在Active Directory身份验证如何Spring Security的LDAP保护密码？ [英] How does Spring Security LDAP protect password during Active Directory authentication?

问题描述

参照类<$c$c>org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider,用于执行在我们所有的Web应用程序Active Directory身份验证，我一直在问以下问题由我们的客户，这对我的疑问：

什么是身份验证过程中使用的安全协议 - LDAP SSL / NTLM / KERBEROS？ 如果你只是使用LDAP，而不是LDAPS（安全LDAP），那么这将是一个问题，因为我们将被发射在Web服务器和Active Directory之间的明文凭证。

配置示例：

 ＆LT; B：豆的id =adAuthenticationProvider
        class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
        ＆LT; B：构造带参数的值=$ {ldap.domain}/＆GT;
        ＆LT; B：构造带参数的值=$ {与ldap.URL}/＆GT;
        ＆LT; B：属性名=的UserDetailsContextMapperREF =adUserDetailsContextMapper/＆GT;
        ＆LT; B：属性名=convertSubError codesToExceptions值=FALSE/＆GT;
    ＆LT; / B：豆＆GT;
 

现在，我想，在我的开发团队没有人永远关心的AD密码的安全性（我们的大多数客户甚至不实施SSL）。

我找不到Spring文档的参考。 Spring Security的LDAP版本是3.2.5

是否有人知道如果和如何春季LDAP对Active Directory进行身份验证时保护密码？

解决方案

Wireshark的说，密码发送< STRONG>明文与设置

With reference to class org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider, used to perform Active Directory authentication in all of our web applications, I have been asked the following question by our customer, which poses me a doubt:

What is the security protocol used during authentication – LDAP SSL / NTLM / KERBEROS ? If you are just using LDAP and not LDAPS (secure LDAP) then it would be a concern as we would then be transmitting credentials in clear text between the web server and Active Directory.

Example configuration:

    <b:bean id="adAuthenticationProvider"
        class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
        <b:constructor-arg value="${ldap.domain}" />
        <b:constructor-arg value="${ldap.url}" />
        <b:property name="userDetailsContextMapper" ref="adUserDetailsContextMapper" />
        <b:property name="convertSubErrorCodesToExceptions" value="false" />
    </b:bean>

Now that I think about it, none of us in my development team ever cared about the security of the AD password (most of our customers don't even enforce SSL).

I can't find reference on Spring documentation. Spring Security LDAP version is 3.2.5

Does somebody know if and how Spring LDAP protects password when authenticating against Active Directory?

解决方案

Wireshark said the password is sent plaintext with those settings

这篇关于在Active Directory身份验证如何Spring Security的LDAP保护密码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！