Spring Security LDAP authentication: user must be a member of an AD group


Problem description


I've configured the Spring Boot Security as per: https://spring.io/guides/gs/securing-web/

I am able to log in using my credentials perfectly. However, I need to add a check that the AD user must also belong to a specific AD group (i.e. AD-this-is-a-specific-group). On login, if the user does not belong to the specific AD group, then it should return a login error.

I've been searching for hours now and cannot seem to find a clear way to do this in the WebSecurityConfigurerAdapter. Am I using the auth.groupSearchFilter correctly?

Here is my code:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    Environment env;

    // Service-account (bind DN) connection used for the user and group searches
    public LdapContextSource contextSource() {
        LdapContextSource contextSource = new LdapContextSource();

        contextSource.setUrl(env.getRequiredProperty("ldap.url"));
        contextSource.setBase(env.getRequiredProperty("ldap.baseDn"));
        contextSource.setUserDn(env.getRequiredProperty("ldap.bindDn"));
        contextSource.setPassword(env.getRequiredProperty("ldap.batchPassword"));
        contextSource.afterPropertiesSet();
        return contextSource;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            .userSearchFilter("(cn={0})")                          // {0} is the submitted login name
            .groupSearchBase("OU=Account Groups,OU=ITS Security")
            .groupSearchFilter("(cn=AD-this-is-a-specific-group)") // filter as posted in the question
            .contextSource(contextSource());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().fullyAuthenticated()
            .and()
            .formLogin();
    }
}

Solution

Not sure if this is the best way to do this (in terms of Spring Security's lifecycle), but basically I provided my own DefaultLdapAuthoritiesPopulator, where I only override getGroupMembershipRoles.

First thing though, I had the wrong auth.groupSearchFilter above; it should be:

    .groupSearchFilter("(member={0})") 

Second, I've created an anonymous class with an overridden method (that calls the super and checks for the membership in the list of roles):

import java.util.Set;

import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    LdapContextSource contextSource = contextSource();

    auth
        .ldapAuthentication()
        // With a custom populator the configurer uses it as-is; this populator searches
        // the given base with its own default filter (member={0}) and role attribute (cn).
        .ldapAuthoritiesPopulator(new DefaultLdapAuthoritiesPopulator(contextSource, "OU=Account Groups,OU=ITS Security") {

            @Override
            public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) {
                Set<GrantedAuthority> groupMembershipRoles = super.getGroupMembershipRoles(userDn, username);

                boolean isMemberOfSpecificAdGroup = false;
                for (GrantedAuthority grantedAuthority : groupMembershipRoles) {
                    // DefaultLdapAuthoritiesPopulator upper-cases role names by default
                    // (ROLE_AD-THIS-IS-A-SPECIFIC-GROUP), so compare case-insensitively
                    if ("ROLE_AD-this-is-a-specific-group".equalsIgnoreCase(grantedAuthority.getAuthority())) {
                        isMemberOfSpecificAdGroup = true;
                        break;
                    }
                }

                if (!isMemberOfSpecificAdGroup) {
                    // Throwing here fails the login itself instead of granting a session with no access
                    throw new BadCredentialsException("User must be a member of " + "AD-this-is-a-specific-group");
                }
                return groupMembershipRoles;
            }
        })
        .userSearchFilter("(cn={0})")
        .groupSearchBase("OU=Account Groups,OU=ITS Security")
        .groupSearchFilter("(member={0})")
        .contextSource(contextSource);
}
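The answer enforces group membership by throwing from the authorities populator, which turns a missing group into a login failure. The alternative below, added here as an example and not taken from the question or the answer, lets the populator only translate AD groups into roles (with every setting the answer relies on made explicit, including the default upper-casing of role names) and enforces the group with hasRole() in HttpSecurity. The class name GroupGatedLdapConfig and the two constants are this example's own; the property names, search base and group name are the ones used on this page.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

@Configuration
@EnableWebSecurity
public class GroupGatedLdapConfig extends WebSecurityConfigurerAdapter {

    // Search base and group name as used on this page; the constants themselves are this example's.
    private static final String GROUP_SEARCH_BASE = "OU=Account Groups,OU=ITS Security";
    private static final String REQUIRED_GROUP_CN = "AD-this-is-a-specific-group";

    private final Environment env;

    public GroupGatedLdapConfig(Environment env) {
        this.env = env;
    }

    // Service-account connection used for the user and group searches.
    // Declared as a @Bean so Spring calls afterPropertiesSet() itself.
    @Bean
    public LdapContextSource contextSource() {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(env.getRequiredProperty("ldap.url"));
        contextSource.setBase(env.getRequiredProperty("ldap.baseDn"));
        contextSource.setUserDn(env.getRequiredProperty("ldap.bindDn"));
        contextSource.setPassword(env.getRequiredProperty("ldap.batchPassword"));
        return contextSource;
    }

    // The populator only maps groups to roles; it does not decide who may log in.
    @Bean
    public DefaultLdapAuthoritiesPopulator ldapAuthoritiesPopulator() {
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(contextSource(), GROUP_SEARCH_BASE);
        // {0} is the authenticated user's DN, so this returns the groups whose
        // "member" attribute lists that DN (direct membership only).
        populator.setGroupSearchFilter("(member={0})");
        populator.setSearchSubtree(true);
        // Role name = the group's cn, prefixed with ROLE_ and upper-cased (the default),
        // so the group above becomes ROLE_AD-THIS-IS-A-SPECIFIC-GROUP.
        populator.setGroupRoleAttribute("cn");
        populator.setRolePrefix("ROLE_");
        populator.setConvertToUpperCase(true);
        return populator;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
                .userSearchFilter("(cn={0})")   // here {0} is the submitted login name
                .ldapAuthoritiesPopulator(ldapAuthoritiesPopulator())
                .contextSource(contextSource());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // hasRole() prepends ROLE_ itself, so pass the bare upper-cased group name.
                .anyRequest().hasRole(requiredRole())
            .and()
                .formLogin();
    }

    // Role name expected by hasRole(): the group cn in the populator's casing.
    static String requiredRole() {
        return REQUIRED_GROUP_CN.toUpperCase();
    }
}
```

The behavioural difference is worth knowing before choosing: with hasRole() a user outside the group authenticates successfully and then receives 403 on every request, whereas the answer's populator exception rejects the login itself. In both variants (member={0}) matches direct membership only; if group nesting matters, Active Directory's transitive matching rule filter (member:1.2.840.113556.1.4.1941:={0}) resolves membership through nested groups, at the cost of a more expensive query.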
