How to map Ldap groups to Tomcat Roles (Java)

Problem description

I am writing a web project using Servlets/JSP etc. At the moment the program uses basic authentication for security, but my work wants the security roles picked up from our Active Directory.

I have modified apache's server.xml with the following:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://adclds001.mycompgroup.local:389"
       connectionName="************.local:389"
       connectionPassword="********"
       userPattern="CN={0},OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       roleBase="OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       roleName="cn"
       roleSearch="member={0}"
     />

The authentication works fine, but I do not know how to map ldap groups to Tomcat roles.

I have tried adding things like group-name to the entries to the deployment descriptor but to no avail.

I have also heard that extending the JNDIRealm class and overriding the getRoles method might give me what I want, but I can't find full details on what might be required.

So what is the best way to map ldap groups to tomcat roles?

The application is still not picking up the roles.

My realm details are currently:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://adclds001.mycomp.local:389"
       connectionName="trainee1@mycomp.local:389"
       connectionPassword="****"
       userPattern="CN={0},OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       userRoleName="Domain Users"
       roleBase="OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       roleName="cn"
       roleSearch="member={0}"
     />

I have a security constraint in my deployment descriptor:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Domain Users</role-name>
            <role-name>admin_user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>   

Security roles in web.xml:

    <security-role>
        <role-name>basic_user</role-name>
    </security-role>
    <security-role>
        <role-name>admin_user</role-name>
    </security-role>

    <security-role>
        <role-name>Domain Users</role-name>
    </security-role>

I also have:

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

Also:

My IT dept are telling me that everybody is in the following group: CN=Domain Users,CN=Users,DC=mycompgroup,DC=local

Can anybody suggest why I am not able to use the Domain Users role?

Recommended answer

You can use LDAPAdminExe to browse the LDAP structure and find which "group" you are located in.

For example, your group is CN=Domain Users,CN=Users,DC=mycompgroup,DC=local.

Step 1. You should check whether this group is in the role base (use LDAPAdminExe to check):

OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local

If not, you should change this roleBase setting. I think you may be able to set this config to

DC=mycompgroup,DC=local

So you will set the config in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://adclds001.mycomp.local:389"
       connectionName="trainee1@mycomp.local:389"
       connectionPassword="****"
       userPattern="CN={0},OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       userRoleName="Domain Users"
       roleBase="DC=mycompgroup,DC=local"
       roleName="cn"
       roleSearch="member={0}"
     />

Step 2. You should add the group name in your web.xml:

<security-constraint>
....
    <auth-constraint>
        <role-name>Domain Users</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<security-role>
    <role-name>Domain Users</role-name>
</security-role>

Step 3. Restart this Tomcat server.

Enjoy!!!
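
The role lookup configured above, simulated as an added example (not part of the original post, and not Tomcat's own code): it reports which groups a member={0} search would find for a given roleBase and roleSubtree setting. The directory contents, the user trainee1 and the Course Admins group are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class RoleSearchScope {
    static final String OU = "OU=Trainers,OU=Academy,OU=Staff,OU=Users,OU=UK,OU=Countries,DC=mycompgroup,DC=local";
    // Constructed sample data: the user name and "Course Admins" are hypothetical.
    static final String USER = "CN=trainee1," + OU;
    static final Map<String, List<String>> GROUPS = Map.of(
        "CN=Domain Users,CN=Users,DC=mycompgroup,DC=local", List.of(USER),
        "CN=Course Admins," + OU, List.of(USER));

    // Mimics the role lookup: keep groups inside the roleBase scope whose
    // member attribute holds the user DN (roleSearch="member={0}"), and
    // return each group's cn (roleName="cn").
    static List<String> roles(String roleBase, boolean roleSubtree, String userDn)
            throws InvalidNameException {
        LdapName base = new LdapName(roleBase);
        LdapName user = new LdapName(userDn);
        List<String> found = new ArrayList<>();
        for (Map.Entry<String, List<String>> group : GROUPS.entrySet()) {
            LdapName dn = new LdapName(group.getKey());
            // One-level scope sees only direct children of roleBase.
            boolean inScope = dn.startsWith(base)
                    && (roleSubtree || dn.size() == base.size() + 1);
            boolean isMember = false;
            for (String member : group.getValue()) {
                isMember |= new LdapName(member).equals(user);
            }
            if (inScope && isMember) {
                found.add(String.valueOf(dn.getRdn(dn.size() - 1).getValue()));
            }
        }
        Collections.sort(found);
        return found;
    }

    public static void main(String[] args) throws InvalidNameException {
        String root = "DC=mycompgroup,DC=local";
        System.out.println("roleBase=OU=Trainers,... one level: " + roles(OU, false, USER));
        System.out.println("roleBase=" + root + " one level: " + roles(root, false, USER));
        System.out.println("roleBase=" + root + " subtree:   " + roles(root, true, USER));
    }
}
```

JNDIRealm's roleSubtree attribute defaults to false, so only entries directly beneath roleBase are searched. In Active Directory, membership held through a user's primary group is not listed in that group's member attribute, so a member={0} search does not return it.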
