java 如何将 AD 组映射到用户角色 Spring Security LDAP
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/27798607/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to Map AD Groups to User Role Spring Security LDAP
提问by Simon Nicholls
I have a web application built using Java Spring MVC.
我有一个使用 Java Spring MVC 构建的 Web 应用程序。
I'm just setting up spring security connecting to an LDAP server for authentication.
我只是设置连接到 LDAP 服务器进行身份验证的 spring 安全性。
I've successfully set it up so that I am able to login to my application but I can't find anything to help me in mapping an AD group to a user role within Java as I can only get a 403 forbidden page i.e. I've been authenticated but don't have permissions yet.
我已经成功设置了它,以便我能够登录到我的应用程序,但我找不到任何东西来帮助我将 AD 组映射到 Java 中的用户角色,因为我只能获得 403 禁止页面,即我已通过身份验证,但还没有权限。
I currently have:
我目前有:
<http auto-config="true">
<intercept-url pattern="/**" access="ROLE_USER" />
</http>
<ldap-server id="ldapServer" url="LDAPURL" manager-dn="USER" manager-password="PASSWORD" />
<authentication-manager >
<ldap-authentication-provider
group-search-base="OU=GROUPS"
group-search-filter="sAMAccountName={0}"
user-search-base="OU=USERS"
user-search-filter="sAMAccountName={0}"
/>
</authentication-manager>
Say that user was a part of the AD group g-group-UK-user I then want to be able to map that AD group to ROLE_USER so that user can then see the whole web app.
假设该用户是 AD 组 g-group-UK-user 的一部分,然后我希望能够将该 AD 组映射到 ROLE_USER,以便用户可以看到整个 Web 应用程序。
I can only seem to find very simple examples where the groups are either ADMIN or USER in which case the prefix ROLE is just added to the group or the other method seems to be using UserDetailContextMapper but I can't find a clear use of this.
我似乎只能找到非常简单的示例,其中组是 ADMIN 或 USER,在这种情况下,前缀 ROLE 只是添加到组中,或者其他方法似乎正在使用 UserDetailContextMapper,但我找不到明确的用法。
回答by Simon Nicholls
To do this I used the following within authentication manager:
为此,我在身份验证管理器中使用了以下内容:
user-context-mapper-ref="customUserContextMapper"
I then used the following class to check if that user belongs to a certain AD group and then assign the ROLE_USER role to their authorities:
然后我使用以下类来检查该用户是否属于某个 AD 组,然后将 ROLE_USER 角色分配给他们的权限:
@Override
public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities)
{
Attributes attributes = ctx.getAttributes();
Object[] groups = new Object[100];
groups = ctx.getObjectAttributes("memberOf");
LOGGER.debug("Attributes: {}", attributes);
Set<GrantedAuthority> authority = new HashSet<GrantedAuthority>();
for(Object group: groups)
{
if (group.toString().toLowerCase().contains("AD_GROUP_NAME".toLowerCase()) == true)
{
authority.add(new SimpleGrantedAuthority("ROLE_USER"));
break;
}
}
User userDetails = new User(username, "", false, false, false, false, authority);
return userDetails;
}
Please note that the class is a little more complicated than usual because of the LDAP server I was connecting which has a different structure than usual in that the groups a user has access to are stored in an attribute under the user and not the other way round in which a group would have as an attribute all the users that belong to it.
请注意,该类比平时稍微复杂一些,因为我连接的 LDAP 服务器具有与平常不同的结构,因为用户有权访问的组存储在用户下的属性中,而不是相反其中一个组将所有属于它的用户作为一个属性。
