spring-security : Using user's certificate to authenticate against LDAP


Question

I managed to authenticate the user against the LDAP using the username found in the certificate. What I would like to obtain is to authenticate the user directly with the certificate on the LDAP. I cannot find how to pass the certificate to the LDAP.

Here is the current config (using the certificate's username):

<security:x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/>
<bean name="userService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    <constructor-arg ref="ldapUserSearch"/>
    <constructor-arg ref="ldapAuthoritiesPopulator"/>
</bean>
<bean name="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg value=""/>
    <constructor-arg value="sAMAccountName={0}"/>
    <constructor-arg ref="contextSource" />
</bean>
<bean name="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
    <constructor-arg ref="contextSource" />
    <constructor-arg value="" />
    <property name="groupSearchFilter" value="member={0}" />
    <property name="searchSubtree" value="true" />
</bean>


Recommended answer

I was looking into this issue myself. I have yet to find an authentication stack that does X509->account resolution "right". I got hung up on the fact that Spring Security's UserDetailsService interface insists on a string uid for lookup, but in many cases it is impossible to derive such a UID from the information contained in an X509 certificate's subject (e.g. there are many cn=John Smith in the world, or even within a single organization, nor is email required in a certificate DN). The uniqueness of a certificate lies in the Issuer + Serial Number combination, not the Subject.

After looking through the API there are a couple of ways to go about this. Either way probably precludes using the namespace, so you set up the filter chain and beans yourself:

1) Implement your own AuthenticationUserDetailsService and bind it to the PreAuthenticatedAuthenticationProvider. By default, I believe, the namespace sets up a UserDetailsByNameServiceWrapper using the passed-in user-service-ref. Going this route means you have to do everything to set up the UserDetails, including granted authorities resolution. Of course you can delegate all this, but it's more work.

2) If your LDAP store is keyed by some UID (and this is the route I am leaning towards), implement your own X509PrincipalExtractor, bind it to the X509AuthenticationFilter, and return the string uid that your LdapUserDetailsService is configured to expect. Within the extractor, implement the logic to search your LDAP store for the stored certificate. I do not know of any strategy that will work across LDAP servers; the easiest way would be if your LDAP supports RFC4523 certificateMatch or certificateExactMatch and you can configure a search filter that returns a unique account, from which you can then return the attribute you need (e.g. sAMAccountName). If not, and your certificates contain a value that you can filter on (e.g. certificate cn = LDAP cn), use it to retrieve a candidate set of LDAP results, extract their certificates as X509Certificate, do .equals() against the passed-in certificate to find the account that matches, and return its uid.
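A worked implementation of option 2, added here as an example; it is not code from the answer above, from the question's config, or from Spring Security itself. It assumes Spring LDAP 2.x with an LdapTemplate wrapped around the same contextSource the question uses, accounts that carry their certificate in the userCertificate attribute, and sAMAccountName as the uid the LdapUserDetailsService expects. The subject CN is used only to narrow the candidate set; the account is chosen by X509Certificate.equals(), which compares the DER encodings and therefore the issuer and serial number the answer identifies as the real key:

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.support.LdapEncoder;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

/**
 * Example X509PrincipalExtractor (not Spring Security's own) that maps the presented client
 * certificate to the account whose stored userCertificate is byte-for-byte identical and
 * returns that account's uid attribute for the LdapUserDetailsService lookup.
 */
public class StoredCertificatePrincipalExtractor implements X509PrincipalExtractor {

    private final LdapTemplate ldapTemplate;   // assumed: new LdapTemplate(contextSource)
    private final String searchBase;           // "" = search from the contextSource base
    private final String uidAttribute;         // assumed: "sAMAccountName"
    private final CertificateFactory certificateFactory;

    public StoredCertificatePrincipalExtractor(LdapTemplate ldapTemplate, String searchBase, String uidAttribute) {
        this.ldapTemplate = ldapTemplate;
        this.searchBase = searchBase;
        this.uidAttribute = uidAttribute;
        try {
            this.certificateFactory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new IllegalStateException("No X.509 CertificateFactory available", e);
        }
    }

    @Override
    public Object extractPrincipal(X509Certificate presented) {
        String cn = subjectCn(presented);
        if (cn == null) {
            return null;
        }
        // The CN only narrows the search; filterEncode escapes ( ) * \ and NUL so a
        // certificate with a crafted CN cannot rewrite the filter (LDAP injection).
        String filter = "(cn=" + LdapEncoder.filterEncode(cn) + ")";
        List<Candidate> candidates = ldapTemplate.search(searchBase, filter, new CandidateMapper());

        Set<String> matchingUids = new LinkedHashSet<>();
        for (Candidate candidate : candidates) {
            for (X509Certificate stored : candidate.certificates) {
                // equals() compares the DER encodings, so a CN collision alone never matches
                if (candidate.uid != null && presented.equals(stored)) {
                    matchingUids.add(candidate.uid);
                }
            }
        }
        // null makes X509AuthenticationFilter skip pre-authentication: an unknown or
        // ambiguous certificate leaves the request unauthenticated, never mis-attributed.
        return matchingUids.size() == 1 ? matchingUids.iterator().next() : null;
    }

    /** Leftmost CN of the subject DN, parsed with LdapName instead of a regex. */
    static String subjectCn(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (int i = dn.size() - 1; i >= 0; i--) {   // index size-1 is the leftmost RDN
                Rdn rdn = dn.getRdn(i);
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (NamingException e) {
            // unparsable subject: report no principal
        }
        return null;
    }

    private static final class Candidate {
        final String uid;
        final List<X509Certificate> certificates = new ArrayList<>();
        Candidate(String uid) { this.uid = uid; }
    }

    /** Reads the uid attribute and every userCertificate value of one search hit. */
    private final class CandidateMapper implements AttributesMapper<Candidate> {
        @Override
        public Candidate mapFromAttributes(Attributes attrs) throws NamingException {
            Attribute uid = attrs.get(uidAttribute);
            Candidate candidate = new Candidate(uid == null ? null : (String) uid.get());
            Attribute certs = attrs.get("userCertificate;binary");
            if (certs == null) {
                certs = attrs.get("userCertificate");   // some servers omit the ";binary" option
            }
            if (certs == null) {
                return candidate;
            }
            NamingEnumeration<?> values = certs.getAll();
            while (values.hasMore()) {
                Object value = values.next();
                if (!(value instanceof byte[])) {
                    continue;   // JNDI hands userCertificate back as byte[]; skip anything else
                }
                try {
                    candidate.certificates.add((X509Certificate) certificateFactory
                            .generateCertificate(new ByteArrayInputStream((byte[]) value)));
                } catch (CertificateException e) {
                    // a malformed stored value can never match; ignore it
                }
            }
            return candidate;
        }
    }
}
```

Wire it with X509AuthenticationFilter.setPrincipalExtractor(new StoredCertificatePrincipalExtractor(new LdapTemplate(contextSource), "", "sAMAccountName")) and keep the question's LdapUserDetailsService as the user-details lookup, since the extractor still hands it a string uid. Two caveats: the extractor, like the x509 filter, trusts whatever certificate the servlet container has already accepted, so the container's TLS client authentication must validate the chain against a truststore holding only the issuing CA; and the filter (cn=...) fetches candidates by CN alone, which is why the code refuses to resolve when zero or more than one account holds an identical certificate.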
