如何使用 LDAP 和基于角色的数据库授予权限实现 Spring Security? [英] How to implement Spring Security with LDAP and Role based granted authorities from database?
问题描述
我在 Spring MVC Thymeleaf 项目中工作,其中具有数据库和基于角色的授予权限的 LDAP 安全性是最终用户的必备要求.
我需要什么
- 主要身份验证应由 LDAP 执行
- 必须在数据库中配置用户角色和授予的权限以及 LDAP 用户名
示例:LDAP 用户:nahid@test.com角色:管理员授予管理员"角色的权限:permission_x、permission_y 等
将在网页中用作hasAuthority("permission_x")"
- LDAP 认证后,系统会检查用户是否作为白名单用户存在于数据库中
- 白名单检查后,将为用户加载角色和权限,并对加载的权限(非角色)进行授权
我在这里发现了什么:
https://spring.io/guides/gs/authenticating-ldap/ 此处仅显示 LDAP 身份验证.
- https://www.baeldung.com/role-and-privilege-for-spring-security-registration 授予权限示例
现在我的问题是:
- 是否需要使用 LDAP 用户名存储 LDAP 密码?如果是,安全吗?
- 是否有适用于上述场景的示例?
- 细粒度的授予权限是否适用于 LDAP 用户?
LDAP 身份验证和基于 jdbc 的授权将如何协同工作?有人可以帮忙吗?
提前致谢
既然我找到了解决方案,我在这里分享我自己的答案.希望它会帮助其他人:
我的回答是:
- 无需将密码存储在数据库中.
- 不完全是
- 是的,细粒度的授予权限非常适合 LDAP 用户
我是如何解决问题的:
第 1 步:
诀窍是使用 UserDetailsContextMapper 和由常规 UserDetailsService 提供的 UserDetails.
示例:
@Override公共无效配置(AuthenticationManagerBuilder auth)抛出异常{授权.ldapAuthentication().userDetailsContextMapper(userDetailsContextMapper()).userDnPatterns("uid={0},ou=people").groupSearchBase("ou=groups").contextSource().url("ldap://localhost:8389/dc=springframework,dc=org").and().passwordCompare().passwordEncoder(new BCryptPasswordEncoder()).passwordAttribute("用户密码");}@豆公共 UserDetailsContextMapper userDetailsContextMapper() {返回新的 LdapUserDetailsMapper() {@覆盖public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection extends GrantedAuthority> authority) {UserDetails details= userDetailsService.loadUserByUsername(username+"@test.com");退货详情;}};}
LDAP 身份验证成功后,它将尝试将有效的注册用户加载到具有所有授予权限的上下文中.
第 2 步
hasAuthority 对我不起作用.我用过类似下面的东西:
<div class="alert alert-success" role="alert">这是秘密 DIV
为了快速检查,您可以使用以下内容:
我希望有一天它会帮助某人.
快乐编码!
用于 LDAP over SSL 和 Spring Boot
I am working in a Spring MVC Thymeleaf project where LDAP security with Database and Role-based granted authorities is a must-have requirement from the end-user.
What I need
- Primary authentication should be performed by LDAP
- User Role and granted authorities must be configured in the database along with LDAP user name
example: LDAP user: nahid@test.com Role: Admin Granted Authorities for "Admin" role: permission_x,permission_y etc
Which will be used in web page as "hasAuthority("permission_x")"
- After LDAP Authentication, System will check if User Exist in the database as a white list user
- After the white list check, roles and privileges will be loaded for the user and authorization will be imposed for loaded permissions(not role)
What I found is here:
Spring Security with LDAP and Database roles, which is a bit outdated
https://spring.io/guides/gs/authenticating-ldap/ where only LDAP authentication is shown.
- https://www.baeldung.com/role-and-privilege-for-spring-security-registration Granted Authority example
Now my questions are:
- Do I need to store LDAP Password with LDAP user Name? If yes, is it safe?
- Is there any example that exists for the above scenario?
- Will fine-grained granted authorities work for LDAP users?
How LDAP authentication and jdbc based authorization will work together? Can anybody help?
Thanks in advance
Since I have found a solution, I am sharing my own answer here. Hope it will help others:
My Answers are:
- No Password needs to be stored in the database.
- Not exactly
- Yes, fine-grained granted authority works perfectly for LDAP users
How I solved my problem:
Step 1:
The trick is using a UserDetailsContextMapper with UserDetails provided by regular UserDetailsService.
example:
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.ldapAuthentication()
.userDetailsContextMapper(userDetailsContextMapper())
.userDnPatterns("uid={0},ou=people")
.groupSearchBase("ou=groups")
.contextSource()
.url("ldap://localhost:8389/dc=springframework,dc=org")
.and()
.passwordCompare()
.passwordEncoder(new BCryptPasswordEncoder())
.passwordAttribute("userPassword");
}
@Bean
public UserDetailsContextMapper userDetailsContextMapper() {
return new LdapUserDetailsMapper() {
@Override
public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
UserDetails details= userDetailsService.loadUserByUsername(username+"@test.com");
return details;
}
};
}
After successful LDAP authentication, it will try to load valid registered user to the context with all granted authorities.
Step 2
hasAuthority didn't work for me. I have used something like below:
<div sec:authorize="hasRole('SOME_PRIVILEGE')">
<div class="alert alert-success" role="alert">
This is secret DIV
</div>
</div>
For a quick check, you can use below:
<span sec:authentication="principal.authorities"></span>
I hope it will help somebody someday.
Happy Coding!
Edit: For LDAP over SSL and Spring Boot
这篇关于如何使用 LDAP 和基于角色的数据库授予权限实现 Spring Security?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!