如何使用Spring Security,Spring LDAP和Hibernate处理用户信息?
[英]How to handle user information with Spring Security, Spring LDAP, and Hibernate?
问题描述
I have an application built on Spring MVC that uses Hibernate for all of it's DB interaction needs. 
我有一个基于Spring MVC构建的应用程序,它使用Hibernate来满足所有数据库交互需求。 There is now a need to update the application to use our LDAP infrastructure to drive the user information, including basic user data, such as name and email, as well as authentication and authorization needs as well. 现在需要更新应用程序以使用我们的LDAP基础结构来驱动用户信息,包括基本用户数据,例如名称和电子邮件,以及身份验证和授权需求。
Since everything has been in one spot (the DB) up to now, the reports are all fairly straightforward, since Hibernate is managing retrieval of information as needed when starting with the required queries. 由于到目前为止所有内容都在一个地方(数据库),所以报告都非常简单,因为Hibernate在开始使用所需查询时根据需要管理信息检索。 Grabbing the users' name, etc. is very simple, since Hibernate loads the data lazily. 抓住用户的名字等非常简单,因为Hibernate懒得加载数据。
With the desire to drive the user information with LDAP, Hibernate will no longer be able to populate the user information on the fly, since it won't be managing the users' data. 由于希望使用LDAP驱动用户信息,Hibernate将无法再动态填充用户信息,因为它不会管理用户的数据。 How should we use LDAP to drive the user data and deal with authentication / authorization without causing to much pain when we need to grab user data like Name, etc.? 当我们需要获取名称等用户数据时,我们应该如何使用LDAP来驱动用户数据并处理身份验证/授权而不会造成太大的痛苦?
We have considered using a hybrid approach where LDAP is treated as the "source" for the data and the current system is left as-is. 我们已经考虑使用混合方法,其中LDAP被视为数据的“源”,并且当前系统保持原样。 This would require changes to the transaction processing code to update against LDAP so that the live transaction is using up-to-date information, and also a periodic sync against LDAP to keep the application DB up-to-date for reporting purposes. 这将需要更改事务处理代码以针对LDAP进行更新,以便实时事务使用最新信息,并且还针对LDAP定期同步以使应用程序DB保持最新以用于报告目的。
This solution seems a bit hacky, and seems to have a lot of moving parts, but I could not find much on this subject elsewhere on the web. 这个解决方案看起来有点笨拙,似乎有很多活动部分,但我在网上其他地方找不到这个主题。
How should user information be handled / how should the app be structured so that all of the user information is still easily accessible and can be easily tied to the rest of the system for reporting purposes? 如何处理用户信息/如何构建应用程序,以便所有用户信息仍然易于访问,并且可以轻松地与系统的其余部分绑定以进行报告? Is there a way to integrate Spring LDAP and Hibernate so that layers above the data layer don't have to know? 有没有办法集成Spring LDAP和Hibernate,以便数据层之上的层不必知道? Or is pulling the info from LDAP into the existing database the easiest way to go? 或者将信息从LDAP提取到现有数据库中是最简单的方法吗?
1 个解决方案
解决方案1
1 已采纳 2011-08-04 10:46:11
If you can not drop the user table at all, because it is used from other entities, then my suggestion is to separete the security stuff from the business stuff. 如果您根本无法删除用户表,因为它是从其他实体使用的,那么我的建议是从业务中分离出安全性内容。
This mean remove the only for security needed information from the user table (login, password, ...), so that only the stuff remains that is needed to implement the buiness cases. 这意味着从用户表(登录名,密码,...)中删除仅用于安全性所需的信息,以便仅保留实现buiness情况所需的东西。
Then rewrite the security stuff so that is is based on the LDAP. 然后重写安全性内容,使其基于LDAP。 I guess you find a way to get the user data base object for an given prinipal. 我猜你找到了一种获取给定prinipal的用户数据库对象的方法。
Only one thing will remain, how to create new user database entities if a new person get a new login. 如果新人获得新登录,如何创建新的用户数据库实体,将只剩下一件事。 You have 3 choices, what is the best one strongly depends on your application: 你有3个选择,最好的选择在很大程度上取决于你的应用:
- Create the database entity if the users first login 如果用户首次登录,则创建数据库实体
- Create the database entity if you first need it 如果您是第一次需要,请创建数据库实体
- Create the database entity when it is created in the LDAO (or some minites later) for example with an cron job, or some Spring Scheduling service. 在LDAO(或稍后的某些小型网站)中创建数据库实体时创建数据库实体,例如使用cron作业或某些Spring Scheduling服务。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.