Java: Spring 3 and NTLM authentication

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/15533226/

Time: 2020-10-31 19:57:21  Source: igfitidea

java spring spring-security ntlm

Asked by J?cob

I am using a Spring 3 web application. As Spring 3 doesn't support NTLM authentication, what other alternatives can be used along with Spring Security, so that users are authenticated to the application when they log into Active Directory?

A Kerberos solution is not an option at the moment; NTLM is the only option.

Any help is highly appreciated.

Thanks

Accepted answer by Michail Nikolaev

I have done it one time. Grab it here. It will require some small setup at the AD level. Feel free to ask questions here or on GitHub.

Answer by Michael

The simplest way to solve your problem is the following:

1) Install Apache Web Server and configure it to use NTLM authentication using modntlm

http://modntlm.sourceforge.net/ (Similarly, you can use Kerberos authentication with mod_auth_kerb: http://modauthkerb.sourceforge.net/)

2) Configure mod_jk to your Servlet container (JBoss or Tomcat): http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html After the successful authentication, Apache sends the REMOTE_USER header to the servlet container. The header (according to the name) contains the user name of the authenticated user. Ensure you configure tomcatAuthentication="false" to allow Apache to send the REMOTE_USER header.

3) Implement and configure in Spring Security your own PreAuthenticatedProcessingFilter: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6167 It should be very similar to the Request-Header Authentication filter: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6295 In addition, you should omit a domain name from the user name. The user name is sent in the REMOTE_USER header after NTLM or Kerberos authentication.
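Step 3 of the answer above, as an added example that is not code from the original answer: a filter built on Spring Security 3.1's AbstractPreAuthenticatedProcessingFilter that takes the user Apache authenticated and drops the domain part. The package, the class name RemoteUserPreAuthFilter and the helper stripDomain are hypothetical, and it assumes the name arrives as DOMAIN\user (NTLM) or user@REALM (Kerberos).

```java
package example; // hypothetical package name

import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Added example, not from the original answer. It trusts the user name that
 * the Apache front end established, so it assumes the connector to the servlet
 * container accepts connections only from that front end.
 */
public class RemoteUserPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // With mod_jk and tomcatAuthentication="false", the user Apache
        // authenticated is what getRemoteUser() returns.
        // Returning null leaves the request unauthenticated.
        return stripDomain(request.getRemoteUser());
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // The password never reaches the application; the base class expects
        // a non-null placeholder for a valid principal.
        return "N/A";
    }

    /** Hypothetical helper: "CORP\alice" or "alice@CORP.EXAMPLE" becomes "alice" (constructed samples). */
    static String stripDomain(String remoteUser) {
        if (remoteUser == null) {
            return null;
        }
        String name = remoteUser.trim();
        int backslash = name.lastIndexOf('\\');
        if (backslash >= 0) {
            name = name.substring(backslash + 1); // NTLM form: domain prefix before the backslash
        }
        int at = name.indexOf('@');
        if (at >= 0) {
            name = name.substring(0, at);          // Kerberos form: realm suffix after the @
        }
        // An empty result (for example a bare domain prefix) is treated as no user at all.
        return name.isEmpty() ? null : name;
    }
}
```

Register it in the Spring Security filter chain at the PRE_AUTH_FILTER position, with an authentication manager that uses PreAuthenticatedAuthenticationProvider.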

Answer by user2574522

Waffle is a drop-in solution that can be used with Spring Security to achieve this: https://github.com/dblock/waffle

I've used it myself with, for example, hybris. They have some examples. Beware of version 1.5, which uses jna3.5, which can cause problems at high load. Also beware that you may need to extend negotiatesecurityfilter if your application needs to do authorization (I had to do that; it may be fixed in 1.6).