如何使用Apache Shiro和LDAP身份验证添加角色授权

时间:2017-09-13 13:01:49

标签: java apache authentication ldap shiro

我是Apache Shiro和LDAP的新手。 我正在尝试使用Apache shiro创建一个简单的LDAP身份验证。身份验证有效,但我无法向用户添加角色。下面是我正在使用的shiro.ini文件:

[main]
realm = org.apache.shiro.realm.ldap.JndiLdapRealm
realm.contextFactory.url = ldap://localhost:389
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.systemUsername = cn=Manager,dc=maxcrc,dc=com
contextFactory.systemPassword = secret
[roles]
People = *
role = *
Administrator = *

以下是java类文件:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;

import java.util.ArrayList;
import java.util.List;

import javax.naming.NamingException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.ldap.JndiLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.subject.PrincipalCollection;

public class LDAPTest extends JndiLdapRealm 
{

public static final String userName = "uid=aarippa,ou=People,dc=maxcrc,dc=com";
//public static final String userName = "uid=arjunarippa";
public static final String password = "SomePassword";

public static void main(String[] args)
{
    Factory<SecurityManager> factory = new IniSecurityManagerFactory("N:\\workspace\\LdapAuthentication\\src\\auth.ini");
    SecurityManager securityManager = factory.getInstance();
    SecurityUtils.setSecurityManager( securityManager );
    System.out.println( "userName is  : " +userName);
    System.out.println( "password is  : " +password);
    //UsernamePasswordToken token = new UsernamePasswordToken( "cn=Panji Pratomo,ou=people,dc=maxcrc,dc=com", "SomePassword" );
    UsernamePasswordToken token = new UsernamePasswordToken( userName,password );
    Subject currentUser = SecurityUtils.getSubject();
    //System.out.println(currentUser);

    try
    {
        currentUser.login( token );
        System.out.println( "We've authenticated! :)" );
    }
    catch ( AuthenticationException e )
    {
        System.out.println( "We did not authenticate :(" );
        e.printStackTrace();
    }


    if ( currentUser.hasRole( "people" ) )
    {
        System.out.println( "We have the role! :)" );
    }
    else
    {
        System.out.println( "We do not have the role :(" );
    }
    if ( currentUser.isPermitted( "foo.blah" ) )
    {
        System.out.println( "We're authorized! :)" );
    }
    else
    {
        System.out.println( "We are not authorized :(" );
    }
}
}

我无法理解如何向用户添加角色。身份验证工作正常,但收到错误消息“我们没有角色:(”和“我们没有授权:(” 目前我正在使用OpenLDAP服务器,下面是我在服务器中创建的一个.LDIF条目:

dn: uid=aarippa,ou=people,dc=maxcrc,dc=com
objectclass: inetOrgPerson
cn: Arjun Arippa
cn: A Arippa
cn: Aarippa
sn: fahmi
uid: aarippa
userpassword: SomePassword
carlicense: HISCAR 123
homephone: 555-111-2222
mail: f.satrio222@gmail.com
mail: f.satrio222@mysamz.com
mail: guest108222@fif.co.id
description: tukang ngulik ga jelas
ou: SOA

任何人都可以告诉我,如果我通过添加正确的角色做了正确的事情,并在错误时纠正我。我在写的方法中遗漏了什么吗?

谢谢, 阿琼

1 个答案:

答案 0 :(得分:2)

开箱即用的通用LDAPRealm不处理角色。 Active Directory域(如果您在AD上)。否则,您可以扩展领域并实现doGetAuthorizationInfo方法。 尽管存在一些常见策略,但可以以几乎无限多种方式配置LDAP服务器。您的用户如何与您的群组相关联?您是否有示例查询或示例组记录?

相关问题
最新问题