎使用匿名身份验证 以下是我的设置:使用Spring安全性和JBoss 7.2进行身份验证,spring,spring-mvc,jboss,spring-security,Spring,Spring Mvc,Jboss,Spring Security,我正在寻找一种在运行于JBoss7.2上的SpringSecurityWeb应用程序中根据Active Directory对我的用户进行身份验证的方法 接下来,我总是得到“匿名用户”,但希望看到我自己的用户名。当主身份验证策略不起作用时,Spring Security似乎使用匿名身份验证 以下是我的设置: 春季4.0.6 Spring Security 3.2.4 SecurityConfig.java @Configuration @EnableWebMvcSecurity public
- 春季4.0.6
- Spring Security 3.2.4
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void registerGlobalAuthentication(AuthenticationManagerBuilder auth) throws Exception {
DefaultSpringSecurityContextSource context = new DefaultSpringSecurityContextSource("ldap://my_ldap_server:389");
context.setUserDn("MY_SERVICE_ACCOUNT_DISTINGUISHED_NAME");
context.setPassword("MY_SERVICE_ACCOUNT_PASSWORD");
context.afterPropertiesSet();
auth
.ldapAuthentication()
.contextSource(context)
.userDnPatterns("(sAMAccountName={0})")
.rolePrefix("");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
/*
http
.authorizeRequests()
.anyRequest().authenticated();
*/
}
}
@Controller
public class LoginController {
@RequestMapping(value = "/login", method = RequestMethod.GET)
public String login() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String strRemoteUser = auth.getName();
System.out.println("[SPRING4BASE] Welcome " + strRemoteUser);
return "welcome";
}
}
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void registerGlobalAuthentication(AuthenticationManagerBuilder auth) throws Exception {
DefaultSpringSecurityContextSource context = new DefaultSpringSecurityContextSource("ldap://my_ldap_server:389");
context.setUserDn("MY_SERVICE_ACCOUNT_DISTINGUISHED_NAME");
context.setPassword("MY_SERVICE_ACCOUNT_PASSWORD");
context.afterPropertiesSet();
auth
.ldapAuthentication()
.contextSource(context)
.userDnPatterns("(sAMAccountName={0})")
.rolePrefix("");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
/*
http
.authorizeRequests()
.anyRequest().authenticated();
*/
}
}
@Controller
public class LoginController {
@RequestMapping(value = "/login", method = RequestMethod.GET)
public String login() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String strRemoteUser = auth.getName();
System.out.println("[SPRING4BASE] Welcome " + strRemoteUser);
return "welcome";
}
}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">
<jboss-web>
<security-domain>java:/jaas/other</security-domain>
</jboss-web>
java:/jaas/other
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.provider.url" value="ldap://my_ldap_server:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="java.naming.referral" value="follow"/>
<module-option name="bindDN" value="MY_SERVICE_ACCOUNT_DISTINGUISHED_NAME"/>
<module-option name="bindCredential" value="MY_SERVICE_ACCOUNT_PASSWORD"/>
<module-option name="baseCtxDN" value="MY_BASE_LDAP_CONTEXT"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="MY_BASE_LDAP_CONTEXT"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="CN"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
<module-option name="allowEmptyPasswords" value="false"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
非常感谢您的帮助。最终用户是在windows或unix上登录到您的企业网络的吗?@6ton:在windows上。我知道在过去(JBoss4.2.3),我们使用JCIFS将当前用户信息注入请求对象。但是现在,我们的组织倾向于Kerberos(PicketLink),所以这可能是我的问题。在我的情况下可能需要Kerberos配置。我还没有真正研究过这一点,但这似乎是相关的: