SpringSecurity3.X--LDAP:AD配置

 

前面介绍过基于本地数据库验证的方式(参考 http://hanqunfeng.iteye.com/blog/1155226),这里说明如何改为使用 AD(Active Directory)进行身份验证:只把用户名和密码交给 AD 校验,权限(角色/资源)仍然存储在本地数据库中。注意下面示例使用的是明文 ldap://(389 端口),用户密码会以明文在网络上传输,生产环境应改用 ldaps:// 或 StartTLS。

 

将配置文件中的如下部分删除:

  <!-- Authentication manager backed by the custom UserDetailsService. Stored passwords
       are compared as bare MD5 digests: no <salt-source> is configured, so the hashes are
       unsalted, which is weak for password storage. This whole section is removed and
       replaced by the AD configuration below. -->  
    <authentication-manager>  
        <authentication-provider user-service-ref="userService">  
            <password-encoder hash="md5" />  
        </authentication-provider>  
    </authentication-manager>  
  
    <beans:bean id="userService" class="com.piaoyi.common.security.UserService" />

 并添加如下内容:

<!-- LDAP contextSource: the connection to the AD/LDAP server.
     NOTE(review): ldap:// on port 389 is a cleartext connection. The service-account
     password below, and every user's password sent by the BindAuthenticator when it
     binds as that user, therefore cross the network unencrypted. Use ldaps:// (636)
     or StartTLS anywhere outside a lab. -->
	<!-- Extends org.springframework.ldap.core.support.LdapContextSource -->
	<beans:bean id="contextSource"
		class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
		<beans:constructor-arg value="ldap://192.168.159.xxx:389" />
		<!-- Service account; presumably used by the userSearch bean below to locate the
		     user's DN before the user's own bind. Give it read-only rights only. -->
		<beans:property name="userDn"
			value="cn=admin,cn=Users,dc=piaoyi,dc=local" />
		<!-- NOTE(review): secret stored in plaintext in the config file; keep this file
		     out of version control or externalize the value. -->
		<beans:property name="password" value="xxxxxxx" />
	</beans:bean>

	<!-- LDAP authentication provider: authenticator (who are you) + authorities populator
	     (what may you do). -->
	<beans:bean id="ldapAuthProvider"
		class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
		<beans:constructor-arg ref="ldapBindAuthenticator" />
		<beans:constructor-arg ref="ldapAuthoritiesPopulator" />
	</beans:bean>

	<!-- User authentication: bind to the directory with the submitted credentials.
	     The user is first looked up via userSearch, then a bind is attempted as that user. -->
	<beans:bean id="ldapBindAuthenticator"
		class="org.springframework.security.ldap.authentication.BindAuthenticator">
		<beans:constructor-arg ref="contextSource" />
		<beans:property name="userSearch" ref="userSearch" />
	</beans:bean>

	<!-- User lookup rule: search base, filter, and the context to search with.
	     {0} is a placeholder that FilterBasedLdapUserSearch fills with the submitted
	     username; it is passed to the LDAP API as a filter argument rather than
	     concatenated into the string, so the username is escaped for you. Do not
	     replace this with manual string building. -->
	<beans:bean id="userSearch"
		class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
		<beans:constructor-arg index="0"
			value="cn=Users,dc=piaoyi,dc=local" />
		<beans:constructor-arg index="1"
			value="(sAMAccountName={0})" />
		<beans:constructor-arg index="2" ref="contextSource" />
	</beans:bean>
	
	<!-- Role assignment: every user that passes AD authentication is granted the HODLE
	     role. AD group membership is NOT consulted, so any account that can bind to the
	     directory is authenticated; all access control relies on the local voters. -->
	<beans:bean
		class="com.netqin.common.security.SimpleRoleGrantingLdapAuthoritiesPopulator"
		id="ldapAuthoritiesPopulator" />


	<!-- Authentication manager. If cookie-based <remember-me/> is used, an
	     LdapUserDetailsService must be declared (see below). -->
	<authentication-manager>
		<authentication-provider ref="ldapAuthProvider" />
	</authentication-manager>

        <!-- ldapUserDetailsService: for <remember-me user-service-ref="ldapUserDetailsService"/>.
             Presumably reloads the user with the same search (no password check) and the
             same fixed-role populator, so a valid remember-me cookie is as powerful as a
             fresh login - confirm the cookie key/lifetime are set accordingly. -->
        <beans:bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
		<beans:constructor-arg index="0" ref="userSearch" />
		<beans:constructor-arg index="1" ref="ldapAuthoritiesPopulator" />
	</beans:bean>

 这里只用到一个自定义类,它的唯一作用是给所有通过 AD 验证的用户授予 HODLE 角色,并不读取 AD 中的组信息;真正的权限判断仍然交给投票器(voter)处理。换句话说,任何能在 AD 中成功绑定的账号都可以通过认证,访问控制完全依赖本地数据库中的权限配置。

SimpleRoleGrantingLdapAuthoritiesPopulator

package com.netqin.common.security;
import java.util.Arrays;
import java.util.Collection;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

public class SimpleRoleGrantingLdapAuthoritiesPopulator implements
		LdapAuthoritiesPopulator {
	/**
	 * Authority name handed to every user that has already passed the LDAP bind.
	 * Overridable through {@link #setRole(String)} from bean configuration.
	 * NOTE(review): "HODLE" carries no ROLE_ prefix, so Spring's stock RoleVoter
	 * would presumably ignore it; that is only acceptable because authorization
	 * is delegated to a custom voter in this setup.
	 */
	protected String role = "HODLE";


	/**
	 * Builds the authority list for an authenticated user.
	 *
	 * Both arguments are deliberately ignored: no directory attribute or group
	 * membership is consulted, so every account that binds successfully gets
	 * exactly the same single authority. Real access control must therefore
	 * happen elsewhere.
	 *
	 * @param userData directory entry of the authenticated user (unused)
	 * @param username login name supplied at authentication time (unused)
	 * @return a fixed-size list containing one {@link SimpleGrantedAuthority}
	 *         for {@code role}
	 */
	public Collection<GrantedAuthority> getGrantedAuthorities(
			DirContextOperations userData, String username) {
		GrantedAuthority[] granted = { new SimpleGrantedAuthority(role) };
		return Arrays.asList(granted);
	}

	/**
	 * @return the authority name currently granted to every user
	 */
	public String getRole() {
		return this.role;
	}

	/**
	 * @param role the authority name to grant to every authenticated user
	 */
	public void setRole(String role) {
		this.role = role;
	}
}

 

参考资料:

http://lengyun3566.iteye.com/blog/1358310
