Spring Security - Authenticating Active Directory users via LDAP in Spring Boot

Time: 2018-08-16 10:50:59

Tags: spring-boot active-directory ldap spring-security-ldap

When we configured LDAP authentication, I ran into an LDAP authentication error. My properties file is configured as follows:

    ldap.urls=ldap://***.***.local:8389
    ldap.base.dn=dc=test,dc=com
    ldap.user.dn.pattern=(&(objectClass=user)(userPrincipalName={0})(memberof=CN=Group Name,OU=***,OU=****,DC=test,DC=com))

When I access the WSDL and pass a valid username and password, I get the following error:

While accessing the WSDL it asks for a username and password. If we provide them, it says: "ActiveDirectoryLdapAuthenticationProvider - Active Directory authentication failed: Supplied password was invalid".

When the application starts, I can see the following on the console:

`org.springframework.ldap.core.support.AbstractContextSource - Property 'userDn' not set - anonymous context will be used for read-write operation`

For SOAP calls it does not work at all, because I have added more to SOAPWebServiceConfig.java:

    import java.util.Collections;
    import java.util.List;

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.io.ClassPathResource;
    import org.springframework.ws.config.annotation.EnableWs;
    import org.springframework.ws.config.annotation.WsConfigurerAdapter;
    import org.springframework.ws.server.EndpointInterceptor;
    import org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor;
    import org.springframework.ws.soap.security.xwss.callback.SimplePasswordValidationCallbackHandler;

    // Imports and enclosing class reconstructed around the posted fragment; the three methods are as posted.
    @EnableWs
    @Configuration
    public class SOAPWebServiceConfig extends WsConfigurerAdapter {

        // XwsSecurityInterceptor
        @Bean
        public XwsSecurityInterceptor securityInterceptor() {
            XwsSecurityInterceptor securityInterceptor = new XwsSecurityInterceptor();
            // Callback handler -> SimplePasswordValidationCallbackHandler
            securityInterceptor.setCallbackHandler(callbackHandler());
            // Security policy -> securityPolicy.xml
            securityInterceptor.setPolicyConfiguration(new ClassPathResource("securityPolicy.xml"));
            return securityInterceptor;
        }

        @Bean
        public SimplePasswordValidationCallbackHandler callbackHandler() {
            SimplePasswordValidationCallbackHandler handler = new SimplePasswordValidationCallbackHandler();
            // Validates the WS-Security UsernameToken against this in-memory map only, not against LDAP
            handler.setUsersMap(Collections.singletonMap("user", "password"));
            return handler;
        }

        // interceptors.add -> XwsSecurityInterceptor
        @Override
        public void addInterceptors(List<EndpointInterceptor> interceptors) {
            interceptors.add(securityInterceptor());
        }
    }

I don't understand what the problem is here. Can anyone suggest something?

1 answer:

Answer 0 (score: 0)

Active Directory speaks an LDAP-compatible protocol, but uses some special conventions compared with other LDAP directories. To get the configuration right (for example appending the domain to the username), use ActiveDirectoryLdapAuthenticationProvider instead of LdapAuthenticationProvider, which is what the auto-configuration uses when you configure it via properties. Then remove or rename "ldap.urls" and the other properties in application.yml.

package com.test;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        ActiveDirectoryLdapAuthenticationProvider adProvider = new ActiveDirectoryLdapAuthenticationProvider("domain.org",
                "ldap://activedirectory-url:389");
        adProvider.setConvertSubErrorCodesToExceptions(true);
        adProvider.setUseAuthenticationRequestCredentials(true);
        auth.authenticationProvider(adProvider);
    }

}
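The question's original `ldap.user.dn.pattern` also restricted logins to members of one group, which the answer's configuration drops. As an added example (not code from the question or the answer), the configuration below keeps that group restriction with the AD provider's `setSearchFilter`: after binding as `user@domain`, the provider looks the user up with this filter, where `{0}` is the bind principal and `{1}` the bare username, so a user outside the group is rejected even with a valid password. The domain, URL, base DN and group DN are placeholders.

```java
package com.test;

import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.support.LdapEncoder;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholders: replace with the real domain, LDAP URL, base DN and group DN.
    private static final String DOMAIN = "test.com";
    private static final String LDAP_URL = "ldap://activedirectory-url:389";
    private static final String BASE_DN = "dc=test,dc=com";
    private static final String REQUIRED_GROUP_DN = "CN=Group Name,OU=***,OU=****,DC=test,DC=com";

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // The provider binds to AD as user@DOMAIN with the password the user supplied,
        // so no manager account (userDn) is needed and the "anonymous context" warning
        // from the question does not apply to this path.
        ActiveDirectoryLdapAuthenticationProvider adProvider =
                new ActiveDirectoryLdapAuthenticationProvider(DOMAIN, LDAP_URL, BASE_DN);

        // Same shape as the provider's default filter "(&(objectClass=user)(userPrincipalName={0}))",
        // with the memberOf clause from the question added. The group DN is filter-escaped so
        // characters such as parentheses or '*' in a DN cannot change the filter's meaning.
        String searchFilter = "(&(objectClass=user)(userPrincipalName={0})(memberOf="
                + LdapEncoder.filterEncode(REQUIRED_GROUP_DN) + "))";
        adProvider.setSearchFilter(searchFilter);

        // Map AD sub-error codes (expired password, locked account, ...) to distinct exceptions
        // instead of one generic "bad credentials" failure, which makes support and logging clearer.
        adProvider.setConvertSubErrorCodesToExceptions(true);

        auth.authenticationProvider(adProvider);
    }
}
```

If no entry matches the filter the provider fails the login with a message about the user not being found, which is how a valid password combined with missing group membership will surface in the logs.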