Spring Security with LDAP and Database roles


Problem description

In our new insurance project, I am trying to implement Spring Security with LDAP (Active Directory).

I want to just check the username/password against AD; once the user is found in AD, I want to authorize him from the user table (application-authorized users) with access levels in the database. Could someone give a sample or point me to a good resource?

Recommended answer

The easiest way to achieve this now (Spring Security 3.2.5.RELEASE) is by implementing a custom LdapAuthoritiesPopulator which uses a custom JdbcDaoImpl to obtain the authorities from the database.

Assuming you are using the default database schema, and that you are using the same username for authentication in LDAP and as the foreign key in the authorities table, you only need this:

// CustomJdbcUserDetailsService.java
package demo;

import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;

/*
 * You need to extend JdbcDaoImpl to expose the protected method loadUserAuthorities.
 * With the default schema this runs "select username,authority from authorities where username = ?".
 */
public class CustomJdbcUserDetailsService extends JdbcDaoImpl {

    @Override
    public List<GrantedAuthority> loadUserAuthorities(String username) {
        return super.loadUserAuthorities(username);
    }
}


// CustomLdapAuthoritiesPopulator.java (Java allows one public class per file, so this is a second file)
package demo;

import java.util.Collection;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/*
 * Then, the only thing your populator needs to do is use the custom UserDetailsService above.
 */
public class CustomLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private static final Logger LOGGER = LoggerFactory.getLogger(CustomLdapAuthoritiesPopulator.class);

    private CustomJdbcUserDetailsService service;

    public CustomLdapAuthoritiesPopulator(CustomJdbcUserDetailsService service) {
        this.service = service;
    }

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations user, String username) {
        // Called only after the LDAP bind succeeded; the LDAP entry itself is ignored and
        // the authorities come exclusively from the application's database.
        return service.loadUserAuthorities(username);
    }

}

The only thing left now is to configure the LDAP authentication provider to use CustomLdapAuthoritiesPopulator.

In a @Configuration annotated subclass of GlobalMethodSecurityConfiguration or WebSecurityConfigurerAdapter (depending on your case), add the following:

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

    /* other authentication configurations you might have */

    /*
     * This assumes that the dataSource configuring
     * the connection to the database has been Autowired
     * into this bean.
     *
     * Adapt according to your specific case.
     */
    CustomJdbcUserDetailsService customJdbcUserDetailsService = new CustomJdbcUserDetailsService();
    customJdbcUserDetailsService.setDataSource(dataSource);

    CustomLdapAuthoritiesPopulator customLdapAuthoritiesPopulator = new CustomLdapAuthoritiesPopulator(customJdbcUserDetailsService);

    auth.ldapAuthentication().ldapAuthoritiesPopulator(customLdapAuthoritiesPopulator)/* other LDAP configurations you might have */;

    /* yet more authentication configurations you might have */
}

See https://github.com/pfac/howto-spring-security for a working example.

Disclaimer: I've been working solely with Java configuration, so tread cautiously, there might be some errors.

Unlike other configurations for authenticating with LDAP, there seem to be no pretty XML tags to customize the LdapAuthoritiesPopulator. So, it has to be done manually. Assuming a bean contextSource configuring the connection to the LDAP server has been defined, add the following to your Spring XML configuration:

<beans:bean id="customJdbcUserDetailsService" class="demo.CustomJdbcUserDetailsService">
    <!--
        JdbcDaoImpl refuses to start without a DataSource (or JdbcTemplate);
        this assumes a bean named dataSource for the application database.
    -->
    <beans:property name="dataSource" ref="dataSource" />
</beans:bean>
<beans:bean id="customLdapAuthoritiesPopulator" class="demo.CustomLdapAuthoritiesPopulator">
    <beans:constructor-arg ref="customJdbcUserDetailsService" />
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <beans:constructor-arg ref="contextSource" />
            <!--
                other configurations you might need
            -->
        </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg ref="customLdapAuthoritiesPopulator" />
</beans:bean>

<security:authentication-manager>
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
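One caveat the answer's populator leaves open: it returns whatever rows the authorities table has for the username, so an account that exists in AD but was never provisioned in the application's users table (or was disabled there) still ends up authenticated, just with an empty authority list. The following is an added example, not code from the answer or the linked repository, that keeps the two decisions separate: the LDAP bind answers "who is this", the users/authorities tables answer "is this person allowed in here and with what roles". It runs offline against an in-memory H2 database using Spring Security's default schema and assumes H2, spring-jdbc and spring-security-ldap on the classpath; the usernames and the ROLE_CLAIMS_ADJUSTER authority are constructed sample data. Because LdapAuthenticationProvider catches UsernameNotFoundException during authentication, throwing it from the populator is enough to reject the login as bad credentials.

```java
package demo;

import java.util.Collection;
import java.util.List;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.DriverManagerDataSource;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

// Added example (not from the original answer). Assumes H2, spring-jdbc and
// spring-security-ldap are available; nothing here contacts an LDAP server.
public class StrictLdapAuthoritiesPopulatorDemo {

    /** Exposes JdbcDaoImpl's protected lookups, like the answer's CustomJdbcUserDetailsService. */
    static class AppUserDao extends JdbcDaoImpl {
        @Override
        public List<UserDetails> loadUsersByUsername(String username) {
            return super.loadUsersByUsername(username);
        }

        @Override
        public List<GrantedAuthority> loadUserAuthorities(String username) {
            return super.loadUserAuthorities(username);
        }
    }

    /**
     * Rejects users that authenticated in AD but are missing from, or disabled in,
     * the application's users table, or that have no authority rows at all.
     */
    static class StrictLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
        private final AppUserDao dao;

        StrictLdapAuthoritiesPopulator(AppUserDao dao) {
            this.dao = dao;
        }

        @Override
        public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations ldapUser, String username) {
            // Default query: select username,password,enabled from users where username = ?
            List<UserDetails> rows = dao.loadUsersByUsername(username);
            if (rows.isEmpty() || !rows.get(0).isEnabled()) {
                throw new UsernameNotFoundException("not an enabled application user: " + username);
            }
            // Default query: select username,authority from authorities where username = ?
            List<GrantedAuthority> authorities = dao.loadUserAuthorities(username);
            if (authorities.isEmpty()) {
                throw new UsernameNotFoundException("no authorities granted: " + username);
            }
            return authorities;
        }
    }

    public static void main(String[] args) {
        DriverManagerDataSource ds = new DriverManagerDataSource();
        ds.setDriverClassName("org.h2.Driver");
        ds.setUrl("jdbc:h2:mem:appdb;DB_CLOSE_DELAY=-1");
        JdbcTemplate jdbc = new JdbcTemplate(ds);

        // Spring Security's default schema. The password column is never consulted:
        // AD does the authentication, so a fixed marker is stored instead of a secret.
        jdbc.execute("create table users(username varchar(50) primary key, password varchar(50) not null, enabled boolean not null)");
        jdbc.execute("create table authorities(username varchar(50) not null, authority varchar(50) not null, "
                + "constraint fk_authorities_users foreign key(username) references users(username))");
        jdbc.execute("create unique index ix_auth_username on authorities(username, authority)");

        // Constructed sample data: alice is provisioned and enabled, bob is disabled, carol was never added.
        jdbc.update("insert into users values ('alice', 'n/a', true)");
        jdbc.update("insert into users values ('bob', 'n/a', false)");
        jdbc.update("insert into authorities values ('alice', 'ROLE_CLAIMS_ADJUSTER')");
        jdbc.update("insert into authorities values ('bob', 'ROLE_CLAIMS_ADJUSTER')");

        AppUserDao dao = new AppUserDao();
        dao.setDataSource(ds);
        LdapAuthoritiesPopulator populator = new StrictLdapAuthoritiesPopulator(dao);

        // The DirContextOperations argument is unused by this populator, so null stands in for the AD entry.
        System.out.println("alice -> " + populator.getGrantedAuthorities(null, "alice"));
        for (String user : new String[] {"bob", "carol"}) {
            try {
                populator.getGrantedAuthorities(null, user);
            } catch (UsernameNotFoundException e) {
                System.out.println(user + " -> denied: " + e.getMessage());
            }
        }
    }
}
```

Wiring is identical to the answer's: pass an instance of StrictLdapAuthoritiesPopulator to ldapAuthoritiesPopulator(...) in Java config or as the second constructor argument of LdapAuthenticationProvider in XML. Whether a de-provisioned AD user should be hidden as "bad credentials" or reported distinctly is controlled by the provider's hideUserNotFoundExceptions flag, which defaults to hiding.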
