我有一个使用LDAP进行身份验证和授权的Spring 3项目。我们现在已将该项目改为使用CAS进行身份验证,但仍然使用LDAP进行授权。有人可以看一下这个XML文件,并告诉我如何让LDAP授权恢复工作吗?
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security" xmlns:p="http://www.springframework.org/schema/p"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<!-- URL access rules. Unauthenticated requests are handed to casEntryPoint, and the
     access attributes are evaluated as expressions (use-expressions="true"). -->
<http entry-point-ref="casEntryPoint"
      use-expressions="true">
  <!-- Pages open to everyone: landing page plus the CAS logout and failure views. -->
  <intercept-url pattern="/"               access="permitAll"/>
  <intercept-url pattern="/index.jsp"      access="permitAll"/>
  <intercept-url pattern="/cas-logout.jsp" access="permitAll"/>
  <intercept-url pattern="/casfailed.jsp"  access="permitAll"/>

  <!-- Role-protected areas. These role names have to match the authorities returned by
       the user details service that casAuthProvider is wired to. -->
  <intercept-url pattern="/secure/**"   access="hasRole('ROLE_USER')"/>
  <intercept-url pattern="/requests/**" access="hasRole('ROLE_MEMBER_INQUIRY')"/>
  <!-- NOTE(review): a URL matching none of the patterns above gets no access rule from
       this element. If nothing else is meant to be public, consider ending the list
       with a catch-all such as pattern="/**" access="isAuthenticated()". -->

  <!-- CAS filters: local logout trigger, CAS single sign-out, ticket processing. -->
  <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
  <custom-filter ref="singleLogoutFilter"        before="CAS_FILTER"/>
  <custom-filter ref="casFilter"                 position="CAS_FILTER"/>

  <logout logout-success-url="/cas-logout.jsp"/>
</http>
<!-- Authentication manager, exposed under the alias authManager. casAuthProvider is the
     only provider registered; the ldapAuthProvider bean declared later in this file is
     not listed here. -->
<authentication-manager alias="authManager">
  <authentication-provider ref="casAuthProvider"/>
</authentication-manager>
<!-- In-memory user store. casAuthProvider looks users up by name through this bean, so
     the authorities listed here are the ones a CAS-authenticated user ends up with.
     NOTE(review): accounts, cleartext passwords and roles are hard-coded in the file;
     treat this as sample data only and do not ship it. -->
<user-service id="userService">
  <user name="rod"
        password="rod"
        authorities="ROLE_SUPERVISOR,ROLE_USER"/>
  <user name="cpilling04@aol.com.dev"
        password="testing"
        authorities="ROLE_MEMBER_INQUIRY"/>
</user-service>
<!-- Processes Single Logout requests that arrive from the CAS server. -->
<b:bean id="singleLogoutFilter"
        class="org.jasig.cas.client.session.SingleSignOutFilter"/>
<!-- Local logout endpoint (/j_spring_cas_security_logout). It clears the security
     context and then redirects to the CAS server's logout URL so that Single Logout
     is performed there as well. -->
<b:bean id="requestSingleLogoutFilter"
        class="org.springframework.security.web.authentication.logout.LogoutFilter"
        p:filterProcessesUrl="/j_spring_cas_security_logout">
  <!-- First argument: where to send the browser after the local logout. -->
  <b:constructor-arg value="https://${cas.server.host}/cas-server-webapp/logout"/>
  <!-- Second argument: the handler that runs during the local logout. -->
  <b:constructor-arg>
    <b:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
  </b:constructor-arg>
</b:bean>
<!-- Identifies this application to CAS: the service URL is the callback on which the
     ticket is received. authenticateAllArtifacts="true" makes any request that carries
     a ticket an authentication attempt; it is used here alongside the proxy-ticket
     settings on casFilter and the ticket validator. -->
<b:bean id="serviceProperties"
        class="org.springframework.security.cas.ServiceProperties"
        p:service="https://${cas.service.host}/MemberInquiry/j_spring_cas_security_check"
        p:authenticateAllArtifacts="true"/>
<!-- Entry point referenced by the http element: redirects unauthenticated users to the
     CAS login page, passing the service URL taken from serviceProperties. -->
<b:bean id="casEntryPoint"
        class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
        p:serviceProperties-ref="serviceProperties"
        p:loginUrl="https://${cas.server.host}/cas-server-webapp/login"/>
<!-- Filter installed at CAS_FILTER. It passes received tickets to authManager and also
     serves the proxy receptor URL, storing proxy-granting tickets in pgtStorage. -->
<b:bean id="casFilter"
        class="org.springframework.security.cas.web.CasAuthenticationFilter"
        p:authenticationManager-ref="authManager"
        p:serviceProperties-ref="serviceProperties"
        p:proxyGrantingTicketStorage-ref="pgtStorage"
        p:proxyReceptorUrl="/j_spring_cas_security_proxyreceptor">

