
Spring 3 and NTLM authentication

I am using a Spring 3 web application. As Spring 3 doesn't support NTLM authentication, what are the other alternatives that can be used along with Spring Security, so that users are authenticated to the application when they log into Active Directory?

A Kerberos solution is not an option at the moment; NTLM is the only option.

Any help is highly appreciated.

Thanks

The simplest way to solve your problem is the following:

1) Install Apache Web Server and configure it to use NTLM authentication using modntlm

http://modntlm.sourceforge.net/ (Similarly, you can use Kerberos authentication using mod_auth_kerb: http://modauthkerb.sourceforge.net/ )

2) Configure mod_jk to your Servlet container (JBoss or Tomcat): http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html After the successful authentication Apache sends the REMOTE_USER header to the servlet container. The header (according to the name) contains the user name of the authenticated user. Ensure you configure tomcatAuthentication="false" to allow Apache to send the REMOTE_USER header.

3) Implement and configure in Spring Security your own PreAuthenticatedProcessingFilter: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6167 It should be very similar to the Request-Header Authentication filter: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6295 In addition, you should omit the domain name from the user name. The user name is sent in the REMOTE_USER header after NTLM or Kerberos authentication.
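A sketch of the filter from step 3, as an added example that is not part of the original answer. It assumes the Apache-authenticated user reaches the container through mod_jk/AJP and is read with `request.getRemoteUser()`; the class name, the `DOMAIN\user` and `user@REALM` input formats, and the `CORP` / `CORP.EXAMPLE.COM` values are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/** Hypothetical filter; register it as a custom filter at the PRE_AUTH_FILTER position. */
public class RemoteUserPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    // Assumptions (constructed values): the only NetBIOS domain and Kerberos realm accepted.
    private static final String EXPECTED_DOMAIN = "CORP";
    private static final String EXPECTED_REALM = "CORP.EXAMPLE.COM";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // With tomcatAuthentication="false" the AJP connector supplies this value from
        // Apache, not from a client HTTP header. It is only trustworthy if the AJP
        // port is reachable from Apache alone.
        return stripDomain(request.getRemoteUser());
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // Apache already checked the credentials; must be non-null
    }

    /** Returns the bare account name, or null to leave the request unauthenticated. */
    static String stripDomain(String remoteUser) {
        if (remoteUser == null) {
            return null;
        }
        String user = remoteUser.trim();
        int backslash = user.indexOf('\\');  // NTLM style: domain, backslash, account
        int at = user.lastIndexOf('@');      // Kerberos style: account@REALM
        // Dropping the domain merges same-named accounts from different domains,
        // so refuse anything that does not come from the expected one.
        if (backslash >= 0) {
            if (!user.substring(0, backslash).equalsIgnoreCase(EXPECTED_DOMAIN)) {
                return null;
            }
            user = user.substring(backslash + 1);
        } else if (at >= 0) {
            if (!user.substring(at + 1).equalsIgnoreCase(EXPECTED_REALM)) {
                return null;
            }
            user = user.substring(0, at);
        }
        return user.isEmpty() ? null : user;
    }
}
```

The filter still needs an `authenticationManager` property and a `PreAuthenticatedAuthenticationProvider` wired in the Spring Security configuration before it will authenticate anything.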

Waffle is a drop-in solution that can be used with Spring Security to achieve this: https://github.com/dblock/waffle

I've used it myself with, for example, hybris. They have some examples. Beware of version 1.5, which uses jna3.5, which can cause problems at high load. Also beware that you may need to extend negotiatesecurityfilter if your application needs to do authorization (I had to do that; may be fixed in 1.6).

I have done it one time. Grab it here. It will require some small setup at AD level. Feel free to ask questions here or on GitHub.
