我正在尝试使用Spring Security 3.1对Active Directory进行身份验证.我得到了认证,一切都很好.
<sec:ldap-server id="ldapServer" url="ldap://ldap/dc=sub,dc=domain,dc=com" port="389" />
<sec:authentication-manager erase-credentials="true" >
<sec:authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</sec:authentication-manager>
<bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="domain" />
<constructor-arg value="ldap://server:389/"/>
</bean>
现在回答这个问题.如何处理用户角色以便我可以设置过滤器?
例如.
<sec:intercept-url pattern="/**" access="ROLE_USER"/>
我通过使用UserDetailContextMapper并将我的AD组映射到ROLE_USER,ROLE_ADMIN等,找到了如何执行此操作的方法.
<bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="domain" />
<constructor-arg value="ldap://host:389/"/>
<property name="userDetailsContextMapper" ref="tdrUserDetailsContextMapper"/>
<property name="useAuthenticationRequestCredentials" value="true"/>
</bean>
<bean id="tdrUserDetailsContextMapper" class="com.bla.bla.UserDetailsContextMapperImpl"/>
Mapper类:
public class UserDetailsContextMapperImpl implements UserDetailsContextMapper, Serializable{
private static final long serialVersionUID = 3962976258168853954L;
@Override
public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authority) {
List<GrantedAuthority> mappedAuthorities = new …我的问题是带有弹簧安全性的自定义注释的副本,但它没有得到答复,我相信应该有一个简单的问题解决方案.
基本上不是做:
@PreAuthorize("hasPermission(T(fully.qualified.Someclass).WHATEVER, T(fully.qualified.Permission).READ")
我想要做:
@PreAuthorize(Someclass.WHATEVER, Permission.READ)
或者可能是一些自定义注释,可以很容易地与弹簧安全连接
这对我来说似乎更清洁,如果可以,我希望能够做到这一点.
java spring authorization spring-security spring-annotations