Spring Security with LDAP and database roles

Time: 2013-05-22 17:18:48

Tags: spring spring-security spring-ldap

In our new insurance project, I am trying to implement using Ldap

Once the user is found in AD, I only want to check the username/password. I want to authorize him from a user table (app-authorized users) that holds the access levels in the database. Can someone provide a sample or point me to resources?

2 answers:

Answer 0 (score: 3)

The simplest way to achieve this now (Spring Security 3.2.5.RELEASE) is to implement a custom LdapAuthoritiesPopulator that uses a custom JdbcDaoImpl to fetch the authorities from the database.

Code

Assuming you are using the default database schema, and that the usernames you authenticate with in LDAP are the same ones used as the foreign key in the authorities table, all you need is:

package demo;

import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;

/*
 * CustomJdbcUserDetailsService.java
 *
 * You need to extend JdbcDaoImpl to expose the protected method loadUserAuthorities.
 * JdbcDaoImpl already knows the default schema (users / authorities tables) and runs
 * its authorities query with the username as a bind parameter, so nothing else is needed.
 */
public class CustomJdbcUserDetailsService extends JdbcDaoImpl {

    @Override
    public List<GrantedAuthority> loadUserAuthorities(String username) {
        return super.loadUserAuthorities(username);
    }
}


package demo;

import java.util.Collection;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/*
 * CustomLdapAuthoritiesPopulator.java
 *
 * Then, the only thing your populator needs to do is use the custom UserDetailsService above.
 * The DirContextOperations argument (the user's LDAP entry) is not needed here: the
 * authorities come from the database, keyed only by the authenticated username.
 */
public class CustomLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private static final Logger LOGGER = LoggerFactory.getLogger(CustomLdapAuthoritiesPopulator.class);

    private final CustomJdbcUserDetailsService service;

    public CustomLdapAuthoritiesPopulator(CustomJdbcUserDetailsService service) {
        this.service = service;
    }

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations user, String username) {
        Collection<? extends GrantedAuthority> authorities = service.loadUserAuthorities(username);
        LOGGER.debug("Loaded {} authorities from the database for '{}'", authorities.size(), username);
        return authorities;
    }

}

Now the only thing left to do is configure the LDAP authentication provider to use CustomLdapAuthoritiesPopulator.

Java Config

In a @Configuration-annotated subclass of WebSecurityConfigurerAdapter or GlobalMethodSecurityConfiguration (depending on your case), add the following:

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    /* other authentication configurations you might have */

    /*
     * This assumes that the dataSource configuring
     * the connection to the database has been Autowired
     * into this bean.
     *
     * Adapt according to your specific case.
     */
    CustomJdbcUserDetailsService customJdbcUserDetailsService = new CustomJdbcUserDetailsService();
    customJdbcUserDetailsService.setDataSource(dataSource);

    CustomLdapAuthoritiesPopulator customLdapAuthoritiesPopulator =
            new CustomLdapAuthoritiesPopulator(customJdbcUserDetailsService);

    auth.ldapAuthentication()
        .ldapAuthoritiesPopulator(customLdapAuthoritiesPopulator)
        /* other LDAP configurations you might have */;

    /* yet more authentication configurations you might have */
}

For a working example, see https://github.com/pfac/howto-spring-security

XML Config

Disclaimer: I have been focusing on Java config, so proceed with caution; there may be some mistakes.

Unlike other configurations that use LDAP for authentication, there does not seem to be a nice XML tag available for customizing the LdapAuthoritiesPopulator. So it has to be done by hand. Assuming the bean contextSource that configures the connection to the LDAP server has already been defined, add the following to the Spring XML configuration:

来源:http://spapas.github.io/2013/10/14/spring-ldap-custom-authorities/#spring-security-ldap-with-custom-authorities
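As an added example that is not part of the answer above or of the linked project, the populator below does the same job as CustomLdapAuthoritiesPopulator but with its own parameterized JDBC lookup, and adds the check this setup usually needs: an account that binds successfully in AD but has no enabled row in the application's users table is rejected instead of being let in with an empty role set. It assumes Spring Security's default schema (users / authorities tables), that AD account names are case-insensitive (so the lookup lower-cases them), and an H2 driver on the classpath for the stand-alone main; the class name, the SQL strings and the sample rows are all constructed for this example.

```java
package demo;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/*
 * Added example, not from the original answer: LDAP (AD) proves who the user is,
 * the application's own users / authorities tables decide what they may do.
 * Plugs into Java config via auth.ldapAuthentication().ldapAuthoritiesPopulator(...).
 */
public class DbBackedAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    // Assumed: Spring Security's default schema. Usernames are compared case-insensitively
    // because AD account names are; the value is always a bind parameter, never concatenated.
    private static final String USER_ENABLED_SQL =
            "select count(*) from users where lower(username) = ? and enabled = true";
    private static final String AUTHORITIES_SQL =
            "select authority from authorities where lower(username) = ? order by authority";

    private final JdbcTemplate jdbc;

    public DbBackedAuthoritiesPopulator(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
        String key = username.trim().toLowerCase(Locale.ROOT);

        // Deny by default: a valid AD bind is not enough, the app must know this account.
        // UsernameNotFoundException is an AuthenticationException, so the LDAP provider
        // reports a failed login instead of a logged-in user with no roles.
        int enabledRows = jdbc.queryForObject(USER_ENABLED_SQL, Integer.class, key);
        if (enabledRows == 0) {
            throw new UsernameNotFoundException("Account '" + key + "' is not provisioned in the application");
        }

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String authority : jdbc.queryForList(AUTHORITIES_SQL, String.class, key)) {
            authorities.add(new SimpleGrantedAuthority(authority));
        }
        return authorities;
    }

    // Stand-alone run against an in-memory H2 database with constructed sample rows;
    // no LDAP server is needed because the populator only consumes the username.
    public static void main(String[] args) {
        DataSource ds = new EmbeddedDatabaseBuilder().setType(EmbeddedDatabaseType.H2).build();
        JdbcTemplate jdbc = new JdbcTemplate(ds);
        jdbc.execute("create table users (username varchar(50) primary key, "
                + "password varchar(50) not null, enabled boolean not null)");
        jdbc.execute("create table authorities (username varchar(50) not null, authority varchar(50) not null, "
                + "constraint fk_authorities_users foreign key (username) references users (username))");
        // The password column carries no secret: credentials are checked by the AD bind, not here.
        jdbc.update("insert into users values (?, ?, ?)", "jdoe", "n/a", true);
        jdbc.update("insert into users values (?, ?, ?)", "mblock", "n/a", false);
        jdbc.update("insert into authorities values (?, ?)", "jdoe", "ROLE_USER");
        jdbc.update("insert into authorities values (?, ?)", "jdoe", "ROLE_CLAIMS_ADJUSTER");

        DbBackedAuthoritiesPopulator populator = new DbBackedAuthoritiesPopulator(ds);
        System.out.println("JDoe -> " + populator.getGrantedAuthorities(null, "JDoe"));
        for (String denied : new String[] { "mblock", "someone-else-in-ad" }) {
            try {
                populator.getGrantedAuthorities(null, denied);
            } catch (UsernameNotFoundException e) {
                System.out.println(denied + " -> denied: " + e.getMessage());
            }
        }
    }
}
```

Wire it exactly where the answer wires CustomLdapAuthoritiesPopulator, i.e. `auth.ldapAuthentication().ldapAuthoritiesPopulator(new DbBackedAuthoritiesPopulator(dataSource))`. Two things to check in your own deployment: that the value AD returns as the username (for example sAMAccountName) is the same string stored in the users table, otherwise every login is denied, and that the LDAP provider is left at its default of hiding user-not-found errors behind a generic bad-credentials response, so a login attempt does not reveal which AD accounts are provisioned in the application.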

Answer 1 (score: 1)

You will most likely have to implement a custom UserDetailsService, since you authenticate via LDAP but fetch the roles with a database query. UserDetailsService is an interface. You implement that interface and then add your custom implementation to the Spring Security configuration by doing the following:

<beans:bean id="userDetailsService" class="com.app.MyUserDetailsServiceImpl" />

<authentication-manager>
  <authentication-provider user-service-ref="userDetailsService">
    <password-encoder hash="plaintext" />
  </authentication-provider>
</authentication-manager>

In loadUserByUsername() you create a UserDetails, setting the username, password and the "authorities", i.e. the roles.

This Blog Post has an example of how to use a database, which you should be able to adapt to your requirements.