
我想让我的 web 应用程序对我们内部 Active Directory 中的用户进行身份验证。我的 ApplicationContext 安全配置如下。对 Spring 和 Active Directory 使用 bindAuthentication 是不可能的吗?

<beans:beans xmlns="http://www.springframework.org/schema/security" 
     xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
         http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 

     <!-- HTTP security configurations --> 
     <!-- auto-config registers the default form-login, http-basic and logout filters; 
          the explicit form-login and logout elements below replace the defaults they name. --> 
     <http auto-config="true" use-expressions="true"> 
       <form-login login-processing-url="/static/j_spring_security_check" 
         login-page="/login" authentication-failure-url="/login?login_error=t" /> 
       <logout logout-url="/static/j_spring_security_logout" /> 


       <!-- Configure these elements to secure URIs in your application --> 
       <!-- 
         <intercept-url pattern="/choice/**" access="hasRole('ROLE_ADMIN')"/> 
       --> 
       <!-- 
         <intercept-url pattern="/member/**" access="isAuthenticated()" /> 
       --> 
       <!-- Rules are matched top to bottom: the public prefixes and /login are opened 
            first, and the final /** rule requires authentication for everything else. --> 
       <intercept-url pattern="/resources/**" access="permitAll" /> 
       <intercept-url pattern="/static/**" access="permitAll" /> 
       <intercept-url pattern="/login" access="permitAll" /> 
       <intercept-url pattern="/**" access="isAuthenticated()" /> 
     </http> 

     <!-- Configure Authentication mechanism --> 
     <!-- Two providers are declared: the in-memory user-service and the LDAP provider. 
          They are presumably consulted in declaration order, so the in-memory users 
          are tried before the directory; confirm if that ordering matters. --> 
     <authentication-manager alias="authenticationManager"> 
       <!-- 
         SHA-256 values can be produced using 'echo -n your_desired_password | 
         sha256sum' (using normal *nix environments) 
       --> 
       <authentication-provider> 
         <!-- No salt-source element is configured, so these are plain unsalted SHA-256 
              digests: identical passwords hash to identical values and the digests can 
              be precomputed. Fine for a sample, not for real accounts. --> 
         <password-encoder hash="sha-256" /> 
         <user-service> 
           <user name="admin" 
             password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" 
             authorities="ROLE_ADMIN" /> 
           <user name="user" 
             password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb" 
             authorities="ROLE_USER" /> 
         </user-service> 
       </authentication-provider> 

       <!-- user-dn-pattern: {0} is replaced with the login name and the result is used 
            as the DN to bind with. The value below is a UPN (user@domain) rather than a 
            distinguished name; this is the form the question reports Spring Security 
            rejecting. --> 
       <ldap-authentication-provider user-dn-pattern="{0}@company.domain"/> 
       <!-- Alternative (commented out): locate the entry by sAMAccountName under the 
            given base, then bind as the entry found. The search itself needs read access 
            to the directory before the user is authenticated. --> 
       <!-- <ldap-authentication-provider user-search-filter="(sAMAccountName={0})" user-search-base="OU=UNIT,OU=CE,OU=company,OU=Accounts"/>--> 


     </authentication-manager> 

     <!-- LDAP Security Configuration --> 
     <!-- ldap:// on port 389 is an unencrypted connection unless the server negotiates 
          StartTLS, so each user's password crosses the network in cleartext during the 
          bind; prefer ldaps:// (or StartTLS) outside a lab. The DN after the host is the 
          base that relative search bases and DN patterns resolve against. --> 
     <ldap-server url="ldap://10.9.1.1:389/DC=company,DC=domain"/> 

我的问题是:我不知道如何为绑定认证构造正确的 DN。

上面的值({0}@company.domain)在 Windows 上可用(这是 AD 的一个特殊“特性”),但 spring-security 不接受它,因为它不符合 DN 的正确语法。


没有什么是不可能的,但你可能需要编写自己的 UserDetailsService。 – Gandalf 2010-03-17 13:34:58


O.K. 这正是我想避免的。我想知道为什么没有一个现成的类来做 AD 登录。我猜 AD 并不罕见 ;-) – er4z0r 2010-03-17 15:52:06

回答


O.K. 我没有编写自己的 UserDetailsService。相反,我使用一个低权限账户(只读访问权限)来执行 LDAP 搜索,并查找与所提供凭据匹配的用户。

这很丑陋,因为我仍然需要在 Active Directory 中为我的应用程序做额外的设置。但到目前为止它是可用的。我也没弄清楚如何用新的 spring-security 命名空间来配置 ldapAuthenticationProvider,因此我采用了“旧式”配置,手动把必要的 bean 装配在一起。

这是我的例子。

它使用两个身份验证提供程序:一个是把用户名和密码直接存放在配置文件中的简单提供程序,另一个是 ldapAuthenticationProvider。

希望它能帮助:

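<?xml version="1.0" encoding="UTF-8"?> 

<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
         http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 

    <!-- HTTP security configurations --> 
    <!-- auto-config registers the default form-login, http-basic and logout filters; 
         the explicit form-login and logout elements below replace the defaults they name. --> 
    <http auto-config="true" use-expressions="true"> 
     <form-login login-processing-url="/static/j_spring_security_check" 
      login-page="/login" authentication-failure-url="/login?login_error=t" /> 
     <logout logout-url="/static/j_spring_security_logout" /> 


     <!-- Configure these elements to secure URIs in your application --> 
     <!-- 
      <intercept-url pattern="/choice/**" access="hasRole('ROLE_ADMIN')"/> 
     --> 
     <!-- 
      <intercept-url pattern="/member/**" access="isAuthenticated()" /> 
     --> 
     <!-- Rules are matched top to bottom: the public prefixes and /login are opened 
          first, and the final /** rule requires authentication for everything else. --> 
     <intercept-url pattern="/resources/**" access="permitAll" /> 
     <intercept-url pattern="/static/**" access="permitAll" /> 
     <intercept-url pattern="/login" access="permitAll" /> 
     <intercept-url pattern="/**" access="isAuthenticated()" /> 
    </http> 

    <!-- Configure Authentication mechanism --> 
    <!-- Two providers: the in-memory user-service below and the LDAP provider wired 
         further down. They are presumably consulted in declaration order, so the 
         in-memory users are tried before the directory; confirm if that matters. --> 
    <authentication-manager alias="authenticationManager"> 
     <!-- 
      SHA-256 values can be produced using 'echo -n your_desired_password | 
      sha256sum' (using normal *nix environments) 
     --> 
     <authentication-provider> 
      <!-- No salt-source element is configured, so these are plain unsalted SHA-256 
           digests: identical passwords hash to identical values and the digests can 
           be precomputed. Fine for a sample, not for real accounts. --> 
      <password-encoder hash="sha-256" /> 
      <user-service> 
       <!-- The admin digest as posted had the byte pair "bd" replaced by 
            "mydepartment" (a leftover of anonymising the file), which is not valid 
            hex. It is restored here to the value shown in the question. 
            Both users are sample credentials; replace them before deploying. --> 
       <user name="admin" 
        password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" 
        authorities="ROLE_ADMIN" /> 
       <user name="user" 
        password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb" 
        authorities="ROLE_USER" /> 
      </user-service> 
     </authentication-provider> 

     <!-- Delegates to the LdapAuthenticationProvider bean defined below. --> 
     <authentication-provider ref="ldapAuthProvider" /> 

    </authentication-manager> 

    <!-- Connection to the directory. ldap:// on port 389 is unencrypted unless the 
         server negotiates StartTLS, so the service account password below and every 
         user password sent in the bind cross the network in cleartext; prefer 
         ldaps:// (or StartTLS) outside a lab. The DN after the host is the base that 
         relative search bases resolve against. --> 
    <beans:bean id="contextSource" 
     class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> 
     <beans:constructor-arg value="ldap://10.9.1.1:389/DC=mydomain,DC=com" /> 
     <!-- Low-privilege, read-only service account used only for the user search. 
          Its password sits in cleartext in this file: externalise it (for example via 
          a property placeholder) and restrict who can read the file. --> 
     <beans:property name="userDn" 
      value="CN=ReadOnly,OU=Services,DC=mydomain,DC=com" /> 
     <beans:property name="password" value="thesecret" /> 
    </beans:bean> 

    <!-- LdapAuthenticationProvider(authenticator, authoritiesPopulator). 
         The BindAuthenticator first locates the user's entry with userSearch and then 
         binds to the directory as that entry with the password the user supplied. --> 
    <beans:bean id="ldapAuthProvider" 
     class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> 
     <beans:constructor-arg> 
      <beans:bean 
       class="org.springframework.security.ldap.authentication.BindAuthenticator"> 
       <beans:constructor-arg ref="contextSource" /> 
       <beans:property name="userSearch"> 
        <!-- FilterBasedLdapUserSearch(searchBase, searchFilter, contextSource). 
             The empty search base means the search is relative to the base DN given 
             in the contextSource URL. {0} is replaced with the login name and the 
             search is expected to return exactly one entry. The name is passed as a 
             filter argument rather than spliced into the filter string; confirm that 
             the LDAP template escapes filter metacharacters before relying on that. --> 
        <beans:bean id="userSearch" 
         class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> 
         <beans:constructor-arg index="0" value="" /> 
         <beans:constructor-arg index="1" 
          value="(&amp;(sAMAccountName={0})(objectclass=user))" /> 
         <beans:constructor-arg index="2" ref="contextSource" /> 
        </beans:bean> 
       </beans:property> 

      </beans:bean> 
     </beans:constructor-arg> 
     <beans:constructor-arg> 
      <!-- DefaultLdapAuthoritiesPopulator(contextSource, groupSearchBase): roles are 
           read from entries under ou=groups, using the ou attribute as the role name. 
           NOTE(review): these look like the generic LDAP sample values; in Active 
           Directory group objects usually live elsewhere and are named by cn, so 
           verify against this directory's layout. --> 
      <beans:bean 
       class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator"> 
       <beans:constructor-arg ref="contextSource" /> 
       <beans:constructor-arg value="ou=groups" /> 
       <beans:property name="groupRoleAttribute" value="ou" /> 
      </beans:bean> 
     </beans:constructor-arg> 
    </beans:bean> 

</beans:beans>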