
I'm building on some code that has already been developed and was asked to authenticate via LDAP, but now I'm being asked to set permissions based on Active Directory groups. The problem is I'm not sure how to use what I already have and build on it. I have no experience at all with Spring; I tried (unsuccessfully) to follow some tutorials to start from scratch with Active Directory, including [this][1], and I've already looked [here][2] and [here][3] without success. First of all, I can't use Spring 3.1, we can only use 3.0, and I haven't had any success adapting any of the examples mentioned above.

Is there a way to get the Active Directory groups (and other attributes) from what I already have?
Here's what I've done so far:

spring-security.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans" xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/loginfailed" access="permitAll" />
        <intercept-url pattern="/resources/images/**" access="permitAll" />
        <intercept-url pattern="/resources/css/**" access="permitAll" />
        <intercept-url pattern="/**" access="hasRole('CUSTOMADMIN')" />
        <form-login login-page="/login" default-target-url="/index" authentication-failure-url="/loginfailed" />
        <logout logout-success-url="/logout" />
    </http>
    <ldap-server id="ldapServer" url="ldap://url:portnumber/ou=People,dc=abc,dc=com" manager-dn="dn" manager-password="password" />
    <authentication-manager>
        <authentication-provider ref="ldapAuthProvider" />
    </authentication-manager>
    <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <!-- first constructor argument: the authenticator that binds as the user -->
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="ldapServer" />
                <beans:property name="userDnPatterns">
                    <beans:list>
                        <beans:value>uid={0}</beans:value>
                    </beans:list>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <!-- second constructor argument: the populator that turns the user entry into authorities -->
        <beans:constructor-arg>
            <beans:bean class="com.company.group.appname.ldap.RolesPopulator">
                <beans:constructor-arg ref="userRoleService" />
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>
</beans:beans>
```

RolesPopulator.java

```java
package com.company.group.appname.ldap;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.apache.log4j.Logger;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

import com.company.group.appname.service.IUserRoleService;

public class RolesPopulator implements LdapAuthoritiesPopulator 
{
    private static Logger log = Logger.getLogger(RolesPopulator.class);

    // injected through the constructor-arg in spring-security.xml
    private IUserRoleService userRoleService;

    public RolesPopulator(IUserRoleService userRoleService)
    {
       this.userRoleService = userRoleService;
    }

    @Override
    public Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) 
    {
        List<GrantedAuthority> userPerms = new ArrayList<GrantedAuthority>();

        // get the user's permissions from the service and wrap each one as an authority
        List<String> userRoles = userRoleService.getPermissions(username);
        for (String string : userRoles) 
        {
            userPerms.add(new GrantedAuthorityImpl(string));
        }
        log.debug("UserPermissions: " + userPerms.toString());

        return userPerms;
    }

}
```

UserRoleServiceImpl.java (the implementation of IUserRoleService)

```java
package com.company.group.appname.service.impl;

import java.util.ArrayList;
import java.util.List;

import org.apache.log4j.Logger;
import org.springframework.stereotype.Service;

import com.company.group.appname.service.IUserRoleService;

@Service("userRoleService")
public class UserRoleServiceImpl implements IUserRoleService {

    private static Logger log = Logger.getLogger(UserRoleServiceImpl.class);

    // placeholder: currently grants CUSTOMADMIN to every authenticated user
    public List<String> getPermissions(String username) {
        List<String> roles = new ArrayList<String>();
        roles.add("CUSTOMADMIN");
        return roles;
    }

}
```

This all works fine, but I don't understand how to get the Active Directory groups from here. What I'd like to do is, from the getPermissions(username) method, be able to get the list of groups associated with the username from Active Directory and, if it contains a specific group name, return the role, otherwise return null (or another role).

Honestly, I've looked at a lot of code examples that authenticate through Active Directory and can then get the groups, but I've never managed to get any of them working (most of the examples I found deal with Spring Security 3.1, which unfortunately isn't an option), and I also haven't found an example that approaches it this way.

Any guidance or help would be great.


1 Answer


If you really can't upgrade from 3.0, why not copy the ActiveDirectoryLdapAuthenticationProvider class from 3.1 into your codebase and use that? It loads the user's authorities from the memberOf attribute in the AD user entry.

Upgrading from 3.0 to 3.1 should be relatively painless, but if you can't there's nothing to stop you using an individual class as part of your own build. Then you wouldn't need the LdapAuthoritiesPopulator code you've written (which isn't a very good fit for AD anyway).

answered 2013-03-20T20:16:38.197
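The question asks how to turn a user's Active Directory groups into an application role from within the populator, and the answer points out that the 3.1 provider does this by reading the memberOf attribute of the user entry. The following is an added example written for this page (it is neither the asker's code nor the Spring Security class the answer refers to) that does the same thing against the 3.0 LdapAuthoritiesPopulator interface already used above. It assumes the BindAuthenticator returns the authenticated user's own AD entry (so memberOf is readable by that account), a constructed group-to-role mapping, and that the class lives in the com.company.group.appname.ldap package named in the XML; the class name MemberOfRolesPopulator and the sample group names are assumptions. The mapping deliberately returns an empty list rather than null when no group matches, because a null authority collection makes Spring Security fail with an exception instead of denying access cleanly.

```java
package com.company.group.appname.ldap;  // assumed: same package as the question's RolesPopulator

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/**
 * Added example: maps the AD groups listed in the authenticated user's memberOf
 * attribute to application roles. Unmapped groups are ignored; a user in none of
 * the mapped groups gets an empty list (deny by default), never null.
 */
public class MemberOfRolesPopulator implements LdapAuthoritiesPopulator {

    /** AD group CN (lower-cased for case-insensitive matching) -> application role. */
    private final Map<String, String> groupToRole;

    public MemberOfRolesPopulator(Map<String, String> groupToRole) {
        Map<String, String> normalised = new HashMap<String, String>();
        for (Map.Entry<String, String> e : groupToRole.entrySet()) {
            normalised.put(e.getKey().toLowerCase(), e.getValue());
        }
        this.groupToRole = Collections.unmodifiableMap(normalised);
    }

    @Override
    public Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
        // BindAuthenticator hands over the entry of the user who just authenticated.
        // AD keeps the DNs of the groups the user is a direct member of in memberOf.
        return rolesForGroups(userData.getStringAttributes("memberOf"));
    }

    /** Pure mapping step, separated so it can be exercised without a directory. */
    public Collection<GrantedAuthority> rolesForGroups(String[] groupDns) {
        Set<String> roles = new LinkedHashSet<String>();  // de-duplicates, keeps order
        if (groupDns != null) {
            for (String dn : groupDns) {
                String cn = groupCn(dn);
                String role = (cn == null) ? null : groupToRole.get(cn.toLowerCase());
                if (role != null) {
                    roles.add(role);
                }
            }
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            authorities.add(new GrantedAuthorityImpl(role));
        }
        return authorities;
    }

    /**
     * Extracts the CN from a group DN with a real DN parser, so an escaped value such
     * as "CN=Admins\, EMEA,OU=Groups,..." is not split on the comma. Returns null for
     * a malformed DN or one whose leaf RDN is not a CN.
     */
    static String groupCn(String dn) {
        try {
            LdapName name = new LdapName(dn);
            if (name.size() == 0) {
                return null;
            }
            // LdapName indexes RDNs right to left, so the leaf (CN) is the last one.
            Rdn leaf = name.getRdn(name.size() - 1);
            return "cn".equalsIgnoreCase(leaf.getType()) ? leaf.getValue().toString() : null;
        } catch (InvalidNameException e) {
            return null;
        }
    }

    /** Stand-alone demonstration on constructed sample DNs; no directory needed. */
    public static void main(String[] args) {
        Map<String, String> mapping = new HashMap<String, String>();
        mapping.put("App-Admins", "CUSTOMADMIN");  // constructed group -> the question's role
        mapping.put("App-Users", "CUSTOMUSER");    // constructed second mapping
        MemberOfRolesPopulator populator = new MemberOfRolesPopulator(mapping);

        String[] memberOf = {                                   // constructed sample values
            "CN=App-Admins,OU=Groups,DC=abc,DC=com",
            "CN=Domain Users,CN=Users,DC=abc,DC=com",           // unmapped: ignored
            "CN=app-admins,OU=Old,DC=abc,DC=com"                // same CN, other case: no duplicate
        };
        System.out.println(populator.rolesForGroups(memberOf));
        System.out.println(populator.rolesForGroups(null));     // attribute absent: empty list
    }
}
```

To wire it in, the bean for com.company.group.appname.ldap.RolesPopulator in spring-security.xml would be replaced by one for this class whose constructor-arg is a `<beans:map>` of group names to roles, and the IUserRoleService indirection is no longer needed. Two properties of memberOf are worth knowing when checking the result: it lists direct memberships only (nested group membership is not expanded, so a user who is an admin only through a group-in-group is not granted the role), and it never contains the user's primary group. Both are also true of the memberOf-based lookup the answer describes in the 3.1 provider.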