I need to grant access to users who belong to an LDAP group (ABCD). I can authenticate successfully using Spring LDAP security, but for some reason the group membership is not loaded. When I try to log in I get a "403 Access Denied" error. I confirmed that the user's groups are not populated into the authorities:

    SecurityContextHolder.getContext().getAuthentication().getAuthorities();

Is there a way to load the user's groups into the authorities? Here is my Spring Security configuration.
    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="/js/**" access="true" />
        <security:intercept-url pattern="/css/**" access="true" />
        <security:intercept-url pattern="/images/**" access="true" />
        <security:intercept-url pattern="/**" access="hasRole('ABCD')" />
    </security:http>

    <security:ldap-server id="ldapServer" url="${ldap.url}" />

    <security:authentication-manager alias="authenticationManager">
        <security:ldap-authentication-provider
            server-ref="ldapServer"
            user-dn-pattern="uid={0},ou=people,o=xxxx.com"
            group-search-base="ou=groups,o=xxxx.com" />
    </security:authentication-manager>
Answer 0 (score: 1)

It should be something like this:
    <security:ldap-server id="ldapServer" url="${ldap.url}/o=xxxx.com" />

    <security:authentication-manager alias="authenticationManager">
        <security:ldap-authentication-provider
            server-ref="ldapServer"
            user-search-base="ou=people"
            user-search-filter="uid={0}"
            group-search-base="ou=groups"
            group-search-filter="member={0}" />
    </security:authentication-manager>
The main issue is around group-search-filter, which should contain some attribute of the user (with placeholders) that refers to the groups the current user belongs to.
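The same provider wired up programmatically with the Spring Security LDAP classes, as an added example that is not part of the question or the answer. It assumes the ${ldap.url} value and the o=xxxx.com base DN from the question; the group search filter and bases mirror the answer, and the comments spell out what the DefaultLdapAuthoritiesPopulator does to the group name before hasRole() sees it.

```java
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

public class LdapGroupAuthoritiesConfig {

    // ldapUrl is the value of ${ldap.url} from the question, e.g. ldap://host:389
    public static LdapAuthenticationProvider ldapProvider(String ldapUrl) throws Exception {
        // Put the base DN on the URL so that the search bases below are relative to it,
        // exactly as the answer's ldap-server url="${ldap.url}/o=xxxx.com" does.
        DefaultSpringSecurityContextSource contextSource =
                new DefaultSpringSecurityContextSource(ldapUrl + "/o=xxxx.com");
        contextSource.afterPropertiesSet(); // the Spring container does this for a bean

        // Locate the user by uid under ou=people and bind with the supplied password
        BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        authenticator.setUserSearch(
                new FilterBasedLdapUserSearch("ou=people", "uid={0}", contextSource));

        // Load authorities from group entries under ou=groups. In the filter {0} is
        // replaced with the authenticated user's full DN and {1} with the login name,
        // so member={0} matches groups whose "member" attribute lists the user's DN.
        // The namespace default is uniqueMember={0}; if the directory stores
        // membership under "member" (or "memberUid"), that default matches nothing
        // and the user ends up with no group authorities, hence the 403.
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups");
        populator.setGroupSearchFilter("member={0}");
        populator.setGroupRoleAttribute("cn"); // the group's cn becomes the authority

        // Defaults: rolePrefix "ROLE_" and convertToUpperCase true, so a group with
        // cn=abcd yields the authority ROLE_ABCD. Spring Security 4+ hasRole('ABCD')
        // adds the prefix itself; in 3.x hasRole() compares the literal string, so
        // there use hasRole('ROLE_ABCD') or call populator.setRolePrefix("").
        populator.setRolePrefix("ROLE_");
        populator.setConvertToUpperCase(true);

        return new LdapAuthenticationProvider(authenticator, populator);
    }
}
```

Register the returned provider with the AuthenticationManager (or pass it to AuthenticationManagerBuilder in Java config) in place of the <security:ldap-authentication-provider> element; the intercept-url rules from the question stay as they are.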