I have always wondered whether there is a way to configure the Spring Security LDAP plugin so that it does not perform authentication in the standard way, but as follows:

1. If one is able to connect and log in to the LDAP server, then the user is authenticated.
2. Read the authorization from this user's account on LDAP (this is probably the default behavior).

So basically no master account is configured; instead, the user/password passed in by the user is used to actually perform the login (and, if it succeeds, the user is allowed to fetch the other data).

Thanks in advance!
Answer 0 (score: 0)

Hopefully you are still looking for this. It sounds like BindAuthenticator is a big step in the right direction. You would have to change the authorities populator so that it does not use the security context source. I believe the default populator uses a connection pool with a corresponding admin account.

Here is an example of setting this up with BindAuthenticator and a custom AuthoritiesPopulator.
<bean id="authPopulator" class="org.springframework.security.ldap.populator.CustomLdapAuthoritiesPopulator">
    <constructor-arg ref="securityContextSource"/>
    <constructor-arg value="ou=Roles,o=data"/>
    <property name="groupRoleAttribute" value="resourceGroupType"/>
    <property name="groupSearchFilter" value="member={0}"/>
</bean>

<bean id="ldap-authentication-provider"
      class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg ref="securityContextSource"/>
            <property name="userDnPatterns">
                <list>
                    <value>cn={0},ou=users,o=system</value>
                    <value>cn={0},ou=users,o=xyz</value>
                    <value>cn={0},ou=users,ou=external,o=xyz</value>
                </list>
            </property>
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
    <constructor-arg ref="authPopulator"/>
    <s:custom-authentication-provider/>
</bean>
Here is my context source definition:

<bean id="securityContextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://192.168.254.254:389"/>
    <property name="userDn" value="cn=admin,ou=users,o=xyz"/>
    <property name="password" value="password"/>
</bean>
I decided to test the context source without the username or password, and it seems to partially work. Here is my log output.
[java] - Authentication success: org.springframework.security.providers.UsernamePasswordAuthenticationToken@79107ad5: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@3d1a70a7: Username: internalUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: a2a3a505521919d529e75c6d14081f6b; Granted Authorities: ROLE_USER
[java] - Updated SecurityContextHolder to contain the following Authentication: 'org.springframework.security.providers.UsernamePasswordAuthenticationToken@79107ad5: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@3d1a70a7: Username: internalUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: a2a3a505521919d529e75c6d14081f6b; Granted Authorities: ROLE_USER'
I am not getting any errors, but it is not populating all of the roles. This may be an eDirectory permissions issue, or you may have to create your own authorities populator. The populator does get passed the user's dirContext.
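As an added example (not code from the question or the answer), here is a populator along the lines the answer suggests: BindAuthenticator reads the user's entry while bound with the user's own credentials and hands it to the populator as `userData`, so roles can be derived from a group-membership attribute on that entry without any admin ContextSource or stored admin password. It uses Spring Security 3+ package names rather than the 2.x names in the XML above, and the attribute name (`memberOf`, or `groupMembership` on eDirectory) is an assumption you pass in.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Locale;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/**
 * Derives roles from a membership attribute on the user's own entry.
 * The entry was read by BindAuthenticator while bound as the user, so no
 * admin account is involved; if the directory hides the attribute from the
 * user (an ACL question), the user is authenticated but gets no roles.
 */
public class UserEntryAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    // Assumed attribute name, e.g. "memberOf" (AD) or "groupMembership" (eDirectory)
    private final String membershipAttribute;
    private final String rolePrefix; // e.g. "ROLE_"

    public UserEntryAuthoritiesPopulator(String membershipAttribute, String rolePrefix) {
        this.membershipAttribute = membershipAttribute;
        this.rolePrefix = rolePrefix;
    }

    @Override
    public Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        String[] groupDns = userData.getStringAttributes(membershipAttribute);
        if (groupDns == null) {
            return authorities; // attribute absent or not readable by this user
        }
        for (String groupDn : groupDns) {
            String cn = firstRdnValue(groupDn);
            if (cn != null && cn.length() > 0) {
                authorities.add(new SimpleGrantedAuthority(rolePrefix + cn.toUpperCase(Locale.ROOT)));
            }
        }
        return authorities;
    }

    /** "cn=Admins,ou=Roles,o=data" -> "Admins"; null if no leading "attr=value". */
    static String firstRdnValue(String dn) {
        int eq = dn.indexOf('=');
        if (eq < 0) return null;
        int comma = dn.indexOf(',', eq);
        return (comma > eq ? dn.substring(eq + 1, comma) : dn.substring(eq + 1)).trim();
    }
}
```

Wire it in place of the `authPopulator` bean above with the two constructor values; the `securityContextSource` then only needs the URL, since BindAuthenticator supplies the user's DN and password for the bind.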