I am currently working on integrating my application with the company LDAP. While I am able to get the application to actually check the user against LDAP for authentication, the user cannot get past the Spring Security ROLES configuration. I keep getting: "Denied. Sorry, you're not authorized to view this page." every time I try to open a page annotated with @Secured(['ROLE_USER']). I would like to know how to give every user on LDAP ROLE_USER so that he can use the application fully.
My LDAP config is very simple:
grails.plugin.springsecurity.providerNames = ['ldapAuthProvider','anonymousAuthenticationProvider','rememberMeAuthenticationProvider']
grails.plugin.springsecurity.ldap.context.anonymousReadOnly = true
grails.plugin.springsecurity.ldap.context.server = "SOME LDAP ADRESS"
grails.plugin.springsecurity.ldap.authorities.groupSearchBase = 'ou=Employees,O=*****,C=****'
grails.plugin.springsecurity.ldap.search.base = 'O=****,C=****'
grails.plugin.springsecurity.ldap.authorities.retrieveGroupRoles = true
grails.plugin.springsecurity.ldap.authorities.retrieveDatabaseRoles = true
grails.plugin.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}'
grails.plugin.springsecurity.ldap.search.attributesToReturn = null
The Spring Security Core config is the default one:
// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'amelinium1.grails.SecUser'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'amelinium1.grails.SecUserSecRole'
grails.plugin.springsecurity.authority.className = 'amelinium1.grails.SecRole'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/**': ['permitAll'],
'/**/systeminfo': ['permitAll'],
'/**/js/**': ['permitAll'],
'/**/css/**': ['permitAll'],
'/**/images/**': ['permitAll']]
grails.plugin.springsecurity.logout.postOnly = false
The documentation available at http://grails-plugins.github.io/grails-spring-security-core/docs/manual/guide/single.pdf does not seem to be up to date, even though it is for version 2.0 of Spring Security Core. I tried to implement a custom GrailsUser and GrailsUserDetailsService, but they seem to get mixed up with the rest of the plugin (implementation based on the documentation).
Can anyone point me in the right direction and give some information on how to implement LDAP in the latest version, 2.0-RC2?
EDIT
My CustomUserDetailsService class, but I am not sure whether it works with LDAP:
import org.springframework.dao.DataAccessException
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.GrantedAuthorityImpl
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException
import grails.plugin.springsecurity.SpringSecurityUtils
import grails.plugin.springsecurity.userdetails.GrailsUserDetailsService
// Import your own User domain class explicitly here (package not given on this page):
// import <your.package>.User
// A wildcard import of org.springframework.security.core.userdetails.* makes 'User'
// resolve to Spring's User class, which has no static findByUsername() method.

class CustomUserDetailsService implements GrailsUserDetailsService {

    // Placeholder authority handed out when a user has no roles at all,
    // so the UserDetails constructor never gets an empty collection
    static final List<GrantedAuthority> NO_ROLES = [new GrantedAuthorityImpl(SpringSecurityUtils.NO_ROLE)]

    @Override
    UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User.withTransaction { status ->
            User user = User.findByUsername(username)
            if (!user) throw new UsernameNotFoundException('User not found', username)
            def authorities = user.authorities.collect { new GrantedAuthorityImpl(it.authority) }
            return new CustomUserDetails(user.username, user.password, user.enabled,
                    !user.accountExpired, !user.passwordExpired,
                    !user.accountLocked, authorities ?: NO_ROLES, user.id,
                    user.firstName, user.lastName)
        } as UserDetails
    }

    @Override
    UserDetails loadUserByUsername(String username, boolean loadRoles)
            throws UsernameNotFoundException, DataAccessException {
        return loadUserByUsername(username)
    }
}
and the CustomUserDetails class:
import grails.plugin.springsecurity.userdetails.GrailsUser
import org.springframework.security.core.GrantedAuthority

class CustomUserDetails extends GrailsUser {
    final String firstName
    final String lastName

    CustomUserDetails(String username, String password, boolean enabled,
                      boolean accountNonExpired, boolean credentialsNonExpired,
                      boolean accountNonLocked,
                      Collection<GrantedAuthority> authorities,
                      long id, String firstName, String lastName) {
        // GrailsUser carries the standard Spring Security flags plus the domain id
        super(username, password, enabled, accountNonExpired,
              credentialsNonExpired, accountNonLocked, authorities, id)
        this.firstName = firstName
        this.lastName = lastName
    }
}
The problem is that I cannot get any additional information from LDAP beyond the LDAP login itself. Help here would be much appreciated. After rewriting the application I get errors on the custom classes such as: No signature of method: static org.springframework.security.core.userdetails.User.findByUsername() is applicable for argument types: (java.lang.String) values: [hajduk]
Answer 0 (score: 5)
By default the Spring Security plugin gets user and role data from the database. The Spring bean responsible for reading user and role data is named userDetailsService. If you want to get user and role data from somewhere else, e.g. LDAP, you just need to replace it with your own bean, e.g.
import org.springframework.security.core.userdetails.*
import org.springframework.security.core.userdetails.UsernameNotFoundException
import org.springframework.dao.DataAccessException

class LdapUserDetailsService implements UserDetailsService {

    UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        // load the user and their role(s) from LDAP by username and return their
        // details as an instance of a class that implements the UserDetails interface
    }
}
Don't forget to register it in resources.groovy:
userDetailsService(LdapUserDetailsService)
There are some plugins that integrate Spring Security with LDAP, but I would prefer to do it myself because it is very simple. The documentation provides an example of a custom UserDetailsService. Note that when writing your own UserDetailsService / UserDetails implementations there is no need to extend any particular class, and for debugging purposes it may be easier to implement the interfaces directly.
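Here is an added example, not code from the question, the answer, or the plugin, that fills in the LdapUserDetailsService sketched in the answer using Spring LDAP's LdapTemplate. It looks up the user's entry, then maps the groups that entry is a member of to authorities with the same convention the plugin's group role mapping uses (ROLE_ prefix plus the upper-cased cn), which is what makes membership in a group named 'user' satisfy @Secured(['ROLE_USER']). It also escapes the login name before it goes into a search filter, so a login name containing filter metacharacters cannot change the query. The bean name ldapTemplate, the base DNs, the bean name contextSource, and the attribute names uid, givenName, sn, cn and member are assumptions; adjust them to the directory in question.

```groovy
import javax.naming.directory.Attributes
import org.springframework.ldap.core.AttributesMapper
import org.springframework.ldap.core.ContextMapper
import org.springframework.ldap.core.DirContextOperations
import org.springframework.ldap.core.LdapTemplate
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.userdetails.User
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UserDetailsService
import org.springframework.security.core.userdetails.UsernameNotFoundException

// Added example, not code from the question or the plugin. Assumptions: an
// LdapTemplate bean named 'ldapTemplate' exists, people entries sit under
// PEOPLE_BASE with uid == login name and givenName/sn attributes, and group
// entries sit under GROUP_BASE with a 'member' attribute holding full user DNs.
class LdapUserDetailsService implements UserDetailsService {

    LdapTemplate ldapTemplate                                       // injected via resources.groovy

    static final String PEOPLE_BASE = 'ou=People,O=example,C=XX'    // placeholder base DN
    static final String GROUP_BASE  = 'ou=Employees,O=example,C=XX' // placeholder base DN
    static final String ROLE_PREFIX = 'ROLE_'

    UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Escape the login name before embedding it in a filter: a raw value
        // containing '*', '(' or ')' would change the meaning of the search.
        String userFilter = "(uid=${escapeFilterValue(username)})"
        List matches = ldapTemplate.search(PEOPLE_BASE, userFilter, { DirContextOperations ctx ->
            // nameInNamespace is the full DN, which is what group 'member' values contain
            [dn   : ctx.nameInNamespace,
             first: ctx.getStringAttribute('givenName'),
             last : ctx.getStringAttribute('sn')]
        } as ContextMapper)

        if (matches.size() != 1) {
            // zero hits: unknown user; more than one: ambiguous, refuse rather than guess
            throw new UsernameNotFoundException("No unique LDAP entry for $username")
        }
        Map entry = matches[0]

        // Same convention as the plugin's group role mapping: ROLE_ + upper-cased cn,
        // so membership in cn=user,ou=Employees yields ROLE_USER.
        String groupFilter = "(member=${escapeFilterValue(entry.dn)})"
        List groupNames = ldapTemplate.search(GROUP_BASE, groupFilter, { Attributes attrs ->
            attrs.get('cn').get().toString()
        } as AttributesMapper)
        List<GrantedAuthority> authorities = groupNames.collect { String cn ->
            new SimpleGrantedAuthority(ROLE_PREFIX + cn.toUpperCase())
        }

        // Credentials are verified by the LDAP bind, so no password is held here;
        // a user in no group gets an empty authority list and is denied by @Secured.
        new LdapUserDetails(username, '', authorities, entry.first, entry.last)
    }

    /** RFC 4515 escaping of a value placed inside an LDAP search filter. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder()
        value.each { ch ->
            switch (ch) {
                case '\\':     sb << '\\5c'; break
                case '*':      sb << '\\2a'; break
                case '(':      sb << '\\28'; break
                case ')':      sb << '\\29'; break
                case '\u0000': sb << '\\00'; break
                default:       sb << ch
            }
        }
        sb.toString()
    }
}

/** Spring's own User class plus the extra attributes the question wants to carry. */
class LdapUserDetails extends User {
    final String firstName
    final String lastName

    LdapUserDetails(String username, String password, Collection<GrantedAuthority> authorities,
                    String firstName, String lastName) {
        // enabled, accountNonExpired, credentialsNonExpired, accountNonLocked all true:
        // the directory, not this object, decides whether the account may bind
        super(username, password, true, true, true, true, authorities)
        this.firstName = firstName
        this.lastName = lastName
    }
}

// resources.groovy wiring (assumes the LDAP plugin's 'contextSource' bean):
// beans = {
//     ldapTemplate(LdapTemplate, ref('contextSource'))
//     userDetailsService(LdapUserDetailsService) { ldapTemplate = ref('ldapTemplate') }
// }
```

With the question's configuration (groupSearchBase under ou=Employees and groupSearchFilter 'member={0}'), the practical check is whether the user's full DN actually appears as a member value of a group whose cn is 'user'; if no such group membership exists, neither this service nor the plugin's default populator will produce ROLE_USER, and the access-denied page is the expected result.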