Java Spring基于角色/域组的Active Directory访问

huangapple go评论76阅读模式
英文:

Java Spring access based on roles/domain groups Active Directory

问题

我想为Active Directory中的组成员提供访问网页的权限。
在授权阶段检查memberOf,例如,然后将用户重定向到特定的网页。
该应用程序已经使用了身份验证用户的方法:

@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            // ---- 某些代码 ------
    }
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
        authBuilder
            .ldapAuthentication()
            .userSearchFilter("(sAMAccountName={0})")
            .userSearchBase("OU=Active,OU=Users,OU=nsk,DC=office,DC=ru")
            .groupSearchBase("OU=Groups,OU=nsk,DC=office,DC=ru")
            .groupSearchFilter("memberOf={0}")
            .contextSource()
            .url("ldap://regions.office.ru:389")
            .managerDn("CN=ldap_user_ro,OU=Service,OU=Users,OU=nsk,DC=office,DC=ru")
            .managerPassword("password");

以及在AD中搜索用户的代码:

public class LdapSearch {
    public List<String> getAllPersonNames() {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://office.ru:389");
        env.put(Context.SECURITY_PRINCIPAL, "CN=ldap_user_ro,OU=Service,OU=Users,OU=nsk,DC=office,DC=ru");
        env.put(Context.SECURITY_CREDENTIALS, "password");

        DirContext ctx;
        try {
            ctx = new InitialDirContext(env);
        } catch (NamingException | javax.naming.NamingException e) {
            throw new RuntimeException(e);
        }

        List<String> list = new LinkedList<String>();
        NamingEnumeration results = null;
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            results = ctx.search("OU=Active,OU=Users,OU=nsk,DC=office,DC=ru", "(objectclass=user)", controls);

            while (results.hasMore()) {
                SearchResult searchResult = (SearchResult) results.next();
                Attributes attributes = searchResult.getAttributes();
                Attribute attr = attributes.get("displayName");
                String cn = attr.get().toString();
                list.add(cn);
            }

哪些模块将需要用于解决这个问题?
我认为需要使用WebSecurityConfigurerAdapter,但我对是否正确有些疑虑。

英文:

I would like to provide access to web page only member of the group in the AD.
At the authorization stage check memberOf, eg, and user redirect to specific web page.
The application already uses method for authentification users:

@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
  .authorizeRequests()
---- some code ------
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
authBuilder
        .ldapAuthentication()
        .userSearchFilter(&quot;(sAMAccountName={0})&quot;)
        .userSearchBase(&quot;OU=Active,OU=Users,OU=nsk,DC=office,DC=ru&quot;)
        .groupSearchBase(&quot;OU=Groups,OU=nsk,DC=office,DC=ru&quot;)
        .groupSearchFilter(&quot;memberOf={0}&quot;)
        .contextSource()
        .url(&quot;ldap://regions.office.ru:389&quot;)
        .managerDn(&quot;CN=ldap_user_ro,OU=Service,OU=Users,OU=nsk,DC=office,DC=ru&quot;)
        .managerPassword(&quot;password&quot;);

and for searching users in the AD:

public class LdapSearch {
public List&lt;String&gt; getAllPersonNames() {
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, &quot;com.sun.jndi.ldap.LdapCtxFactory&quot;);
env.put(Context.PROVIDER_URL, &quot;ldap://office.ru:389&quot;);
env.put(Context.SECURITY_PRINCIPAL, &quot;CN=ldap_user_ro,OU=Service,OU=Users,OU=nsk,DC=office,DC=ru&quot;);
env.put(Context.SECURITY_CREDENTIALS, &quot;password&quot;);

DirContext ctx;
try {
    ctx = new InitialDirContext(env);
} catch (NamingException | javax.naming.NamingException e) {
    throw new RuntimeException(e);
}

List&lt;String&gt; list = new LinkedList&lt;String&gt;();
NamingEnumeration results = null;
try {
    SearchControls controls = new SearchControls();
    controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    results = ctx.search(&quot;OU=Active,OU=Users,OU=nsk,DC=office,DC=ru&quot;, &quot;(objectclass=user)&quot;, controls);

    while (results.hasMore()) {
        SearchResult searchResult = (SearchResult) results.next();
        Attributes attributes = searchResult.getAttributes();
        Attribute attr = attributes.get(&quot;displayName&quot;);
        String cn = attr.get().toString();
        list.add(cn);
    }

Which of the modules is will need for solve the problem?
I think need WebSecurityConfigurerAdapter, but i doubt it is correct.