  <b:property name="authenticationDetailsSource">
    <b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource"/>
  </b:property>

  <!-- Failed ticket validation ends on the public /casfailed.jsp page. -->
  <b:property name="authenticationFailureHandler">
    <b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
            p:defaultFailureUrl="/casfailed.jsp"/>
  </b:property>

  <!-- On success the user returns to the saved request, or to /requests/add.html when
       there is none. -->
  <b:property name="authenticationSuccessHandler">
    <b:bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"
            p:defaultTargetUrl="/requests/add.html"/>
  </b:property>
</b:bean>
<!-- Proxy-granting-ticket store shared by casFilter and the ticket validator.
     NOTE: this is an in-memory implementation and should not be used in a real
     application. Expired tickets also have to be removed by calling
     ProxyGrantingTicketStorage.cleanup(). -->
<b:bean id="pgtStorage"
        class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
<!-- The provider registered with authManager. It validates the CAS ticket against the
     CAS server and then loads the user, and therefore the authorities, through
     authenticationUserDetailsService. -->
<b:bean id="casAuthProvider"
        class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
        p:serviceProperties-ref="serviceProperties"
        p:key="casAuthProviderKey">

  <!-- Authorities come from the userService bean, looked up by the user name that CAS
       returns. While userService is the in-memory store, the LDAP group lookup
       configured on ldapAuthProvider is never consulted for CAS logins. -->
  <b:property name="authenticationUserDetailsService">
    <b:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
      <b:constructor-arg ref="userService"/>
    </b:bean>
  </b:property>

  <!-- Ticket validation against the CAS server over HTTPS.
       NOTE(review): acceptAnyProxy="true" accepts a proxy ticket whatever services
       appear in its proxy chain. Outside a demo, list the trusted chains with
       allowedProxyChains instead. -->
  <b:property name="ticketValidator">
    <b:bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
            p:acceptAnyProxy="true"
            p:proxyCallbackUrl="https://${cas.service.host}/MemberInquiry/j_spring_cas_security_proxyreceptor"
            p:proxyGrantingTicketStorage-ref="pgtStorage">
      <b:constructor-arg value="https://${cas.server.host}/cas-server-webapp"/>
    </b:bean>
  </b:property>

  <!-- Cache of validated tickets for stateless clients. The Ehcache constructor
       arguments are, in order: cache name, maximum elements in memory, overflow to
       disk, eternal, time to live in seconds, time to idle in seconds. -->
  <b:property name="statelessTicketCache">
    <b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache">
      <b:property name="cache">
        <b:bean class="net.sf.ehcache.Cache"
                init-method="initialise"
                destroy-method="dispose">
          <b:constructor-arg value="casTickets"/>
          <b:constructor-arg value="50"/>
          <b:constructor-arg value="true"/>
          <b:constructor-arg value="false"/>
          <b:constructor-arg value="3600"/>
          <b:constructor-arg value="900"/>
        </b:bean>
      </b:property>
    </b:bean>
  </b:property>
</b:bean>
<!-- Default values for the cas.service.host and cas.server.host placeholders used in
     this file. With system-properties-mode="OVERRIDE", a system property of the same
     name takes precedence over the value given below. -->
<context:property-placeholder system-properties-mode="OVERRIDE"
                              properties-ref="environment"/>

