Do we need to write CustomActiveDirectoryLdapAuthenticationProvider if we want to get user details from ActiveDirectory


Question

If we need to get user attributes from ActiveDirectory like name, sn, etc., can't we configure this using the specialized LDAP authentication provider which uses Active Directory configuration conventions, like "springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider"?

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Stateless HTTP Basic: no session is created and CSRF protection is disabled.
        // Ant patterns are matched against the request path, which starts with '/'.
        http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests().antMatchers("/", "/logout").permitAll().and().httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
    }

    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        // domain and url are fields of the enclosing configuration class (not shown here).
        ActiveDirectoryLdapAuthenticationProvider adProvider = new ActiveDirectoryLdapAuthenticationProvider(domain, url);
        adProvider.setConvertSubErrorCodesToExceptions(true);
        adProvider.setUseAuthenticationRequestCredentials(true);

        return adProvider;
    }

And then use AuthenticationManager as shown below.

    Authentication auth = new UsernamePasswordAuthenticationToken(userName, password);
    Authentication a = authenticationManager.authenticate(auth);

But I get a.isAuthenticated() as true for the correct username and password, and I also get a.getName() as my username. But how do I retrieve sn, displayname, name and other attributes? Do we need to write a CustomActiveDirectoryLdapAuthenticationProvider as mentioned here: http://code-addict.pl/active-directory-spring-security/

Recommended answer

You do not. Spring Security comes with a UserDetailsContextMapper interface:

    /**
     * Creates a fully populated UserDetails object for use by the security framework.
     *
     * @param ctx the context object which contains the user information.
     * @param username the user's supplied login name.
     * @param authorities
     * @return the user object.
     */
    UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> authorities);

The default implementation, LdapUserDetailsMapper, currently only maps the groups returned by the search.

    // Map the roles
    for (int i = 0; (this.roleAttributes != null)
            && (i < this.roleAttributes.length); i++) {
        String[] rolesForAttribute = ctx.getStringAttributes(this.roleAttributes[i]);

        if (rolesForAttribute == null) {
            this.logger.debug("Couldn't read role attribute '"
                    + this.roleAttributes[i] + "' for user " + dn);
            continue;
        }
        for (String role : rolesForAttribute) {
            GrantedAuthority authority = createAuthority(role);
            if (authority != null) {
                essence.addAuthority(authority);
            }
        }
    }

However, by implementing your own UserDetailsMapper, you can retrieve any and all records that come back from LDAP.

You just decide what attribute you wish to fetch:

    Object attribute = ctx.getObjectAttribute("some-ldap-attribute");

This is how you would fetch custom values during an authentication event.

If you want to just query and search and fetch data from the LDAP directory, you can leverage the SpringSecurityLdapTemplate.

It aims to mimic what RestTemplate does for HTTP but for LDAP.
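
A minimal mapper of the kind the answer describes, added here as an illustration; it is not code from the original answer or from Spring Security. `AdUser` and `AdUserContextMapper` are hypothetical names, and the attributes `displayName`, `sn` and `name` are assumed to be present on the directory entry.

```java
import java.util.Collection;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

/** Hypothetical principal carrying only the directory attributes the application needs. */
class AdUser extends User {
    private final String displayName;
    private final String sn;
    private final String name;

    AdUser(String username, Collection<? extends GrantedAuthority> authorities,
            String displayName, String sn, String name) {
        // No password is read from the directory or kept on the principal.
        // User rejects a null password, so an empty string is stored instead.
        super(username, "", authorities);
        this.displayName = displayName;
        this.sn = sn;
        this.name = name;
    }

    public String getDisplayName() { return displayName; }
    public String getSn() { return sn; }
    public String getName() { return name; }
}

/** Hypothetical mapper; register it with adProvider.setUserDetailsContextMapper(new AdUserContextMapper()). */
public class AdUserContextMapper implements UserDetailsContextMapper {
    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> authorities) {
        // getStringAttribute returns null when the entry lacks the attribute.
        return new AdUser(username, authorities,
                ctx.getStringAttribute("displayName"),
                ctx.getStringAttribute("sn"),
                ctx.getStringAttribute("name"));
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        // Authentication only reads from the directory; writing entries back is not supported here.
        throw new UnsupportedOperationException("read-only mapper");
    }
}
```

With the mapper registered on the provider from the question, the populated object is the principal of the returned token: `(AdUser) a.getPrincipal()`.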