答案1

得分: 0

感谢大家的帮助。

public class AuthoritiesMapper implements GrantedAuthoritiesMapper {
    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
        Set<Roles> roles = EnumSet.noneOf(Roles.class);

        for (GrantedAuthority a: authorities) {
            if ("inventadmin".equals(a.getAuthority())) {
                roles.add(Roles.INVENTADMIN);
            } else if ("inventuser".equals(a.getAuthority())) {
                roles.add(Roles.INVENTUSER);
            }
        }
        return roles;
    }
}

public enum Roles implements GrantedAuthority {
    INVENTADMIN,
    INVENTUSER;

    public String getAuthority() {
        return name();
    }
}

@Autowired
public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
    authBuilder
            .ldapAuthentication()
            .userSearchFilter("(&(objectClass=person)(objectClass=user)(sAMAccountName={0})(|(memberOf=cn=inventadmin,OU=inventorization,OU=Groups,OU=nsk,DC=office,DC=ru)(memberOf=cn=inventuser,OU=inventorization,OU=Groups,OU=nsk,DC=office,DC=ru)))")
            .userSearchBase("OU=Active,OU=Users,OU=nsk,DC=office,DC=ru")
            .groupSearchBase("OU=inventorization,OU=Groups,OU=nsk,DC=office,DC=ru")
            .groupSearchFilter("(member={0})")
            .contextSource()
            .url("ldap://office.ru:389")
            .managerDn("CN=ldap_user_ro,OU=Service,OU=Users,OU=nsk,DC=office,DC=ru")
            .managerPassword("password");
}
英文:

Thanks for help everybody.

public class AuthoritiesMapper implements GrantedAuthoritiesMapper {
@Override
public Collection&lt;? extends GrantedAuthority&gt; mapAuthorities(Collection&lt;? extends GrantedAuthority&gt; authorities) {
    Set&lt;Roles&gt; roles = EnumSet.noneOf(Roles.class);

    for (GrantedAuthority a: authorities) {
        if (&quot;inventadmin&quot;.equals(a.getAuthority())) {
            roles.add(Roles.INVENTADMIN);
        } else if (&quot;inventuser&quot;.equals(a.getAuthority())) {
            roles.add(Roles.INVENTUSER);
        }
    }
    return roles;
}

}

Roles:

public enum Roles implements GrantedAuthority {
INVENTADMIN,
INVENTUSER;

public String getAuthority() {
    return name();
}

}

WebSecurityconfig

    @Autowired
public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {

    authBuilder
            .ldapAuthentication()
            .userSearchFilter(&quot;(&amp;(objectClass=person)(objectClass=user)(sAMAccountName={0})(|(memberOf=cn=inventadmin,OU=inventorization,OU=Groups,OU=nsk,DC=office,DC=ru)(memberOf=cn=inventuser,OU=inventorization,OU=Groups,OU=nsk,DC=office,DC=ru)))&quot;)
            .userSearchBase(&quot;OU=Active,OU=Users,OU=nsk,DC=office,DC=ru&quot;)
            .groupSearchBase(&quot;OU=inventorization,OU=Groups,OU=nsk,DC=office,DC=ru&quot;)
            .groupSearchFilter(&quot;(member={0})&quot;)
            .contextSource()
            .url(&quot;ldap://office.ru:389&quot;)
            .managerDn(&quot;CN=ldap_user_ro,OU=Service,OU=Users,OU=nsk,DC=office,DC=ru&quot;)
            .managerPassword(&quot;password&quot;);
}

huangapple
  • 本文由 发表于 2020年10月14日 18:40:38
  • 转载请务必保留本文链接:https://go.coder-hub.com/64351551.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定