[英]Spring Security with Active Directory and Database roles
[英]Handling roles when authenticated to active directory with spring security 3.1
我正在嘗試使用Spring Security 3.1對Active Directory進行身份驗證。 我得到了認證,一切都很好。
<sec:ldap-server id="ldapServer" url="ldap://ldap/dc=sub,dc=domain,dc=com" port="389" />
<sec:authentication-manager erase-credentials="true" >
<sec:authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</sec:authentication-manager>
<bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="domain" />
<constructor-arg value="ldap://server:389/"/>
</bean>
現在回答這個問題。 如何處理用戶角色以便我可以設置過濾器?
例如。
<sec:intercept-url pattern="/**" access="ROLE_USER"/>
我通過使用UserDetailContextMapper並將我的AD組映射到ROLE_USER,ROLE_ADMIN等,找到了如何執行此操作的方法。
<bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="domain" />
<constructor-arg value="ldap://host:389/"/>
<property name="userDetailsContextMapper" ref="tdrUserDetailsContextMapper"/>
<property name="useAuthenticationRequestCredentials" value="true"/>
</bean>
<bean id="tdrUserDetailsContextMapper" class="com.bla.bla.UserDetailsContextMapperImpl"/>
Mapper類:
public class UserDetailsContextMapperImpl implements UserDetailsContextMapper, Serializable{
private static final long serialVersionUID = 3962976258168853954L;
@Override
public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authority) {
List<GrantedAuthority> mappedAuthorities = new ArrayList<GrantedAuthority>();
for (GrantedAuthority granted : authority) {
if (granted.getAuthority().equalsIgnoreCase("MY USER GROUP")) {
mappedAuthorities.add(new GrantedAuthority(){
private static final long serialVersionUID = 4356967414267942910L;
@Override
public String getAuthority() {
return "ROLE_USER";
}
});
} else if(granted.getAuthority().equalsIgnoreCase("MY ADMIN GROUP")) {
mappedAuthorities.add(new GrantedAuthority() {
private static final long serialVersionUID = -5167156646226168080L;
@Override
public String getAuthority() {
return "ROLE_ADMIN";
}
});
}
}
return new User(username, "", true, true, true, true, mappedAuthorities);
}
@Override
public void mapUserToContext(UserDetails arg0, DirContextAdapter arg1) {
}
}
您還可以注入3.1中引入的GrantedAuthoritiesMapper
作為修改作者的一般策略。 另外,您可能希望將SimpleGrantedAuthority
用於GrantedAuthority
實現。 或者,您可以使用枚舉,因為您有一組固定的值:
enum MyAuthority implements GrantedAuthority {
ROLE_ADMIN,
ROLE_USER;
public String getAuthority() {
return name();
}
}
class MyAuthoritiesMapper implements GrantedAuthoritiesMapper {
public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
Set<MyAuthority> roles = EnumSet.noneOf(MyAuthority.class);
for (GrantedAuthority a: authorities) {
if ("MY ADMIN GROUP".equals(a.getAuthority())) {
roles.add(MyAuthority.ROLE_ADMIN);
} else if ("MY USER GROUP".equals(a.getAuthority())) {
roles.add(MyAuthority.ROLE_USER);
}
}
return roles;
}
}
beans.xml中的角色必須與memberOf value屬性的CN(公用名)完全匹配。 您應該閱讀有關目錄基礎知識的教程。
假設有這樣的用戶: CN=Michael-O,OU=Users,OU=department,DC=sub,DC=company,DC=net
在他的上下文中存在此memberOf值CN=Group Name,OU=Permissions,OU=Groups,OU=department,DC=sub,DC=company,DC=net
Bean將找到此memberOf值並提取Group Name
。 你beans.xml必須具有這個值。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.