Spring Security with LDAP and Database roles


Problem description

In our new insurance project, I am trying to implement spring-security with Ldap active-directory.

I want to just check the username/password against AD; once the user is found in AD, I want to authorize him from the user table (app-authorized users) with access levels in the database. Could someone give a sample or point me to a good resource?

Recommended answer

The easiest way to achieve this now (Spring Security 3.2.5.RELEASE) is by implementing a custom LdapAuthoritiesPopulator which uses a custom JdbcDaoImpl to obtain the authorities from the database.

Assuming you are using the default database schema, and that you are using the same username for authentication in LDAP and as the foreign key in the authorities table, you only need this:

package demo;

import java.util.Collection;
import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/*
 * You need to extend JdbcDaoImpl to expose the protected method loadUserAuthorities.
 * Java allows only one public top-level class per file: put this class in
 * CustomJdbcUserDetailsService.java and the populator below in
 * CustomLdapAuthoritiesPopulator.java, both in package demo.
 */
public class CustomJdbcUserDetailsService extends JdbcDaoImpl {

    @Override
    public List<GrantedAuthority> loadUserAuthorities(String username) {
        // Runs the configured authoritiesByUsernameQuery against the DataSource
        // set on this bean (JdbcDaoSupport refuses to initialise without one).
        return super.loadUserAuthorities(username);
    }
}


/*
 * Then, the only thing your populator needs to do is use the custom UserDetailsService above.
 */
public class CustomLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private static final Logger LOGGER = LoggerFactory.getLogger(CustomLdapAuthoritiesPopulator.class);

    private final CustomJdbcUserDetailsService service;

    public CustomLdapAuthoritiesPopulator(CustomJdbcUserDetailsService service) {
        this.service = service;
    }

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations user, String username) {
        // Called by the LDAP provider after the bind has succeeded; the username
        // is the one the user authenticated with, so it must match the key used
        // in the authorities table.
        return service.loadUserAuthorities(username);
    }

}

The only thing left now is to configure the LDAP authentication provider to use CustomLdapAuthoritiesPopulator.

In a @Configuration annotated subclass of GlobalMethodSecurityConfiguration or WebSecurityConfigurerAdapter (depending on your case), add the following:

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

    /* other authentication configurations you might have */

    /*
     * This assumes that the dataSource configuring
     * the connection to the database has been Autowired
     * into this bean.
     *
     * Adapt according to your specific case.
     */
    CustomJdbcUserDetailsService customJdbcUserDetailsService = new CustomJdbcUserDetailsService();
    customJdbcUserDetailsService.setDataSource(dataSource);

    CustomLdapAuthoritiesPopulator customLdapAuthoritiesPopulator = new CustomLdapAuthoritiesPopulator(customJdbcUserDetailsService);

    auth.ldapAuthentication().ldapAuthoritiesPopulator(customLdapAuthoritiesPopulator)/* other LDAP configurations you might have */;

    /* yet more authentication configurations you might have */
}

See https://github.com/pfac/howto-spring-security for a working example.

Disclaimer: I've been working solely with Java configuration, so tread cautiously, there might be some errors.

Unlike other configurations for authenticating with LDAP, there seem to be no pretty XML tags to customize the LdapAuthoritiesPopulator. So, it has to be done manually. Assuming a bean contextSource configuring the connection to the LDAP server has been defined, add the following to your Spring XML configuration:

<beans:bean id="customJdbcUserDetailsService" class="demo.CustomJdbcUserDetailsService">
    <!--
        JdbcDaoImpl (via JdbcDaoSupport) fails to initialise without a DataSource;
        "dataSource" is assumed to be the bean already configured for the database
    -->
    <beans:property name="dataSource" ref="dataSource" />
</beans:bean>
<beans:bean id="customLdapAuthoritiesPopulator" class="demo.CustomLdapAuthoritiesPopulator">
    <beans:constructor-arg ref="customJdbcUserDetailsService" />
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <beans:constructor-arg ref="contextSource" />
            <!--
                other configurations you might need
            -->
        </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg ref="customLdapAuthoritiesPopulator" />
</beans:bean>

<security:authentication-manager>
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>

Source: http://spapas.github.io/2013/10/14/spring-ldap-custom-authorities/#spring-security-ldap-with-custom-authorities
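A stricter variant of the populator, added here as an example and not part of the answer above or of the linked projects. In the answer's setup, a user whose LDAP bind succeeds but who has no rows in the authorities table is still accepted, just with an empty authority list; the questioner's goal is that only users provisioned in the application's table get in. This version queries the default-schema users and authorities tables directly through a JdbcTemplate and fails closed: not provisioned, disabled, or no authorities all reject the login. The class name FailClosedLdapAuthoritiesPopulator, the DataSource constructor argument and the assumption that the LDAP provider's default hideUserNotFoundExceptions setting turns the UsernameNotFoundException into a generic BadCredentialsException are mine, not the answer's.

```java
package demo;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/*
 * Example (not from the original answer): an LdapAuthoritiesPopulator that
 * treats a successful LDAP bind as necessary but not sufficient. The user must
 * also be present and enabled in the application's users table and hold at
 * least one authority, otherwise authentication is rejected.
 *
 * Table and column names follow the Spring Security default schema:
 *   users(username, password, enabled) and authorities(username, authority).
 * Both queries use bind parameters, so the username typed at the login form
 * is never spliced into the SQL text.
 */
public class FailClosedLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private static final String ENABLED_SQL =
            "select enabled from users where username = ?";
    private static final String AUTHORITIES_SQL =
            "select authority from authorities where username = ?";

    private final JdbcTemplate jdbc;

    // Assumption: the same DataSource bean the rest of the application uses.
    public FailClosedLdapAuthoritiesPopulator(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData,
                                                                        String username) {
        // 1. The user must be provisioned in the application's users table.
        //    users.username is the primary key, so at most one row comes back.
        List<Boolean> enabledRows = jdbc.queryForList(ENABLED_SQL, Boolean.class, username);
        if (enabledRows.isEmpty()) {
            // With the provider's default settings this surfaces to the caller
            // as a BadCredentialsException, indistinguishable from a wrong password.
            throw new UsernameNotFoundException(
                    "User " + username + " authenticated in LDAP but is not provisioned in the application");
        }

        // 2. A provisioned but disabled account is rejected explicitly.
        if (!Boolean.TRUE.equals(enabledRows.get(0))) {
            throw new DisabledException("User " + username + " is disabled in the application");
        }

        // 3. Load the authorities and refuse an account that has none: an
        //    authenticated principal with zero roles is almost never intended.
        List<String> roles = jdbc.queryForList(AUTHORITIES_SQL, String.class, username);
        if (roles.isEmpty()) {
            throw new UsernameNotFoundException("User " + username + " has no authorities assigned");
        }

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(roles.size());
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        return authorities;
    }
}
```

Wiring is the same as in the answer's Java configuration, just with a different populator instance: auth.ldapAuthentication().ldapAuthoritiesPopulator(new FailClosedLdapAuthoritiesPopulator(dataSource)). The LDAP bind still proves the password; the database is consulted only after that, so the AD password never touches the application's tables and the users.password column can stay unused.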