<util:properties id="environment">
  <b:prop key="cas.service.host">wcmisdlin07.uftmasterad.org:8443</b:prop>
  <b:prop key="cas.server.host">wcmisdlin07.uftmasterad.org:8443</b:prop>
</util:properties>
<!-- LDAP connection over LDAPS with base DN dc=uftwf,dc=dev, bound as the account
     given in userDn.
     NOTE(review): the bind DN and its password are stored in cleartext in this file,
     and cn=Manager looks like a directory administrator account. Prefer a dedicated
     read-only service account, and supply the password from outside the file, as is
     done with placeholders for the CAS host names. -->
<b:bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <b:constructor-arg value="ldaps://dvldap01.uftwf.dev:636/dc=uftwf,dc=dev"/>
  <b:property name="userDn"   value="cn=Manager,dc=uftwf,dc=dev"/>
  <b:property name="password" value="uftwf"/>
</b:bean>
<!-- LDAP provider: bind authentication plus a group lookup for authorities.
     NOTE(review): no other bean in this file references ldapAuthProvider, and the
     authentication-manager lists only casAuthProvider, so the authorities populator
     below is not part of the CAS login path as configured. -->
<b:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<!-- First argument: authenticate by binding as the user's own DN. -->
<b:constructor-arg>
<b:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<b:constructor-arg ref="contextSource" />
<!-- DN pattern for users; {0} is replaced by the login name.
     NOTE(review): the line breaks around the pattern are part of the element text;
     confirm they are harmless or write the value on a single line. -->
<b:property name="userDnPatterns">
<b:list>
<b:value>
uid={0},ou=webusers
</b:value>
</b:list>
</b:property>
</b:bean>
</b:constructor-arg>
<!-- Second argument: groups are searched under ou=groups, and each group's "ou"
     attribute supplies the role name. -->
<b:constructor-arg>
<b:bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<b:constructor-arg ref="contextSource" />
<b:constructor-arg value="ou=groups" />
<b:property name="groupRoleAttribute" value="ou" />
</b:bean>
</b:constructor-arg>
</b:bean>
<!-- Namespace-declared LDAP server for the same URL as the contextSource bean. It has
     no id and no manager-dn / manager-password attributes, so it is a second context
     source that does not carry the bind account configured on contextSource. -->
<ldap-server url="ldaps://dvldap01.uftwf.dev:636/dc=uftwf,dc=dev" />
</b:beans>
答案 0 :(得分:2)
您需要使用LdapUserDetailsService替换内存中的UserDetailsService bean(userService)。如果您以前使用LDAP进行身份验证,则配置应该基本相同,前提是CAS返回的用户名可以轻松映射到目录中的条目。
更详细地说:您目前有一个名为userService的bean,它是使用命名空间创建的:
<!-- The in-memory user store from the question: fixed users, cleartext passwords and
     hard-coded authorities. -->
<user-service id="userService">
  <user name="rod"
        password="rod"
        authorities="ROLE_SUPERVISOR,ROLE_USER"/>
  <user name="cpilling04@aol.com.dev"
        password="testing"
        authorities="ROLE_MEMBER_INQUIRY"/>
</user-service>
您需要将其替换为类似下面的内容:
<!-- LDAP-backed replacement that keeps the bean id userService, so the existing
     reference from casAuthProvider continues to resolve. yourLdapServer is a
     placeholder for the id of the ldap-server element; if server-ref is left out, the
     default ldap-server declared in the context is used. The search bases, filters and
     role attribute are examples and must be adapted to the directory. The LDAP beans
     in the question use ou=webusers, ou=groups and the "ou" attribute. -->
<ldap-user-service id="userService"
                   server-ref="yourLdapServer"
                   user-search-base="ou=people"
                   user-search-filter="(uid={0})"
                   group-search-base="ou=groups"
                   group-role-attribute="cn"
                   group-search-filter="(member={0})"
                   role-prefix="ROLE_"/>
但各个属性需要设置为与您的目录配置相匹配。它们应与您迁移到CAS之前在<ldap-authentication-provider>配置中使用的内容类似。您还需要声明<ldap-server>元素以指向目录服务器。同样,这应该与您以前的配置相匹配。