2010-04-19 153 views
5

Spring Security custom LDAP authentication provider

I currently have my LDAP authentication set up like this:

<ldap-server url="ldap://host/dn"
             manager-dn="cn=someuser"
             manager-password="somepass" />
<authentication-manager>
    <ldap-authentication-provider user-search-filter="(samaccountname={0})"/>
</authentication-manager>

Now I need to be able to create a custom authorities mapper (which uses a different LDAP server) - so I assume I need to set up my LDAP server along these lines (http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ldap.html):

<bean id="ldapAuthProvider" 
     class="org.springframework.security.providers.ldap.LdapAuthenticationProvider"> 
    <constructor-arg> 
    <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator"> 
     <constructor-arg ref="contextSource"/> 
     <property name="userDnPatterns"> 
     <list><value>uid={0},ou=people</value></list> 
     </property> 
    </bean> 
    </constructor-arg> 
    <constructor-arg> 
    <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator"> 
     <constructor-arg ref="contextSource"/> 
     <constructor-arg value="ou=groups"/> 
     <property name="groupRoleAttribute" value="ou"/> 
    </bean> 
    </constructor-arg> 
</bean> 

But how do I reference 'ldapAuthProvider' from the LDAP server in the security context?

I'm also using Spring Security 3, so "" doesn't exist...

+0

I was quite confused when I saw your question title and then read the information below. For me, **authentication** is tied to username and password, whereas as far as I understand the actual problem is **authorization**. The answers below already mention a custom populator, e.g. [detailed description of a custom populator](http://stackoverflow.com/questions/34658534/spring-security-switch-to-ldap-authentication-and-database-authorities). Could you change the text to authorities populator? :) – Dr4gon 2017-02-12 12:53:19

Answers

5

What I did to make it work was simply to add this to the security context:

<authentication-manager> 
    <authentication-provider ref='ldapAuthProvider'/> 
</authentication-manager> 

and then configure the 'ldapAuthProvider' bean like this:

<bean id="contextSource" 
    class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> 
    <constructor-arg value="ldaps://url/dc=mock,dc=com" /> 
    <property name="userDn" value="cn=username,ou=People,dc=mock,dc=com" /> 
    <property name="password" value="password" /> 
</bean> 

<bean id="ldapAuthProvider" 
    class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> 
    <constructor-arg> 
     <bean 
      class="org.springframework.security.ldap.authentication.BindAuthenticator"> 
      <constructor-arg ref="contextSource" /> 
      <property name="userDnPatterns"> 
       <list> 
        <value>uid={0},ou=People</value> 
       </list> 
      </property> 
     </bean> 
    </constructor-arg> 
    <constructor-arg> 
     <bean 
      class="com.mock.MyCustomAuthoritiesPopulator"> 
     </bean> 
    </constructor-arg> 
</bean> 

with the implementation of MyCustomAuthoritiesPopulator as follows:

import java.util.ArrayList;
import java.util.Collection;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

public class MyCustomAuthoritiesPopulator implements LdapAuthoritiesPopulator {
    // Grants every authenticated user the same fixed role; the directory entry is ignored.
    public Collection<GrantedAuthority> getGrantedAuthorities(
            DirContextOperations userData, String username) {
        ArrayList<GrantedAuthority> list = new ArrayList<GrantedAuthority>();
        list.add(new SimpleGrantedAuthority("ROLE_USER"));
        return list;
    }
}
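The populator above grants a fixed role and never consults a directory, but the question asked for authorities to come from a different LDAP server than the one that checks the password. The following is an added example, not code from the original answer: an LdapAuthoritiesPopulator that resolves group membership against a second ContextSource. The filter is built with Spring LDAP's filter classes so the username is escaped rather than concatenated into the filter string. The posixGroup/memberUid schema, the cn attribute and the bean name authoritiesContextSource are assumptions; adjust them to the second directory's schema.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;

import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/**
 * Added example (not from the original answer): resolves a user's authorities from a
 * second directory, given here as a ContextSource, while the BindAuthenticator keeps
 * verifying the password against the first one.
 *
 * Assumptions: groups are posixGroup entries whose memberUid values hold the login
 * name, and the group's cn becomes the role name. Both must match the real schema.
 */
public class SecondDirectoryAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private final LdapTemplate authoritiesDirectory;
    private final String groupSearchBase;

    public SecondDirectoryAuthoritiesPopulator(ContextSource authoritiesContextSource,
                                               String groupSearchBase) {
        this.authoritiesDirectory = new LdapTemplate(authoritiesContextSource);
        this.groupSearchBase = groupSearchBase;
    }

    public Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations user,
                                                              String username) {
        // 'user' is the entry from the authentication directory; its DN means nothing
        // to the second directory, so membership is looked up by login name instead.
        AndFilter filter = new AndFilter();
        filter.and(new EqualsFilter("objectClass", "posixGroup"));
        // EqualsFilter escapes '*', '(', ')' and '\' in the value, so a crafted
        // username cannot change the structure of the filter.
        filter.and(new EqualsFilter("memberUid", username));

        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] { "cn" });

        List<?> groupNames = authoritiesDirectory.search(groupSearchBase, filter.encode(),
                controls, new AttributesMapper() {
                    public Object mapFromAttributes(Attributes attrs) throws NamingException {
                        Attribute cn = attrs.get("cn");
                        return cn == null ? null : cn.get().toString();
                    }
                });

        // Deny by default: a user who is in no group receives no authorities at all.
        Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
        for (Object name : groupNames) {
            if (name != null) {
                authorities.add(new SimpleGrantedAuthority(
                        "ROLE_" + name.toString().toUpperCase(Locale.ROOT)));
            }
        }
        return authorities;
    }
}
```

To use it with the 'ldapAuthProvider' bean above, replace the `com.mock.MyCustomAuthoritiesPopulator` bean in the second constructor-arg with this class, passing `<constructor-arg ref="authoritiesContextSource"/>` and `<constructor-arg value="ou=groups"/>`, where `authoritiesContextSource` is a second DefaultSpringSecurityContextSource pointing at the other server (a bean name assumed here, not from the answer). The manager account on that second server only needs read access to the group subtree.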
5

For the record, Spring's configuration is simpler if you use a custom LdapUserDetailsMapper, because there is a dedicated parameter user-context-mapper-ref exposed on <ldap-authentication-provider/> that lets you use the short configuration style:

<authentication-manager>
    <ldap-authentication-provider
        user-search-filter="sAMAccountName={0}"
        user-search-base="OU=Users"
        group-search-filter="(&amp;(objectclass=group)(member={0}))"
        group-search-base="OU=Groups"
        user-context-mapper-ref="customUserContextMapper" />
</authentication-manager>

<ldap-server url="ldap://url:389/DC=mock,DC=com"
             manager-dn="manager"
             manager-password="pass" />

Source: http://forum.springsource.org/showthread.php?118845-How-to-modify-Authority-after-loading-it-from-LDAP

Note that, going the LdapAuthoritiesPopulator route, you can also extend DefaultLdapAuthoritiesPopulator and override getAdditionalRoles() instead of implementing the interface directly.

import java.util.HashSet;
import java.util.Set;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

public class MyCustomAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {

    // The superclass has no default constructor; it needs the directory and the group search base.
    public MyCustomAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase) {
        super(contextSource, groupSearchBase);
    }

    @Override
    protected Set<GrantedAuthority> getAdditionalRoles(DirContextOperations user, String username) {
        Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        return authorities;
    }
}
+0

Thanks for the tip about overriding getAdditionalRoles. I was able to retrieve nested groups from AD LDAP. Spring LDAP apparently doesn't support this. [Example CustomLdapAuthoritiesPopulator](https://github.com/spring-projects/spring-security/issues/2053) – 2018-02-08 19:21:36

0

If you want to avoid the ugly bean definitions (DefaultSpringSecurityContextSource, LdapAuthenticationProvider, suspicious authenticators, ... +100) and use the "cool" XML definition like

<authentication-manager> 
    <ldap-authentication-provider... /> 
</authentication-manager> 

you can use a BeanPostProcessor. The example below is a customization of the GrantedAuthoritiesMapper on an AuthenticationProvider:

[context.xml]

<ldap-server id="ldapServer" url="${ldap.url}" manager-dn="${ldap.manager.dn}" manager-password="${ldap.manager.password}"/> 

<authentication-manager> 
    <ldap-authentication-provider user-search-filter="${ldap.userSearch.filter}" user-search-base="${ldap.searchBase}" 
     group-search-base="${ldap.groupSearchBase}"/> 
</authentication-manager> 

[UserGrantedAuthoritiesMapper.java]

package com.example.access.ldap; 

import java.util.Collection; 

import org.springframework.security.core.GrantedAuthority; 
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper; 
import org.springframework.stereotype.Component; 

@Component 
public class UserGrantedAuthoritiesMapper implements GrantedAuthoritiesMapper{ 

    public Collection<? extends GrantedAuthority> mapAuthorities(final Collection<? extends GrantedAuthority> authorities) { 
     ... 
     return roles; 
    } 
} 

[AuthenticationProviderPostProcessor.java]

package com.example.access.ldap; 

import org.springframework.beans.BeansException; 
import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.beans.factory.config.BeanPostProcessor; 
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper; 
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider; 
import org.springframework.stereotype.Component; 

@Component 
public class AuthenticationProviderPostProcessor implements BeanPostProcessor{ 

    @Autowired 
    private GrantedAuthoritiesMapper grantedAuthoritiesMapper; 

    @Override 
    public Object postProcessBeforeInitialization(Object bean, String beanName) 
     throws BeansException { 
     return bean; 
    } 

    @Override 
    public Object postProcessAfterInitialization(Object bean, String beanName) 
     throws BeansException { 
     if(bean != null && bean instanceof AbstractLdapAuthenticationProvider){ 
      setProviderAuthoritiesMapper((AbstractLdapAuthenticationProvider)bean); 
     } 
     return bean; 
    } 

    protected void setProviderAuthoritiesMapper(AbstractLdapAuthenticationProvider authenticationProvider){ 
     if(authenticationProvider != null){ 
      authenticationProvider.setAuthoritiesMapper(grantedAuthoritiesMapper); 
     } 
    } 
} 
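The `...` in `mapAuthorities` is where the actual mapping goes. As an added example that is not part of the original answer, here is one way to fill it in: the authorities the populator delivers (group names, which DefaultLdapAuthoritiesPopulator upper-cases and prefixes with `ROLE_` by default) are translated through an explicit allow-list into application roles, and anything not on the list is dropped rather than passed through, so a new or renamed directory group never becomes a privilege by accident. The group names APP-ADMINS and APP-USERS are constructed for the example.

```java
package com.example.access.ldap;

import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.stereotype.Component;

/**
 * Added example (not from the original answer): a filled-in mapper body.
 * The AuthenticationProviderPostProcessor on this page injects it into every
 * AbstractLdapAuthenticationProvider it finds.
 */
@Component
public class UserGrantedAuthoritiesMapper implements GrantedAuthoritiesMapper {

    // Allow-list: directory group (as the populator delivers it) -> application role.
    // The group names are constructed for this example.
    private static final Map<String, String> GROUP_TO_ROLE;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("ROLE_APP-ADMINS", "ROLE_ADMIN");
        m.put("ROLE_APP-USERS", "ROLE_USER");
        GROUP_TO_ROLE = Collections.unmodifiableMap(m);
    }

    public Collection<? extends GrantedAuthority> mapAuthorities(
            final Collection<? extends GrantedAuthority> authorities) {
        // A Set removes duplicates when several groups map to the same role.
        Set<GrantedAuthority> roles = new HashSet<GrantedAuthority>();
        for (GrantedAuthority authority : authorities) {
            // Normalise case so that "role_app-admins" and "ROLE_APP-ADMINS" match the same key.
            String key = authority.getAuthority().toUpperCase(Locale.ROOT);
            String role = GROUP_TO_ROLE.get(key);
            if (role != null) {
                roles.add(new SimpleGrantedAuthority(role));
            }
            // Unknown groups are intentionally not carried over.
        }
        return roles;
    }
}
```

With this in place, `hasRole('ADMIN')` in the web security configuration depends only on the allow-list above, not on whatever groups happen to exist in the directory.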