Handling roles when authenticated to Active Directory with Spring Security 3.1

Disclaimer: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you reuse it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/8835818/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-09-08 04:52:16  Source: igfitidea


Tags: spring, active-directory, spring-security, ldap

Asked by heldt

I'm trying to authenticate with an Active Directory using Spring Security 3.1. I get authenticated and all is well.

<sec:ldap-server id="ldapServer" url="ldap://ldap/dc=sub,dc=domain,dc=com" port="389" />

<sec:authentication-manager erase-credentials="true"  >
    <sec:authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</sec:authentication-manager>

<bean id="ldapActiveDirectoryAuthProvider" 
        class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <constructor-arg value="domain" />
    <constructor-arg value="ldap://server:389/"/> 
</bean>

Now to the question. How do I handle roles for the user so that I can set up my filters?

e.g.

<sec:intercept-url pattern="/**" access="ROLE_USER"/>

Solution

I found out how to do this by using the UserDetailsContextMapper and mapping my AD groups to ROLE_USER, ROLE_ADMIN etc.

<bean id="ldapActiveDirectoryAuthProvider" 
        class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <constructor-arg value="domain" />
    <constructor-arg value="ldap://host:389/"/>
    <property name="userDetailsContextMapper" ref="tdrUserDetailsContextMapper"/>
    <property name="useAuthenticationRequestCredentials" value="true"/>
</bean>

<bean id="tdrUserDetailsContextMapper" class="com.bla.bla.UserDetailsContextMapperImpl"/>

Mapper class:

import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

public class UserDetailsContextMapperImpl implements UserDetailsContextMapper, Serializable {
    private static final long serialVersionUID = 3962976258168853954L;

    // Called by the AD provider after the bind has succeeded; 'authority' holds one
    // entry per group CN taken from the user's memberOf attribute.
    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> authority) {

        List<GrantedAuthority> mappedAuthorities = new ArrayList<GrantedAuthority>();

        // Translate AD group names into application roles; any other group is dropped.
        for (GrantedAuthority granted : authority) {
            if (granted.getAuthority().equalsIgnoreCase("MY USER GROUP")) {
                mappedAuthorities.add(new GrantedAuthority() {
                    private static final long serialVersionUID = 4356967414267942910L;

                    @Override
                    public String getAuthority() {
                        return "ROLE_USER";
                    }
                });
            } else if (granted.getAuthority().equalsIgnoreCase("MY ADMIN GROUP")) {
                mappedAuthorities.add(new GrantedAuthority() {
                    private static final long serialVersionUID = -5167156646226168080L;

                    @Override
                    public String getAuthority() {
                        return "ROLE_ADMIN";
                    }
                });
            }
        }
        // The password is left empty: AD has already verified it and it is not kept locally.
        return new User(username, "", true, true, true, true, mappedAuthorities);
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        // Not needed: users are never written back to the directory.
    }
}

Accepted answer by Michael-O

The roles in the beans.xml must be an exact match of the CN (common name) of the memberOf value attribute. You should read a tutorial about directory basics.


Say we have this user: CN=Michael-O,OU=Users,OU=department,DC=sub,DC=company,DC=net. In his context exists this memberOf value: CN=Group Name,OU=Permissions,OU=Groups,OU=department,DC=sub,DC=company,DC=net

The bean will locate this memberOf value and extract Group Name. Your beans.xml has to have exactly this value.

Answered by Shaun the Sheep

You can also inject a GrantedAuthoritiesMapper, which was introduced in 3.1 as a general strategy for modifying the authorities. Plus you might want to use SimpleGrantedAuthority for the GrantedAuthority implementation. Alternatively, you could use an enum since you have a fixed set of values:

import java.util.Collection;
import java.util.EnumSet;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;

// A fixed set of application roles; the enum constant name doubles as the authority string.
enum MyAuthority implements GrantedAuthority {
    ROLE_ADMIN,
    ROLE_USER;

    public String getAuthority() {
        return name();
    }
}

// Injected into the provider via the 'authoritiesMapper' property; rewrites the
// AD group names it produces into MyAuthority values, dropping everything else.
class MyAuthoritiesMapper implements GrantedAuthoritiesMapper {

    public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
        Set<MyAuthority> roles = EnumSet.noneOf(MyAuthority.class);

        for (GrantedAuthority a : authorities) {
            if ("MY ADMIN GROUP".equals(a.getAuthority())) {
                roles.add(MyAuthority.ROLE_ADMIN);
            } else if ("MY USER GROUP".equals(a.getAuthority())) {
                roles.add(MyAuthority.ROLE_USER);
            }
        }

        return roles;
    }
}
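An added example, not from any answer on this page, that puts the two answers together: it extracts the group CN from a memberOf DN the way Michael-O's answer describes (here with the JDK's javax.naming.ldap.LdapName, an assumption, not the provider's own parsing code) and then maps exact CN matches to roles through a GrantedAuthoritiesMapper as in Shaun the Sheep's answer. The class name, group names and memberOf values are constructed.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;

/** Maps AD group CNs to application roles; any group not in the table is dropped. */
public class AdGroupRoleMapper implements GrantedAuthoritiesMapper {
    /** Constructed table: AD group CN (exact, case-sensitive match) -> application role. */
    private static final Map<String, String> GROUP_TO_ROLE = new HashMap<String, String>();
    static {
        GROUP_TO_ROLE.put("MY USER GROUP", "ROLE_USER");
        GROUP_TO_ROLE.put("MY ADMIN GROUP", "ROLE_ADMIN");
    }

    /** Returns the value of the leftmost RDN of a memberOf DN, i.e. the group's CN. */
    static String groupCn(String memberOfDn) throws InvalidNameException {
        LdapName dn = new LdapName(memberOfDn);
        // LdapName indexes RDNs right to left, so the leftmost RDN (the CN) is the last one.
        return dn.getRdn(dn.size() - 1).getValue().toString();
    }

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
        List<GrantedAuthority> mapped = new ArrayList<GrantedAuthority>();
        for (GrantedAuthority a : authorities) {
            String role = GROUP_TO_ROLE.get(a.getAuthority());
            if (role != null) {
                mapped.add(new SimpleGrantedAuthority(role));
            }
        }
        // A user in no mapped group gets an empty set, so intercept-url rules deny rather than grant.
        return mapped;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed memberOf values as they would appear on a user's AD entry.
        String[] memberOf = {
            "CN=MY ADMIN GROUP,OU=Permissions,OU=Groups,OU=department,DC=sub,DC=company,DC=net",
            "CN=Coffee Club,OU=Groups,OU=department,DC=sub,DC=company,DC=net" };
        List<GrantedAuthority> fromProvider = new ArrayList<GrantedAuthority>();
        for (String dn : memberOf) {
            fromProvider.add(new SimpleGrantedAuthority(groupCn(dn)));
        }
        System.out.println(new AdGroupRoleMapper().mapAuthorities(fromProvider));
    }
}
```

Wire it in with `<property name="authoritiesMapper" ref="adGroupRoleMapper"/>` on the provider bean, and keep the table keys identical to the group CNs in the directory, including case, or the role is silently never granted.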