• Spring Security初体验使用LDAP认证


    1配置认证方式为LDAP

    <beans:bean id="ldapAuthProvider"

    class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">

    <beans:constructor-arg>

    <beans:bean

    class="org.springframework.security.ldap.authentication.BindAuthenticator">

    <beans:constructor-arg ref="contextSource" />

    <beans:property name="userDnPatterns">

    <beans:list>

    <beans:value>CN={0},CN=Users</beans:value>

    </beans:list>

    </beans:property>

    </beans:bean>

    </beans:constructor-arg>

    <beans:constructor-arg>

    <beans:bean

    class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">

    <beans:constructor-arg ref="contextSource" />

    <beans:constructor-arg value="cn=users" />

    <beans:property name="groupRoleAttribute" value="cn" />

    </beans:bean>

    </beans:constructor-arg>

    </beans:bean>

    ¤认证方式:使用LdapAuthenticationProvider.查看SpringSecurity javadoc对于LdapAuthenticationProvider的描述如下:

    An AuthenticationProvider implementation that authenticates against an LDAP server.

    There are many ways in which an LDAP directory can be configured so this class delegates most of its responsibilities to two separate strategy interfaces, LdapAuthenticator and LdapAuthoritiesPopulator.

    LdapAuthenticator用户信息Demo使用BindAuthenticator

    This interface is responsible for performing the user authentication and retrieving the user's information from the directory. 

    LdapAuthoritiesPopulator:用户权限信息Demo使用DefaultLdapAuthoritiesPopulator(

    The default strategy for obtaining user role information from the directory.

    It obtains roles by performing a search for "groups" the user is a member of.

    )

    Once the user has been authenticated, this interface is called to obtain the set of granted authorities for the user.

     

    ¤DN模式:设置为CN={0}(用户名),CN=Users...DN对应为DistingudeNameLDAP中必须唯一标识用户,Spring Security会自动帮你讲baseDN添加到UserDN后面,根据实际情况进行配置

    ¤groupRoleAttribute分组对应到角色信息

    2配置认证方式

    <authentication-manager>

    <authentication-provider ref="ldapAuthProvider">

    </authentication-provider>

    </authentication-manager>

    3配置认证服务器信息

    <beans:bean id="contextSource"

    class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">

    <beans:constructor-arg value="ldap://xxxxxx:389/DC=xxx,DC=xxx" />

    <beans:property name="userDn"

    value="cn=administrator,cn=users,DC=xxx,DC=com" />

    <beans:property name="password" value="xxxxx!" />

    </beans:bean>

    DefaultSpringSecurityContextSource主要包括:

    ¤providerUrl LDAP认证服务器地址

    ¤userDnLDAP服务器登录用户DN

    ¤password:LDAP服务器用户登录密码

    然后再配置上登录页面以及受限制页面的信息即可:

    <http use-expressions="true" access-denied-page="/AccessDenied.jsp">

    <intercept-url pattern="/login.jsp" access="permitAll" />

    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

    <form-login login-page="/login.jsp"

    authentication-failure-url="/login.jsp?error=true"

    default-target-url="/" />

    <logout logout-success-url="/login.jsp" />

    </http>

     

    如此即可实现登录:

    登录之后的信息如下:

     

    获取登录用户信息:

    添加Spring Security标签:

    <%@ taglib prefix="sec"

    uri="http://www.springframework.org/security/tags"%>

    <div>

    username :

    <sec:authentication property="name" />

    </div>

    获取权限列表可以使用如下代码:

    List<GrantedAuthority> auths = (List<GrantedAuthority>) SecurityContextHolder.getContext()

    .getAuthentication().getAuthorities();

    如此运行认证即可使用ldap认证

    另外如果需要获取一些用户的属性信息需要在xxxContext.xml中配置的provider节点中配置

    <beans:bean id="ldapAuthProvider">

     <beans:property name="userAttributes">

      <beans:list>

       <beans:value>CN</beans:value>

       <beans:value>entryDN</beans:value>

       <beans:value>entryUUID</beans:value>

       <beans:value>mail</beans:value>

       <beans:value>giveName</beans:value>

      </beans:list>

     </beans:property>

    </beans:bean>

    如果是使用ad身份认证,获取的objectGUID为字符串信息,那么需要添加

    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">

    ...

    <beans:property name="baseEnvironmentProperties">

    <beans:map>

    <beans:entry key="java.naming.ldap.attributes.binary" value="objectGUID" />

    </beans:map>

    </beans:property>

    ...

    </bean>

    如此才能获取相应的GUID二进制编码信息

    如果使用ldap进行身份认证?那么需要在attribute中配置entryUUID属性,但是获取到的是字符串,直接转换为uuid即可.


  • 相关阅读:
    Vue整合nginx:(1)开发环境npm run dev下,通过nginx解决前后端分离造成的跨域问题
    SpringBoot 整合 ActiveMq
    SpringBoot 整合 slf4j 日志打印
    Java 抽象类的简单使用
    MongoDB基本使用
    node.js修改全局安装文件路径
    Vue + iview框架,搭建项目遇到的相关问题记录
    ThinkPHP重写路由,掩藏public/index.php
    thinkPhP + Apache + PHPstorm整合框架
    Ionic3,装饰器(@Input、@ViewChild)以及使用 Events 实现数据回调中的相关用法(五)
  • 原文地址:https://www.cnblogs.com/SkyMouse/p/2340742.html
Copyright © 2020-2023  润新知