How to Map AD Groups to User Role Spring Security LDAP


Problem description

I have a web application built using Java Spring MVC.

I'm just setting up spring security connecting to an LDAP server for authentication.

I've successfully set it up so that I am able to log in to my application, but I can't find anything to help me in mapping an AD group to a user role within Java, as I can only get a 403 Forbidden page, i.e. I've been authenticated but don't have permissions yet.

I currently have:

<http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER" />
</http>

<ldap-server id="ldapServer" url="LDAPURL" manager-dn="USER" manager-password="PASSWORD" />

<authentication-manager>
    <ldap-authentication-provider
        group-search-base="OU=GROUPS"
        group-search-filter="sAMAccountName={0}"
        user-search-base="OU=USERS"
        user-search-filter="sAMAccountName={0}" />
</authentication-manager>

Say that user was a part of the AD group g-group-UK-user; I then want to be able to map that AD group to ROLE_USER so that the user can then see the whole web app.

I can only seem to find very simple examples where the groups are either ADMIN or USER, in which case the prefix ROLE is just added to the group, or the other method seems to be using UserDetailsContextMapper, but I can't find a clear use of this.

Recommended answer

To do this I used the following within the authentication manager:

user-context-mapper-ref="customUserContextMapper"

I then used the following class to check whether that user belongs to a certain AD group and then assign the ROLE_USER role to their authorities:

import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

import javax.naming.directory.Attributes;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

// Referenced from the provider as user-context-mapper-ref="customUserContextMapper"
public class CustomUserContextMapper implements UserDetailsContextMapper {

    private static final Logger LOGGER = LoggerFactory.getLogger(CustomUserContextMapper.class);

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> authorities) {
        Attributes attributes = ctx.getAttributes();
        LOGGER.debug("Attributes: {}", attributes);

        // AD stores a user's groups on the user entry (memberOf); null when the user is in no group
        Object[] groups = ctx.getObjectAttributes("memberOf");

        Set<GrantedAuthority> authority = new HashSet<GrantedAuthority>();
        if (groups != null) {
            for (Object group : groups) {
                if (group.toString().toLowerCase().contains("AD_GROUP_NAME".toLowerCase())) {
                    authority.add(new SimpleGrantedAuthority("ROLE_USER"));
                    break;
                }
            }
        }

        // No password is kept; the four flags (enabled, account non-expired, credentials
        // non-expired, account non-locked) must be true or any account-status check rejects the user
        return new User(username, "", true, true, true, true, authority);
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        throw new UnsupportedOperationException("Writing users back to LDAP is not supported");
    }
}

Please note that the class is a little more complicated than usual because of the LDAP server I was connecting to, which has a different structure than usual in that the groups a user has access to are stored in an attribute under the user and not the other way round, in which a group would have as an attribute all the users that belong to it.
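
As an added example (not code from the answer above), the following mapper compares the leaf CN of each memberOf DN exactly against a group-to-role table instead of doing a substring match, so a group such as g-group-UK-user-archive does not also grant ROLE_USER; the group names and the role table are assumptions for illustration.

```java
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Maps AD group DNs from a user's memberOf attribute to Spring Security role names. */
public final class AdGroupRoleMapper {

    // Exact (case-insensitive) group CN -> role. The group names are constructed for this example.
    private static final Map<String, String> GROUP_TO_ROLE = new HashMap<String, String>();
    static {
        GROUP_TO_ROLE.put("g-group-uk-user", "ROLE_USER");
        GROUP_TO_ROLE.put("g-group-uk-admin", "ROLE_ADMIN");
    }

    /** Returns the roles granted by the given memberOf values; empty if none match. */
    public static Set<String> rolesFor(Object[] memberOf) {
        Set<String> roles = new LinkedHashSet<String>();
        if (memberOf == null) {
            return roles; // AD omits memberOf entirely for a user in no groups
        }
        for (Object dn : memberOf) {
            String cn = leafCommonName(dn.toString());
            if (cn != null && GROUP_TO_ROLE.containsKey(cn.toLowerCase())) {
                roles.add(GROUP_TO_ROLE.get(cn.toLowerCase()));
            }
        }
        return roles;
    }

    /** Leaf CN of a DN such as "CN=g-group-UK-user,OU=GROUPS,DC=example,DC=com", or null. */
    static String leafCommonName(String dn) {
        try {
            LdapName name = new LdapName(dn);
            if (name.size() == 0) {
                return null;
            }
            Rdn leaf = name.getRdn(name.size() - 1); // index 0 is the root (rightmost) RDN
            return "cn".equalsIgnoreCase(leaf.getType()) ? leaf.getValue().toString() : null;
        } catch (InvalidNameException e) {
            return null; // unparseable value: grant nothing rather than guess by substring
        }
    }
}
```

Inside mapUserFromContext, call rolesFor(ctx.getObjectAttributes("memberOf")) and wrap each returned name in a SimpleGrantedAuthority.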
