
我想讓我的 Web 應用程式針對我們內部 Active Directory 中的使用者進行驗證。我的 applicationContext 安全設定如下。（問題標題：對 Spring Security 與 Active Directory 使用 bind 驗證是不可能的嗎？）

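<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!--
      HTTP security configuration.
      NOTE: auto-config="true" is shorthand for form-login, http-basic and logout, so HTTP
      Basic is enabled as well as the form login declared below; drop it if only the form
      login is wanted.
    -->
    <http auto-config="true" use-expressions="true">
        <form-login login-processing-url="/static/j_spring_security_check"
            login-page="/login" authentication-failure-url="/login?login_error=t" />
        <logout logout-url="/static/j_spring_security_logout" />

        <!-- Examples of role-based rules; enable and adjust as needed -->
        <!--
          <intercept-url pattern="/choice/**" access="hasRole('ROLE_ADMIN')"/>
          <intercept-url pattern="/member/**" access="isAuthenticated()" />
        -->
        <!--
          Public paths. Rules are matched in order (first match wins), so the /** catch-all
          that requires an authenticated session must stay last.
        -->
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/static/**" access="permitAll" />
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
    </http>

    <!-- Authentication: in-memory users first, then Active Directory -->
    <authentication-manager alias="authenticationManager">
        <!--
          In-memory users. SHA-256 values can be produced with
          'echo -n your_desired_password | sha256sum' (on a normal *nix environment).
          SECURITY: the two hashes below are the Spring Roo scaffold defaults, i.e. the
          unsalted SHA-256 of "admin" and of "user" (each password equals its username).
          Replace or remove these accounts before deployment. <password-encoder hash="sha-256"/>
          with no <salt-source> is unsalted and gives little resistance to offline cracking.
        -->
        <authentication-provider>
            <password-encoder hash="sha-256" />
            <user-service>
                <user name="admin"
                    password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
                    authorities="ROLE_ADMIN" />
                <user name="user"
                    password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb"
                    authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>

        <!--
          This is the line the question is about and it does NOT work: "{0}@company.domain"
          is a UPN, not a distinguished name, and user-dn-pattern is parsed as a DN, so
          Spring Security rejects it. The accepted answer below binds via a user search
          (BindAuthenticator + FilterBasedLdapUserSearch) instead.
        -->
        <ldap-authentication-provider user-dn-pattern="{0}@company.domain"/>
        <!--
          Alternative: search for the user instead of building a DN. Active Directory does
          not normally allow anonymous searches, so this needs a read-only service account,
          i.e. manager-dn / manager-password on <ldap-server> below.
          <ldap-authentication-provider user-search-filter="(sAMAccountName={0})" user-search-base="OU=UNIT,OU=CE,OU=company,OU=Accounts"/>
        -->
    </authentication-manager>

    <!--
      LDAP server.
      SECURITY: ldap:// on port 389 is plaintext; a bind authenticator sends every user's
      password over this connection in the clear. Use ldaps://host:636 (or StartTLS) with a
      CA certificate the application trusts for the domain controller.
    -->
    <ldap-server url="ldap://10.9.1.1:389/DC=company,DC=domain"/>

</beans:beans>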

我的問題是：使用 bind（綁定）驗證時，我不知道要如何建立正確的 DN。

上面的值（`{0}@company.domain`，即 UPN 格式）在 Windows 上可以用來登入（這是 AD 的一個特殊「功能」），但 spring-security 不會接受它，因為它不符合 DN 的正確語法。


沒有什麼是不可能的，但你可能需要自己寫一個 UserDetailsService。 – Gandalf 2010-03-17 13:34:58


好的，這正是我想避免的。我想知道為什麼沒有一個現成的類別來做 AD 登入，我猜 AD 並不少見 ;-) – er4z0r 2010-03-17 15:52:06

回答


好的，我最後沒有自己寫 UserDetailsService。我改用一個低權限（唯讀）的服務帳號來執行 LDAP 搜尋，先找出符合登入名稱的使用者，再以該使用者自己輸入的憑證對找到的 DN 做 bind 來完成驗證。

這有點醜，因為我仍然得在 Active Directory 裡替我的應用程式建立一個帳號。但到目前為止它能運作。我也弄不清楚怎麼用新的 spring-security 命名空間來設定 ldapAuthenticationProvider，所以我改用「舊式」設定，把需要的 bean 一個個手動接起來。

這是我的例子。

它使用兩個驗證提供者：一個是把使用者名稱與密碼雜湊直接放在設定檔裡的簡單提供者，另一個是 ldapAuthenticationProvider。

希望它能幫助:

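<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!--
      HTTP security configuration.
      NOTE: auto-config="true" is shorthand for form-login, http-basic and logout, so HTTP
      Basic is enabled as well as the form login below; drop it if only the form login is wanted.
    -->
    <http auto-config="true" use-expressions="true">
        <form-login login-processing-url="/static/j_spring_security_check"
            login-page="/login" authentication-failure-url="/login?login_error=t" />
        <logout logout-url="/static/j_spring_security_logout" />

        <!-- Examples of role-based rules; enable and adjust as needed -->
        <!--
          <intercept-url pattern="/choice/**" access="hasRole('ROLE_ADMIN')"/>
          <intercept-url pattern="/member/**" access="isAuthenticated()" />
        -->
        <!--
          Public paths. Rules are matched in order (first match wins), so the /** catch-all
          that requires an authenticated session must stay last.
        -->
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/static/**" access="permitAll" />
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
    </http>

    <!--
      Secrets are read from ldap.properties (expected key: ldap.bind.password) instead of
      being committed in this file. Keep that file out of source control and readable only
      by the account the application runs as.
    -->
    <beans:bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <beans:property name="location" value="classpath:ldap.properties" />
    </beans:bean>

    <!--
      Two providers are consulted in order: the in-memory users first, then Active Directory.
    -->
    <authentication-manager alias="authenticationManager">
        <!--
          In-memory users. SHA-256 values can be produced with
          'echo -n your_desired_password | sha256sum' (on a normal *nix environment).
          SECURITY: the two hashes are the Spring Roo scaffold defaults, i.e. the unsalted
          SHA-256 of "admin" and of "user" (each password equals its username); replace or
          remove these accounts before deployment. <password-encoder hash="sha-256"/> with no
          <salt-source> is unsalted and gives little resistance to offline cracking.
          (The admin hash in the original listing had been mangled by a search/replace and
          was not a valid hex digest; it is restored here.)
        -->
        <authentication-provider>
            <password-encoder hash="sha-256" />
            <user-service>
                <user name="admin"
                    password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
                    authorities="ROLE_ADMIN" />
                <user name="user"
                    password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb"
                    authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>

        <!-- Active Directory bind authentication, wired explicitly below -->
        <authentication-provider ref="ldapAuthProvider" />
    </authentication-manager>

    <!--
      Connection to the domain controller. userDn/password are a low-privilege, read-only
      service account that is used only to look up the DN of the user who is logging in;
      the user's own credentials are then used for a separate bind (see BindAuthenticator).
      The DC=... suffix in the URL is the base DN that the searches below are relative to.
      SECURITY: ldap:// on port 389 is plaintext, so both the service-account password and
      every user's password cross the network in the clear. Use ldaps://host:636 (or StartTLS)
      with a CA certificate the application trusts for the domain controller.
      NOTE: the namespace form <ldap-server url=".." manager-dn=".." manager-password=".."/>
      plus <ldap-authentication-provider user-search-filter=".."/> should be equivalent to
      this hand-wired setup.
    -->
    <beans:bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://10.9.1.1:389/DC=mydomain,DC=com" />
        <beans:property name="userDn"
            value="CN=ReadOnly,OU=Services,DC=mydomain,DC=com" />
        <beans:property name="password" value="${ldap.bind.password}" />
    </beans:bean>

    <beans:bean id="ldapAuthProvider"
        class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <!--
          First constructor argument: the authenticator. It searches for the user by
          sAMAccountName (search base "" = the base DN from the context-source URL), then
          binds as the DN it found with the password the user typed. {0} is passed to the
          LDAP layer as a filter argument rather than spliced into the filter string, which
          is what keeps user input from altering the filter; do not rewrite this as string
          concatenation.
        -->
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource" />
                <beans:property name="userSearch">
                    <beans:bean id="userSearch"
                        class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
                        <beans:constructor-arg index="0" value="" />
                        <beans:constructor-arg index="1"
                            value="(&amp;(sAMAccountName={0})(objectclass=user))" />
                        <beans:constructor-arg index="2" ref="contextSource" />
                    </beans:bean>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <!--
          Second constructor argument: role lookup. Searches "ou=groups" (relative to the
          URL's base DN) and turns the matching group's "ou" attribute into a role.
          NOTE(review): AD groups normally carry a cn rather than an ou attribute and are
          not necessarily under ou=groups; confirm both values against the real group layout,
          otherwise users authenticate but receive no roles.
        -->
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource" />
                <beans:constructor-arg value="ou=groups" />
                <beans:property name="groupRoleAttribute" value="ou" />
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>

</beans:beans>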