I am developing a Spring (Java) based application and I want to use Apache Directory Studio (LDAP) to manage users, so I want to give each user a role and manage it with Spring Security.
This is my security-context.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">

    <security:authentication-manager>
        <!-- {0} in user-search-filter is the login name; in group-search-filter it is the authenticated user's DN -->
        <security:ldap-authentication-provider
            user-search-filter="(uid={0})" user-search-base="ou=users"
            group-search-filter="(uniqueMember={0})" group-search-base="ou=groups"
            group-role-attribute="cn" role-prefix="ROLE_" />
    </security:authentication-manager>

    <!-- bind account used for the user and group searches -->
    <security:ldap-server url="ldap://localhost:8389/o=mojo"
        manager-dn="uid=admin,ou=system" manager-password="secret" />

    <security:http use-expressions="true">
        <security:intercept-url pattern="/" access="hasRole('ROLE_Admin')" />
        <security:form-login />
    </security:http>
</beans>
This is my LDAP hierarchy:
This does not work for me: even when I log in with the admin credentials, I get a 403 error because access is denied.
Any help?
Answer 0 (score: 2)
Try setting your role in upper case: <security:intercept-url pattern="/" access="hasRole('ROLE_ADMIN')" />
By default <security:ldap-authentication-provider />
auto-configures org.springframework.security.ldap.authentication.LdapAuthenticationProvider, which creates an instance of org.springframework.security.ldap.userdetails.LdapUserDetailsMapper that has the following properties by default:
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

public class LdapUserDetailsMapper implements UserDetailsContextMapper {
    private final Log logger = LogFactory.getLog(LdapUserDetailsMapper.class);
    private String passwordAttributeName = "userPassword";
    private String rolePrefix = "ROLE_";
    private String[] roleAttributes = null;
    private boolean convertToUpperCase = true; // role values are upper-cased unless this is set to false
    // ... (remaining fields and methods omitted here)
}
and so on. With convertToUpperCase set to true, this method
    /**
     * Creates a GrantedAuthority from a role attribute. Override to customize authority
     * object creation.
     * <p>
     * The default implementation converts string attributes to roles, making use of the
     * <tt>rolePrefix</tt> and <tt>convertToUpperCase</tt> properties. Non-String
     * attributes are ignored.
     * </p>
     *
     * @param role the attribute returned from
     * @return the authority to be added to the list of authorities for the user, or null
     * if this attribute should be ignored.
     */
    protected GrantedAuthority createAuthority(Object role) {
        if (role instanceof String) {
            if (this.convertToUpperCase) {
                role = ((String) role).toUpperCase();
            }
            return new SimpleGrantedAuthority(this.rolePrefix + role);
        }
        return null;
    }
ends up turning your ou=groups entry Admin into ROLE_ADMIN, which does not match ROLE_Admin.
Answer 1 (score: -1)
The mistake was in my LDAP hierarchy: I should name the group cn=ROLE_ADMIN as cn=Admin, because my security-context.xml has role-prefix="ROLE_".
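Both answers come down to how the group cn is turned into an authority: the group-derived roles are built by Spring Security's DefaultLdapAuthoritiesPopulator, which prepends rolePrefix and, by default, upper-cases the value, so cn=Admin becomes ROLE_ADMIN and a group already named cn=ROLE_ADMIN becomes ROLE_ROLE_ADMIN. The Java configuration below is an added example, not code from the question or either answer; it is the Spring Security 4.2 Java-config equivalent of the XML above, with the populator wired explicitly so the case and prefix handling is visible. It assumes the same directory layout (ou=users and groupOfUniqueNames entries under ou=groups in o=mojo), the same bind credentials, and a hypothetical package name com.example.security.

```java
// Added example (not from the original page): Java-config equivalent of the XML
// security-context above, with the group-to-role mapping made explicit.
// Assumed: Spring Security 4.2, LDAP layout ou=users / ou=groups under o=mojo,
// and the same manager bind account as in the question.
package com.example.security; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

@Configuration
@EnableWebSecurity
public class LdapSecurityConfig extends WebSecurityConfigurerAdapter {

    // Connection used for the user and group searches (same bind account as the XML).
    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        DefaultSpringSecurityContextSource cs =
                new DefaultSpringSecurityContextSource("ldap://localhost:8389/o=mojo");
        cs.setUserDn("uid=admin,ou=system");
        cs.setPassword("secret");
        return cs;
    }

    // Turns group memberships into authorities. With the defaults shown here:
    //   cn=Admin      -> ROLE_ADMIN
    //   cn=ROLE_ADMIN -> ROLE_ROLE_ADMIN   (prefix applied twice; this is the Answer 1 mistake)
    @Bean
    public DefaultLdapAuthoritiesPopulator authoritiesPopulator() {
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(contextSource(), "ou=groups");
        populator.setGroupSearchFilter("(uniqueMember={0})"); // {0} = the user's full DN
        populator.setGroupRoleAttribute("cn");
        populator.setRolePrefix("ROLE_");
        // true is the default; set to false only if you want to keep mixed case (ROLE_Admin)
        populator.setConvertToUpperCase(true);
        return populator;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
                .contextSource(contextSource())
                .userSearchBase("ou=users")
                .userSearchFilter("(uid={0})") // {0} = the submitted login name
                .ldapAuthoritiesPopulator(authoritiesPopulator());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // hasRole("ADMIN") is checked against ROLE_ADMIN; a mixed-case
                // hasRole("Admin") would be compared against ROLE_Admin and return 403.
                .antMatchers("/").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```

Keep the directory side and the expression side consistent: either leave the group as cn=Admin and check hasRole("ADMIN") (the upper-cased form), or turn off convertToUpperCase and check the exact case stored in LDAP. Do not put the ROLE_ prefix in the group name while role-prefix is also set, since the prefix is added by the populator.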