
I have been wondering whether there is a way to configure the Spring Security LDAP plugin so that it does not authenticate in the standard way, but instead like this:

    If one is able to connect and login to the LDAP server then
    the user is authenticated.

    Read the authorization from this user's account on LDAP
    (this is probably the default behavior)

So basically, instead of configuring a master account, use the username/password the user passes in to actually perform the login (and, if that succeeds, let the user fetch the other data).

Thanks in advance!


1 Answer


Hope you're still looking for this. What it sounds like is a good step in the right direction is the BindAuthenticator. You'd have to change the authorities populator to not use the security context source though. I believe the default populator uses a connection pool with the appropriate admin account.

Here is a sample of a setup with a BindAuthenticator and a custom AuthoritiesPopulator.

    <bean id="authPopulator" class="org.springframework.security.ldap.populator.CustomLdapAuthoritiesPopulator">
        <constructor-arg ref="securityContextSource"/>
        <constructor-arg value="ou=Roles,o=data"/>
        <property name="groupRoleAttribute" value="resourceGroupType"/>
        <property name="groupSearchFilter" value="member={0}"/>
    </bean>

    <bean id="ldap-authentication-provider"
          class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
                <constructor-arg ref="securityContextSource"/>
                <property name="userDnPatterns">
                    <list>
                        <value>cn={0},ou=users,o=system</value>
                        <value>cn={0},ou=users,o=xyz</value>
                        <value>cn={0},ou=users,ou=external,o=xyz</value>
                    </list>
                </property>
                <property name="userSearch" ref="userSearch"/>
            </bean>
        </constructor-arg>
        <constructor-arg ref="authPopulator"/>
        <s:custom-authentication-provider/>
    </bean>

Here is my context source def:

    <bean id="securityContextSource"
          class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="ldap://192.168.254.254:389"/>
        <property name="userDn" value="cn=admin,ou=users,o=xyz"/>
        <property name="password" value="password"/>
    </bean>

I decided to test the context source without a username or password and it appears to work partially. Here is my log output.

    [java] - Authentication success: org.springframework.security.providers.UsernamePasswordAuthenticationToken@79107ad5: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@3d1a70a7: Username: internalUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: a2a3a505521919d529e75c6d14081f6b; Granted Authorities: ROLE_USER
    [java] - Updated SecurityContextHolder to contain the following Authentication: 'org.springframework.security.providers.UsernamePasswordAuthenticationToken@79107ad5: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@3d1a70a7: Username: internalUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: a2a3a505521919d529e75c6d14081f6b; Granted Authorities: ROLE_USER'

I don't get any errors, but it doesn't populate all of the roles. That might be an eDirectory permissions issue or you might have to create your own authorities populator. The populator does get passed the user dirContext.

answered 2010-11-03T14:10:10.933
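An added example (not the answerer's code) of the custom authorities populator the answer points at: it takes roles only from the group DNs stored on the user's own entry, which BindAuthenticator already read with the user's own bind, so no admin account and no securityContextSource is needed. It assumes the Spring Security 2.0 API used in the XML above, a hypothetical class name, and eDirectory's groupMembership attribute (configurable) as the membership attribute.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.ldap.LdapAuthoritiesPopulator;

// Hypothetical class; Spring Security 2.0 API assumed (as in the XML above).
// Note that no ContextSource is injected: nothing here binds as admin.
public class UserContextAuthoritiesPopulator implements LdapAuthoritiesPopulator {
    private final String membershipAttribute; // e.g. eDirectory "groupMembership" (assumed)
    private final String rolePrefix;          // e.g. "ROLE_"

    public UserContextAuthoritiesPopulator(String membershipAttribute, String rolePrefix) {
        this.membershipAttribute = membershipAttribute;
        this.rolePrefix = rolePrefix;
    }

    public GrantedAuthority[] getGrantedAuthorities(DirContextOperations userData, String username) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        // userData holds the attributes BindAuthenticator read from the user's own
        // entry with the user's own bind. If the directory ACLs hide the attribute
        // from the user this is null: login still succeeds, but no roles are granted.
        String[] groupDns = userData.getStringAttributes(membershipAttribute);
        if (groupDns != null) {
            for (String dn : groupDns) {
                String role = roleFromGroupDn(dn);
                if (role != null) {
                    authorities.add(new GrantedAuthorityImpl(rolePrefix + role));
                }
            }
        }
        return authorities.toArray(new GrantedAuthority[authorities.size()]);
    }
    // "cn=Admins,ou=Roles,o=data" -> "ADMINS"; null for an unparsable DN so one
    // bad value cannot abort authentication.
    static String roleFromGroupDn(String dn) {
        try {
            LdapName name = new LdapName(dn);
            if (name.size() == 0) return null;
            // The leftmost RDN is the last element of an LdapName.
            Object value = name.getRdn(name.size() - 1).getValue();
            return value.toString().toUpperCase().replace(' ', '_');
        } catch (InvalidNameException e) {
            return null;
        }
    }
}
```

Wire it as the authPopulator bean with the constructor-args "groupMembership" and "ROLE_" and drop the securityContextSource argument; if roles are still missing, the user's own read rights on that attribute in eDirectory are the first thing to check.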