如何检查用户是否属于java中的某个AD组 [英] How to check if user belongs to certain AD group in java
问题描述
我知道这一定是一个非常容易的问题,但我是java的新手,并且很难找到我需要的确切代码。我需要做的是从Windows获取当前登录的用户名,并检查该用户是否属于需要在某个配置文件中定义的特定AD用户组。在C#中很容易做到,但我不知道如何在JAVA中做到这一点。示例代码会很棒。在c#中,我将安全组放入App.Config进入应用程序设置然后我可以获取当前登录用户的Windows标识,然后遍历用户所属的所有组并与所需的匹配。我需要在java中完全相同
I know it must be a very easy question, but I am new to java and find it hard to get exact code that I need. What I need to be able to do is to get currently logged in username from Windows and check whether this user belongs to the specific AD user group which needs to be defined in some config file. It is very easy to do in C#, but I have no idea how to do it in JAVA. Sample code would be great. In c# I would put security group into App.Config into app settings then I can grab Windows Identity of the currently logged in user and then iterate through all the groups user belongs to and match with desired. I need to do exactly the same in java
推荐答案
如果您只关心当前登录的Windows用户(即您的Java)程序将在Windows上运行)并且不介意使用 JNA ,您可以使用提供的功能 platform.jar , Advapi32Util#getCurrentUserGroups() 获取用户所属的组。
If you only care about the currently logged on Windows user (i.e., your Java program will be running on Windows) and don't mind using JNA, you can use the function supplied in platform.jar, Advapi32Util#getCurrentUserGroups() to get the groups that a user is a member of.
例如:
import com.sun.jna.platform.win32.Advapi32Util;
for (Advapi32Util.Account account : Advapi32Util.getCurrentUserGroups()) {
System.out.println(account.fqn);
}
这也利用了Windows在所有组中缓存用户成员资格的事实用户登录时(包括用户所属的其他组的组)。
This also takes advantage of the fact that Windows caches the users membership in all groups (including groups containing other groups the user is a member of) when the user logs on.
这里的要求似乎很友好非特定的,这开始转向可能不太适合SO的领域,但无论如何我都会试一试。
The requirements here seem kind of non-specific and this is starting to veer into areas that are probably not a great fit for SO, but I'll give it a go anyway.
最终,在哪里您的系统将要运行,确定设置的难度。如果您要在连接到您正在进行身份验证的同一域的基于Windows的服务器上运行,那么您应该查看 Waffle ,它提供了一个servlet,一个Spring Security过滤器,一个JAAS插件以及一些其他可以实现Windows集成身份验证的方法,它使用本机Windows方法加载Windows身份和关联的Active Directory组。这将为您提供与使用IIS和WIA以及.NET框架应用程序最相似的体验。这方面的缺点是服务器需要在Windows系统上运行。
Ultimately, where your system is going to be run determines how difficult the setup is going to be. If you are going to be running on a Windows-based server connected to the same domain you are authenticating with, then you should look at Waffle, which provides a servlet, a Spring Security filter, a JAAS plugin and a few other ways that you can implement Windows Integrated Authentication which uses native Windows methods to load the Windows identity and associated Active Directory groups. This will provide you with the experience most similar to using IIS and WIA with a .NET framework application. The down-side to this is that the server needs to be run on a Windows system.
不幸的是,在非Windows环境中运行需要更多的设置和配置。最集成的解决方案可能是Spring Security,它具有 Kerberos扩展能够提供SPNEGO(Windows集成身份验证)。上面的链接有关于启动和运行Kerberos过滤器所需的详细信息(我相信它们仍然是最新的)。要访问组信息,您需要更改示例 security.xml 文件中的 userDetailsService 值。这里最简单的方法是提供一个适当配置的 LdapUserDetailsService 作为此处的对象。我不是所有使用Spring的人,但看起来配置会像(缺少 contextSource )。
Unfortunately, running in a non-Windows environment is going to require more setup and configuration. The most integrated solution is likely Spring Security which has a Kerberos extension capable of providing SPNEGO (Windows Integrated Authentication). The link above has the details (I believe they are still current) on what is necessary to get the Kerberos filter up and running. To access the group information, you would need to change the userDetailsService value in the example security.xml file. The easiest thing to do here would be to provide an appropriately configured LdapUserDetailsService as the object here. I'm not all that experienced with Spring, but it looks like the configuration would be something like (this is missing the contextSource).
<bean id="adUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg value="dc=domain,dc=com"/>
<constructor-arg value="(sAMAccountName={0})"/>
<constructor-arg ref="contextSource" />
</bean>
<bean id="adAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSource"/>
<constructor-arg value="dc=domain,dc=com" />
<property name="groupSearchFilter" value="(member={0})"/>
<property name="rolePrefix" value="ROLE_"/>
<property name="searchSubtree" value="true"/>
<property name="convertToUpperCase" value="true"/>
</bean>
<bean id="userDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<constructor-arg ref="adUserSearch"/>
<constructor-arg ref="adAuthoritiesPopulator"/>
</bean>
这可以让您获得经过Kerberos身份验证的用户及其关联组。
This should get you a Kerberos authenticated user with their associated groups.
如果Spring Security不被接受,你可以尝试使用 Shiro 和纯Java SPNEGO过滤器,但显示一个例子就需要基本上写一个程序。
If Spring Security isn't acceptable, you could try rolling your own version of this using perhaps Shiro and the pure-Java SPNEGO filter, but showing an example of that would require basically writing a program.
我希望这会有所帮助。一旦你决定采用某种方法,就可以将更具体的问题作为SO类问题来解决。
I hope this helps. Once you've decided on an approach, it's probably appropriate to address more specific questions as SO-type questions.
这篇关于如何检查用户是否属于java中的某个AD组的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
