[英]Spring Boot LDAP authentication over Tomcat (Pre-Authentication)
I'm creating a Spring Boot application, which should be accessible only to users in LDAP.我正在创建一个 Spring Boot 应用程序,它应该只能由 LDAP 中的用户访问。 This application should be deployed to a Tomcat server (not an embedded server).
此应用程序应部署到 Tomcat 服务器(而不是嵌入式服务器)。 The configuration for the LDAP is done in Tomcat itself:
LDAP 的配置在 Tomcat 本身中完成:
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://someldapserver:389"
userPattern="uid={0},dc=example,dc=com"
roleBase="dc=example,dc=com"
roleName="cn"
roleSearch="(uniqueMember={0})"/>
</Realm>
If I try to access the Tomcat Manager, I can authenticate with LDAP credentials, so the connection basically works.如果我尝试访问 Tomcat 管理器,我可以使用 LDAP 凭据进行身份验证,因此连接基本上可以正常工作。
This is my configuration:这是我的配置:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/test").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().permitAll()
.and()
.logout().permitAll()
.and()
.csrf().disable();
}
}
I know I could configure the LDAP connection directly in the application ( authenticationManagerBuilder.ldapAuthentication()...
), but this is not what I want.我知道我可以直接在应用程序中配置 LDAP 连接(
authenticationManagerBuilder.ldapAuthentication()...
),但这不是我想要的。
How can I tell Spring Boot to use the LDAP authentication from Tomcat for the application?如何告诉 Spring Boot 将来自 Tomcat 的 LDAP 身份验证用于应用程序?
UPDATE更新
It looks like I have to enable Pre-Authentication .看起来我必须启用Pre-Authentication 。 This can be done with
.and().jee().mappableRoles("ROLE_ADMIN")
.这可以通过
.and().jee().mappableRoles("ROLE_ADMIN")
。 This seems to work, but I still can't authenticate: No pre-authenticated principal found in request
.这似乎有效,但我仍然无法进行身份验证:
No pre-authenticated principal found in request
。
Do I have to add something to Tomcats configuration?我是否必须在 Tomcats 配置中添加一些内容?
I couldn't find any suitable solution for this, so I removed Spring Security entirely and added the constraints to a web.xml
.我找不到任何合适的解决方案,所以我完全删除了 Spring Security 并将约束添加到
web.xml
。 With the context.xml
it is possible to set the authentication method (eg if you wish to switch to tomcat-users.xml authentication, see example below).使用
context.xml
可以设置身份验证方法(例如,如果您希望切换到 tomcat-users.xml 身份验证,请参见下面的示例)。 Then the authentication over Tomcat works.然后通过 Tomcat 的身份验证工作。
web.xml:网页.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>Authentication</web-resource-name>
<url-pattern>/test/test</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>users</role-name>
</security-role>
</web-app>
context.xml:上下文.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Context>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Context>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.