将角色名称映射到from角色

时间:2018-08-09 19:30:15

标签: ldap tomcat7 jndi web.xml security-constraint

我为tomcat 7配置了一个LDAP领域。它在组用户中搜索某人,一旦找到该用户便会对他们进行身份验证并允许他们访问应用程序。

这是我的境界:

<Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionURL="ldap://adldap.mycompany.com:3268"
          userSearch="(sAMAccountName={0})"
          userSubtree="true"
          userBase="DC=mycompany,DC=com"
          roleSubtree="true"
          roleName="CN"
          userRoleName="memberOf"/>

它找到用户,然后搜索相应的角色名称。这是我对web.xml中角色的安全限制。

<security-constraint>
    <display-name>user</display-name>
    <web-resource-collection>
        <web-resource-name>user</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>TRACE</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>users</description>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>

但是用户将具有类似于CN=Domain Users,CN=Users,DC=mycompany,DC=com的角色。所以我的问题是,有没有办法可以将该角色映射到用户的角色名称?否则,我需要这样定义我的安全约束:

<security-constraint>
    <display-name>user</display-name>
    <web-resource-collection>
        <web-resource-name>user</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>TRACE</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>users</description>
        <role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
</security-role>

2 个答案:

答案 0 :(得分:0)

将该角色映射到用户的角色名称?

<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldap://adldap.mycompany.com:3268"
   userSearch="(sAMAccountName={0})"
   userSubtree="true"
   userBase="DC=mycompany,DC=com"
   roleSubtree="true"
   roleName="CN"
   userRoleName="sAMAccountName"/>

这应该(我无法测试)从经过身份验证的用户条目中拉出属性(sAMAccountName)。

答案 1 :(得分:0)

您尝试过使用

<security-role-ref>
<role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
<role-link>user</role-link>
</security-role-ref>