Spring Security LDAP: loading roles from LDAP

Time: 2017-03-01 15:55:40

Tags: spring-security spring-security-ldap

I am using Spring Security LDAP and its authentication works fine, but now I need to load the userLevel attribute from the LDAP entry to determine the user's level.

My Spring Security configuration looks like this

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Profile(value = {"sit", "uat", "prod"})
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    protected Environment environment;

    public SecurityConfig() {
        super();
    }

    // Bind authentication: the user's DN is built from the pattern, then a bind
    // with the supplied password is attempted; the manager DN is only used for
    // directory searches.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
                .userSearchBase("dc=fantasycompany,dc=com")
                .userDnPatterns("cn={0},ou=users,ou=somedepartment,o=departments,c=US,dc=fantasycompany,dc=com")
                .contextSource()
                    .url("ldaps://someserver:636")
                    .managerDn("cn=someone,cn=users,dc=fantasycompany,dc=com")
                    .managerPassword("somethingsomething");
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        /**httpSecurity.authorizeRequests()
                .anyRequest().fullyAuthenticated()
                .and()
                .formLogin()
                    .loginPage("/login")
                    .loginProcessingUrl("/perform_login")
                    .defaultSuccessUrl("/",true)
                    .failureUrl("/login.html?error=true");*/

        httpSecurity
                .csrf().disable()   // CSRF protection is switched off for every request here
                .authorizeRequests()
                .antMatchers("/login*").permitAll()
                .antMatchers("/css/*").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/",true)
                .failureUrl("/login?error=true")
                .and()
                .logout()
                .logoutUrl("/logout")
                .deleteCookies("JSESSIONID");
    }
}

How can I get Spring to load the userLevel attribute from the LDAP entry into ROLES?

1 answer:

Answer 0 (score: 0)

You need a custom LdapAuthoritiesPopulator that reads the attribute (for example 'memberOf' with AD, or 'isMemberOf' with OpenDJ) to extract the 'roles'.

ActiveDirectoryLdapAuthenticationProvider does this without using an LdapAuthoritiesPopulator.
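The following is an added example, not code from the answerer or from the Spring project, showing what such a custom LdapAuthoritiesPopulator looks like for the userLevel attribute in the question and how it is wired into the configuration. The class names UserLevelAuthoritiesPopulator and LdapRolesConfig, the ROLE_LEVEL_<n> naming scheme and the set of accepted level values ("1", "2", "3") are assumptions made for this example; LdapAuthoritiesPopulator, DirContextOperations.getStringAttributes and the ldapAuthoritiesPopulator(...) configurer method are real Spring APIs.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/**
 * Example populator (not from the original post): turns the "userLevel"
 * attribute of the authenticated user's directory entry into ROLE_ authorities.
 * Spring calls getGrantedAuthorities() after the bind succeeded, passing the
 * user's entry as a DirContextOperations.
 */
public class UserLevelAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private static final String LEVEL_ATTRIBUTE = "userLevel";

    // Assumption for this example: the directory uses "1", "2" and "3" as levels.
    // Only values in this allow-list become authorities; anything else is ignored,
    // so an unexpected or malformed attribute value can never mint an arbitrary role.
    private static final Set<String> KNOWN_LEVELS =
            new HashSet<>(Arrays.asList("1", "2", "3"));

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(
            DirContextOperations userData, String username) {

        List<GrantedAuthority> authorities = new ArrayList<>();
        // Every successfully authenticated user gets a baseline role.
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));

        // getStringAttributes() returns null when the attribute is absent and
        // handles both single- and multi-valued attributes.
        String[] levels = userData.getStringAttributes(LEVEL_ATTRIBUTE);
        if (levels != null) {
            for (String level : levels) {
                String trimmed = level.trim();
                if (KNOWN_LEVELS.contains(trimmed)) {
                    authorities.add(new SimpleGrantedAuthority("ROLE_LEVEL_" + trimmed));
                }
            }
        }
        return authorities;
    }
}

/**
 * Wiring (example, not from the original post): the populator is plugged into
 * the same ldapAuthentication() chain used in the question; the remaining
 * settings are copied from it.
 */
@Configuration
@EnableWebSecurity
class LdapRolesConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
                .userSearchBase("dc=fantasycompany,dc=com")
                .userDnPatterns("cn={0},ou=users,ou=somedepartment,o=departments,c=US,dc=fantasycompany,dc=com")
                .ldapAuthoritiesPopulator(new UserLevelAuthoritiesPopulator())
                .contextSource()
                    .url("ldaps://someserver:636")
                    .managerDn("cn=someone,cn=users,dc=fantasycompany,dc=com")
                    .managerPassword("somethingsomething");
    }
}
```

With this in place, `hasRole("LEVEL_3")` in an antMatchers rule or `@PreAuthorize("hasRole('LEVEL_3')")` on a method authorizes by the directory attribute. Two points worth checking on the directory side: the manager account used for the search must be allowed to read userLevel, and ordinary users must not be allowed to write it, since whatever the entry says is what the populator trusts.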