Handling roles when authenticated to Active Directory with Spring Security 3.1

Question

I'm trying to authenticate against an Active Directory using Spring Security 3.1. I get authenticated and all is well.

<sec:ldap-server id="ldapServer" url="ldap://ldap/dc=sub,dc=domain,dc=com" port="389" />

<sec:authentication-manager erase-credentials="true"  >
    <sec:authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</sec:authentication-manager>

<bean id="ldapActiveDirectoryAuthProvider" 
        class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <constructor-arg value="domain" />
    <constructor-arg value="ldap://server:389/"/> 
</bean>

Now to the question. How do I handle roles for the user so that I can set up my filters?

e.g.

<sec:intercept-url pattern="/**" access="ROLE_USER"/>

Solution

I found out how to do this by using the UserDetailsContextMapper and mapping my AD groups to ROLE_USER, ROLE_ADMIN etc.

<bean id="ldapActiveDirectoryAuthProvider"
        class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <constructor-arg value="domain" />
    <constructor-arg value="ldap://host:389/"/>
    <property name="userDetailsContextMapper" ref="tdrUserDetailsContextMapper"/>
    <property name="useAuthenticationRequestCredentials" value="true"/>
</bean>

<bean id="tdrUserDetailsContextMapper" class="com.bla.bla.UserDetailsContextMapperImpl"/>

Mapper class:

import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

public class UserDetailsContextMapperImpl implements UserDetailsContextMapper, Serializable {
    private static final long serialVersionUID = 3962976258168853954L;

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> authorities) {
        // Each incoming authority is the CN of an AD group taken from the user's memberOf
        // attribute; only the groups listed below are translated into application roles.
        List<GrantedAuthority> mappedAuthorities = new ArrayList<GrantedAuthority>();

        for (GrantedAuthority granted : authorities) {
            if (granted.getAuthority().equalsIgnoreCase("MY USER GROUP")) {
                mappedAuthorities.add(new GrantedAuthority() {
                    private static final long serialVersionUID = 4356967414267942910L;

                    @Override
                    public String getAuthority() {
                        return "ROLE_USER";
                    }
                });
            } else if (granted.getAuthority().equalsIgnoreCase("MY ADMIN GROUP")) {
                mappedAuthorities.add(new GrantedAuthority() {
                    private static final long serialVersionUID = -5167156646226168080L;

                    @Override
                    public String getAuthority() {
                        return "ROLE_ADMIN";
                    }
                });
            }
        }
        // No password is kept (empty string); the account is enabled, non-expired and non-locked.
        // A user whose groups match nothing gets no roles and is denied by the intercept-url rules.
        return new User(username, "", true, true, true, true, mappedAuthorities);
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        // Not needed for authentication; nothing is written back to the directory.
    }
}

Solution

The roles in the beans.xml must be an exact match of the CN (common name) of the memberOf value attribute. You should read a tutorial about directory basics.

Say you have this user:

CN=Michael-O,OU=Users,OU=department,DC=sub,DC=company,DC=net

In his context this memberOf value exists:

CN=Group Name,OU=Permissions,OU=Groups,OU=department,DC=sub,DC=company,DC=net

The bean will locate this memberOf value and extract "Group Name". Your beans.xml has to have exactly this value.
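As an added example (not code from either answer), the group-to-role mapping of the first answer is written here against the memberOf DN values the second answer describes: the CN is extracted with the JDK's LdapName, which handles escaped characters such as a comma inside a group name, and the group names and their roles are assumed placeholders held in an explicit allowlist, so a group that is not listed yields no role.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public final class AdGroupRoleMapper {
    // Constructed allowlist: lower-cased AD group CN -> application role (assumed names).
    private static final Map<String, String> GROUP_TO_ROLE = new HashMap<String, String>();
    static {
        GROUP_TO_ROLE.put("my user group", "ROLE_USER");
        GROUP_TO_ROLE.put("my admin group", "ROLE_ADMIN");
    }

    // Returns the value of the leftmost RDN of a memberOf DN, i.e. the group's CN.
    // LdapName indexes RDNs right to left, so the leftmost one has the highest index.
    public static String groupCnFromDn(String memberOfDn) throws InvalidNameException {
        LdapName dn = new LdapName(memberOfDn);
        Rdn leftmost = dn.getRdn(dn.size() - 1);
        if (!"cn".equalsIgnoreCase(leftmost.getType())) {
            throw new InvalidNameException("expected CN as leftmost RDN: " + memberOfDn);
        }
        return leftmost.getValue().toString(); // unescaped, e.g. "Unrelated, Team"
    }

    // Maps memberOf DNs to roles, comparing the CN case-insensitively like the answer's
    // equalsIgnoreCase; groups outside the allowlist contribute nothing (fail closed).
    public static Set<String> rolesFor(Collection<String> memberOfDns) throws InvalidNameException {
        Set<String> roles = new LinkedHashSet<String>();
        for (String dn : memberOfDns) {
            String role = GROUP_TO_ROLE.get(groupCnFromDn(dn).toLowerCase(Locale.ROOT));
            if (role != null) {
                roles.add(role);
            }
        }
        return roles;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample memberOf values for one user; only the first one is allowlisted.
        List<String> memberOf = Arrays.asList(
            "CN=My Admin Group,OU=Permissions,OU=Groups,OU=department,DC=sub,DC=company,DC=net",
            "CN=Unrelated\\, Team,OU=Groups,OU=department,DC=sub,DC=company,DC=net");
        System.out.println(rolesFor(memberOf));
    }
}
```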
