How to check if user belongs to certain AD group in java


Question


I know it must be a very easy question, but I am new to Java and find it hard to get the exact code that I need. What I need to be able to do is to get the currently logged-in username from Windows and check whether this user belongs to a specific AD user group which needs to be defined in some config file. It is very easy to do in C#, but I have no idea how to do it in Java. Sample code would be great. In C# I would put the security group into App.Config in the app settings, then I can grab the Windows identity of the currently logged-in user, iterate through all the groups the user belongs to and match against the desired one. I need to do exactly the same in Java.

Answer


If you only care about the currently logged on Windows user (i.e., your Java program will be running on Windows) and don't mind using JNA, you can use the function supplied in platform.jar, Advapi32Util#getCurrentUserGroups() to get the groups that a user is a member of.

For example:

import com.sun.jna.platform.win32.Advapi32Util;

public class PrintGroups {
    public static void main(String[] args) {
        // fqn is the fully qualified group name, e.g. DOMAIN\GroupName
        for (Advapi32Util.Account account : Advapi32Util.getCurrentUserGroups()) {
            System.out.println(account.fqn);
        }
    }
}


This also takes advantage of the fact that Windows caches the user's membership in all groups (including groups containing other groups the user is a member of) when the user logs on.
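Putting the two halves of the question together (the required group lives in a config file, and the check runs against the logged-on user's token groups), here is an added example that is not part of the answer above. The file name app.properties and the keys required.group (a DOMAIN\Group name) and required.group.sid are assumptions; it needs jna.jar and jna-platform.jar on the classpath and must run on a Windows host.

```java
import com.sun.jna.platform.win32.Advapi32Util;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

/**
 * Added example: checks whether the current Windows user is a member of the
 * AD group named in a properties file, using the token groups JNA exposes.
 * Config keys (assumed): required.group=DOMAIN\\AppUsers
 *                        required.group.sid=S-1-5-21-...   (optional, preferred)
 */
public class AdGroupCheck {

    /** Match on the fully qualified name; account names are case-insensitive on Windows. */
    static boolean isMemberOf(Advapi32Util.Account[] groups, String requiredFqn) {
        for (Advapi32Util.Account g : groups) {
            if (g.fqn != null && g.fqn.equalsIgnoreCase(requiredFqn)) {
                return true;
            }
        }
        return false;
    }

    /** Match on the SID: a group can be renamed, its SID cannot, so this is the stabler key. */
    static boolean isMemberOfSid(Advapi32Util.Account[] groups, String requiredSid) {
        for (Advapi32Util.Account g : groups) {
            if (g.sidString != null && g.sidString.equalsIgnoreCase(requiredSid)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        String configPath = args.length > 0 ? args[0] : "app.properties"; // assumed file name
        Properties cfg = new Properties();
        try (InputStream in = new FileInputStream(configPath)) {
            cfg.load(in);
        }
        String requiredGroup = cfg.getProperty("required.group");
        String requiredSid = cfg.getProperty("required.group.sid");
        if (requiredGroup == null && requiredSid == null) {
            throw new IllegalStateException(
                    "required.group or required.group.sid must be set in " + configPath);
        }

        // Token groups attached at logon, nested groups included (see the note above:
        // a membership change only shows up after the user logs on again).
        Advapi32Util.Account[] groups = Advapi32Util.getCurrentUserGroups();
        String user = Advapi32Util.getUserName();

        boolean allowed = (requiredSid != null)
                ? isMemberOfSid(groups, requiredSid)
                : isMemberOf(groups, requiredGroup);

        System.out.println(user + (allowed ? " is" : " is NOT") + " a member of "
                + (requiredSid != null ? requiredSid : requiredGroup));
        System.exit(allowed ? 0 : 1);
    }
}
```

Two points worth keeping in mind: getCurrentUserGroups() reads the token of the process that calls it, so it describes the account the Java process runs as, not necessarily the person at the keyboard of a remote client; and because the groups are a logon-time snapshot, a user removed from the group keeps passing this check until they log off and on again. A check like this on the client side is a convenience for the UI; any resource that matters should still enforce the group on the server.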


The requirements here seem kind of non-specific and this is starting to veer into areas that are probably not a great fit for SO, but I'll give it a go anyway.


Ultimately, where your system is going to be run determines how difficult the setup is going to be. If you are going to be running on a Windows-based server connected to the same domain you are authenticating with, then you should look at Waffle, which provides a servlet, a Spring Security filter, a JAAS plugin and a few other ways that you can implement Windows Integrated Authentication, which uses native Windows methods to load the Windows identity and associated Active Directory groups. This will provide you with the experience most similar to using IIS and WIA with a .NET framework application. The downside to this is that the server needs to be run on a Windows system.


Unfortunately, running in a non-Windows environment is going to require more setup and configuration. The most integrated solution is likely Spring Security which has a Kerberos extension capable of providing SPNEGO (Windows Integrated Authentication). The link above has the details (I believe they are still current) on what is necessary to get the Kerberos filter up and running. To access the group information, you would need to change the userDetailsService value in the example security.xml file. The easiest thing to do here would be to provide an appropriately configured LdapUserDetailsService as the object here. I'm not all that experienced with Spring, but it looks like the configuration would be something like (this is missing the contextSource).

<bean id="adUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg value="dc=domain,dc=com"/>
    <constructor-arg value="(sAMAccountName={0})"/>
    <constructor-arg ref="contextSource" />
</bean>

<bean id="adAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
    <constructor-arg ref="contextSource"/>
    <constructor-arg value="dc=domain,dc=com" />
    <property name="groupSearchFilter" value="(member={0})"/>
    <property name="rolePrefix" value="ROLE_"/>
    <property name="searchSubtree" value="true"/>
    <property name="convertToUpperCase" value="true"/>
</bean>

<bean id="userDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    <constructor-arg ref="adUserSearch"/>
    <constructor-arg ref="adAuthoritiesPopulator"/>
</bean>


This should get you a Kerberos authenticated user with their associated groups.


If Spring Security isn't acceptable, you could try rolling your own version of this using perhaps Shiro and the pure-Java SPNEGO filter, but showing an example of that would require basically writing a program.


I hope this helps. Once you've decided on an approach, it's probably appropriate to address more specific questions as SO-type questions.
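For the non-Windows case, here is the plain-JNDI equivalent of the three Spring beans above (a user search by sAMAccountName under the base DN, then a group search with (member={0})), as an added example that is not from the answer. The server URL, bind DN, base DN, group DN and the LDAP_BIND_PASSWORD environment variable are placeholders. It goes one step beyond the Spring configuration by optionally using Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule so that nested membership is resolved by the directory rather than by walking groups in the client.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example: AD group membership over LDAP from any platform, mirroring the
 * FilterBasedLdapUserSearch / DefaultLdapAuthoritiesPopulator beans in the answer.
 * Every DN, host name and credential source below is an assumed placeholder.
 */
public class LdapGroupLookup {

    // AD's LDAP_MATCHING_RULE_IN_CHAIN OID: (member:<oid>:=dn) also matches nested membership.
    static final String IN_CHAIN = "1.2.840.113556.1.4.1941";

    static DirContext connect(String url, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);            // ldaps:// so the simple bind is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);   // a read-only service account, nothing more
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Same search as the adUserSearch bean: (sAMAccountName={0}) below the base DN. */
    static String findUserDn(DirContext ctx, String baseDn, String samAccountName) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"distinguishedName"});
        // The value goes in as a filter argument so the JNDI provider escapes it (RFC 4515);
        // a user-supplied name therefore cannot change the shape of the filter.
        NamingEnumeration<SearchResult> hits =
                ctx.search(baseDn, "(sAMAccountName={0})", new Object[] {samAccountName}, sc);
        try {
            return hits.hasMore() ? hits.next().getNameInNamespace() : null;
        } finally {
            hits.close();
        }
    }

    /** Same search as the adAuthoritiesPopulator bean: groups whose member attribute holds the user DN. */
    static List<String> groupsOf(DirContext ctx, String baseDn, String userDn, boolean nested)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // searchSubtree=true in the bean
        sc.setReturningAttributes(new String[] {"cn"});
        String filter = nested
                ? "(&(objectClass=group)(member:" + IN_CHAIN + ":={0}))"
                : "(&(objectClass=group)(member={0}))";
        List<String> groups = new ArrayList<>();
        NamingEnumeration<SearchResult> hits = ctx.search(baseDn, filter, new Object[] {userDn}, sc);
        try {
            while (hits.hasMore()) {
                groups.add(hits.next().getNameInNamespace());   // full group DN
            }
        } finally {
            hits.close();
        }
        return groups;
    }

    /** DNs are compared case-insensitively; AD treats them that way. */
    static boolean isMemberOf(List<String> groupDns, String requiredGroupDn) {
        for (String dn : groupDns) {
            if (dn.equalsIgnoreCase(requiredGroupDn)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws NamingException {
        String url = "ldaps://dc1.domain.com:636";                                   // placeholder
        String baseDn = "dc=domain,dc=com";                                          // as in the beans
        String bindDn = "CN=svc-ldap-read,OU=Service Accounts,DC=domain,DC=com";    // placeholder
        String requiredGroup = "CN=AppUsers,OU=Groups,DC=domain,DC=com";            // placeholder
        String user = args.length > 0 ? args[0] : "jdoe";                            // sAMAccountName to check

        DirContext ctx = connect(url, bindDn, System.getenv("LDAP_BIND_PASSWORD"));
        try {
            String userDn = findUserDn(ctx, baseDn, user);
            if (userDn == null) {
                System.out.println("no such user: " + user);
                System.exit(2);
            }
            List<String> groups = groupsOf(ctx, baseDn, userDn, true);
            boolean allowed = isMemberOf(groups, requiredGroup);
            System.out.println(user + (allowed ? " is" : " is NOT") + " a member of " + requiredGroup);
            System.exit(allowed ? 0 : 1);
        } finally {
            ctx.close();
        }
    }
}
```

Unlike the JNA route, this answers from the directory's current state rather than from a logon-time token, so a membership change takes effect on the next query; the cost is a network round trip and a service account whose credentials you now have to protect, which is why the bind password comes from the environment rather than the properties file.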

