[英]Spring Security with LDAP and Database roles
在我們的新保險項目中,我正在嘗試使用Ldap active-directory實現spring-security 。
一旦用戶在AD中找到,我想在AD上檢查用戶名/密碼。 我想從用戶表(app授權用戶)授權他在數據庫中具有訪問級別。 有人可以提供樣品/指出我的資源。
現在實現這一目標的最簡單方法(Spring Security 3.2.5.RELEASE)是通過實現自定義LdapAuthoritiesPopulator
,它使用自定義JdbcDaoImpl
從數據庫中獲取權限。
假設您使用的是默認數據庫模式 ,並且您在LDAP中使用相同的用戶名進行身份驗證,並且在authorities
表中使用外鍵,則只需要:
package demo;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Collection;
import java.util.List;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
/*
* You need to extend JdbcDaoImpl to expose the protected method loadUserAuthorities.
*/
public class CustomJdbcUserDetailsService extends JdbcDaoImpl {
@Override
public List<GrantedAuthority> loadUserAuthorities(String username) {
return super.loadUserAuthorities(username);
}
}
/*
* Then, the only thing your populator needs to do is use the custom UserDetailsService above.
*/
public class CustomLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
private static final Logger LOGGER = LoggerFactory.getLogger(CustomLdapAuthoritiesPopulator.class);
private CustomJdbcUserDetailsService service;
public CustomLdapAuthoritiesPopulator(CustomJdbcUserDetailsService service) {
this.service = service;
}
public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations user, String username) {
return service.loadUserAuthorities(username);
}
}
現在唯一剩下的就是配置LDAP身份驗證提供程序以使用CustomLdapAuthoritiesPopulator
。
在@Configuration
的注釋子GlobalMethodSecurityConfiguration
或WebSecurityConfigurerAdapter
(根據您的情況),添加以下內容:
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
/* other authentication configurations you might have */
/*
* This assumes that the dataSource configuring
* the connection to the database has been Autowired
* into this bean.
*
* Adapt according to your specific case.
*/
CustomJdbcUserDetailsService customJdbcUserDetailsService = new CustomJdbcUserDetailsService();
customJdbcUserDetailsService.setDataSource(dataSource);
CustomLdapAuthoritiesPopulator customLdapAuthoritiesPopulator = new CustomLdapAuthoritiesPopulator(customJdbcUserDetailsService);
auth.ldapAuthentication().ldapAuthoritiesPopulator(customLdapAuthoritiesPopulator)/* other LDAP configurations you might have */;
/* yet more authentication configurations you might have */
}
有關工作示例,請參閱https://github.com/pfac/howto-spring-security 。
免責聲明 :我一直專注於Java配置,所以謹慎行事,可能會有一些錯誤。
與使用LDAP進行身份驗證的其他配置不同,似乎沒有漂亮的XML標記來自定義LdapAuthoritiesPopulator
。 所以,它必須手動完成。 假設已定義bean contextSource
配置與LDAP服務器的連接,請將以下內容添加到Spring XML配置中:
<beans:bean id="customJdbcUserDetailsService" class="demo.CustomJdbcUserDetailsService" />
<beans:bean id="customLdapAuthoritiesPopulator" class="demo.CustomLdapAuthoritiesPopulator">
<beans:constructor-arg ref="customJdbcUserDetailsService" />
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<!--
other configurations you might need
-->
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg ref="customLdapAuthoritiesPopulator" />
</beans:bean>
<security:authentication-manager>
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
資料來源: http : //spapas.github.io/2013/10/14/spring-ldap-custom-authorities/#spring-security-ldap-with-custom-authorities
您很可能必須執行自定義UserDetailsServer ,因為您通過LDAP進行身份驗證,但通過數據庫查詢獲取角色。 UserDetailsService是一個接口。 您將實現該接口,然后將您的自定義實現添加到Spring Security配置中,執行以下操作:
<beans:bean id="userDetailsService" class="com.app.MyUserDetailsServiceImpl" />
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="plaintext" />
</authentication-provider>
</authentication-manager>
在loadUserByUsername()中,您將創建UserDetails ,設置用戶名,密碼和“權限”,即角色。
這篇博文有一個關於如何使用數據庫的例子,你應該能夠適應你的要求。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.