I am building on top of some code that was already developed, and I was asked to authenticate via LDAP, but now I need to set permissions based on Active Directory groups. The problem is that I am not sure how to take what I have and build on it. I have no experience with Spring at all, and I have tried (unsuccessfully) several tutorials that start from Active Directory, including [this][1], and I have already looked for help [here][2] and [here][3] without success. First of all, I cannot use Spring 3.1, we can only use 3.0, and I have had no success modifying any of the examples mentioned above. When authenticating via LDAP with Spring 3.0, how do I get the Active Directory groups?
Is there a way I can get the Active Directory groups (and other attributes) from what I already have?
Here is what I have done so far:
spring-security.xml file
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans" xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/loginfailed" access="permitAll" />
        <intercept-url pattern="/resources/images/**" access="permitAll" />
        <intercept-url pattern="/resources/css/**" access="permitAll" />
        <intercept-url pattern="/**" access="hasRole('CUSTOMADMIN')" />
        <form-login login-page="/login" default-target-url="/index" authentication-failure-url="/loginfailed" />
        <logout logout-success-url="/logout" />
    </http>
    <ldap-server id="ldapServer" url="ldap://url:portnumber/ou=People,dc=abc,dc=com" manager-dn="dn" manager-password="password" />
    <authentication-manager>
        <authentication-provider ref="ldapAuthProvider" />
    </authentication-manager>
    <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <!-- first constructor-arg: the authenticator that binds as the user -->
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="ldapServer" />
                <beans:property name="userDnPatterns">
                    <beans:list>
                        <beans:value>uid={0}</beans:value>
                    </beans:list>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <!-- second constructor-arg: the authorities populator that turns the user into roles -->
        <beans:constructor-arg>
            <beans:bean class="com.company.group.appname.ldap.RolesPopulator">
                <beans:constructor-arg ref="userRoleService" />
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>
</beans:beans>
RolesPopulator.java
package com.company.group.appname.ldap;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.apache.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
import com.company.group.appname.service.IUserRoleService;

public class RolesPopulator implements LdapAuthoritiesPopulator
{
    private static Logger log = Logger.getLogger(RolesPopulator.class);

    @Autowired
    private IUserRoleService userRoleService;

    public RolesPopulator(IUserRoleService userRoleService)
    {
        this.userRoleService = userRoleService;
    }

    @Override
    public Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username)
    {
        List<GrantedAuthority> userPerms = new ArrayList<GrantedAuthority>();
        // get the user's permissions from the service
        List<String> userRoles = userRoleService.getPermissions(username);
        for (String string : userRoles)
        {
            userPerms.add(new GrantedAuthorityImpl(string));
        }
        // log after populating, so the debug line actually shows the granted permissions
        log.debug("UserPermissions: " + userPerms.toString());
        return userPerms;
    }
}
UserRoleServiceImpl.java (implements IUserRoleService)
package com.company.group.appname.service.impl;

import java.util.ArrayList;
import java.util.List;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Service;
import com.company.group.appname.service.IUserRoleService;

@Service("userRoleService")
public class UserRoleServiceImpl implements IUserRoleService {
    private static Logger log = Logger.getLogger(UserRoleServiceImpl.class);

    public List<String> getPermissions(String username) {
        List<String> roles = new ArrayList<String>();
        roles.add("CUSTOMADMIN");
        return roles;
    }
}
This all authenticates fine, but I don't know how to get the Active Directory groups from here. What I would like to be able to do, from the getPermissions(username) method, is get the list of groups associated with the username from Active Directory and, if it contains a particular group name, return the role, else return null (or another role).
I'll be honest and say I have looked at lots of code examples that authenticate via Active Directory and then get the groups, but I have never got any of them to work (most of the examples I found were written for Spring Security 3.1, which unfortunately is not an option), and I haven't found one that approaches it this way.
Any guidance or help would be greatly appreciated.
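The following is an added example, not code from the question or from Spring Security itself, showing one way to do what the question asks within Spring Security 3.0: the user entry that BindAuthenticator hands to the populator already carries Active Directory's multi-valued memberOf attribute (one group DN per value), so the populator can read it directly instead of going through a service. Only groups listed in an explicit allow-list are turned into roles, so a directory group nobody mapped cannot grant anything. The class name MemberOfRolesPopulator, the package and the group-to-role map are assumptions for this example.

```java
package com.company.group.appname.ldap; // assumed: same package as the question's RolesPopulator

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import org.apache.log4j.Logger;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/**
 * Example LdapAuthoritiesPopulator for Spring Security 3.0 that reads the user's
 * Active Directory group membership from the "memberOf" attribute of the user entry
 * returned by BindAuthenticator and maps selected groups to application roles.
 */
public class MemberOfRolesPopulator implements LdapAuthoritiesPopulator {

    private static final Logger log = Logger.getLogger(MemberOfRolesPopulator.class);
    private static final String MEMBER_OF = "memberOf";

    // Allow-list: AD group CN -> application role (e.g. "AppAdmins" -> "CUSTOMADMIN").
    // Unlisted groups grant nothing. Keys compare case-insensitively, as AD names do.
    private final Map<String, String> groupToRole =
            new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER);

    public MemberOfRolesPopulator(Map<String, String> groupToRole) {
        this.groupToRole.putAll(groupToRole);
    }

    @Override
    public Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        // memberOf is multi-valued; each value is the full DN of one group.
        String[] groupDns = userData.getStringAttributes(MEMBER_OF);
        if (groupDns == null) {
            // Either the user is in no groups or the entry's memberOf is not readable by this bind.
            log.debug("No memberOf values found for " + username);
            return authorities;
        }
        for (String groupDn : groupDns) {
            String cn = leafCn(groupDn);
            String role = (cn == null) ? null : groupToRole.get(cn);
            if (role != null && !containsRole(authorities, role)) {
                authorities.add(new GrantedAuthorityImpl(role));
            }
        }
        log.debug("Authorities for " + username + ": " + authorities);
        return authorities;
    }

    /** Returns the leaf CN of a DN such as "CN=AppAdmins,OU=Groups,DC=abc,DC=com", or null. */
    static String leafCn(String dn) {
        try {
            LdapName name = new LdapName(dn);
            if (name.size() == 0) {
                return null;
            }
            Rdn leaf = name.getRdn(name.size() - 1); // index 0 is the root-most RDN
            return "cn".equalsIgnoreCase(leaf.getType()) ? leaf.getValue().toString() : null;
        } catch (InvalidNameException e) {
            log.warn("Ignoring unparsable group DN: " + dn);
            return null;
        }
    }

    private static boolean containsRole(List<GrantedAuthority> authorities, String role) {
        for (GrantedAuthority a : authorities) {
            if (role.equals(a.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

To use it, replace the RolesPopulator bean in the second constructor-arg of ldapAuthProvider with this class and pass a beans:map whose keys are the AD group names and whose values are the roles the intercept-url rules expect (CUSTOMADMIN in the question's configuration). Two caveats a reviewer would raise: memberOf does not list the user's primary group (usually Domain Users) and does not expand nested groups, so map the groups users are direct members of; and because BindAuthenticator reads the entry with the user's own bind, the user must be allowed to read memberOf on their own entry, which is the default in Active Directory but can be restricted.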