Logging in to LDAP with Spring

This page covers how to refresh locally stored user information during a login against LDAP / Active Directory with Spring Security; it may help readers who hit the same problem.

Problem description

I'm getting the users of my web-app from the Active Directory. So I created a custom UserDetailsContextMapper to save some data of the user to the web-app's MySQL database.

And this is my security configuration for LDAP:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        // Domain and URL as posted. Note that the bind with the user's password goes over
        // plain ldap:// here; ldaps:// (or StartTLS) keeps the credentials off the wire in clear.
        ActiveDirectoryLdapAuthenticationProvider provider =
            new ActiveDirectoryLdapAuthenticationProvider("myDomain.local", "ldap://LDAP_IP:389/");
        // Map AD sub-error codes (expired password, locked account, ...) to specific exceptions
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        // The custom mapper that also writes the user's data to MySQL
        provider.setUserDetailsContextMapper(userDetailsContextMapper());
        return provider;
    }

    // The post also had an @Autowired configureGlobal(AuthenticationManagerBuilder) doing the
    // same registration; one of the two is enough, so only the override is kept here.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    // LdapUserDetailsContextMapper is the asker's own class, not a Spring type
    @Bean
    public UserDetailsContextMapper userDetailsContextMapper() {
        return new LdapUserDetailsContextMapper();
    }
}

I would like to know when and if the data on the AD have changed since the last login. For example, if today at 10:00 AM I was a member of group A inside the AD and now I'm a member of groups A and B, I would like to update the authorities on MySQL.

Is there a field or something inside AD to know that?

I would like to check if something changed for a particular user during the login phase; this way I can update the information on MySQL.

Recommended answer

To find when a user was last modified, you can use the "whenChanged" attribute.

If you extend LdapUserDetailsMapper and override mapUserFromContext, it might look like this:

package example.active.directory.authentication;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;

import java.time.LocalDateTime;
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.Collection;
import java.util.Comparator;

public class CustomUserMapper extends LdapUserDetailsMapper {

    // AD returns whenChanged as GeneralizedTime, e.g. 20240301120000.0Z (sample value);
    // the pattern accepts an optional one-digit fraction after ',' or '.' and a zone offset
    private static final DateTimeFormatter WHEN_CHANGED =
        DateTimeFormatter.ofPattern("uuuuMMddHHmmss[,S][.S]X");

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                          Collection<? extends GrantedAuthority> authorities) {

        UserDetails details = super.mapUserFromContext(ctx, username, authorities);
        // null when the attribute is absent or was not returned by the search
        String[] changedValues = ctx.getStringAttributes("whenChanged");

        if (changedValues != null && changedValues.length > 0) {
            // Keep the most recent value; toLocalDateTime() drops the offset ("Z" means UTC)
            LocalDateTime lastChangedTime = Arrays.stream(changedValues)
                .map(input -> OffsetDateTime.parse(input, WHEN_CHANGED).toLocalDateTime())
                .max(Comparator.naturalOrder())
                .orElse(null);
            System.out.println(lastChangedTime);
            // Compare against the timestamp stored in MySQL and refresh the row when it is newer
        }
        return details;
    }
}
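As an added example (not the answer's code and not the asker's project), here is a mapper that resolves the question's group-A-to-A-and-B case without depending on a timestamp. Two properties of whenChanged matter for that decision: it is maintained per domain controller rather than replicated, so two DCs can report different values for the same user, and adding a user to a group writes the group's member attribute, not the user object, so a membership change does not by itself bump the user's whenChanged. The example therefore compares the authorities that ActiveDirectoryLdapAuthenticationProvider derived from memberOf (the collection it passes into mapUserFromContext) with what is stored locally, writes only on a difference, and keeps whenChanged as an audit value. AuthorityStore and SyncResult are hypothetical names introduced here; the store stands in for the MySQL table the question mentions.

```java
package example.active.directory.authentication;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;

import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeFormatterBuilder;
import java.time.temporal.ChronoField;
import java.util.Arrays;
import java.util.Collection;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;

/**
 * Added example: synchronises the authorities Spring Security derived from the
 * user's memberOf values into local storage on every login. whenChanged is
 * parsed and stored for auditing only; it does not drive the decision.
 */
public class SyncingUserMapper extends LdapUserDetailsMapper {

    /** Hypothetical persistence port standing in for the MySQL table. */
    public interface AuthorityStore {
        Optional<Set<String>> load(String username);
        void save(String username, Set<String> authorities, Instant adWhenChanged);
    }

    /** Outcome of one sync, returned so callers can log or test it. */
    public enum SyncResult { CREATED, UPDATED, UNCHANGED }

    // AD stores whenChanged as GeneralizedTime, e.g. "20240301120000.0Z" (sample value).
    // The fraction is optional with 0..9 digits; the offset is normally "Z".
    static final DateTimeFormatter GENERALIZED_TIME = new DateTimeFormatterBuilder()
            .appendPattern("uuuuMMddHHmmss")
            .optionalStart()
            .appendFraction(ChronoField.NANO_OF_SECOND, 0, 9, true)
            .optionalEnd()
            .appendPattern("X")
            .toFormatter();

    private final AuthorityStore store;

    public SyncingUserMapper(AuthorityStore store) {
        this.store = Objects.requireNonNull(store);
    }

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                          Collection<? extends GrantedAuthority> authorities) {
        UserDetails details = super.mapUserFromContext(ctx, username, authorities);
        Instant changed = newestWhenChanged(ctx.getStringAttributes("whenChanged")).orElse(null);
        sync(username, authorities, changed);
        return details;
    }

    /** Compares the live AD authorities with the stored set and writes only on a difference. */
    public SyncResult sync(String username, Collection<? extends GrantedAuthority> authorities,
                           Instant adWhenChanged) {
        // TreeSet gives a deterministic order for logging; Set.equals ignores implementation
        Set<String> fromAd = authorities.stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toCollection(TreeSet::new));
        Optional<Set<String>> stored = store.load(username);
        if (!stored.isPresent()) {
            store.save(username, fromAd, adWhenChanged);
            return SyncResult.CREATED;
        }
        if (!stored.get().equals(fromAd)) {
            // Group added or removed since the last login: overwrite, never merge,
            // so that a revoked membership is also revoked locally
            store.save(username, fromAd, adWhenChanged);
            return SyncResult.UPDATED;
        }
        return SyncResult.UNCHANGED;
    }

    /** Parses every returned value of the attribute and keeps the most recent one. */
    static Optional<Instant> newestWhenChanged(String[] values) {
        if (values == null) {
            return Optional.empty();
        }
        return Arrays.stream(values)
                .map(v -> OffsetDateTime.parse(v, GENERALIZED_TIME).toInstant())
                .max(Instant::compareTo);
    }
}
```

Wire it in with provider.setUserDetailsContextMapper(new SyncingUserMapper(store)) in place of the bean from the question. Overwriting rather than merging is the important design choice: the goal is that the local authorities mirror AD, and a merge would keep a group the user has since been removed from.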


09-02 19:50