Jon*_*ith 6 spring spring-security spring-ldap
在我们的新保险项目中,我正在尝试使用Ldap 活动目录实现spring-security.
一旦用户在AD中找到,我想在AD上检查用户名/密码.我想从用户表(app授权用户)授权他在数据库中具有访问级别.有人可以提供样品/指出我的资源.
现在实现这一点的最简单方法(Spring Security 3.2.5.RELEASE)是通过实现一个自定义LdapAuthoritiesPopulator来使用自定义JdbcDaoImpl从数据库中获取权限。
假设您使用的是默认数据库架构,并且您在 LDAP 中使用相同的用户名进行身份验证并作为authorities表中的外键,您只需要:
package demo;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Collection;
import java.util.List;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
/*
* You need to extend JdbcDaoImpl to expose the protected method loadUserAuthorities.
*/
public class CustomJdbcUserDetailsService extends JdbcDaoImpl {
@Override
public List<GrantedAuthority> loadUserAuthorities(String username) {
return super.loadUserAuthorities(username);
}
}
/*
* Then, the only thing your populator needs to do is use the custom UserDetailsService above.
*/
public class CustomLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
private static final Logger LOGGER = LoggerFactory.getLogger(CustomLdapAuthoritiesPopulator.class);
private CustomJdbcUserDetailsService service;
public CustomLdapAuthoritiesPopulator(CustomJdbcUserDetailsService service) {
this.service = service;
}
public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations user, String username) {
return service.loadUserAuthorities(username);
}
}
现在唯一剩下的就是配置要使用的 LDAP 身份验证提供程序CustomLdapAuthoritiesPopulator。
在或的带@Configuration注释的子类中(取决于您的情况),添加以下内容:GlobalMethodSecurityConfigurationWebSecurityConfigurerAdapter
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
/* other authentication configurations you might have */
/*
* This assumes that the dataSource configuring
* the connection to the database has been Autowired
* into this bean.
*
* Adapt according to your specific case.
*/
CustomJdbcUserDetailsService customJdbcUserDetailsService = new CustomJdbcUserDetailsService();
customJdbcUserDetailsService.setDataSource(dataSource);
CustomLdapAuthoritiesPopulator customLdapAuthoritiesPopulator = new CustomLdapAuthoritiesPopulator(customJdbcUserDetailsService);
auth.ldapAuthentication().ldapAuthoritiesPopulator(customLdapAuthoritiesPopulator)/* other LDAP configurations you might have */;
/* yet more authentication configurations you might have */
}
有关工作示例,请参阅https://github.com/pfac/howto-spring-security。
免责声明:我一直只使用 Java 配置,所以请谨慎行事,可能会有一些错误。
与使用 LDAP 进行身份验证的其他配置不同,似乎没有漂亮的 XML 标记来自定义LdapAuthoritiesPopulator. 因此,必须手动完成。假设contextSource已经定义了配置到 LDAP 服务器的连接的 bean ,请将以下内容添加到您的 Spring XML 配置中:
<beans:bean id="customJdbcUserDetailsService" class="demo.CustomJdbcUserDetailsService" />
<beans:bean id="customLdapAuthoritiesPopulator" class="demo.CustomLdapAuthoritiesPopulator">
<beans:constructor-arg ref="customJdbcUserDetailsService" />
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<!--
other configurations you might need
-->
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg ref="customLdapAuthoritiesPopulator" />
</beans:bean>
<security:authentication-manager>
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
来源:http : //spapas.github.io/2013/10/14/spring-ldap-custom-authorities/#spring-security-ldap-with-custom-authorities
您很可能必须执行自定义UserDetailsServer,因为您通过 LDAP 进行身份验证,但通过数据库查询获取角色。UserDetailsService 是一个接口。您将实现该接口,然后将自定义实现添加到 Spring Security 配置中,执行以下操作:
<beans:bean id="userDetailsService" class="com.app.MyUserDetailsServiceImpl" />
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="plaintext" />
</authentication-provider>
</authentication-manager>
在 loadUserByUsername() 中,您将创建一个UserDetails,设置用户名、密码和“权限”(即角色)。
这篇博客文章有一个关于如何使用数据库来完成此操作的示例,您应该能够适应您的要求。
| 归档时间: |
|
| 查看次数: |
7468 次 |
| 最近记录: |