当使用Spring Security 3.1身份验证到Active Directory处理角色 [英] Handling roles when authenticated to active directory with spring security 3.1
问题描述
我试图使用身份验证使用的Spring Security 3.1的Active Directory。 我得到验证,一切都很好。
<秒:LDAP服务器ID =ldapServerURL =LDAP:// LDAP / DC =子,DC =域,DC = COM口=389 />
<秒:认证经理擦除凭据=真正的>
<秒:身份验证提供参考=ldapActiveDirectoryAuthProvider/>
< /秒:认证经理>
<豆ID =ldapActiveDirectoryAuthProvider
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<构造带参数的值=域/>
<构造带参数的值=LDAP://服务器:389 //>
< /豆>
现在的问题。如何处理用户的角色,这样我就可以设置我的过滤器?
如:
<秒:拦截-URL模式=/ **访问=ROLE_USER/>
解决方案
我发现了如何使用UserDetailContextMapper做到这一点,我的映射AD组到ROLE_USER,ROLE_ADMIN等。
<豆ID =ldapActiveDirectoryAuthProvider
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<构造带参数的值=域/>
<构造带参数的值=LDAP://主机:389 //>
<属性名=的UserDetailsContextMapperREF =tdrUserDetailsContextMapper/>
<属性名=useAuthenticationRequestCredentials值=真/>
< /豆>
<豆ID =tdrUserDetailsContextMapper级=com.bla.bla.UserDetailsContextMapperImpl/>
映射器类:
公共类UserDetailsContextMapperImpl实现的UserDetailsContextMapper,序列化{
私有静态最后长的serialVersionUID = 3962976258168853954L;
@覆盖
公众的UserDetails mapUserFromContext(DirContextOperations CTX,字符串username,收集和LT ;?延伸的GrantedAuthority>授权){
名单<的GrantedAuthority> mappedAuthorities =新的ArrayList<的GrantedAuthority>();
对于(的GrantedAuthority理所当然:授权){
如果(granted.getAuthority()。equalsIgnoreCase(我的用户组)){
mappedAuthorities.add(新的GrantedAuthority(){
私有静态最后长的serialVersionUID = 4356967414267942910L;
@覆盖
公共字符串getAuthority(){
返回ROLE_USER;
}
});
}否则,如果(granted.getAuthority()。equalsIgnoreCase(我的管理集团)){
mappedAuthorities.add(新的GrantedAuthority(){
私有静态最后长的serialVersionUID = -5167156646226168080L;
@覆盖
公共字符串getAuthority(){
返回ROLE_ADMIN;
}
});
}
}
返回新用户(用户名,真的,真的,真的,真的,mappedAuthorities);
}
@覆盖
公共无效mapUserToContext(的UserDetails为arg0,DirContextAdapter ARG1){
}
}
在beans.xml中的角色必须是CN(通用名)的memberOf值属性的精确匹配。你应该阅读教程有关目录的基础知识。
说有这样的用户:
CN =迈克尔-O,OU =用户,OU =部门,DC =子,DC =公司,DC =净
在他的背景下存在这种的memberOf值 CN =组名,OU =权限,OU =组,OU =部门,DC =子,DC =公司,DC =净
bean将查找此的memberOf值,并提取组名称
。您beans.xml文件必须具有的正是这个值。
I'm trying to use a authenticate with an Active directory using Spring Security 3.1. I get authenticated and all is well.
<sec:ldap-server id="ldapServer" url="ldap://ldap/dc=sub,dc=domain,dc=com" port="389" />
<sec:authentication-manager erase-credentials="true" >
<sec:authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</sec:authentication-manager>
<bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="domain" />
<constructor-arg value="ldap://server:389/"/>
</bean>
Now to the question. How do I handle roles for the user so that I can setup my filters?
eg.
<sec:intercept-url pattern="/**" access="ROLE_USER"/>
Solution
I found out how to do this by using the UserDetailContextMapper and map my AD groups to ROLE_USER,ROLE_ADMIN etc.
<bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="domain" />
<constructor-arg value="ldap://host:389/"/>
<property name="userDetailsContextMapper" ref="tdrUserDetailsContextMapper"/>
<property name="useAuthenticationRequestCredentials" value="true"/>
</bean>
<bean id="tdrUserDetailsContextMapper" class="com.bla.bla.UserDetailsContextMapperImpl"/>
Mapper class:
public class UserDetailsContextMapperImpl implements UserDetailsContextMapper, Serializable{
private static final long serialVersionUID = 3962976258168853954L;
@Override
public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authority) {
List<GrantedAuthority> mappedAuthorities = new ArrayList<GrantedAuthority>();
for (GrantedAuthority granted : authority) {
if (granted.getAuthority().equalsIgnoreCase("MY USER GROUP")) {
mappedAuthorities.add(new GrantedAuthority(){
private static final long serialVersionUID = 4356967414267942910L;
@Override
public String getAuthority() {
return "ROLE_USER";
}
});
} else if(granted.getAuthority().equalsIgnoreCase("MY ADMIN GROUP")) {
mappedAuthorities.add(new GrantedAuthority() {
private static final long serialVersionUID = -5167156646226168080L;
@Override
public String getAuthority() {
return "ROLE_ADMIN";
}
});
}
}
return new User(username, "", true, true, true, true, mappedAuthorities);
}
@Override
public void mapUserToContext(UserDetails arg0, DirContextAdapter arg1) {
}
}
The roles in the beans.xml must be an exact match of the CN (common name) of the memberOf value attribute. You should read a tutorial about directory basics.
Say have this user:
CN=Michael-O,OU=Users,OU=department,DC=sub,DC=company,DC=net
In his context exists this memberOf value CN=Group Name,OU=Permissions,OU=Groups,OU=department,DC=sub,DC=company,DC=net
The Bean will locate this memberOf value and extract Group Name
. You beans.xml has to have exactly this value.
这篇关于当使用Spring Security 3.1身份验证到Active Directory处理角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!