mgi*_*rco 2 java authentication active-directory shiro
I am using Shiro together with Camel. I can authenticate users against Active Directory (LDAP), but I cannot map the user's groups in roles to user permissions. Camel needs absolute permissions in order to work.

Here is my config.ini:

```ini
[main]
authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
activeDirectoryRealm.systemUsername=cn=padl,cn=Users,dc=comune,dc=prato,dc=local
activeDirectoryRealm.systemPassword=xxxxxxxxxxxxxxxxxxxxxxx
activeDirectoryRealm.url = ldap://172.16.1.98:389
activeDirectoryRealm.groupRolesMap = "CN=menu_ufficiomobile_ania,OU=Menu,OU=Gruppi,OU=ComuneDiPrato,DC=comune,DC=prato,DC=local":"menu_ufficiomobile_ania"
securityManager.realms = $activeDirectoryRealm

[users]
test = test,menu_ufficiomobile_passicarrabili, menu_ufficiomobile_rubati,menu_ufficiomobile_ordinanze, menu_ufficiomobile_ztl, menu_ufficiomobile_cciaa, menu_ufficiomobile_ania, menu_ufficiomobile_anagrafe, menu_ufficiomobile_mctc, menu_ufficiomobile_pra

[roles]
menu_ufficiomobile_anagrafe = prato:anagrafe
menu_ufficiomobile_mctc = prato:mctc
menu_ufficiomobile_pra = prato:pra
menu_ufficiomobile_ania = prato:ania
menu_ufficiomobile_cciaa = prato:cacomm
menu_ufficiomobile_ztl = prato:ztl
menu_ufficiomobile_ordinanze = prato:ordinanze
menu_ufficiomobile_rubati = prato:rubati
menu_ufficiomobile_passicarrabili = prato:permessi
```
My security injection code:

```java
ShiroSecurityToken shiroSecurityToken = new ShiroSecurityToken(qr.getUserName(), qr.getPassword());
ShiroSecurityTokenInjector shiroSecurityTokenInjector = new ShiroSecurityTokenInjector(shiroSecurityToken, passPhrase);
arg0.getIn().setHeader("SHIRO_SECURITY_TOKEN", shiroSecurityTokenInjector.encrypt());
```
And the route code that uses the permission:

```java
from("seda:interrogaANIA").threads(1)
    .setHeader("db", constant(Database.ANIA)).policy(aniaS)
    .to("bean:interrogaANIA?method=interrogaBancaDati")
    .to("seda:prefilter");
```

Thanks, Mario
So, a Shiro realm provides 3 things:

What it does not do is provide an arbitrary role -> permission mapping. For that, you need to set a RolePermissionResolver on the Active Directory realm. Looking at IniRealm (what gets created from the [users] and [roles] sections of the ini file), there does not seem to be an easy way to use it as a RolePermissionResolver. I was able to put together an adapter class that should work reasonably well.

```java
package org.apache.shiro.samples.web;

import java.util.Collection;
import java.util.Collections;

import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleRole;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.realm.text.IniRealm;

/**
 * Adapter that answers role -> permission lookups out of the [roles] section
 * of an existing IniRealm, so another realm (here the ActiveDirectoryRealm)
 * can reuse that mapping.
 */
public class IniRealmRolePermissionResolver implements RolePermissionResolver {

    private LocalIniRealm realm;

    public Collection<Permission> resolvePermissionsInRole(final String roleString) {
        final SimpleRole role = this.realm.getRole(roleString);
        // An unknown role yields no permissions instead of a NullPointerException
        return role == null ? Collections.<Permission>emptySet() : role.getPermissions();
    }

    /** Injected from the ini via rolePermissionResolver.ini = $iniRealm */
    public void setIni(final IniRealm ini) {
        this.realm = new LocalIniRealm();
        this.realm.setIni(ini.getIni());
        this.realm.init();
    }

    /** IniRealm.getRole is protected; this nested subclass makes it reachable from the adapter. */
    private static class LocalIniRealm extends IniRealm {
        @Override
        protected SimpleRole getRole(final String rolename) {
            return super.getRole(rolename);
        }
    }
}
```
This can be used with the following addition to your ini file:

```ini
rolePermissionResolver = org.apache.shiro.samples.web.IniRealmRolePermissionResolver
rolePermissionResolver.ini = $iniRealm
activeDirectoryRealm.rolePermissionResolver = $rolePermissionResolver
```
If you do not really need the ini mapping, you can use the same concept but simplify things considerably.

```java
package org.apache.shiro.samples.web;

import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.*;

import java.util.Collection;
import java.util.Collections;

/**
 * Treats each role name as a permission string and resolves it directly
 * (by default as a WildcardPermission), so no separate role table is needed.
 */
public class SimpleRolePermissionResolver implements RolePermissionResolver, PermissionResolverAware {

    private PermissionResolver permissionResolver = new WildcardPermissionResolver();

    public void setPermissionResolver(PermissionResolver permissionResolver) {
        this.permissionResolver = permissionResolver;
    }

    public Collection<Permission> resolvePermissionsInRole(String roleString) {
        return Collections.<Permission>singleton(permissionResolver.resolvePermission(roleString));
    }
}
```
Then your ini config changes slightly as well:

```ini
rolePermissionResolver = org.apache.shiro.samples.web.SimpleRolePermissionResolver
activeDirectoryRealm.rolePermissionResolver = $rolePermissionResolver
```
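The mechanism the answer relies on, shown end to end as an added example (this is not code from the question or the answer, and it does not need a directory server): a realm that only knows users and their roles, the position the ActiveDirectoryRealm is in, gets a RolePermissionResolver so that `isPermitted("prato:ania")` succeeds for a user whose only role is `menu_ufficiomobile_ania`, while an unmapped permission is refused. A `SimpleAccountRealm` with a constructed user stands in for Active Directory, and `MapRolePermissionResolver` is a hypothetical name; shiro-core 1.x is assumed on the classpath.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class RolePermissionResolverDemo {

    /**
     * Explicit role -> permission table (hypothetical helper for this example).
     * A role with no entry resolves to no permissions, so an unexpected group
     * coming back from the directory never grants anything by accident.
     */
    static final class MapRolePermissionResolver implements RolePermissionResolver {
        private final Map<String, Set<String>> table;

        MapRolePermissionResolver(Map<String, Set<String>> table) {
            this.table = table;
        }

        @Override
        public Collection<Permission> resolvePermissionsInRole(String roleString) {
            Set<String> perms = table.get(roleString);
            if (perms == null) {
                return Collections.emptySet();
            }
            List<Permission> out = new ArrayList<Permission>();
            for (String p : perms) {
                out.add(new WildcardPermission(p));
            }
            return out;
        }
    }

    public static void main(String[] args) {
        // Constructed stand-in for the AD realm: it knows users and roles only,
        // exactly like ActiveDirectoryRealm after groupRolesMap has been applied.
        SimpleAccountRealm realm = new SimpleAccountRealm("stand-in-ad");
        realm.addRole("menu_ufficiomobile_ania");
        realm.addAccount("test", "test", "menu_ufficiomobile_ania");

        // The role -> permission mapping the question's [roles] section expresses
        // for this one role, attached as the realm's RolePermissionResolver.
        Map<String, Set<String>> table = new HashMap<String, Set<String>>();
        table.put("menu_ufficiomobile_ania", Collections.singleton("prato:ania"));
        realm.setRolePermissionResolver(new MapRolePermissionResolver(table));

        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("test", "test"));

        // Granted through the role mapping: true
        System.out.println("prato:ania -> " + subject.isPermitted("prato:ania"));
        // Role the user does not hold, so no mapping applies: false
        System.out.println("prato:pra  -> " + subject.isPermitted("prato:pra"));

        subject.logout();
    }
}
```

The explicit table is the point of the exercise: `AuthorizingRealm` feeds every role name the realm returns through the configured `RolePermissionResolver`, so whatever that resolver returns is what the subject can do. With the answer's `SimpleRolePermissionResolver`, a directory group named `prato:*` would resolve to a wildcard permission, which is why keeping the mapping explicit (as in the ini `[roles]` section or a table like this one) is the safer default.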