Spring Security LDAP 认证用户必须是 AD 组的成员

2022-01-17 00:00:00 ldap java spring-boot spring-security spring-ldap

我已经按照以下方式配置了 Spring Boot 安全性:https://spring.io/guides/gs/securing-web/

I've configured the Spring Boot Security as per: https://spring.io/guides/gs/securing-web/

我可以完美地使用我的凭据登录.但是,我需要添加一项检查,确认 AD 用户也必须属于特定的 AD 组(即 AD-this-is-a-specific-group).登录时,如果用户不属于特定的 AD 组,则应该返回登录错误.

I am able to login using my credentials perfectly. However, I need to add a checking that the AD user must also belong to a specific AD group (ie. AD-this-is-a-specific-group). On login, if the user does not belong to the specific AD group, then it should return a login error.

我已经搜索了几个小时,似乎无法在 WebSecurityConfigurerAdapter 中找到明确的方法,我是否正确使用了 auth.groupSearchFilter?

I've been searching for hours now and cannot seem to find a clear way to do this in the WebSecurityConfigurerAdapter , am I using the auth.groupSearchFilter correctly?

这是我的代码:

@Configuration 
@EnableWebSecurity    
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
Environment env;

public LdapContextSource contextSource () {
    LdapContextSource contextSource= new LdapContextSource();

    contextSource.setUrl(env.getRequiredProperty("ldap.url"));
    contextSource.setBase(env.getRequiredProperty("ldap.baseDn"));
    contextSource.setUserDn(env.getRequiredProperty("ldap.bindDn"));
    contextSource.setPassword(env.getRequiredProperty("ldap.batchPassword"));
    contextSource.afterPropertiesSet();
    return contextSource;
}

@Override
protected void configure(AuthenticationManagerBuilder auth)
        throws Exception {
     auth.ldapAuthentication()
        .userSearchFilter("(cn={0})")           
        .groupSearchBase("OU=Account Groups,OU=ITS Security")
        .groupSearchFilter("(cn=AD-this-is-a-specific-group)") 
        .contextSource(contextSource()); 
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().anyRequest().fullyAuthenticated()
        .and()
        .formLogin();
}

推荐答案

不确定这是否是最好的方法(就 Spring Security 的生命周期而言),但基本上我提供了自己的DefaultLdapAuthoritiesPopulator,这里我只覆盖 getGroupMembershipRoles.

Not sure if this is the best way to do this (in terms of Spring Security's lifecycle), but basically I provided my own DefaultLdapAuthoritiesPopulator, where I only override the getGroupMembershipRoles.

首先,我上面的 auth.groupSearchFilter 有误,应该是:

First thing though, I have wrong auth.groupSearchFilter above, it should be:

    .groupSearchFilter("(member={0})")

其次,我创建了一个带有重写方法的匿名类(它调用 super 并检查角色列表中的成员资格):

Second, I've created an anonymous class with overridden method (that calls the super and checks for a the membership in the list of roles):

auth
        .ldapAuthentication()
        .ldapAuthoritiesPopulator(new DefaultLdapAuthoritiesPopulator(contextSource, "OU=Account Groups,OU=ITS Security") {

            @Override
            public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) {
                Set<GrantedAuthority> groupMembershipRoles = super.getGroupMembershipRoles(userDn, username);

                boolean isMemberOfSpecificAdGroup = false;
                for (GrantedAuthority grantedAuthority : groupMembershipRoles) {

                    if ("ROLE_AD-this-is-a-specific-group".equals(grantedAuthority.toString())) {                                                       
                        isMemberOfSpecificAdGroup = true;
                        break;
                    }
                }

                if (!isMemberOfSpecificAdGroup ) {

                    throw new BadCredentialsException("User must be a member of " + "AD-this-is-a-specific-group");
                }
                return groupMembershipRoles;
            }
        })
        .userSearchFilter("(cn={0})")           
        .groupSearchBase("OU=Account Groups,OU=ITS Security")
        .groupSearchFilter("(member={0})") 
        .contextSource(contextSource);

相关文章