Problem description
I'm getting the users of my web-app from the Active Directory. So I created a custom UserDetailsContextMapper to save some data of the user to the web-app's MySQL database.
And this is my security configuration about LDAP:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

// Enclosing class assumed from the configure(AuthenticationManagerBuilder) override below;
// LdapUserDetailsContextMapper is the asker's own custom UserDetailsContextMapper.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        // AD domain and LDAP URL; LDAP_IP is the asker's placeholder for the server address
        ActiveDirectoryLdapAuthenticationProvider provider =
            new ActiveDirectoryLdapAuthenticationProvider("myDomain.local", "ldap://LDAP_IP:389/");
        // Map AD sub-error codes (expired password, locked account, ...) to specific exceptions
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        // Custom mapper that copies user data into MySQL after a successful bind
        provider.setUserDetailsContextMapper(userDetailsContextMapper());
        return provider;
    }

    // Note: this registers the same provider bean a second time; one of the two is enough
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public UserDetailsContextMapper userDetailsContextMapper() {
        return new LdapUserDetailsContextMapper();
    }
}
I would like to know when and if the data on the AD have changed since the last login. For example, if today at 10:00AM I was a member of group A inside the AD and now I'm a member of group A and B, I would like to update the authorities on MySQL.
Is there a field or something inside AD to know that?
I would like to check if something changed for a particular user during the login phase; in this way I can update the information on MySQL.
Recommended answer
To find when a user was last modified, you can use the "whenchanged" attribute.
If you extend LdapUserDetailsMapper and override mapUserFromContext, it might look like this:
package example.active.directory.authentication;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;

import java.time.LocalDateTime;
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.Collection;
import java.util.Comparator;

public class CustomUserMapper extends LdapUserDetailsMapper {

    // AD stores whenChanged as LDAP Generalized Time, e.g. "20240105093000.0Z" (UTC)
    private static final DateTimeFormatter GENERALIZED_TIME =
        DateTimeFormatter.ofPattern("uuuuMMddHHmmss[,S][.S]X");

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                          Collection<? extends GrantedAuthority> authorities) {
        UserDetails details = super.mapUserFromContext(ctx, username, authorities);
        // Attribute names are case-insensitive in LDAP, so "whenchanged" matches whenChanged
        String[] changedValues = ctx.getStringAttributes("whenchanged");
        if (changedValues != null && changedValues.length > 0) {
            // Keep the most recent value; toLocalDateTime() drops the "Z", so this is wall-clock UTC
            LocalDateTime lastChangedTime = Arrays.stream(changedValues)
                .map(input -> OffsetDateTime.parse(input, GENERALIZED_TIME).toLocalDateTime())
                .max(Comparator.naturalOrder())
                .orElse(null);
            System.out.println(lastChangedTime);
            // Do something with value? e.g. compare with the timestamp stored in MySQL
        }
        return details;
    }
}
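To show how the parsed whenChanged value drives the update the asker wants (refresh MySQL only when the AD object changed since the last sync, then grant or revoke the differing authorities), here is an added, stand-alone example that is not part of the answer above; the class name, timestamps, group names and the "stored" MySQL values are constructed for illustration.

```java
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.util.HashSet;
import java.util.Set;

// Added example (not from the question or answer): decide at login whether the
// MySQL copy of a user's authorities is stale, using AD's whenChanged attribute.
public class AdSyncCheck {
    // AD returns whenChanged as Generalized Time, e.g. "20240105093000.0Z" (always UTC).
    private static final DateTimeFormatter GENERALIZED_TIME =
        DateTimeFormatter.ofPattern("uuuuMMddHHmmss[,S][.S]X");

    public static Instant parseWhenChanged(String value) {
        // Keep the offset (Z) instead of converting to LocalDateTime, so comparisons stay in UTC
        return OffsetDateTime.parse(value, GENERALIZED_TIME).toInstant();
    }

    // True when the AD object was modified after the time it was last synced to MySQL.
    // A null lastSync (user never seen before) always counts as stale.
    public static boolean isStale(Instant whenChanged, Instant lastSync) {
        return lastSync == null || whenChanged.isAfter(lastSync);
    }

    // Authorities present in AD but missing from MySQL (rows to insert) ...
    public static Set<String> toGrant(Set<String> fromAd, Set<String> stored) {
        Set<String> diff = new HashSet<>(fromAd);
        diff.removeAll(stored);
        return diff;
    }

    // ... and authorities still in MySQL that AD no longer grants (rows to delete).
    public static Set<String> toRevoke(Set<String> fromAd, Set<String> stored) {
        Set<String> diff = new HashSet<>(stored);
        diff.removeAll(fromAd);
        return diff;
    }

    public static void main(String[] args) {
        // Constructed scenario from the question: synced at 10:00 with group A only,
        // the AD object changed later and now carries groups A and B.
        Instant lastSync = parseWhenChanged("20240105100000.0Z");
        Instant whenChanged = parseWhenChanged("20240105113000.0Z");
        Set<String> stored = Set.of("ROLE_A");          // what MySQL currently holds
        Set<String> fromAd = Set.of("ROLE_A", "ROLE_B"); // what the mapper received from AD
        if (isStale(whenChanged, lastSync)) {
            System.out.println("grant=" + toGrant(fromAd, stored) + " revoke=" + toRevoke(fromAd, stored));
        }
    }
}
```

Revoking as well as granting matters: if only additions are written to MySQL, a user removed from an AD group keeps the authority in the web-app until someone notices.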
This concludes the article on updating user information during LDAP AD login with Spring; we hope the recommended answer was helpful.