我为 tomcat 7 配置了一个 LDAP 领域。它在用户组中搜索某人,一旦找到,将对他们进行身份验证并允许他们访问应用程序。
这是我的境界:
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://adldap.mycompany.com:3268"
userSearch="(sAMAccountName={0})"
userSubtree="true"
userBase="DC=mycompany,DC=com"
roleSubtree="true"
roleName="CN"
userRoleName="memberOf"/>
它找到用户,然后搜索相应的角色名称。这是我在 web.xml 中对角色的安全约束。
<security-constraint>
<display-name>user</display-name>
<web-resource-collection>
<web-resource-name>user</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<description>users</description>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
但是用户将拥有看起来像CN=Domain Users,CN=Users,DC=mycompany,DC=com. 所以我的问题是,有没有办法可以将该角色映射到用户的角色名称?否则我需要这样定义我的安全约束:
<security-constraint>
<display-name>user</display-name>
<web-resource-collection>
<web-resource-name>user</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<description>users</description>
<role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
</security-role>