In my application I want to enable SSO so that users can log in with a login/password stored in the database, with Active Directory credentials, or be logged in automatically by their Windows account (after they have successfully logged in to the domain).

My code is similar to: https://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#ssk-spnego

When a user logs in through the login form with Active Directory credentials, I can get his objectSid and then load the appropriate context from the database, like this:
```java
@Bean
public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
    // adDomain and adServer are configuration fields of this class (not shown here)
    final ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(adDomain, adServer);
    provider.setUserDetailsContextMapper(new LdapUserDetailsContextMapper());
    return provider;
}
```

```java
import java.util.Collection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.support.LdapUtils;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

public class LdapUserDetailsContextMapper implements UserDetailsContextMapper {
    private static final Logger log = LoggerFactory.getLogger(LdapUserDetailsContextMapper.class);

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
        log.info("DN from ctx: " + ctx.getDn()); // returns the correct DN
        byte[] byteSid = ctx.getObjectAttribute("objectSid").toString().getBytes();
        String sid = LdapUtils.convertBinarySidToString(byteSid);
        log.info("SID: " + sid);
        // find username in database by SID
        return new User(username, "notUsed", true, true, true, true,
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        // not used: the mapper is only needed in the authentication direction
    }
}
```
By the way, the SID here is incorrect, as I described in this link, but I can still find it in `ldapTemplate` and in the user DN.
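As an added illustration of the objectSid handling in the mapper above (example code written for this page, not code from the question, from Spring Security or from Spring LDAP's `LdapUtils`), the following standalone class decodes a constructed objectSid value by its documented wire layout and shows why bytes obtained through `toString().getBytes()` cannot yield a correct SID, whether JNDI hands the attribute over as `byte[]` or as a `String`. The class and method names and the sample SID bytes are constructed for the example; the remark that JNDI returns an attribute as a UTF-8 decoded `String` unless it is listed in `java.naming.ldap.attributes.binary` is an assumption about the JNDI LDAP provider's defaults.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;

/**
 * Decodes a binary Active Directory objectSid into its "S-1-5-21-..." text form and
 * demonstrates why toString().getBytes() on the attribute value cannot decode correctly.
 * Added example for this page; not code from the question or from Spring Security.
 */
public final class ObjectSidDecoder {

    private ObjectSidDecoder() {
    }

    /**
     * Wire layout of a Windows SID as stored in objectSid:
     *   byte 0      revision (always 1)
     *   byte 1      number of sub-authorities N
     *   bytes 2..7  48-bit identifier authority, big-endian (5 = NT authority)
     *   then N      32-bit sub-authorities, little-endian
     * Malformed input is rejected instead of being turned into a wrong SID.
     */
    public static String toSidString(byte[] sid) {
        if (sid == null || sid.length < 8) {
            throw new IllegalArgumentException("objectSid too short");
        }
        int revision = sid[0] & 0xFF;
        int subAuthorityCount = sid[1] & 0xFF;
        if (sid.length != 8 + 4 * subAuthorityCount) {
            throw new IllegalArgumentException("objectSid length " + sid.length
                    + " does not match sub-authority count " + subAuthorityCount);
        }
        long authority = 0;
        for (int i = 2; i < 8; i++) {
            authority = (authority << 8) | (sid[i] & 0xFF);
        }
        StringBuilder out = new StringBuilder("S-").append(revision).append('-').append(authority);
        ByteBuffer buf = ByteBuffer.wrap(sid, 8, sid.length - 8).order(ByteOrder.LITTLE_ENDIAN);
        for (int i = 0; i < subAuthorityCount; i++) {
            out.append('-').append(buf.getInt() & 0xFFFFFFFFL); // unsigned 32-bit value
        }
        return out.toString();
    }

    /** The domain SID is everything before the last sub-authority (the RID). */
    public static String domainSid(String sid) {
        return sid.substring(0, sid.lastIndexOf('-'));
    }

    /** Mirrors the question's ctx.getObjectAttribute("objectSid").toString().getBytes(). */
    public static byte[] viaToString(Object attributeValue) {
        return attributeValue.toString().getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample: S-1-5-21-305419896-180150000-4096-500 (RID 500 = built-in Administrator)
        byte[] raw = {
                0x01, 0x05,                                  // revision 1, five sub-authorities
                0x00, 0x00, 0x00, 0x00, 0x00, 0x05,          // identifier authority 5
                0x15, 0x00, 0x00, 0x00,                      // 21
                0x78, 0x56, 0x34, 0x12,                      // 0x12345678 = 305419896
                (byte) 0xF0, (byte) 0xDE, (byte) 0xBC, 0x0A, // 0x0ABCDEF0 = 180150000
                0x00, 0x10, 0x00, 0x00,                      // 0x1000 = 4096
                (byte) 0xF4, 0x01, 0x00, 0x00                // 0x1F4 = 500
        };
        String sid = toSidString(raw);
        System.out.println("decoded:    " + sid);            // S-1-5-21-305419896-180150000-4096-500
        System.out.println("domain SID: " + domainSid(sid)); // S-1-5-21-305419896-180150000-4096

        // Case 1: JNDI returned the attribute as byte[] (objectSid listed in
        // java.naming.ldap.attributes.binary). byte[].toString() yields "[B@..." - not the SID.
        try {
            toSidString(viaToString(raw));
        } catch (IllegalArgumentException e) {
            System.out.println("byte[] via toString(): " + e.getMessage());
        }

        // Case 2 (assumption about JNDI defaults): the attribute was not declared binary, so JNDI
        // decoded the raw bytes as a UTF-8 String. Bytes such as F0 DE BC are not valid UTF-8 and
        // come back as U+FFFD, so re-encoding changes the byte count and the length check fails.
        String asText = new String(raw, StandardCharsets.UTF_8);
        try {
            toSidString(viaToString(asText));
        } catch (IllegalArgumentException e) {
            System.out.println("String via toString(): " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ObjectSidDecoder.java && java ObjectSidDecoder`: the first line prints the decoded SID, the next the domain SID, and the last two show both mangled inputs being rejected. The decoding is the same one `LdapUtils.convertBinarySidToString` performs, so the mapper gets a correct SID only if the value it passes in is the attribute's original `byte[]`.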
The question is: how do I set a User Details Context Mapper in the Kerberos provider? I can only set a `UserDetailsService` and get a username like `user@AD_DOMAIN`, but I don't know how to get this user's `objectSID` or `distinguishedName`.
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient;

// Inside the security configuration class. sunJaasKerberosTicketValidator() and
// dummyUserDetailsService() are further beans of the same class, defined as in the
// linked reference guide and not repeated here.
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .authenticationProvider(kerberosAuthenticationProvider())
        .authenticationProvider(activeDirectoryLdapAuthenticationProvider())
        .authenticationProvider(kerberosServiceAuthenticationProvider());
}

@Bean
public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
    // Form login with a Kerberos username/password (client side against the KDC)
    KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
    SunJaasKerberosClient client = new SunJaasKerberosClient();
    client.setDebug(true);
    provider.setKerberosClient(client);
    provider.setUserDetailsService(dummyUserDetailsService());
    return provider;
}

@Bean
public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
    // SPNEGO: validates the service ticket sent by the browser
    KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
    provider.setTicketValidator(sunJaasKerberosTicketValidator());
    provider.setUserDetailsService(dummyUserDetailsService());
    return provider;
}
```