Spring Security: how to map Active Directory users to application users?


Question

I'm integrating Active Directory authentication in an existing Spring web app.

At the moment user details are stored in a DB table and I implemented a custom UserDetailsService to authenticate users.

Following several tutorials I implemented Active Directory support via ActiveDirectoryLdapAuthenticationProvider (http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ldap-active-directory) in my application, and it basically works, but I need something more specific.

Instead of mapping AD groups to application roles, I need to map AD users to existing users in my web app. In other words I want to enable AD authentication only for users in my Users table. A user can access via AD credentials ONLY IF they are already registered in the application DB.

Authorization info for each user is stored in the DB. This way, each user can be authenticated both via DB user+password and via AD.

Is it possible to achieve this with Spring Security? And how?

NOTE I'm using Spring v 3.2.9 and Spring Security v 3.2.3

Recommended answer

As a workaround I implemented a custom AuthenticationProvider and a custom UserDetailsContextMapper.

Because ActiveDirectoryLdapAuthenticationProvider is a final class, I implemented the ADCustomAuthenticationProvider via composition, this way:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;

public class ADCustomAuthenticationProvider implements AuthenticationProvider {

    // The real AD provider is final, so it is wrapped instead of extended
    @Autowired
    private ActiveDirectoryLdapAuthenticationProvider adAuthProvider;
    // DAO for the application's Users table
    @Autowired
    private UserDao uDao;

    @Override
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        // the principal is the login name, possibly in user@domain form
        String principal = authentication.getPrincipal().toString();
        String username = principal.split("@")[0];
        // reject users that are not registered in the application DB
        // before contacting AD at all
        User utente = uDao.findByUsername(username);
        if (utente == null) {
            // ADUnregisteredUserAuthenticationException is the app's own
            // exception class, extending AuthenticationException
            throw new ADUnregisteredUserAuthenticationException("user ["
                    + principal + "] is not registered");
        }
        // delegate the actual credential check (LDAP bind) to AD
        return adAuthProvider.authenticate(authentication);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return adAuthProvider.supports(authentication);
    }

}

Then I extended LdapUserDetailsMapper, implementing only the mapUserFromContext method.

import java.util.Collection;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;

public class ADCustomUserDetailsContextMapper extends LdapUserDetailsMapper {

    @Autowired
    private UserDetailsService userDetailsService; // ... the service used for DB authentication

    // Ignore the LDAP entry and the AD group authorities: after a successful
    // AD bind, the application's own UserDetails (with DB roles) is returned
    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx,
            String username, Collection<? extends GrantedAuthority> authorities) {
        return userDetailsService.loadUserByUsername(username);
    }
}

(I'll probably need to implement the mapUserToContext method because I'm using a custom UserDetails implementation that does not extend LdapUserDetails, so the reverse conversion process could throw an exception...)

NOTE This way I'm repeating the same query (to the Users table) two times... I'd like to find a way to make a single query and share the result among AuthenticationProvider and UserDetailsContextMapper.
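The answer above shows the two custom classes but not how they are wired into the authentication manager. The following Spring Security 3.2 Java configuration is an added example, not code from the original answer: it registers the DB-backed DaoAuthenticationProvider and the ADCustomAuthenticationProvider in one ProviderManager, and gives the real ActiveDirectoryLdapAuthenticationProvider the custom context mapper. The AD domain and LDAPS URL are placeholders, and the BCryptPasswordEncoder, the class name AuthProviderConfig and the assumption that the existing DB UserDetailsService is the only such bean in the context are all mine.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class AuthProviderConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the application's existing DB-backed UserDetailsService
    // is the only UserDetailsService bean in the context
    @Autowired
    private UserDetailsService dbUserDetailsService;

    // Provider 1: local accounts, password hash checked against the Users table
    @Bean
    public DaoAuthenticationProvider dbAuthProvider() {
        DaoAuthenticationProvider p = new DaoAuthenticationProvider();
        p.setUserDetailsService(dbUserDetailsService);
        p.setPasswordEncoder(new BCryptPasswordEncoder()); // assumed hashing scheme
        return p;
    }

    // Declared as a bean so its @Autowired UserDetailsService is injected
    @Bean
    public ADCustomUserDetailsContextMapper adContextMapper() {
        return new ADCustomUserDetailsContextMapper();
    }

    // The real AD provider (final class) that the wrapper delegates to
    @Bean
    public ActiveDirectoryLdapAuthenticationProvider adAuthProvider() {
        // placeholders: replace with the real AD domain and an LDAPS URL
        ActiveDirectoryLdapAuthenticationProvider p =
                new ActiveDirectoryLdapAuthenticationProvider(
                        "corp.example", "ldaps://dc1.corp.example:636");
        // surface locked/expired/disabled AD accounts as the matching
        // AccountStatusException subclasses instead of a generic failure
        p.setConvertSubErrorCodesToExceptions(true);
        // after a successful bind, load the app's own UserDetails from the DB
        p.setUserDetailsContextMapper(adContextMapper());
        return p;
    }

    // Provider 2: the wrapper from the answer, which checks the Users table
    // before delegating to adAuthProvider (its fields are autowired as a bean)
    @Bean
    public ADCustomAuthenticationProvider adCustomAuthProvider() {
        return new ADCustomAuthenticationProvider();
    }

    // ProviderManager tries providers in this order: a BadCredentialsException
    // from the DB provider falls through to the AD wrapper, so a registered
    // user can log in with either the DB password or the AD password
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(dbAuthProvider())
            .authenticationProvider(adCustomAuthProvider());
    }
}
```

Two points worth checking in such a setup. First, a username that is absent from the Users table never reaches the LDAP bind, which is the requirement in the question; but because ADUnregisteredUserAuthenticationException is a different exception from BadCredentialsException, the login failure handler should show the same generic message for both, otherwise the login page reveals which usernames are registered. Second, ProviderManager rethrows AccountStatusException immediately without trying further providers, so with setConvertSubErrorCodesToExceptions(true) a locked or expired AD account is reported as such rather than silently retried against the DB.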
