Spring Security LDAP authentication user must be a member of an AD group
Problem description
I've configured Spring Boot Security as per: https://spring.io/guides/gs/securing-web/
I am able to log in using my credentials perfectly. However, I need to add a check that the AD user must also belong to a specific AD group (i.e. AD-this-is-a-specific-group). On login, if the user does not belong to the specific AD group, then it should return a login error.
I've been searching for hours now and cannot seem to find a clear way to do this in the WebSecurityConfigurerAdapter; am I using the auth.groupSearchFilter correctly?
Here is my code:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    Environment env;

    // Builds the LDAP connection from application properties (ldap.url, ldap.baseDn, ldap.bindDn, ldap.batchPassword)
    public LdapContextSource contextSource() {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(env.getRequiredProperty("ldap.url"));
        contextSource.setBase(env.getRequiredProperty("ldap.baseDn"));
        contextSource.setUserDn(env.getRequiredProperty("ldap.bindDn"));
        contextSource.setPassword(env.getRequiredProperty("ldap.batchPassword"));
        contextSource.afterPropertiesSet();
        return contextSource;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            .userSearchFilter("(cn={0})")
            .groupSearchBase("OU=Account Groups,OU=ITS Security")
            // this filter is what the question asks about; the answer below corrects it
            .groupSearchFilter("(cn=AD-this-is-a-specific-group)")
            .contextSource(contextSource());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().fullyAuthenticated()
            .and()
            .formLogin();
    }
}
Not sure if this is the best way to do this (in terms of Spring Security's lifecycle), but basically I provided my own DefaultLdapAuthoritiesPopulator, where I only override getGroupMembershipRoles.
First thing though, I have the wrong auth.groupSearchFilter above; it should be:
.groupSearchFilter("(member={0})")
Second, I've created an anonymous class with an overridden method (that calls the super and checks for the membership in the list of roles):
import java.util.Set;

import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // contextSource() is the method from WebSecurityConfig in the question
    LdapContextSource contextSource = contextSource();
    auth
        .ldapAuthentication()
        // a custom populator is used as-is by the builder; it keeps DefaultLdapAuthoritiesPopulator's
        // own default group filter, which is also (member={0})
        .ldapAuthoritiesPopulator(new DefaultLdapAuthoritiesPopulator(contextSource, "OU=Account Groups,OU=ITS Security") {
            @Override
            public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) {
                Set<GrantedAuthority> groupMembershipRoles = super.getGroupMembershipRoles(userDn, username);
                boolean isMemberOfSpecificAdGroup = false;
                for (GrantedAuthority grantedAuthority : groupMembershipRoles) {
                    // DefaultLdapAuthoritiesPopulator upper-cases group names by default
                    // (ROLE_AD-THIS-IS-A-SPECIFIC-GROUP), so compare case-insensitively
                    if ("ROLE_AD-this-is-a-specific-group".equalsIgnoreCase(grantedAuthority.getAuthority())) {
                        isMemberOfSpecificAdGroup = true;
                        break;
                    }
                }
                if (!isMemberOfSpecificAdGroup) {
                    // an AuthenticationException here fails the login instead of granting fewer roles
                    throw new BadCredentialsException("User must be a member of " + "AD-this-is-a-specific-group");
                }
                return groupMembershipRoles;
            }
        })
        .userSearchFilter("(cn={0})")
        .groupSearchBase("OU=Account Groups,OU=ITS Security")
        .groupSearchFilter("(member={0})")
        .contextSource(contextSource);
}
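The same required-group rule as a reusable, named LdapAuthoritiesPopulator, added here as an example and not part of the original question or answer. It assumes the context source and group search base from the thread, keeps the membership check in a pure helper so it can be unit tested without a directory, and normalises the group name the same way DefaultLdapAuthoritiesPopulator does by default (ROLE_ prefix, upper case).

```java
import java.util.Collection;
import java.util.Locale;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/** Fails authentication unless the user's resolved AD groups include the required one. */
public class RequiredGroupLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private final DefaultLdapAuthoritiesPopulator delegate;
    private final String requiredAuthority;

    public RequiredGroupLdapAuthoritiesPopulator(LdapContextSource contextSource,
                                                 String groupSearchBase, String requiredGroupCn) {
        this.delegate = new DefaultLdapAuthoritiesPopulator(contextSource, groupSearchBase);
        // (member={0}) matches groups whose member attribute holds the user's DN. Only direct
        // membership counts; AD nested groups would need the (member:1.2.840.113556.1.4.1941:={0}) filter.
        this.delegate.setGroupSearchFilter("(member={0})");
        // DefaultLdapAuthoritiesPopulator's defaults: "ROLE_" prefix and upper-cased group CN
        this.requiredAuthority = "ROLE_" + requiredGroupCn.toUpperCase(Locale.ROOT);
    }

    /** Pure check, kept separate so it can be unit tested with constructed authorities. */
    static boolean containsRequiredGroup(Collection<? extends GrantedAuthority> authorities, String required) {
        for (GrantedAuthority a : authorities) {
            if (required.equalsIgnoreCase(a.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations user, String username) {
        Collection<? extends GrantedAuthority> authorities = delegate.getGrantedAuthorities(user, username);
        if (!containsRequiredGroup(authorities, requiredAuthority)) {
            // An AuthenticationException here makes LdapAuthenticationProvider reject the login;
            // the message stays generic so the required group name is not disclosed to the client.
            throw new BadCredentialsException("User is not a member of the required group");
        }
        return authorities;
    }
}

// Usage in configure(AuthenticationManagerBuilder auth), assuming the question's contextSource():
// auth.ldapAuthentication().userSearchFilter("(cn={0})").contextSource(contextSource())
//     .ldapAuthoritiesPopulator(new RequiredGroupLdapAuthoritiesPopulator(
//         contextSource(), "OU=Account Groups,OU=ITS Security", "AD-this-is-a-specific-group"));
```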