How to use LDAP Authentication in a corporate environment
I'd like users to log into my Spring-Boot application with their corporate username/password combination (so I can use AD authentication and (maybe also) use that AD to query active users).
So I ran nslookup -type=srv _ldap._tcp.MY.DOMAIN, which resulted in the following output:
Server: Servername.MY.DOMAIN
Address: 1.1.1.1
_ldap._tcp.MY.DOMAIN SRV service location
priority = 0
weight = 50
port = 389
svr hostname = a_host.MY.DOMAIN
//... a few more of these
a_host.MY.DOMAIN internet address = 5.5.5.5
Then I used this VBS:
' Read the logged-on user's AD name and bind to their directory object
set objSysInfo = CreateObject("ADSystemInfo")
set objUser = GetObject("LDAP://" & objSysInfo.UserName)
' Print the user's distinguished name
wscript.echo "DN: " & objUser.distinguishedName
that returned:
DN: CN=Lastname\, Firstname,OU=OU1,OU=OU2,OU=OU3,DC=MY,DC=DOMAIN
And now I tried (as suggested in the first answer) to configure my Spring Boot application for that login using this class, referring to this post:
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This chain applies to /secure only; every request on it needs a full login
        http
            .antMatcher("/secure")
            .authorizeRequests()
                .anyRequest().fullyAuthenticated()
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
    }

    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        // Arguments: AD domain (appended to bare usernames as user@domain) and the LDAP URL
        ActiveDirectoryLdapAuthenticationProvider provider =
            new ActiveDirectoryLdapAuthenticationProvider("MY.COMPANY", "ldap://a_host.MY.DOMAIN:389");
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }
}
Sadly, when I start the application and enter my company credentials into my Spring-Boot-Security login UI, I cannot log in to the application. Also, the path /secure is not accessible via http://localhost:8080/secure (results in 404). Now when I enable debugging for Spring-Boot-Security I get the following output on entering my credentials:
2018-12-17 11:47:12.793 DEBUG 13232 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-12-17 11:47:16.510 DEBUG 13232 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-12-17 11:47:27.462 DEBUG 13232 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@28db75a9. A new one will be created.
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@28db75a9. A new one will be created.
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/logout'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/logout'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/login'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/login'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] w.a.UsernamePasswordAuthenticationFilter : Request is to process authentication
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] w.a.UsernamePasswordAuthenticationFilter : Request is to process authentication
2018-12-17 11:47:27.470 DEBUG 13232 --- [io-8080-exec-10] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2018-12-17 11:47:27.470 DEBUG 13232 --- [nio-8080-exec-9] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2018-12-17 11:47:27.534 DEBUG 13232 --- [io-8080-exec-10] o.s.s.a.dao.DaoAuthenticationProvider : User '%my_user%' not found
2018-12-17 11:47:27.534 DEBUG 13232 --- [nio-8080-exec-9] o.s.s.a.dao.DaoAuthenticationProvider : User '%my_user%' not found
2018-12-17 11:47:27.534 DEBUG 13232 --- [io-8080-exec-10] w.a.UsernamePasswordAuthenticationFilter : Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Ungültige Anmeldedaten
org.springframework.security.authentication.BadCredentialsException: Ungültige Anmeldedaten
at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:151) ~[spring-security-core-5.1.2.RELEASE.jar!/:5.1.2.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) ~[spring-security-core-5.1.2.RELEASE.jar!/:5.1.2.RELEASE]
//...
2018-12-17 11:47:27.538 DEBUG 13232 --- [nio-8080-exec-9] w.a.UsernamePasswordAuthenticationFilter : Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Ungültige Anmeldedaten
org.springframework.security.authentication.BadCredentialsException: Ungültige Anmeldedaten
So as it is not finding my user (I also tried Username@DOMAIN, DOMAIN\\username, ...), it seems like I either misconfigured the URL or used the wrong form to enter my login data (I used the startup page shown when launching the application with Spring-Boot-Security).
UPDATE:
I ensured that the provided username %my_user% is equal to my UPN, so it seems to be a configuration problem, since Spring Boot Security says that it cannot be found.
UPDATE2:
I am going to update this post with the very final solution we came to, thanks to @GabrielLuci. The problem is solved :)

That documentation shows the configuration to use on a... "normal" LDAP directory (like, say, OpenLDAP). Active Directory has its own quirks, so it doesn't quite behave the same way as the rest of the LDAP world.
Spring does have an ActiveDirectoryLdapAuthenticationProvider class just for this purpose. This answer has an example of how to make use of it in your WebSecurityConfig class:
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This chain applies to /secure only; every request on it needs a full login
        http
            .antMatcher("/secure")
            .authorizeRequests()
                .anyRequest().fullyAuthenticated()
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Register the AD provider so it is used instead of the default user store
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
    }

    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        // Arguments: AD domain (appended to bare usernames as user@domain) and the LDAP URL
        ActiveDirectoryLdapAuthenticationProvider provider =
            new ActiveDirectoryLdapAuthenticationProvider("adldap.company.com", "ldap://adldap.company.com");
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }
}
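As an added example, not part of the question or of the answer above, here is the same WebSecurityConfigurerAdapter approach with the settings a practitioner would normally tighten before putting the provider in front of real domain accounts: the bind goes over LDAPS instead of plain ldap:// (the provider sends the user's password to the domain controller on every login), the search filter accepts the sAMAccountName as well as the UPN (the default filter only matches userPrincipalName, which is why a bare logon name would not be found), form login replaces HTTP Basic, and AD group membership is mapped to an application role. The domain MY.DOMAIN, the host a_host.MY.DOMAIN, port 636, the group name App-Users, the role name and the class name AdWebSecurityConfig are all placeholders taken from or modelled on the question; the question's own debug log shows DaoAuthenticationProvider handling the attempt, which is the default in-memory provider Boot falls back to when no other provider is registered.

```java
// Added example configuration (not from the question or the answer).
// Assumptions (placeholders): domain MY.DOMAIN, domain controller
// a_host.MY.DOMAIN with a certificate the JVM trusts on LDAPS port 636,
// and an AD group named App-Users whose members may use the application.
package com.example.security;

import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class AdWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Only members of the mapped AD group reach /secure/**.
                .antMatchers("/secure/**").hasRole("APP_USER")
                .anyRequest().authenticated()
                .and()
            // Form login sends the password once and then uses the session;
            // HTTP Basic would resend it with every request.
            .formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // Registering the AD provider here replaces Boot's default
        // DaoAuthenticationProvider (the one seen in the question's log).
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider =
            new ActiveDirectoryLdapAuthenticationProvider(
                "MY.DOMAIN",                      // appended to bare usernames: user@MY.DOMAIN
                "ldaps://a_host.MY.DOMAIN:636");  // TLS, because the bind carries the password
        // {0} is the bind principal (user@MY.DOMAIN), {1} the username exactly as
        // typed, so both the UPN and the pre-Windows-2000 logon name match.
        provider.setSearchFilter(
            "(&(objectClass=user)(|(userPrincipalName={0})(sAMAccountName={1})))");
        // Report AD sub-error codes (expired password, locked account, ...)
        // as distinct exceptions instead of one generic bad-credentials failure.
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        provider.setAuthoritiesMapper(groupsToRoles());
        return provider;
    }

    /** Map the memberOf group CNs the provider returns to one application role. */
    private GrantedAuthoritiesMapper groupsToRoles() {
        return authorities -> authorities.stream()
            .filter(a -> "App-Users".equalsIgnoreCase(a.getAuthority()))
            .map(a -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_APP_USER"))
            .collect(Collectors.toSet());
    }
}
```

With setConvertSubErrorCodesToExceptions(true) the application can distinguish an expired password or a locked account from a wrong password in its own logs while still showing the user a generic failure; the authority mapper drops every AD group except the one the application actually uses, so unrelated group names never become roles by accident.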