I am trying to authenticate against Active Directory using Spring Security 3.1.
I get authenticated and everything works fine.

<sec:ldap-server id="ldapServer" url="ldap://ldap/dc=sub,dc=domain,dc=com" port="389" />

<sec:authentication-manager erase-credentials="true"  >
    <sec:authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</sec:authentication-manager>

<bean id="ldapActiveDirectoryAuthProvider"
        class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <constructor-arg value="domain" />
    <constructor-arg value="ldap://server:389/"/>
</bean>

Now to the question. How do I handle roles for the user so that I can set up the filters?
e.g.
<sec:intercept-url pattern="/**" access="ROLE_USER"/>

Solution
I figured out how to do it using a UserDetailsContextMapper and mapping my AD groups to ROLE_USER, ROLE_ADMIN etc.
<bean id="ldapActiveDirectoryAuthProvider"
        class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <constructor-arg value="domain" />
    <constructor-arg value="ldap://host:389/"/>
    <property name="userDetailsContextMapper" ref="tdrUserDetailsContextMapper"/>
    <property name="useAuthenticationRequestCredentials" value="true"/>
</bean>

<bean id="tdrUserDetailsContextMapper" class="com.bla.bla.UserDetailsContextMapperImpl"/>

The mapper class:
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

public class UserDetailsContextMapperImpl implements UserDetailsContextMapper, Serializable {
    private static final long serialVersionUID = 3962976258168853954L;

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                          Collection<? extends GrantedAuthority> authority) {
        // The AD provider passes one authority per memberOf group, named by the group's CN.
        List<GrantedAuthority> mappedAuthorities = new ArrayList<GrantedAuthority>();

        for (GrantedAuthority granted : authority) {
            if (granted.getAuthority().equalsIgnoreCase("MY USER GROUP")) {
                mappedAuthorities.add(new GrantedAuthority() {
                    private static final long serialVersionUID = 4356967414267942910L;

                    @Override
                    public String getAuthority() {
                        return "ROLE_USER";
                    }
                });
            } else if (granted.getAuthority().equalsIgnoreCase("MY ADMIN GROUP")) {
                mappedAuthorities.add(new GrantedAuthority() {
                    private static final long serialVersionUID = -5167156646226168080L;

                    @Override
                    public String getAuthority() {
                        return "ROLE_ADMIN";
                    }
                });
            }
        }
        // Empty password: the credentials were already verified by the AD bind.
        return new User(username, "", true, true, true, true, mappedAuthorities);
    }

    @Override
    public void mapUserToContext(UserDetails arg0, DirContextAdapter arg1) {
        // Nothing is written back to the directory.
    }
}

Best answer

The roles in your beans.xml must exactly match the cn (common name) of the memberOf value attribute. You should read a tutorial on directory basics.
Assume this user:
CN=Michael-O,OU=Users,OU=department,DC=sub,DC=company,DC=net
has in his context this memberOf value: CN=Group Name,OU=Permissions,OU=Groups,OU=department,DC=sub,DC=company,DC=net
The bean will locate this memberOf value and extract Group Name. Your beans.xml must have exactly this value.
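To make the exact-match rule concrete, here is an added table-driven variant of the mapper (not the asker's code and not part of Spring Security): it keeps the AD-group-to-role table in one place, extracts the CN from a memberOf DN in the form shown above if one is handed in, and grants no authority for groups that are not in the table. The group names are hypothetical placeholders.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

/** Table-driven mapper: AD group CN -> Spring role. Groups not in the table grant nothing (default deny). */
public class GroupTableContextMapper implements UserDetailsContextMapper {
    // Hypothetical group names, lower-cased as keys; replace with the CNs of your own AD groups.
    private static final Map<String, String> GROUP_TO_ROLE = new HashMap<String, String>();
    static {
        GROUP_TO_ROLE.put("my user group", "ROLE_USER");
        GROUP_TO_ROLE.put("my admin group", "ROLE_ADMIN");
    }

    /** Returns the CN from a bare CN or from a full DN such as "CN=Group Name,OU=Groups,DC=sub,DC=company,DC=net". */
    static String cnOf(String value) {
        String v = value.trim();
        if (!v.regionMatches(true, 0, "CN=", 0, 3)) return v;   // already a bare CN
        int comma = v.indexOf(',');                              // escaped commas ("\,") are not handled
        return (comma < 0 ? v.substring(3) : v.substring(3, comma)).trim();
    }

    /** Pure mapping step, kept separate so it can be checked without a directory connection. */
    static List<GrantedAuthority> rolesFor(Collection<String> groups) {
        List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
        for (String g : groups) {
            String role = GROUP_TO_ROLE.get(cnOf(g).toLowerCase());
            if (role != null) roles.add(new SimpleGrantedAuthority(role));
        }
        return roles;
    }

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                          Collection<? extends GrantedAuthority> authorities) {
        List<String> groups = new ArrayList<String>();
        for (GrantedAuthority a : authorities) groups.add(a.getAuthority());
        return new User(username, "", true, true, true, true, rolesFor(groups)); // AD bind already verified the password
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) { /* read-only mapper */ }
}
```

With the table above, rolesFor(Arrays.asList("CN=My Admin Group,OU=Permissions,OU=Groups,DC=sub,DC=company,DC=net")) yields a single ROLE_ADMIN authority, while a group whose CN differs by one character yields nothing.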

Regarding spring - handling roles when authenticating against Active Directory with Spring Security 3.1, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/8835818/
