[英]Spring Security 3 Active Directory Authentication, Database Authorization
我正在嘗試通過AD身份驗證來訪問我的應用程序,並從數據庫中獲取授權角色。
這是我的配置
<beans:bean id="activeDirectoryAuthenticationProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<beans:constructor-arg value="mydomain" />
<beans:constructor-arg value="ldap://my URL :389" />
<beans:property name="convertSubErrorCodesToExceptions" value="true"/>
</beans:bean>
我試圖添加
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.populator.UserDetailsServiceLdapAuthoritiesPopulator">
<beans:constructor-arg ref="myUserDetailsService"/>
</beans:bean>
</beans:constructor-arg>
但這沒用。 有什么幫助嗎?
非常感謝!!
ActiveDirectoryLdapAuthenticationProvider不使用LdapAuthoritiesPopulator
(檢查API的構造函數)。
您可以使用委派模型,在該模型中,您包裝提供程序並分別加載權限,然后返回包含它們的新令牌:
public class MyAuthoritySupplementingProvider implements AuthenticationProvider {
private AuthenticationProvider delegate;
public MyAuthoritySupplementingProvider(AuthenticationProvider delegate) {
this.delegate = delegate;
}
public Authentication authenticate(Authentication authentication) {
final Authentication a = delegate.authenticate(authentication);
// Load additional authorities and create an Authentication object
final List<GrantedAuthority> authorities = loadRolesFromDatabaseHere(a.getName());
return new AbstractAuthenticationToken(authorities) {
public Object getCredentials() {
throw new UnsupportedOperationException();
}
public Object getPrincipal() {
return a.getPrincipal();
}
};
}
@Override
public boolean supports(Class<?> authentication) {
return delegate.supports(authentication);
}
}
該課程是最終的,主要是由於我對Active Directory的基本知識以及人們希望使用它的不同方式。
讓我們分成兩部分。 第一個是您的Spring Security xml配置,第二個部分將覆蓋Spring Security提供的UserContextMapper。
您的安全xml配置為
<bean id="adAuthenticationProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="my.domain.com" />
<constructor-arg value="ldap://<adhostserver>:<port>/" />
<property name="convertSubErrorCodesToExceptions" value="true" />
<property name="userDetailsContextMapper" ref="myUserDetailsContextMapper" />
</bean>
<bean id="myUserDetailsContextMapper" class="com.mycompany.sme.workflow.controller.MyDbAuthorizationFetcher">
<property name="dataSource" ref="dataSource" />
MyDbAuthorizationFetcher是您將在其中實現UserContextMapper類以從數據庫獲取授權的類。
public class MyDbAuthorizationFetcher implements UserDetailsContextMapper {
private JdbcTemplate jdbcTemplate;
@Autowired
private DataSource dataSource;
public JdbcTemplate getJdbcTemplate() {
return jdbcTemplate;
}
public void setJdbcTemplate(JdbcTemplate jdbcTemplate) {
this.jdbcTemplate = jdbcTemplate;
}
public DataSource getDataSource() {
return dataSource;
}
public void setDataSource(DataSource dataSource) {
this.dataSource = dataSource;
}
// populating roles assigned to the user from AUTHORITIES table in DB
private List<SimpleGrantedAuthority> loadRolesFromDatabase(String username) {
DbRole role = new DbRole();
String sql = "select * from user where user_id = ?";
jdbcTemplate = new JdbcTemplate(getDataSource());
role = jdbcTemplate.queryForObject(sql, new Object[] { username }, new DbRoleMapper());
try {
dataSource.getConnection().setAutoCommit(true);
} catch (SQLException e) {
}
List<SimpleGrantedAuthority> authoritiess = new ArrayList<SimpleGrantedAuthority>();
SimpleGrantedAuthority auth = new SimpleGrantedAuthority(String.valueOf(role.getRoleId()));
authoritiess.add(auth);
return authoritiess;
}
@Override
public UserDetails mapUserFromContext(DirContextOperations ctx,
String username, Collection<? extends GrantedAuthority> authorities) {
List<SimpleGrantedAuthority> allAuthorities = new ArrayList<SimpleGrantedAuthority>();
for (GrantedAuthority auth : authorities) {
if (auth != null && !auth.getAuthority().isEmpty()) {
allAuthorities.add((SimpleGrantedAuthority) auth);
}
}
// add additional roles from the database table
allAuthorities.addAll(loadRolesFromDatabase(username));
return new User(username, "", true, true, true, true, allAuthorities);
}
@Override
public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
// TODO Auto-generated method stub
}
}
需要在AbstractAuthenticationToken中將authenticated標志設置為true,除非未將其視為成功
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.