使用 spring-ldap 1.3.1 禁用 Active Directory 服务器的 SSL 证书验证
[英]Disabling SSL Certificate Validation for Active Directory server using spring-ldap 1.3.1
问题描述
I'm able to authenticate to Active Directory if there is need to configure only one AD server.
如果只需要配置一台 AD 服务器,我可以对 Active Directory 进行身份验证。 The solution is given as Active Directory authentication through ssl as anonymous user by me.该解决方案是我通过 ssl 作为匿名用户提供的Active Directory 身份验证。
Now I'm stuck when there is multiple ADs running behind a Load Balancer.现在,当负载均衡器后面运行多个 AD 时,我被卡住了。
Since Load Balancer is in between, I will get the Host name only and the IP of AD will be replaced with the Host name behind the Load Balancer based on the availability.由于负载均衡器介于两者之间,我将仅获取主机名,AD 的 IP 将根据可用性替换为负载均衡器后面的主机名。 Therefore, I won't be able to know which Active Directory server will be used to process my request of authentication.因此,我将无法知道将使用哪个 Active Directory 服务器来处理我的身份验证请求。 So , I won't be able to generate the certificate in advance.所以,我将无法提前生成证书。 Also, I can't get the IPs of ADs my client is using for balancing the load(for security reasons).此外,我无法获得我的客户端用于平衡负载的 AD 的 IP(出于安全原因)。 so there is no point of generating jssecacert .所以没有必要生成jssecacert 。 All I need to do is to disable the certificate validation.我需要做的就是禁用证书验证。 I'm using LdapTemplate class(using spring-ldap 1.3.1) to authenticate the user.我正在使用LdapTemplate类(使用 spring-ldap 1.3.1)来验证用户。 My spring Config looks like this...我的弹簧配置看起来像这样......
<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<property name="contextSource" ref="contextSource" />
<property name="ignorePartialResultException" value="yes" />
</bean>
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldaps://xxx.xxx.xxx.xxx:636" />
</bean>
The authenticate method:认证方法:
public boolean login(String username, String password) {
System.setProperty("javax.net.ssl.trustStore",
.../jssecacerts");
boolean authenticate=false;
AndFilter filter = new AndFilter();
filter.and(new EqualsFilter("xyz","xyz"));
filter.and(new EqualsFilter("xyz", xyz));
authenticate = this.ldapTemplate.authenticate(base, filter.encode(), password);
return authenticate;
}
Since we don't need to have certificate System.setProperty("javax.net.ssl.trustStore", .../jssecacerts"); will not be needed.由于我们不需要证书System.setProperty("javax.net.ssl.trustStore", .../jssecacerts");将不需要。
What changes I need to make to disable the certificate validation.我需要进行哪些更改才能禁用证书验证。
I'm pretty new in LDAP stuff.我在 LDAP 方面很新。 , Kindly help with appropriate answer. , 请帮助适当的答案。
1 个解决方案
解决方案1
13 已采纳 2013-06-20 04:57:31
Well, Thanks to Darren Hauge for providing a tricky solution that will not care about ssl certificate.好吧,感谢 Darren Hauge 提供了一个不关心 ssl 证书的棘手解决方案。 Rewriting the solution here :在这里重写解决方案:
public static void trustSelfSignedSSL() {
try {
SSLContext ctx = SSLContext.getInstance("TLS");
X509TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
ctx.init(null, new TrustManager[]{tm}, null);
SSLContext.setDefault(ctx);
} catch (Exception ex) {
ex.printStackTrace();
}
}
All we need to create a utility class and put this method inside that.我们只需要创建一个实用程序类并将这个方法放在里面。 Call this method wherever you need.在任何需要的地方调用此方法。
Any comment on this solution is welcome.欢迎对此解决方案提出任何意见。
Thanks.谢谢。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.