Tomcat 上的 Spring Boot LDAP 身份验证(预身份验证)
[英]Spring Boot LDAP authentication over Tomcat (Pre-Authentication)
问题描述
I'm creating a Spring Boot application, which should be accessible only to users in LDAP.
我正在创建一个 Spring Boot 应用程序,它应该只能由 LDAP 中的用户访问。 This application should be deployed to a Tomcat server (not an embedded server).此应用程序应部署到 Tomcat 服务器(而不是嵌入式服务器)。 The configuration for the LDAP is done in Tomcat itself: LDAP 的配置在 Tomcat 本身中完成:
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://someldapserver:389"
userPattern="uid={0},dc=example,dc=com"
roleBase="dc=example,dc=com"
roleName="cn"
roleSearch="(uniqueMember={0})"/>
</Realm>
If I try to access the Tomcat Manager, I can authenticate with LDAP credentials, so the connection basically works.如果我尝试访问 Tomcat 管理器,我可以使用 LDAP 凭据进行身份验证,因此连接基本上可以正常工作。
This is my configuration:这是我的配置:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/test").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().permitAll()
.and()
.logout().permitAll()
.and()
.csrf().disable();
}
}
I know I could configure the LDAP connection directly in the application ( authenticationManagerBuilder.ldapAuthentication()... ), but this is not what I want.我知道我可以直接在应用程序中配置 LDAP 连接( authenticationManagerBuilder.ldapAuthentication()... ),但这不是我想要的。
How can I tell Spring Boot to use the LDAP authentication from Tomcat for the application?如何告诉 Spring Boot 将来自 Tomcat 的 LDAP 身份验证用于应用程序?
UPDATE更新
It looks like I have to enable Pre-Authentication .看起来我必须启用Pre-Authentication 。 This can be done with .and().jee().mappableRoles("ROLE_ADMIN") .这可以通过.and().jee().mappableRoles("ROLE_ADMIN") 。 This seems to work, but I still can't authenticate: No pre-authenticated principal found in request .这似乎有效,但我仍然无法进行身份验证: No pre-authenticated principal found in request 。
Do I have to add something to Tomcats configuration?我是否必须在 Tomcats 配置中添加一些内容?
1 个解决方案
解决方案1
2 2017-05-30 06:50:00
I couldn't find any suitable solution for this, so I removed Spring Security entirely and added the constraints to a web.xml .我找不到任何合适的解决方案,所以我完全删除了 Spring Security 并将约束添加到web.xml 。 With the context.xml it is possible to set the authentication method (eg if you wish to switch to tomcat-users.xml authentication, see example below).使用context.xml可以设置身份验证方法(例如,如果您希望切换到 tomcat-users.xml 身份验证,请参见下面的示例)。 Then the authentication over Tomcat works.然后通过 Tomcat 的身份验证工作。
web.xml:网页.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>Authentication</web-resource-name>
<url-pattern>/test/test</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>users</role-name>
</security-role>
</web-app>
context.xml:上下文.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Context>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Context>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.