
Authentication using LDAP in Spring

Currently I authenticate with Spring against a data source.

Here is my configuration in security-app-context.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/administration/**" access="hasRole('ADMIN')" />
        <intercept-url pattern="/citizen/**" access="hasRole('USER')" />
        <form-login login-page="/index.htm"
            authentication-success-handler-ref="authenticationSuccessRedirecthandler"
            default-target-url="/citizen/test.htm"
            authentication-failure-url="/index.htm?error=1" />
        <logout logout-success-url="/index.htm" />
    </http>

    <beans:bean id="authenticationSuccessRedirecthandler"
        class="com.test.redirect.CustomAuthenticationHandler" />

    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="select username, password, enabled from users where username=?"
                authorities-by-username-query="select u.username, ur.authority from users u, user_roles ur where u.user_id = ur.user_id and u.username=?" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>

Here is CustomAuthenticationHandler.java:

import java.io.IOException;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

public class CustomAuthenticationHandler extends SimpleUrlAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {

        String targetUrl = "/test/page.htm";

        // Names of the authorities granted to the user who has just logged in
        Set<String> roles = AuthorityUtils.authorityListToSet(authentication.getAuthorities());

        if (roles.contains("ADMIN")) {
            // Administrators are sent to their own landing page
            getRedirectStrategy().sendRedirect(request, response, targetUrl);
        } else {
            // Everyone else follows the default-target-url from the configuration
            super.onAuthenticationSuccess(request, response, authentication);
        }
    }
}

I would like to know how to correct the configuration so that authentication goes through LDAP instead of the data source.

Here are the corresponding parameters from my LDAP:

Base Provider URL: ldap://192.168.0.88:389

Base DN: DC=MINISTER,DC=FR

Principal: CN=LDAP Requester,OU=Users,OU=Technical Accounts,OU=P9 Accounts,DC=MINISTER,DC=FR

Credentials: minister$9999

Users
  Authentication Search Filter: (&(objectClass=person)(mail=@email_address@))
  Users DN: DC=MINISTER,DC=FR
  Groups DN: DC=MINISTER,DC=FR

Update:

I tried the following code:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/administration/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/citizen/**" access="hasRole('USER')" />
        <intercept-url pattern="/menu/menu.htm" access="hasAnyRole('ROLE_ADMIN','USER')" />

        <form-login login-page="/index.htm"
            default-target-url="/citizen/test.htm"
            authentication-failure-url="/index.htm?error=1" />
        <logout logout-success-url="/index.htm" />
    </http>

    <beans:bean id="grantedAuthoritiesMapper" class="com.test.ActiveDirectoryGrantedAuthoritiesMapper" />

    <authentication-manager>
        <authentication-provider ref="ldapActiveDirectoryAuthProvider" />
    </authentication-manager>

    <beans:bean id="ldapActiveDirectoryAuthProvider"
        class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
        <beans:constructor-arg value="DC=MINISTER,DC=TN" />
        <beans:constructor-arg value="ldap://192.168.0.88:389" />
        <beans:property name="authoritiesMapper" ref="grantedAuthoritiesMapper" />
        <beans:property name="useAuthenticationRequestCredentials" value="true" />
        <beans:property name="convertSubErrorCodesToExceptions" value="true" />
    </beans:bean>

</beans:beans>

Here is the Java class:

import java.util.Collection;
import java.util.EnumSet;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;

/**
 * Maps the groups defined in LDAP nomenclature to roles for a specific user.
 */
public class ActiveDirectoryGrantedAuthoritiesMapper implements GrantedAuthoritiesMapper {

    // Name of the group as defined in LDAP (the provider hands over the group's CN)
    private static final String ROLE_ADMIN = "ADMIN";

    public ActiveDirectoryGrantedAuthoritiesMapper() {
    }

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(
            final Collection<? extends GrantedAuthority> authorities) {

        Set<SecurityContextAuthority> roles = EnumSet.noneOf(SecurityContextAuthority.class);

        for (GrantedAuthority authority : authorities) {
            // authority.getAuthority() returns the role in LDAP nomenclature
            if (ROLE_ADMIN.equals(authority.getAuthority())) {
                roles.add(SecurityContextAuthority.ROLE_ADMIN);
            }
        }
        // Only the roles known to the application survive the mapping
        return roles;
    }

}

Here is the SecurityContextAuthority.java class:

import org.springframework.security.core.GrantedAuthority;

/**
 * Maps the groups defined in LDAP to roles for a specific user.
 */
public enum SecurityContextAuthority implements GrantedAuthority {

    // These roles are specified in the security context (security.xml) and are
    // mapped to LDAP roles by the ActiveDirectoryGrantedAuthoritiesMapper
    ROLE_ADMIN;

    public String getAuthority() {
        return name();
    }
}

But when I test it, I get this error:

[org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider] (http-localhost-127.0.0.1-8080-3) Active Directory authentication failed: Supplied password was invalid
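The parameters listed in the question (a bind account plus a search filter on the `mail` attribute) are the shape that Spring Security 3.1's generic `<ldap-server>` / `<ldap-authentication-provider>` elements expect. The configuration below is an added example, not code from the question or from the Spring project; it assumes the manager password is injected through a property placeholder named `ldap.manager.password` (assumed, configured elsewhere) and that the groups used as roles are readable by the bind account.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http auto-config="true" use-expressions="true">
        <!-- role-prefix="none" below keeps the authority names equal to the group CNs,
             so the existing hasRole('ADMIN') checks and CustomAuthenticationHandler stay valid -->
        <intercept-url pattern="/administration/**" access="hasRole('ADMIN')" />
        <intercept-url pattern="/citizen/**" access="hasRole('USER')" />
        <form-login login-page="/index.htm"
            authentication-success-handler-ref="authenticationSuccessRedirecthandler"
            default-target-url="/citizen/test.htm"
            authentication-failure-url="/index.htm?error=1" />
        <logout logout-success-url="/index.htm" />
    </http>

    <beans:bean id="authenticationSuccessRedirecthandler"
        class="com.test.redirect.CustomAuthenticationHandler" />

    <!-- "Base Provider URL" and "Base DN" from the question, joined into one URL.
         "Principal"/"Credentials" become the manager (bind) account that Spring uses
         to locate the user before binding with the user's own password. -->
    <ldap-server id="ministerLdap"
        url="ldap://192.168.0.88:389/DC=MINISTER,DC=FR"
        manager-dn="CN=LDAP Requester,OU=Users,OU=Technical Accounts,OU=P9 Accounts,DC=MINISTER,DC=FR"
        manager-password="${ldap.manager.password}" />

    <authentication-manager>
        <!-- Bind authentication: search with the filter, then bind as the DN found.
             {0} is the name typed into the login form (Spring's placeholder, replacing the
             @email_address@ token of the directory's own filter), so users log in with the
             address held in their "mail" attribute. The "&" must be escaped in an attribute. -->
        <ldap-authentication-provider server-ref="ministerLdap"
            user-search-base=""
            user-search-filter="(&amp;(objectClass=person)(mail={0}))"
            group-search-base=""
            group-search-filter="(member={0})"
            group-role-attribute="cn"
            role-prefix="none" />
    </authentication-manager>
</beans:beans>
```

Two points worth checking when adapting this: `group-search-filter` defaults to `(uniqueMember={0})`, which never matches Active Directory groups (they list members in the `member` attribute, as set above), and `DefaultLdapAuthoritiesPopulator` searches the group base one level deep and upper-cases the CN it finds, so `group-search-base` should name the container that actually holds the groups and a group named `Admin` arrives as the authority `ADMIN`.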

I am doing the same thing, and my code is working. Looking at your code, I found only one difference from mine. In the ldapActiveDirectoryAuthProvider bean in the security configuration file, your two constructor args are:

<beans:constructor-arg value="DC=MINISTER,DC=TN" />
<beans:constructor-arg value="ldap://192.168.0.88:389" />

Mine follow a different idea; using your values, they would look like this:

<beans:constructor-arg value="192.168.0.88" />
<beans:constructor-arg value="ldap://192.168.0.88" />

You may also need to pass the domain component, but I wonder whether your configuration needs to pass both the domain and the URL. Also, I noticed that it seemed to add the default port, so I left that out of my URL.
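For readers comparing the two constructor-argument styles above, here is an added example (not part of the question or the answer) of the provider bean with the arguments in the form `ActiveDirectoryLdapAuthenticationProvider(domain, url)` takes. The provider lower-cases the first argument, binds as `username@domain` (a userPrincipalName logon) and derives its own search root `dc=minister,dc=fr` from it, so that argument is the DNS domain name rather than a distinguished name; `minister.fr` is assumed here from the Base DN listed in the question (the attempted configuration used `DC=MINISTER,DC=TN`, so the real value must match the directory).

```xml
<authentication-manager>
    <authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</authentication-manager>

<beans:bean id="ldapActiveDirectoryAuthProvider"
    class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <!-- As attempted: with a DN as the domain the bind name becomes "user@DC=MINISTER,DC=TN".
         Active Directory answers a bad user name and a bad password with the same sub-error
         code (52e), which Spring logs as "Supplied password was invalid".
    <beans:constructor-arg value="DC=MINISTER,DC=TN" />
    -->
    <!-- Domain as a DNS name (assumed value); the provider builds the bind name and the
         search root "dc=minister,dc=fr" from it -->
    <beans:constructor-arg value="minister.fr" />
    <!-- URL of the directory; the port may be left off if the directory listens on 389 -->
    <beans:constructor-arg value="ldap://192.168.0.88:389" />
    <beans:property name="authoritiesMapper" ref="grantedAuthoritiesMapper" />
    <beans:property name="useAuthenticationRequestCredentials" value="true" />
    <beans:property name="convertSubErrorCodesToExceptions" value="true" />
</beans:bean>
```

With `convertSubErrorCodesToExceptions` left at `true`, the AD sub-error codes for an expired password, a disabled account, an expired account and a locked account are raised as the matching Spring exceptions instead of a plain bad-credentials failure, which makes the login page able to tell the user what is actually wrong; the code 52e case stays a `BadCredentialsException` in every configuration.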
