2015-11-10 105 views

Spring LDAP role mapping

I followed this article and configured my application to authenticate via LDAP (this works perfectly). Now I only use 3 roles in the application and I want to create a mapping for them.

So I implemented the GrantedAuthoritiesMapper interface:

import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Set;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.stereotype.Component;

@Component
public class MyAuthorityMapper implements GrantedAuthoritiesMapper {

    @Autowired
    private MyAuthorityConfig authoritiesConfig;

    // MyAuthority is the application's enum of roles; it implements GrantedAuthority
    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> collection) {
        Set<MyAuthority> roles = EnumSet.noneOf(MyAuthority.class);

        // for every LDAP authority, grant each application role whose configured
        // comma-separated list of LDAP groups contains that authority
        for (GrantedAuthority g : collection) {
            for (String role : authoritiesConfig.getAuthoritiesMap().keySet()) {
                if (Arrays.asList(authoritiesConfig.getAuthoritiesMap().get(role).split(",")).contains(g.getAuthority())) {
                    roles.add(MyAuthority.valueOf(role));
                }
            }
        }
        return roles;
    }
}

Here is the role populator:

import java.util.HashMap;
import java.util.Map;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;

@Component
@ConfigurationProperties(prefix = "auth.role.mapping")
public class MyAuthorityConfig {

    // application role name -> comma-separated LDAP group names
    private Map<String, String> authoritiesMap = new HashMap<String, String>();

    public Map<String, String> getAuthoritiesMap() {
        return this.authoritiesMap;
    }
}

and application-dev.properties:

auth.role.mapping.ROLE_COMPETENCE_CENTER=ROLECC 
auth.role.mapping.ROLE_OPERATIONS=ROLEOPS,ROLEPAR 
auth.role.mapping.ROLE_ADMINISTRATOR=ROLEADM,ROLESUPUSR 

Now MyAuthorityConfig only contains an empty map. Is it possible to use @ConfigurationProperties the way I am using it here? I can't find out how to populate the map with it. Or is there a problem with profile-specific property files?

In WebSecurityConfig I have the configuration method for LDAP, but I don't know how/where to inject MyAuthorityMapper, or, assuming there is a fix for the first problem with @ConfigurationProperties, whether it is even possible without using ActiveDirectoryLdapAuthenticationProvider:

// env is the injected org.springframework.core.env.Environment of the WebSecurityConfig class
private void configureLdap(AuthenticationManagerBuilder auth) throws Exception {
    // bind to the directory with the service account configured in the properties
    DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(env.getProperty("auth.ldap.urls"));
    contextSource.setUserDn(env.getProperty("auth.ldap.user"));
    contextSource.setPassword(env.getProperty("auth.ldap.password"));
    contextSource.setReferral("follow");
    contextSource.afterPropertiesSet();

    // user lookup and group-to-authority population, all driven by properties
    auth.ldapAuthentication()
        .userSearchBase(env.getProperty("auth.ldap.user.search.base"))
        .userSearchFilter(env.getProperty("auth.ldap.user.search.filter"))
        .groupSearchBase(env.getProperty("auth.ldap.group.search.base"))
        .groupSearchFilter(env.getProperty("auth.ldap.group.search.filter"))
        .groupRoleAttribute(env.getProperty("auth.ldap.group.search.attribute"))
        .contextSource(contextSource);
}

Answer

OK, like this:

import java.util.HashMap;
import java.util.Map;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;

@Component
@ConfigurationProperties(prefix = "auth.role")
public class MyAuthorityConfig {

    // bound from auth.role.mapping.<APP_ROLE>=<LDAP groups, comma-separated>
    private Map<String, String> mapping = new HashMap<String, String>();

    public Map<String, String> getMapping() {
        return this.mapping;
    }
}

@ConfigurationProperties looks for the prefix auth.role in the properties, and then the mapping part should be the name of the property in my class.

For the second problem, I found a solution with:

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
import org.springframework.stereotype.Component;

@Component(value = "myUserDetailsContextMapper")
public class MyUserDetailsContextMapper implements UserDetailsContextMapper {

    private static final Logger log = LoggerFactory.getLogger(MyUserDetailsContextMapper.class);

    @Autowired
    private MyAuthorityConfig authoritiesConfig;

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
        log.debug("mapUserFromContext start");
        List<GrantedAuthority> mappedAuthorities = new ArrayList<>();

        // the LDAP populator prefixes group names with "ROLE_"; strip it before
        // comparing against the bare group names from the properties file
        for (GrantedAuthority g : authorities) {
            for (String role : authoritiesConfig.getMapping().keySet()) {
                if (Arrays.asList(authoritiesConfig.getMapping().get(role).split(","))
                        .contains(g.getAuthority().startsWith("ROLE_") ? g.getAuthority().substring("ROLE_".length()) : g.getAuthority())) {
                    log.debug("Mapping from LDAP role {} to application role {} for user {}", g.getAuthority(), role, username);
                    mappedAuthorities.add(MyAuthority.valueOf(role));
                }
            }
        }

        // password is not needed here (LDAP already authenticated the user); this
        // constructor marks the account as enabled, non-locked and non-expired
        return new User(username, "", mappedAuthorities);
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        // not needed: the application never writes users back to the directory
    }
}

I'm not sure if simply returning new User(username, "", mappedAuthorities); is OK (I still have to test locked/disabled users properly), but for now it works.
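As an added, self-contained example (not code from the question or the answer, and with no Spring dependency), the following plain Java program simulates the two points discussed on this page: how the binding of @ConfigurationProperties decides which property keys end up in the Map (which is why the question's prefix/getter pair stays empty while the answer's pair is filled), and a fail-closed variant of the role mapping that validates the configured role names once at startup, tolerates whitespace around the comma-separated group names, and grants nothing to a user whose LDAP groups match no entry. The bindMap method is a simplified stand-in for Spring Boot's binder, the MyAuthority constants are the assumed shape of the page's enum, and the sample LDAP authorities are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;

public class LdapRoleMappingDemo {

    // Assumed shape of the page's MyAuthority enum: one constant per application role.
    enum MyAuthority { ROLE_COMPETENCE_CENTER, ROLE_OPERATIONS, ROLE_ADMINISTRATOR }

    // Simplified model of how @ConfigurationProperties binds a Map<String, String> field:
    // only keys under "<prefix>.<fieldName>." are collected, and the rest of the key
    // becomes the map key. Stand-in for Spring Boot's binder, not its code.
    static Map<String, String> bindMap(Properties props, String prefix, String fieldName) {
        String keyPrefix = prefix + "." + fieldName + ".";
        Map<String, String> bound = new LinkedHashMap<>();
        for (String key : props.stringPropertyNames()) {
            if (key.startsWith(keyPrefix)) {
                bound.put(key.substring(keyPrefix.length()), props.getProperty(key));
            }
        }
        return bound;
    }

    // Parses the configured mapping once, at startup. A role name that is not a MyAuthority
    // constant fails here instead of throwing IllegalArgumentException during a user's login.
    static Map<MyAuthority, List<String>> parseMapping(Map<String, String> rawMapping) {
        Map<MyAuthority, List<String>> parsed = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : rawMapping.entrySet()) {
            MyAuthority appRole;
            try {
                appRole = MyAuthority.valueOf(e.getKey());
            } catch (IllegalArgumentException ex) {
                throw new IllegalStateException("Unknown application role in mapping: " + e.getKey(), ex);
            }
            List<String> groups = new ArrayList<>();
            for (String g : e.getValue().split(",")) {
                String trimmed = g.trim();            // "ROLEOPS, ROLEPAR" must still match
                if (!trimmed.isEmpty()) groups.add(trimmed);
            }
            parsed.put(appRole, groups);
        }
        return parsed;
    }

    // Maps the authorities Spring's DefaultLdapAuthoritiesPopulator produces (group names,
    // upper-cased and prefixed with "ROLE_" by default) to application roles. Matching is
    // exact per entry; a user whose groups match nothing gets an empty set, so access
    // decisions fail closed rather than falling through to some default role.
    static EnumSet<MyAuthority> mapAuthorities(Collection<String> ldapAuthorities,
                                               Map<MyAuthority, List<String>> mapping) {
        EnumSet<MyAuthority> roles = EnumSet.noneOf(MyAuthority.class);
        for (String authority : ldapAuthorities) {
            String bare = authority.startsWith("ROLE_") ? authority.substring("ROLE_".length()) : authority;
            for (Map.Entry<MyAuthority, List<String>> e : mapping.entrySet()) {
                if (e.getValue().contains(bare)) {
                    roles.add(e.getKey());
                }
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample: the three lines from the page's application-dev.properties.
        Properties props = new Properties();
        props.setProperty("auth.role.mapping.ROLE_COMPETENCE_CENTER", "ROLECC");
        props.setProperty("auth.role.mapping.ROLE_OPERATIONS", "ROLEOPS,ROLEPAR");
        props.setProperty("auth.role.mapping.ROLE_ADMINISTRATOR", "ROLEADM,ROLESUPUSR");

        // The question's combination (prefix "auth.role.mapping" + field "authoritiesMap") would
        // need keys like auth.role.mapping.authoritiesMap.ROLE_OPERATIONS, so nothing binds.
        System.out.println("question binding: " + bindMap(props, "auth.role.mapping", "authoritiesMap"));
        // The answer's combination (prefix "auth.role" + field "mapping") picks up all three entries.
        Map<String, String> raw = bindMap(props, "auth.role", "mapping");
        System.out.println("answer binding:   " + raw);

        Map<MyAuthority, List<String>> mapping = parseMapping(raw);

        // Constructed LDAP authorities, in the form the populator hands to the mapper.
        List<String> opsUser = Arrays.asList("ROLE_ROLEOPS", "ROLE_SOMEOTHERGROUP");
        List<String> guestUser = Arrays.asList("ROLE_GUESTS");
        System.out.println("ops user   -> " + mapAuthorities(opsUser, mapping));
        System.out.println("guest user -> " + mapAuthorities(guestUser, mapping));
    }
}
```

Compile and run with `javac LdapRoleMappingDemo.java && java LdapRoleMappingDemo`. The first binding prints an empty map and the second the three configured entries; the ops user receives only ROLE_OPERATIONS and the guest user an empty set. Validating the role names in parseMapping is the part worth carrying into a real mapper: with the page's `MyAuthority.valueOf(role)` inside the login path, a typo in the properties file only surfaces as an exception when the first user with a matching group logs in.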