Java Spring security 自定义 LDAP 身份验证提供程序
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2671295/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring security custom ldap authentication provider
提问by wuntee
I currently have my ldap authentication context set up like this:
我目前的 ldap 身份验证上下文设置如下:
<ldap-server url="ldap://host/dn"
manager-dn="cn=someuser"
manager-password="somepass" />
<authentication-manager>
<ldap-authentication-provider user-search-filter="(samaccountname={0})"/>
</authentication-manager>
Now, I need to be able to set up a custom authorities mapper (it uses a different ldap server) - so I am assuming I need to set up my ldap-server similar to (http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ldap.html):
现在,我需要能够设置自定义权限映射器(它使用不同的 ldap 服务器) - 所以我假设我需要设置类似于(http://static.springsource.org/spring -security/site/docs/2.0.x/reference/ldap.html):
<bean id="ldapAuthProvider"
class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg ref="contextSource"/>
<property name="userDnPatterns">
<list><value>uid={0},ou=people</value></list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSource"/>
<constructor-arg value="ou=groups"/>
<property name="groupRoleAttribute" value="ou"/>
</bean>
</constructor-arg>
</bean>
But, how do I reference that 'ldapAuthProvider' to the ldap-server in the security context?
但是,如何在安全上下文中将该“ldapAuthProvider”引用到 ldap-server?
I am also using spring-security 3, so '' does not exist...
我也在使用 spring-security 3,所以 '' 不存在......
回答by Carlos
What I have done to make it work was simply to add this into the security context:
我所做的使其工作只是将其添加到安全上下文中:
<authentication-manager>
<authentication-provider ref='ldapAuthProvider'/>
</authentication-manager>
And then, configuring the 'ldapAuthProvider' bean like this:
然后,像这样配置“ldapAuthProvider”bean:
<bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldaps://url/dc=mock,dc=com" />
<property name="userDn" value="cn=username,ou=People,dc=mock,dc=com" />
<property name="password" value="password" />
</bean>
<bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource" />
<property name="userDnPatterns">
<list>
<value>uid={0},ou=People</value>
</list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean
class="com.mock.MyCustomAuthoritiesPopulator">
</bean>
</constructor-arg>
</bean>
With the implementation of MyCustomAuthoritiesPopulator as follows:
随着 MyCustomAuthoritiesPopulator 的实现如下:
public class MyCustomAuthoritiesPopulator implements LdapAuthoritiesPopulator {
public Collection<GrantedAuthority> getGrantedAuthorities(
DirContextOperations arg0, String arg1) {
ArrayList<GrantedAuthority> list = new ArrayList<GrantedAuthority>();
list.add((new SimpleGrantedAuthority("ROLE_USER"));
return list;
}
}
回答by Tomasz
For the record spring configuration is simpler if you use a custom LdapUserDetailsMapperas there's a dedicated parameter user-context-mapper-refexposed on <ldap-authentication-provider/>which allows you to use the short config style:
如果您使用自定义LdapUserDetailsMapper,则记录 spring 配置会更简单,因为有一个专用参数user-context-mapper-ref公开<ldap-authentication-provider/>,允许您使用短配置样式:
<authentication-manager>
<ldap-authentication-provider
user-search-filter="sAMAccountName={0}"
user-search-base="OU=Users"
group-search-filter="(&(objectclass=group)(member={0}))"
group-search-base="OU=Groups"
user-context-mapper-ref="customUserContextMapper" />
</authentication-manager>
<ldap-server url="ldap://url:389/DC=mock,DC=com"
manager-dn="manager"
manager-password="pass" />
来源:http: //forum.springsource.org/showthread.php?118845-How-to-modify-Authority-after-loading-it-from-LDAP
On a side note, going the LdapAuthoritiesPopulatorroute you can also extend DeafultLdapAuthoritiesPopulatorand override getAdditionalRoles()rather than implementing the interface directly.
附带说明一下,LdapAuthoritiesPopulator您还可以扩展DeafultLdapAuthoritiesPopulator和覆盖路由,getAdditionalRoles()而不是直接实现接口。
public class MyCustomAuthoritiesPopulator extends
DefaultLdapAuthoritiesPopulator {
@Override
protected Set<GrantedAuthority> getAdditionalRoles(
DirContextOperations user, String username) {
Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
authorities.add((new SimpleGrantedAuthority("ROLE_USER"));
return authorities;
}
回答by alexfdz
If you want to avoid ugly bean definitions (DefaultSpringSecurityContextSource, LdapAuthenticationProvider, BindAuthenticator,...+100) and use "cool" xml definitions like
如果你想避免丑陋的 bean 定义(DefaultSpringSecurityContextSource、LdapAuthenticationProvider、BindAuthenticator,...+100)并使用“酷”的 xml 定义,如
<authentication-manager>
<ldap-authentication-provider... />
</authentication-manager>
You can use a BeanPostProcessor. The following example is a costumization of the GrantedAuthoritiesMapper in the AuthenticationProvider:
您可以使用BeanPostProcessor。以下示例是 AuthenticationProvider 中 GrantedAuthoritiesMapper 的服装化:
[context.xml]
[上下文.xml]
<ldap-server id="ldapServer" url="${ldap.url}" manager-dn="${ldap.manager.dn}" manager-password="${ldap.manager.password}"/>
<authentication-manager>
<ldap-authentication-provider user-search-filter="${ldap.userSearch.filter}" user-search-base="${ldap.searchBase}"
group-search-base="${ldap.groupSearchBase}"/>
</authentication-manager>
[UserGrantedAuthoritiesMapper.java]
[UserGrantedAuthoritiesMapper.java]
package com.example.access.ldap;
import java.util.Collection;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.stereotype.Component;
@Component
public class UserGrantedAuthoritiesMapper implements GrantedAuthoritiesMapper{
public Collection<? extends GrantedAuthority> mapAuthorities(final Collection<? extends GrantedAuthority> authorities) {
...
return roles;
}
}
[AuthenticationProviderPostProcessor.java]
[AuthenticationProviderPostProcessor.java]
package com.example.access.ldap;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
import org.springframework.stereotype.Component;
@Component
public class AuthenticationProviderPostProcessor implements BeanPostProcessor{
@Autowired
private GrantedAuthoritiesMapper grantedAuthoritiesMapper;
@Override
public Object postProcessBeforeInitialization(Object bean, String beanName)
throws BeansException {
return bean;
}
@Override
public Object postProcessAfterInitialization(Object bean, String beanName)
throws BeansException {
if(bean != null && bean instanceof AbstractLdapAuthenticationProvider){
setProviderAuthoritiesMapper((AbstractLdapAuthenticationProvider)bean);
}
return bean;
}
protected void setProviderAuthoritiesMapper(AbstractLdapAuthenticationProvider authenticationProvider){
if(authenticationProvider != null){
authenticationProvider.setAuthoritiesMapper(grantedAuthoritiesMapper);
}
}
}
