How to map Ldap groups to Tomcat Roles (Java)


Problem description

I am writing a web project using Servlets/JSP etc. At the moment the program uses basic authentication for security, but my work wants the security roles picked up from our Active Directory.

I have modified Apache's server.xml with the following:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://adclds001.mycompgroup.local:389"
       connectionName="************.local:389"
       connectionPassword="********"
       userPattern="CN={0},OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       roleBase="OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       roleName="cn"
       roleSearch="member={0}"
     />

The authentication works fine, but I do not know how to map LDAP groups to Tomcat roles.

I have tried adding things like group-name to the entries in the deployment descriptor, but to no avail.

I have also heard that extending the JNDIRealm class and overriding the getRoles method might give me what I want, but I can't find full details on what might be required.

So what is the best way to map LDAP groups to Tomcat roles?

The application is still not picking up the roles.

My realm details are currently:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://adclds001.mycomp.local:389"
       connectionName="trainee1@mycomp.local:389"
       connectionPassword="****"
       userPattern="CN={0},OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       userRoleName="Domain Users"
       roleBase="OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       roleName="cn"
       roleSearch="member={0}"
     />

I have a security constraint in my deployment descriptor:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Domain Users</role-name>
            <role-name>admin_user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Security roles in web.xml:

    <security-role>
        <role-name>basic_user</role-name>
    </security-role>
    <security-role>
        <role-name>admin_user</role-name>
    </security-role>

    <security-role>
        <role-name>Domain Users</role-name>
    </security-role>

I also have:

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

My IT dept are telling me that everybody is in the following group: CN=Domain Users,CN=Users,DC=mycompgroup,DC=local

Can anybody suggest why I am not able to use the Domain Users role?

Recommended answer

Here is a description of subclassing JNDIRealm for these purposes. He suggests using a properties file.

I did something similar; however, I allowed adding entries by an attribute in the Realm element. To do that, create a JavaBean property in your subclass, e.g. rolesForServer. Given application roles of "event_requester", "approver" and "manager", setRolesForServer can then parse a string such as rolesForServer='HR=approver,manager;all=event_requester'.
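An added illustration of the answer's approach (example code, not the answerer's own class): a JNDIRealm subclass whose rolesForServer bean property is parsed from the Realm attribute, with getRoles overridden so that only directory groups named in the mapping become application roles. The class and package names are hypothetical, and the getRoles signature assumed is the Tomcat 6/7 one.

```java
package com.example.realm;                       // hypothetical package

import java.util.*;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import org.apache.catalina.realm.JNDIRealm;

public class GroupMappingRealm extends JNDIRealm {

    // LDAP group name (the roleName attribute, e.g. cn) -> application roles.
    // The key "all" is granted to every successfully authenticated user.
    private final Map<String, List<String>> groupToRoles = new HashMap<>();

    // Tomcat's digester calls this setter for the rolesForServer attribute,
    // e.g. rolesForServer="HR=approver,manager;all=event_requester".
    public void setRolesForServer(String spec) {
        groupToRoles.clear();
        for (String entry : spec.split(";")) {
            String[] kv = entry.split("=", 2);
            if (kv.length != 2 || kv[0].trim().isEmpty()) {
                throw new IllegalArgumentException("bad rolesForServer entry: " + entry);
            }
            List<String> roles = new ArrayList<>();
            for (String r : kv[1].split(",")) {
                if (!r.trim().isEmpty()) roles.add(r.trim());
            }
            groupToRoles.put(kv[0].trim(), roles);
        }
    }

    // Translate directory groups into application roles. Unmapped groups are
    // dropped, so only groups listed in the mapping can satisfy an <auth-constraint>.
    List<String> mapGroups(Collection<String> ldapGroups) {
        Set<String> roles = new LinkedHashSet<>();
        List<String> everyone = groupToRoles.get("all");
        if (everyone != null) roles.addAll(everyone);
        for (String group : ldapGroups) {
            List<String> mapped = groupToRoles.get(group);
            if (mapped != null) roles.addAll(mapped);
        }
        return new ArrayList<>(roles);
    }

    // Tomcat 6/7 signature; Tomcat 8.5+ passes a JNDIConnection instead of a DirContext.
    @Override
    protected List<String> getRoles(DirContext context, User user) throws NamingException {
        List<String> ldapGroups = super.getRoles(context, user);   // groups found via roleSearch
        return mapGroups(ldapGroups == null ? Collections.<String>emptyList() : ldapGroups);
    }
}
```

Point the Realm's className at this class and add the rolesForServer attribute next to the existing connection and role settings. Note that super.getRoles only searches entries under roleBase (one level unless roleSubtree is set), so a group such as Domain Users under CN=Users is out of scope when roleBase points at the Trainers OU, and userRoleName should name an attribute of the user entry (for example memberOf), not a group.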
