Spring安全配置来验证ldap用户

时间:2015-08-18 10:40:42

标签: java spring spring-security active-directory spring-ldap

我一直在我们公司的Spring Web应用程序上工作,它根据数据库对用户进行身份验证。但是我们希望在我们公司中使用活动目录服务器而不是数据库。不幸的是,我很难连接到服务器。 这是我的spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">


    <beans:bean id="successHandler"
        class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/App/Index" />
    </beans:bean>

    <beans:bean id="failureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/App/loginError" />
    </beans:bean>

    <beans:bean id="loginUrlAuthenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/App/Login" />
    </beans:bean>

    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl">
    </beans:bean>

    <beans:bean id="sas"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry"
            ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
    </beans:bean>

    <http auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
        <intercept-url pattern="/Content/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/Desktop/New_Them/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/App/Index" access="ROLE_USER" />
        <intercept-url pattern="/App/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/rest/clc/ClcLogPhon/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/**" access="ROLE_USER" />
        <custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />
        <logout logout-success-url="/App/Login" />
        <remember-me key="myAppKey" />
        <session-management
            session-authentication-strategy-ref="sas">
        </session-management>
        <csrf />
        <headers>
            <xss-protection />
        </headers>
    </http>
    <global-method-security pre-post-annotations="enabled"
        secured-annotations="enabled" proxy-target-class="true" />

    <beans:bean id="concurrencyFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/App/Login" />
    </beans:bean>

    <beans:bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
        <beans:constructor-arg index="0" value="256" />
    </beans:bean>

    <ldap-server id="ldapServer"
        url="ldap://192.168.1.143/dc=springframework,dc=org" />

    <authentication-manager>
        <ldap-authentication-provider server-ref="ldapServer"
            user-dn-pattern="uid={0},ou=people" />
    </authentication-manager>
</beans:beans>

实际上我刚刚删除了与数据库相关的bean,然后添加了ldap-server和authentication-manager,以便使用ldap进行身份验证。我使用Spring 4.0.1和Spring security 3.2.1以及java 1.7。虽然Web应用程序启动,但我在登录页面中输入的任何信息都被拒绝了,我在eclipse的控制台中出现Access is denied错误。 此外,我将Ldap url更改为错误的IP地址,仅用于测试应用程序是否失败。但它根本没有变化。所以,我怀疑它甚至试图连接到服务器。

1 个答案:

答案 0 :(得分:1)

由于我在这里没有收到任何答案,我会搜索解决我的问题。 首先,我应该像我的Active目录设置一样设置url。例如,我完全忽略了IP地址后的端口地址,默认为389。此外,我将url地址末尾的域更改为我的特定活动目录域地址。 最后,我的网址变为

 ldap://192.168.1.143:389/DC=myDomain,DC=org

其次,我应该使用用户名密码连接到Ldap。所以我改变了我的spring-security.xml,如下所示:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">


    <beans:bean id="successHandler"
        class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/App/Index" />
    </beans:bean>

    <beans:bean id="failureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/App/loginError" />
    </beans:bean>

    <beans:bean id="loginUrlAuthenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/App/Login" />
    </beans:bean>

    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl">
    </beans:bean>

    <beans:bean id="sas"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry"
            ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
    </beans:bean>

    <http auto-config="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
        <intercept-url pattern="/Content/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/Desktop/New_Them/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/App/Index" access="ROLE_USER" />
        <intercept-url pattern="/App/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/rest/clc/ClcLogPhon/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/**" access="ROLE_USER" />
        <custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />
        <logout logout-success-url="/App/Login" />
        <remember-me key="myAppKey" />
        <session-management
            session-authentication-strategy-ref="sas">
        </session-management>
        <csrf />
        <headers>
            <xss-protection />
        </headers>
    </http>
    <global-method-security pre-post-annotations="enabled"
        secured-annotations="enabled" proxy-target-class="true" />

    <beans:bean id="concurrencyFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/App/Login" />
    </beans:bean>

    <beans:bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
        <beans:constructor-arg index="0" value="256" />
    </beans:bean>

    <beans:bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg
            value="ldap://192.168.1.143:389/DC=myDomain,DC=org" />
        <beans:property name="userDn"
            value="CN=username,CN=Users,DC=myDomain,DC=org" />
        <beans:property name="password" value="password" />
    </beans:bean>

    <beans:bean id="ldapAuthProvider"
        class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource" />
                <beans:property name="userDnPatterns">
                    <beans:list>
                        <beans:value>uid={0},ou=users</beans:value>
                    </beans:list>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource" />
                <beans:constructor-arg value="ou=groups" />
                <beans:property name="groupRoleAttribute" value="ou" />
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>

    <authentication-manager>
        <authentication-provider ref="ldapAuthProvider"/>
    </authentication-manager>

</beans:beans>

总而言之,我建议首先使用JXplorer连接到Ldap。