我目前正在尝试使用相互身份验证实现Spring Boot Web服务,该服务需要用户认证,并对用户提供针对ldap服务器的详细信息进行身份验证和授权。
到目前为止,相互认证工作,服务器向用户标识自己并要求提供用户证书。使用内存中用户的示例,整个身份验证和授权过程都可以正常工作。但是,只要我实现LDAP连接,我就会得到“java.lang.IllegalStateException:UserDetailsService是必需的”。例外。有趣的是,当我使用登录页面时,LDAP配置本身工作正常,用户必须手动提示他的凭证。所以简而言之:
登录页面+ LDAP工作,
CERT +内存用户工作,
CERT + LDAP不起作用。
到目前为止,这是我的代码:web / config / Application.java
@SpringBootApplication
@ComponentScan({ "web.*" })
public class Application extends SpringBootServletInitializer {
@Bean
public InternalResourceViewResolver viewResolver() {
InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
viewResolver.setViewClass(JstlView.class);
viewResolver.setPrefix("/WEB-INF/jsp/");
viewResolver.setSuffix(".jsp");
return viewResolver;
}
public static void main(String[] args) throws Exception {
SpringApplication.run(Application.class, args);
}
@Bean
public EmbeddedServletContainerFactory servletContainer() {
TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory();
tomcat.addAdditionalTomcatConnectors(createSslConnector());
return tomcat;
}
// *************************************************************************************************
// Mutual Cert Authentication
// *************************************************************************************************
private Connector createSslConnector() {
Connector connector = new Connector(
"org.apache.coyote.http11.Http11NioProtocol");
Http11NioProtocol protocol = (Http11NioProtocol) connector
.getProtocolHandler();
try {
File keystore = new ClassPathResource("server.jks").getFile();
File truststore = new ClassPathResource("cacerts.jks").getFile();
connector.setScheme("https");
connector.setSecure(true);
connector.setPort(8443);
protocol.setSSLEnabled(true);
protocol.setKeystoreFile(keystore.getAbsolutePath());
protocol.setKeystorePass("toor"); //example password
protocol.setTruststoreFile(truststore.getAbsolutePath());
protocol.setTruststorePass("toor"); //example passsword
protocol.setKeyAlias("server");
protocol.setClientAuth("want");
protocol.setSslProtocol("TLS");
return connector;
} catch (IOException ex) {
throw new IllegalStateException("can't access keystore: ["
+ "keystore" + "] or truststore: [" + "keystore" + "]", ex);
}
}
// *************************************************************************************************
// The Authentication Manager Bean provides the source that userdata gets
// authenticated against. In this Scenario a ldap server is used.
// *************************************************************************************************
@Bean
public DefaultSpringSecurityContextSource getSource() throws Exception {
String address = "ldap://lokalhost:389/dc=ldap"; //example url
String ldapUser = "cn=admin,dc=ldap"; //example login
String ldapPassword = "toor"; //example password
DefaultSpringSecurityContextSource source = new DefaultSpringSecurityContextSource(
address);
source.setUserDn(ldapUser);
source.setPassword(ldapPassword);
source.afterPropertiesSet();
return source;
}
}
幅/配置/ WebSecurity.java
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private DefaultSpringSecurityContextSource source;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.ldapAuthentication().contextSource(source)
.userSearchBase("dc=users,dc=ldap")
.userDnPatterns("cn={0},dc=users")
.groupSearchBase("ou=groups")
;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// *************************************************************************************************
// Insert pages that need propper authentication/authorization here
// *************************************************************************************************
http
.x509().subjectPrincipalRegex("CN=(.*?),").and()
.authorizeRequests()
.antMatchers("/**")
.access("hasRole('ROLE_USER')")
.and()
.csrf().disable();
}
}
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>SpringCertAuth</groupId>
<artifactId>spring-cert-authentication</artifactId>
<version>0.1.0</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.2.5.RELEASE</version>
</parent>
<dependencies>
<!-- ldap -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
</dependency>
<dependency>
<groupId>org.apache.directory.server</groupId>
<artifactId>apacheds-server-jndi</artifactId>
<version>1.5.5</version>
</dependency>
<!-- end ldap -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-jasper</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<properties>
<main.basedir>${basedir}/../..</main.basedir>
<java.version>1.8</java.version>
</properties>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
web / controller / HomeController.java
@Controller
public class HomeController {
@RequestMapping("/welcome")
public ModelAndView index() {
ModelAndView model = new ModelAndView();
model.addObject("title","Secure Web Application");
model.addObject("message", "this is the welcome page");
model.setViewName("welcome");
return model;
}
}
webapp / WEB-INF / jsp / welcome.jsp
<%@page session="false"%>
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
<h1>Title : ${title}</h1>
<h1>Message : ${message}</h1>
</body>
</html>
PS:我使用的证书是自签名的,位于src / main / resources文件夹中。
我希望有人可以帮助我。
祝你好运 多米尼克
答案 0 :(得分:1)
您必须在web / config / WebSecurity.java文件中添加UserDetailService。
例如
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated()
.and()
.x509()
.subjectPrincipalRegex("CN=(.*?)(?:,|$)")
.userDetailsService(userDetailsService());
}
@Bean
public UserDetailsService userDetailsService() {
return new UserDetailsService() {
@Override
public UserDetails loadUserByUsername(String username) {
if (username.equals("Bob")) {
return new User(username, "",
AuthorityUtils
.commaSeparatedStringToAuthorityList("ROLE_USER"));
}
throw new UsernameNotFoundException("User not found!");
}
};
}
希望如此。
答案 1 :(得分:0)
好的,我找到了解决方案。我将Application类重写为:
.
