1. 首頁
  2. 問答
  3. 春季授權和角色管理與Ldap

春季授權和角色管理與Ldap

2017-03-26 60 views
3

我devoloping基於Spring的基於Java的應用程序,我想用apache目錄studio ldap來管理用戶,所以我想給每個用戶一個角色,並管理我使用彈簧安全。春季授權和角色管理與Ldap

這是我的安全context.xml的

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" 
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd 
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd"> 


<security:authentication-manager> 
    <security:ldap-authentication-provider 
     user-search-filter="(uid={0})" user-search-base="ou=users" 
     group-search-filter="(uniqueMember={0})" group-search-base="ou=groups" 
     group-role-attribute="cn" role-prefix="ROLE_" /> 

</security:authentication-manager> 
<security:ldap-server url="ldap://localhost:8389/o=mojo" 
    manager-dn="uid=admin,ou=system" manager-password="secret" /> 
<security:http use-expressions="true"> 
    <security:intercept-url pattern="/" access="hasRole('ROLE_Admin')" /> 
    <security:form-login /> 
</security:http>

,這是我的LDAP層次

and this is my ldap hierarchy

這並沒有爲我工作,給我一個403即使我使用管理員登錄登錄,訪問被拒絕也會出錯。

任何幫助?

來源

2017-03-26 Wassim Makni

+0

不確定它是否有幫助,但是上次我處理spring-security LDAP時,我必須使用hasAuthority而不是hasRole。給它一個機會... –

+0

沒有不適合我 –

回答

-1

的錯誤是,在我的LDAP層次,因爲我在安全context.xml文件有role-prefix="ROLE_"

來源

2017-03-27 09:15:09

+0

我建議你刪除你的問題。 –

2

嘗試在<security:intercept-url pattern="/" access="hasRole('ROLE_ADMIN')" />設置你的角色資本這樣,我應該將組命名爲cn=ROLE_ADMINcn=Admin

默認<security:ldap-authentication-provider />,該自動配置org.springframework.security.ldap.authentication.LdapAuthenticationProvider創建的org.springframework.security.ldap.userdetails.LdapUserDetailsMapper一個實例,其由缺省具有此特性:

public class LdapUserDetailsMapper implements UserDetailsContextMapper { 
    // ~ Instance fields 
    // ================================================================================================ 

    private final Log logger = LogFactory.getLog(LdapUserDetailsMapper.class); 
    private String passwordAttributeName = "userPassword"; 
    private String rolePrefix = "ROLE_"; 
    private String[] roleAttributes = null; 
    private boolean convertToUpperCase = true;

依此類推,如convertToUpperCase被設置好的爲true,此方法

/** 
    * Creates a GrantedAuthority from a role attribute. Override to customize authority 
    * object creation. 
    * <p> 
    * The default implementation converts string attributes to roles, making use of the 
    * <tt>rolePrefix</tt> and <tt>convertToUpperCase</tt> properties. Non-String 
    * attributes are ignored. 
    * </p> 
    * 
    * @param role the attribute returned from 
    * @return the authority to be added to the list of authorities for the user, or null 
    * if this attribute should be ignored. 
    */ 
    protected GrantedAuthority createAuthority(Object role) { 
     if (role instanceof String) { 
      if (this.convertToUpperCase) { 
       role = ((String) role).toUpperCase(); 
      } 
      return new SimpleGrantedAuthority(this.rolePrefix + role); 
     } 
     return null; 
    }

最終會將您的ou:groupsAdmin轉換爲ROLE_ADMIN,這與ROLE_Admin

來源

2017-03-27 11:59:19 jlumietu

相關問題

 相關問題