How to map AD groups to user roles with Spring Security LDAP
I have a web application built using Java Spring MVC.
I'm just setting up Spring Security, connecting to an LDAP server for authentication.
I've successfully set it up so that I am able to log in to my application, but I can't find anything to help me in mapping an AD group to a user role within Java, as I can only get a 403 Forbidden page, i.e. I've been authenticated but don't have permissions yet.
I currently have:
<http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER" />
</http>
<ldap-server id="ldapServer" url="LDAPURL" manager-dn="USER" manager-password="PASSWORD" />
<authentication-manager>
    <ldap-authentication-provider
        group-search-base="OU=GROUPS"
        group-search-filter="sAMAccountName={0}"
        user-search-base="OU=USERS"
        user-search-filter="sAMAccountName={0}"
    />
</authentication-manager>
Say that user was part of the AD group g-group-UK-user; I then want to be able to map that AD group to ROLE_USER so that the user can then see the whole web app.
I can only seem to find very simple examples where the groups are either ADMIN or USER, in which case the prefix ROLE is just added to the group, or the other method seems to be using UserDetailsContextMapper, but I can't find a clear use of this.
Accepted answer
To do this I used the following within the authentication manager:
user-context-mapper-ref="customUserContextMapper"
I then used the following class to check if that user belongs to a certain AD group and then assign the ROLE_USER role to their authorities:
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
public class CustomUserContextMapper implements UserDetailsContextMapper {
    private static final Logger LOGGER = LoggerFactory.getLogger(CustomUserContextMapper.class);
    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> authorities) {
        LOGGER.debug("Attributes: {}", ctx.getAttributes());
        // memberOf lists the DNs of the user's groups; it is null when the user is in no group
        Object[] groups = ctx.getObjectAttributes("memberOf");
        Set<GrantedAuthority> authority = new HashSet<GrantedAuthority>();
        if (groups != null) {
            for (Object group : groups) {
                // substring match on the whole DN: any group whose DN contains the name matches
                if (group.toString().toLowerCase().contains("AD_GROUP_NAME".toLowerCase())) {
                    authority.add(new SimpleGrantedAuthority("ROLE_USER"));
                    break;
                }
            }
        }
        // no password is kept; the four account flags are true, otherwise the user object is created disabled
        return new User(username, "", true, true, true, true, authority);
    }
    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        throw new UnsupportedOperationException("read-only mapper");
    }
}
Please note that the class is a little more complicated than usual because of the LDAP server I was connecting to, which has a different structure than usual: the groups a user has access to are stored in an attribute under the user, and not the other way round, in which a group would have as an attribute all the users that belong to it.
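The same memberOf-based mapping, as an added example that is not the answerer's code: it parses each group DN and matches the group's CN exactly against a lookup table, so a substring such as "g-group-UK-user" cannot also match an unrelated group like "g-group-UK-user-admins". The class name ExactGroupRoleMapper and the map passed to its constructor (group CN to role) are assumptions.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

// Hypothetical mapper: grants a role only when a memberOf DN's leftmost RDN is exactly a known group CN.
public class ExactGroupRoleMapper implements UserDetailsContextMapper {
    private final Map<String, String> groupToRole; // lower-cased group CN -> role, e.g. g-group-uk-user -> ROLE_USER
    public ExactGroupRoleMapper(Map<String, String> groupToRole) {
        this.groupToRole = new HashMap<>();
        groupToRole.forEach((cn, role) -> this.groupToRole.put(cn.toLowerCase(Locale.ROOT), role));
    }
    public Set<GrantedAuthority> rolesFor(Object[] memberOf) {
        Set<GrantedAuthority> roles = new HashSet<>();
        if (memberOf == null) return roles; // attribute absent: the user is in no group
        for (Object dn : memberOf) {
            try {
                LdapName name = new LdapName(dn.toString());
                Rdn leaf = name.getRdn(name.size() - 1); // leftmost RDN, e.g. CN=g-group-UK-user
                if (!"cn".equalsIgnoreCase(leaf.getType())) continue;
                String role = groupToRole.get(leaf.getValue().toString().toLowerCase(Locale.ROOT));
                if (role != null) roles.add(new SimpleGrantedAuthority(role));
            } catch (InvalidNameException e) { /* a malformed DN names no group and grants nothing */ }
        }
        return roles;
    }

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> roles = rolesFor(ctx.getObjectAttributes("memberOf"));
        return new User(username, "", true, true, true, true, roles);
    }
    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        throw new UnsupportedOperationException("read-only mapper");
    }
}
```

Wire it in the same way as the answer, with user-context-mapper-ref pointing at a bean of this class constructed with the group-to-role map.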