Java Spring access based on roles/domain groups in Active Directory

Question

I would like to provide access to a web page only to members of a group in the AD.
At the authorization stage, check memberOf, e.g., and redirect the user to a specific web page.
The application already uses a method for authenticating users:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests();
            // ---- some code ------
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
        authBuilder
            .ldapAuthentication()
            .userSearchFilter("(sAMAccountName={0})")
            .userSearchBase("OU=Active,OU=Users,OU=nsk,DC=office,DC=ru")
            .groupSearchBase("OU=Groups,OU=nsk,DC=office,DC=ru")
            .groupSearchFilter("memberOf={0}")
            .contextSource()
            .url("ldap://regions.office.ru:389")
            .managerDn("CN=ldap_user_ro,OU=Service,OU=Users,OU=nsk,DC=office,DC=ru")
            .managerPassword("password");
    }
}

and for searching users in the AD:

import java.util.Hashtable;
import java.util.LinkedList;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapSearch {
    public List<String> getAllPersonNames() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://office.ru:389");
        env.put(Context.SECURITY_PRINCIPAL, "CN=ldap_user_ro,OU=Service,OU=Users,OU=nsk,DC=office,DC=ru");
        env.put(Context.SECURITY_CREDENTIALS, "password");

        // simple bind with the read-only service account
        DirContext ctx;
        try {
            ctx = new InitialDirContext(env);
        } catch (NamingException e) {
            throw new RuntimeException(e);
        }

        List<String> list = new LinkedList<>();
        NamingEnumeration<SearchResult> results = null;
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            results = ctx.search("OU=Active,OU=Users,OU=nsk,DC=office,DC=ru", "(objectclass=user)", controls);

            while (results.hasMore()) {
                SearchResult searchResult = results.next();
                Attributes attributes = searchResult.getAttributes();
                Attribute attr = attributes.get("displayName");
                // entries without a displayName are skipped rather than causing a NullPointerException
                if (attr != null) {
                    list.add(attr.get().toString());
                }
            }
        } catch (NamingException e) {
            throw new RuntimeException(e);
        } finally {
            // release the enumeration and the LDAP connection
            try {
                if (results != null) {
                    results.close();
                }
                ctx.close();
            } catch (NamingException ignored) {
            }
        }
        return list;
    }
}

Which of the modules will be needed to solve the problem?
I think I need WebSecurityConfigurerAdapter, but I doubt it is correct.

Answer 1

Score: 0

Thanks for the help, everybody.

import java.util.Collection;
import java.util.EnumSet;
import java.util.Set;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;

public class AuthoritiesMapper implements GrantedAuthoritiesMapper {
    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
        Set<Roles> roles = EnumSet.noneOf(Roles.class);

        // translate the LDAP group authorities into application roles; unknown groups are dropped
        for (GrantedAuthority a : authorities) {
            if ("inventadmin".equals(a.getAuthority())) {
                roles.add(Roles.INVENTADMIN);
            } else if ("inventuser".equals(a.getAuthority())) {
                roles.add(Roles.INVENTUSER);
            }
        }
        return roles;
    }
}

Roles:

import org.springframework.security.core.GrantedAuthority;

public enum Roles implements GrantedAuthority {
    INVENTADMIN,
    INVENTUSER;

    @Override
    public String getAuthority() {
        return name();
    }
}

WebSecurityConfig:

@Autowired
public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
    authBuilder
            .ldapAuthentication()
            .userSearchFilter("(&(objectClass=person)(objectClass=user)(sAMAccountName={0})(|(memberOf=cn=inventadmin,OU=inventorization,OU=Groups,OU=nsk,DC=office,DC=ru)(memberOf=cn=inventuser,OU=inventorization,OU=Groups,OU=nsk,DC=office,DC=ru)))")
            .userSearchBase("OU=Active,OU=Users,OU=nsk,DC=office,DC=ru")
            .groupSearchBase("OU=inventorization,OU=Groups,OU=nsk,DC=office,DC=ru")
            .groupSearchFilter("(member={0})")
            .contextSource()
            .url("ldap://office.ru:389")
            .managerDn("CN=ldap_user_ro,OU=Service,OU=Users,OU=nsk,DC=office,DC=ru")
            .managerPassword("password");
}
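
The answer shows the authorities mapper and the LDAP filter but not how the mapper is attached to the LDAP provider, how individual URLs are restricted per role, or the role-based redirect the question asked for. The following added example (not code from the question, the answer, or the Spring project) wires those three pieces together in one WebSecurityConfigurerAdapter. It assumes Spring Security 5.x with spring-security-ldap on the classpath, the URL paths /admin/** and /inventory/**, and the property names ldap.url, ldap.manager-dn and ldap.manager-password; the user and group search bases are the ones from the answer. Because Spring's DefaultLdapAuthoritiesPopulator upper-cases the group CN and prefixes it with ROLE_ by default (so membership in the inventadmin group arrives as ROLE_INVENTADMIN), the mapper normalizes that form before looking up the enum, and the URL rules use hasAuthority rather than hasRole, which would prepend ROLE_ a second time.

```java
package example.security; // hypothetical package name

import java.util.EnumSet;
import java.util.Locale;
import java.util.Set;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Application roles; the names match the AD group CNs from the answer, upper-cased. */
    public enum Roles implements GrantedAuthority {
        INVENTADMIN, INVENTUSER;

        @Override
        public String getAuthority() {
            return name();
        }
    }

    /**
     * Maps what DefaultLdapAuthoritiesPopulator produces ("ROLE_INVENTADMIN" by default,
     * or "inventadmin" if the prefix and case were changed) onto the Roles enum.
     * Groups that are not application roles are dropped, so only known groups
     * ever become authorities on the Authentication object.
     */
    static final GrantedAuthoritiesMapper GROUP_TO_ROLE = authorities -> {
        Set<Roles> roles = EnumSet.noneOf(Roles.class);
        for (GrantedAuthority a : authorities) {
            String name = a.getAuthority().toUpperCase(Locale.ROOT);
            if (name.startsWith("ROLE_")) {
                name = name.substring("ROLE_".length());
            }
            try {
                roles.add(Roles.valueOf(name));
            } catch (IllegalArgumentException unrelatedGroup) {
                // AD group that is not an application role: ignore it
            }
        }
        return roles;
    };

    // Connection details come from externalised configuration (assumed property names),
    // so the service-account password is not committed with the source.
    @Value("${ldap.url}")              private String ldapUrl;          // e.g. ldaps://office.ru:636
    @Value("${ldap.manager-dn}")       private String managerDn;
    @Value("${ldap.manager-password}") private String managerPassword;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // hasAuthority compares the bare enum name produced by GROUP_TO_ROLE
                .antMatchers("/admin/**").hasAuthority(Roles.INVENTADMIN.getAuthority())
                .antMatchers("/inventory/**").hasAnyAuthority(
                        Roles.INVENTADMIN.getAuthority(), Roles.INVENTUSER.getAuthority())
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .successHandler(redirectByRole())
                .and()
            .logout();
    }

    /** After a successful login, send admins and ordinary users to different pages (assumed paths). */
    private AuthenticationSuccessHandler redirectByRole() {
        return (request, response, authentication) -> {
            boolean admin = authentication.getAuthorities().stream()
                    .anyMatch(a -> Roles.INVENTADMIN.getAuthority().equals(a.getAuthority()));
            response.sendRedirect(request.getContextPath() + (admin ? "/admin/" : "/inventory/"));
        };
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
        authBuilder
            .ldapAuthentication()
                .userSearchBase("OU=Active,OU=Users,OU=nsk,DC=office,DC=ru")
                .userSearchFilter("(&(objectClass=user)(sAMAccountName={0}))")
                .groupSearchBase("OU=inventorization,OU=Groups,OU=nsk,DC=office,DC=ru")
                .groupSearchFilter("(member={0})")     // {0} is the authenticated user's DN
                .authoritiesMapper(GROUP_TO_ROLE)      // attach the mapper to the LDAP provider
                .contextSource()
                    .url(ldapUrl)
                    .managerDn(managerDn)
                    .managerPassword(managerPassword);
    }
}
```

Two points are worth checking before this goes into production. First, ldap:// on port 389 sends the manager bind and every user's password in cleartext unless StartTLS is negotiated, so ldap.url should point at an ldaps:// endpoint and the password should be injected from a secret store rather than a committed properties file. Second, a memberOf=... clause in userSearchFilter, as used in the answer, matches only direct membership, so a user who belongs to inventadmin through a nested group is rejected; if nested membership should count, Active Directory supports transitive matching with the LDAP_MATCHING_RULE_IN_CHAIN rule (memberOf:1.2.840.113556.1.4.1941:=<group DN>), and the group search in this example can be made transitive the same way on the member attribute.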

huangapple
  • Published on 2020-10-14 18:40:38
  • Please keep the link to this article when reposting: https://go.coder-hub.com/64351551.html