使用 spring security 3.1 对活动目录进行身份验证时处理角色 [英] Handling roles when authenticated to active directory with spring security 3.1
问题描述
我正在尝试使用 Spring Security 3.1 对 Active Directory 进行身份验证.我通过了身份验证,一切都很好.
I'm trying to use a authenticate with an Active directory using Spring Security 3.1. I get authenticated and all is well.
<sec:ldap-server id="ldapServer" url="ldap://ldap/dc=sub,dc=domain,dc=com" port="389" />
<sec:authentication-manager erase-credentials="true" >
<sec:authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</sec:authentication-manager>
<bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="domain" />
<constructor-arg value="ldap://server:389/"/>
</bean>
现在问题来了.我如何处理用户的角色以便我可以设置过滤器?
Now to the question. How do I handle roles for the user so that I can setup my filters?
例如
<sec:intercept-url pattern="/**" access="ROLE_USER"/>
解决方案
我通过使用 UserDetailContextMapper 了解了如何做到这一点,并将我的 AD 组映射到 ROLE_USER、ROLE_ADMIN 等.
Solution
I found out how to do this by using the UserDetailContextMapper and map my AD groups to ROLE_USER,ROLE_ADMIN etc.
<bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="domain" />
<constructor-arg value="ldap://host:389/"/>
<property name="userDetailsContextMapper" ref="tdrUserDetailsContextMapper"/>
<property name="useAuthenticationRequestCredentials" value="true"/>
</bean>
<bean id="tdrUserDetailsContextMapper" class="com.bla.bla.UserDetailsContextMapperImpl"/>
映射器类:
public class UserDetailsContextMapperImpl implements UserDetailsContextMapper, Serializable{
private static final long serialVersionUID = 3962976258168853954L;
@Override
public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authority) {
List<GrantedAuthority> mappedAuthorities = new ArrayList<GrantedAuthority>();
for (GrantedAuthority granted : authority) {
if (granted.getAuthority().equalsIgnoreCase("MY USER GROUP")) {
mappedAuthorities.add(new GrantedAuthority(){
private static final long serialVersionUID = 4356967414267942910L;
@Override
public String getAuthority() {
return "ROLE_USER";
}
});
} else if(granted.getAuthority().equalsIgnoreCase("MY ADMIN GROUP")) {
mappedAuthorities.add(new GrantedAuthority() {
private static final long serialVersionUID = -5167156646226168080L;
@Override
public String getAuthority() {
return "ROLE_ADMIN";
}
});
}
}
return new User(username, "", true, true, true, true, mappedAuthorities);
}
@Override
public void mapUserToContext(UserDetails arg0, DirContextAdapter arg1) {
}
}
推荐答案
beans.xml 中的角色必须与 memberOf 值属性的 CN(通用名称)完全匹配.您应该阅读有关目录基础知识的教程.
The roles in the beans.xml must be an exact match of the CN (common name) of the memberOf value attribute. You should read a tutorial about directory basics.
说有这个用户:CN=Michael-O,OU=Users,OU=department,DC=sub,DC=company,DC=net在他的上下文中存在这个 memberOf 值 CN=Group Name,OU=Permissions,OU=Groups,OU=department,DC=sub,DC=company,DC=net
Say have this user:
CN=Michael-O,OU=Users,OU=department,DC=sub,DC=company,DC=net
In his context exists this memberOf value CN=Group Name,OU=Permissions,OU=Groups,OU=department,DC=sub,DC=company,DC=net
Bean 将定位这个 memberOf 值并提取 Group Name.您 beans.xml 必须具有该值.
The Bean will locate this memberOf value and extract Group Name. You beans.xml has to have exactly this value.
这篇关于使用 spring security 3.1 对活动目录进行身份验证时处理角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
