如何使用 LDAP 和基于角色的数据库授予权限实现 Spring Security? [英] How to implement Spring Security with LDAP and Role based granted authorities from database?

问题描述

我在 Spring MVC Thymeleaf 项目中工作，其中具有数据库和基于角色的授予权限的 LDAP 安全性是最终用户的必备要求.

我需要什么

• 主要身份验证应由 LDAP 执行
• 必须在数据库中配置用户角色和授予的权限以及 LDAP 用户名

<块引用>

示例:LDAP 用户:nahid@test.com角色:管理员授予管理员"角色的权限:permission_x、permission_y 等

将在网页中用作hasAuthority("permission_x")"

• LDAP 认证后，系统会检查用户是否作为白名单用户存在于数据库中
• 白名单检查后，将为用户加载角色和权限，并对加载的权限(非角色)进行授权

我在这里发现了什么:

• 具有 LDAP 和数据库角色的 Spring Security，这有点过时了

• https://spring.io/guides/gs/authenticating-ldap/ 此处仅显示 LDAP 身份验证.

• https://www.baeldung.com/role-and-privilege-for-spring-security-registration 授予权限示例

现在我的问题是:

1. 是否需要使用 LDAP 用户名存储 LDAP 密码?如果是，安全吗?
2. 是否有适用于上述场景的示例?
3. 细粒度的授予权限是否适用于 LDAP 用户?

LDAP 身份验证和基于 jdbc 的授权将如何协同工作?有人可以帮忙吗?

提前致谢

解决方案

既然我找到了解决方案，我在这里分享我自己的答案.希望它会帮助其他人:

我的回答是:

1. 无需将密码存储在数据库中.
2. 不完全是
3. 是的，细粒度的授予权限非常适合 LDAP 用户

我是如何解决问题的:

第 1 步:

诀窍是使用 UserDetailsContextMapper 和由常规 UserDetailsS​​ervice 提供的 UserDetails.

示例:

 @Override公共无效配置(AuthenticationManagerBuilder auth)抛出异常{授权.ldapAuthentication().userDetailsContextMapper(userDetailsContextMapper()).userDnPatterns("uid={0},ou=people").groupSearchBase("ou=groups").contextSource().url("ldap://localhost:8389/dc=springframework,dc=org").and().passwordCompare().passwordEncoder(new BCryptPasswordEncoder()).passwordAttribute("用户密码");}@豆公共 UserDetailsContextMapper userDetailsContextMapper() {返回新的 LdapUserDetailsMapper() {@覆盖public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection authority) {UserDetails details= userDetailsS​​ervice.loadUserByUsername(username+"@test.com");退货详情；}};}

LDAP 身份验证成功后，它将尝试将有效的注册用户加载到具有所有授予权限的上下文中.

第 2 步

hasAuthority 对我不起作用.我用过类似下面的东西:

<div class="alert alert-success" role="alert">这是秘密 DIV

为了快速检查，您可以使用以下内容:

我希望有一天它会帮助某人.

快乐编码！

用于 LDAP over SSL 和 Spring Boot

I am working in a Spring MVC Thymeleaf project where LDAP security with Database and Role-based granted authorities is a must-have requirement from the end-user.

What I need

• Primary authentication should be performed by LDAP
• User Role and granted authorities must be configured in the database along with LDAP user name

example: 
LDAP user: nahid@test.com
Role: Admin
Granted Authorities for "Admin" role: permission_x,permission_y etc

Which will be used in web page as "hasAuthority("permission_x")"

• After LDAP Authentication, System will check if User Exist in the database as a white list user
• After the white list check, roles and privileges will be loaded for the user and authorization will be imposed for loaded permissions(not role)

What I found is here:

• Spring Security with LDAP and Database roles, which is a bit outdated

• https://spring.io/guides/gs/authenticating-ldap/ where only LDAP authentication is shown.

• https://www.baeldung.com/role-and-privilege-for-spring-security-registration Granted Authority example

Now my questions are:

1. Do I need to store LDAP Password with LDAP user Name? If yes, is it safe?
2. Is there any example that exists for the above scenario?
3. Will fine-grained granted authorities work for LDAP users?

How LDAP authentication and jdbc based authorization will work together? Can anybody help?

Thanks in advance

解决方案

Since I have found a solution, I am sharing my own answer here. Hope it will help others:

My Answers are:

1. No Password needs to be stored in the database.
2. Not exactly
3. Yes, fine-grained granted authority works perfectly for LDAP users

How I solved my problem:

Step 1:

The trick is using a UserDetailsContextMapper with UserDetails provided by regular UserDetailsService.

example:

 @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .ldapAuthentication()
                .userDetailsContextMapper(userDetailsContextMapper())
                .userDnPatterns("uid={0},ou=people")
                .groupSearchBase("ou=groups")
                .contextSource()
                .url("ldap://localhost:8389/dc=springframework,dc=org")
                .and()
                .passwordCompare()
                .passwordEncoder(new BCryptPasswordEncoder())
                .passwordAttribute("userPassword");
    }


 @Bean
    public UserDetailsContextMapper userDetailsContextMapper() {
        return new LdapUserDetailsMapper() {
            @Override
            public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
                UserDetails details= userDetailsService.loadUserByUsername(username+"@test.com");
                return  details;
            }
        };
    }

After successful LDAP authentication, it will try to load valid registered user to the context with all granted authorities.

Step 2

hasAuthority didn't work for me. I have used something like below:

<div sec:authorize="hasRole('SOME_PRIVILEGE')">
            <div class="alert alert-success" role="alert">
                This is secret DIV
            </div>
        </div>

For a quick check, you can use below:

<span sec:authentication="principal.authorities"></span>

I hope it will help somebody someday.

Happy Coding!

Edit: For LDAP over SSL and Spring Boot

这篇关于如何使用 LDAP 和基于角色的数据库授予权限实现 Spring Security?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！