Why does Spring Security's BindAuthenticator require read permissions for users?


Question

I'm currently implementing/configuring the LDAP authentication of a Java web application using Spring Security 3.0. I'm using Microsoft AD LDS as the LDAP server and chose Spring's BindAuthenticator. I found out that the authentication only works if the authenticated user is a member of the partition's Readers role. The BindAuthenticator tries to read the user's attributes after the authentication, which seems reasonable in scenarios where authorities are retrieved from the directory service.

Being new to LDAP and AD, is this an acceptable practice when the application is integrated in an existing AD structure? Can I fine-tune this and give the user DNs only read permissions for their own attributes rather than adding them to the Reader group?

Thanks, Thomas

Edit 3/8/2010: Here's what I ended up doing: I copied Spring's BindAuthenticator (the whole class) and changed the method bindWithDn() as below. Differences are marked with DIFF.

private DirContextOperations bindWithDn(String userDn, String username, String password) {
    BaseLdapPathContextSource ctxSource = (BaseLdapPathContextSource) getContextSource();
    DistinguishedName fullDn = new DistinguishedName(userDn);
    fullDn.prepend(ctxSource.getBaseLdapPath());

    logger.debug("Attempting to bind as " + fullDn);

    DirContext ctx = null;
    try {
        // The bind itself is the password check; it throws if the credentials are wrong.
        ctx = getContextSource().getContext(fullDn.toString(), password);
        // Check for password policy control
        PasswordPolicyControl ppolicy = PasswordPolicyControlExtractor.extractControl(ctx);

        // *DIFF* Removed: this read of the user's own entry is what required the Readers role.
        // *DIFF* Attributes attrs = ctx.getAttributes(userDn, getUserAttributes());

        // *DIFF* Build the result from the DN alone; no attributes are loaded from the directory.
        DirContextAdapter result = new DirContextAdapter(null, new DistinguishedName(userDn),  // *DIFF*
                ctxSource.getBaseLdapPath());

        if (ppolicy != null) {
            result.setAttributeValue(ppolicy.getID(), ppolicy);
        }

        return result;
    } catch (NamingException e) {
        // This will be thrown if an invalid user name is used and the method may
        // be called multiple times to try different names, so we trap the exception
        // unless a subclass wishes to implement more specialized behaviour.
        if ((e instanceof org.springframework.ldap.AuthenticationException)
                || (e instanceof org.springframework.ldap.OperationNotSupportedException)) {
            handleBindException(userDn, username, e);
        } else {
            throw e;
        }
    // *DIFF* Second catch removed: without getAttributes() nothing left in the try block
    // *DIFF* throws the checked javax.naming.NamingException, so this catch would no longer compile.
    // *DIFF* } catch (javax.naming.NamingException e) {
    // *DIFF*     throw LdapUtils.convertLdapException(e);
    } finally {
        LdapUtils.closeContext(ctx);
    }

    return null;
}

Answer

It makes sense to me, since the BindAuthenticator performs an LDAP bind "as" the authenticated user, and uses the LDAP to populate the user details object. I'm guessing that the LDAP server requires the user to have a role entitling them to read their own attributes.

Did you try restricting the set of attributes (via setUserAttributes) to only a few attributes? I think in AD you can put RBAC on individual attributes, so you may be reading one attribute which has the 'Reader' role protection and some others that are unprotected.

Your other options are:

  • Change the RBAC on the LDAP server as you suggest, but I have no recipe for that.
  • Use another authentication method that performs the bind as a generic server principal and reads the attributes. You may still need to bind as the user to check their password.
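Combining the answer's second option with the approach in the edit above, here is an added example (not code from the question, the answer, or Spring Security itself) of a custom LdapAuthenticator: it binds as the user only to verify the password, then reads the user's attributes through the context source's service principal, so the user needs no Readers role on the partition. It assumes Spring Security 3.0 with Spring LDAP 1.3 (the APIs used in the question's code) and a context source configured with a manager DN and password; the class name is hypothetical.

```java
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.ldap.support.LdapUtils;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticator;

// Hypothetical class name. Assumes the context source carries a service principal
// (managerDn/password) that is allowed to read user entries.
public class ServicePrincipalReadAuthenticator extends AbstractLdapAuthenticator {
    public ServicePrincipalReadAuthenticator(BaseLdapPathContextSource contextSource) {
        super(contextSource);
    }
    public DirContextOperations authenticate(Authentication authentication) {
        String username = authentication.getName();
        String password = (String) authentication.getCredentials();
        // Never send an empty credential: many directories treat it as an anonymous bind and succeed.
        if (password == null || password.length() == 0) {
            throw new BadCredentialsException("Empty password");
        }
        BaseLdapPathContextSource ctxSource = (BaseLdapPathContextSource) getContextSource();
        for (String userDn : getUserDns(username)) { // DNs from the configured userDnPatterns
            DistinguishedName fullDn = new DistinguishedName(userDn);
            fullDn.prepend(ctxSource.getBaseLdapPath());
            DirContext userCtx = null;
            try {
                userCtx = ctxSource.getContext(fullDn.toString(), password); // password check only
            } catch (org.springframework.ldap.NamingException e) {
                continue; // wrong password or no entry for this pattern: try the next pattern
            } finally {
                LdapUtils.closeContext(userCtx);
            }
            DirContext svcCtx = ctxSource.getReadOnlyContext(); // bound as the service principal
            try {
                Attributes attrs = svcCtx.getAttributes(userDn, getUserAttributes());
                return new DirContextAdapter(attrs, new DistinguishedName(userDn), ctxSource.getBaseLdapPath());
            } catch (javax.naming.NamingException e) {
                throw LdapUtils.convertLdapException(e);
            } finally {
                LdapUtils.closeContext(svcCtx);
            }
        }
        throw new BadCredentialsException("Bad credentials");
    }
}
```

Wire it into LdapAuthenticationProvider in place of BindAuthenticator; the service principal only ever reads, and the user's password is still verified by the user's own bind.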