.
.
public static DefaultSpringSecurityContextSource getSource() throws Exception {
String address = "ldap://lokalhost:389/dc=ldap"; //example url
String ldapUser = "cn=admin,dc=ldap"; //example login
String ldapPassword = "toor"; //example password
DefaultSpringSecurityContextSource source = new DefaultSpringSecurityContextSource(
address);
source.setUserDn(ldapUser);
source.setPassword(ldapPassword);
source.afterPropertiesSet();
return source;
}
@Bean
public static LdapAuthenticationProvider ldapAuthProvider() throws Exception{
LdapAuthenticationProvider provider = new LdapAuthenticationProvider(authenticator(),authPopulator());
return provider;
}
@Bean
public static BindAuthenticator authenticator() throws Exception{
String[] userDn = {"cn={0},dc=users"};
BindAuthenticator auth = new BindAuthenticator(getSource());
auth.setUserDnPatterns(userDn);
return auth;
}
//authenticator2 only neccessary if authentiction with passwordcompare instead of binduser is wanted.
@Bean
public static PasswordComparisonAuthenticator authenticator2() throws Exception{
String[] userDn = {"cn={0},dc=users"};
PasswordComparisonAuthenticator auth = new PasswordComparisonAuthenticator(getSource());
auth.setUserDnPatterns(userDn);
auth.setPasswordAttributeName("userPassword");
auth.setPasswordEncoder(Md5Encoder());
return auth;
}
@Bean
public static DefaultLdapAuthoritiesPopulator authPopulator() throws Exception{
DefaultLdapAuthoritiesPopulator authPop = new DefaultLdapAuthoritiesPopulator(getSource(),"dc=groups");
authPop.setGroupRoleAttribute("cn");
authPop.setGroupSearchFilter("(member={0})");
return authPop;
}
//Certificate Authentication
@Bean
public static LdapUserDetailsService CustomLdapUserDetailsService() throws Exception{
LdapUserDetailsService userDetails = new LdapUserDetailsService(userSearch(),authPopulator());
return userDetails;
}
@Bean
public static FilterBasedLdapUserSearch userSearch() throws Exception{
FilterBasedLdapUserSearch search = new FilterBasedLdapUserSearch("","cn={0}",getSource());
return search;
}
}
我也改变了WebSecurityConfig类。现在它看起来像这样:
@Configuration
@EnableWebSecurity
@EnableAutoConfiguration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception{
auth.authenticationProvider(Application.ldapAuthProvider());
}
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// *************************************************************************************************
// Insert pages that need proper authentication/authorization here
// *************************************************************************************************
http
.exceptionHandling().accessDeniedPage("/403")
.and()
.x509().subjectPrincipalRegex("CN=(.*?),").userDetailsService(Application.CustomLdapUserDetailsService())
.and()
.authorizeRequests()
.antMatchers("/profile/**").access("hasRole('ROLE_VIEW') or hasRole('ROLE_ADMINISTRATOR')")
.antMatchers("/welcome**").permitAll()
.antMatchers("/authenticate").access("hasRole('ROLE_VIEW') or hasRole('ROLE_ADMIN')")
.antMatchers("/admin").access("hasRole('ROLE_ADMINISTRATOR')")
.and()
.formLogin()
.and()
.logout().logoutSuccessUrl("/welcome?logout").logoutUrl("/logout")
.deleteCookies("JSESSIONID")
.and()
.csrf().disable()
;
}
}
最后的线索给了我这篇文章: spring-security : Using user's certificate to authenticate against LDAP
我希望我可以帮助那些人。
此致 多米尼克