问题描述
我正在尝试使用 Spring Security 3.1 对 Active Directory 进行身份验证.我通过了身份验证,一切都很好.
I'm trying to use a authenticate with an Active directory using Spring Security 3.1.I get authenticated and all is well.
<sec:ldap-server id="ldapServer" url="ldap://ldap/dc=sub,dc=domain,dc=com" port="389" />
<sec:authentication-manager erase-credentials="true" >
<sec:authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</sec:authentication-manager>
<bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="domain" />
<constructor-arg value="ldap://server:389/"/>
</bean>
现在问题来了.我如何处理用户的角色以便我可以设置过滤器?
Now to the question. How do I handle roles for the user so that I can setup my filters?
例如
<sec:intercept-url pattern="/**" access="ROLE_USER"/>
解决方案
我通过使用 UserDetailContextMapper 了解了如何做到这一点,并将我的 AD 组映射到 ROLE_USER、ROLE_ADMIN 等.
Solution
I found out how to do this by using the UserDetailContextMapper and map my AD groups to ROLE_USER,ROLE_ADMIN etc.
<bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="domain" />
<constructor-arg value="ldap://host:389/"/>
<property name="userDetailsContextMapper" ref="tdrUserDetailsContextMapper"/>
<property name="useAuthenticationRequestCredentials" value="true"/>
</bean>
<bean id="tdrUserDetailsContextMapper" class="com.bla.bla.UserDetailsContextMapperImpl"/>
映射器类:
public class UserDetailsContextMapperImpl implements UserDetailsContextMapper, Serializable{
private static final long serialVersionUID = 3962976258168853954L;
@Override
public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authority) {
List<GrantedAuthority> mappedAuthorities = new ArrayList<GrantedAuthority>();
for (GrantedAuthority granted : authority) {
if (granted.getAuthority().equalsIgnoreCase("MY USER GROUP")) {
mappedAuthorities.add(new GrantedAuthority(){
private static final long serialVersionUID = 4356967414267942910L;
@Override
public String getAuthority() {
return "ROLE_USER";
}
});
} else if(granted.getAuthority().equalsIgnoreCase("MY ADMIN GROUP")) {
mappedAuthorities.add(new GrantedAuthority() {
private static final long serialVersionUID = -5167156646226168080L;
@Override
public String getAuthority() {
return "ROLE_ADMIN";
}
});
}
}
return new User(username, "", true, true, true, true, mappedAuthorities);
}
@Override
public void mapUserToContext(UserDetails arg0, DirContextAdapter arg1) {
}
}
推荐答案
beans.xml 中的角色必须与 memberOf 值属性的 CN(通用名称)完全匹配.您应该阅读有关目录基础知识的教程.
The roles in the beans.xml must be an exact match of the CN (common name) of the memberOf value attribute. You should read a tutorial about directory basics.
说有这个用户:CN=Michael-O,OU=Users,OU=department,DC=sub,DC=company,DC=net
在他的上下文中存在这个 memberOf 值 CN=Group Name,OU=Permissions,OU=Groups,OU=department,DC=sub,DC=company,DC=net
Say have this user:CN=Michael-O,OU=Users,OU=department,DC=sub,DC=company,DC=net
In his context exists this memberOf value CN=Group Name,OU=Permissions,OU=Groups,OU=department,DC=sub,DC=company,DC=net
Bean 将定位这个 memberOf 值并提取 Group Name
.您 beans.xml 必须具有该值.
The Bean will locate this memberOf value and extract Group Name
. You beans.xml has to have exactly this value.
这篇关于使用 spring security 3.1 对活动目录进行身份验证时处理角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!