<small id='qjJni'></small><noframes id='qjJni'>

        <bdo id='qjJni'></bdo><ul id='qjJni'></ul>

    1. <i id='qjJni'><tr id='qjJni'><dt id='qjJni'><q id='qjJni'><span id='qjJni'><b id='qjJni'><form id='qjJni'><ins id='qjJni'></ins><ul id='qjJni'></ul><sub id='qjJni'></sub></form><legend id='qjJni'></legend><bdo id='qjJni'><pre id='qjJni'><center id='qjJni'></center></pre></bdo></b><th id='qjJni'></th></span></q></dt></tr></i><div id='qjJni'><tfoot id='qjJni'></tfoot><dl id='qjJni'><fieldset id='qjJni'></fieldset></dl></div>

        <tfoot id='qjJni'></tfoot><legend id='qjJni'><style id='qjJni'><dir id='qjJni'><q id='qjJni'></q></dir></style></legend>
      1. Spring Security LDAP 认证用户必须是 AD 组的成员

        Spring Security LDAP authentication user must be a member of an AD group(Spring Security LDAP 认证用户必须是 AD 组的成员)

          <i id='iARMJ'><tr id='iARMJ'><dt id='iARMJ'><q id='iARMJ'><span id='iARMJ'><b id='iARMJ'><form id='iARMJ'><ins id='iARMJ'></ins><ul id='iARMJ'></ul><sub id='iARMJ'></sub></form><legend id='iARMJ'></legend><bdo id='iARMJ'><pre id='iARMJ'><center id='iARMJ'></center></pre></bdo></b><th id='iARMJ'></th></span></q></dt></tr></i><div id='iARMJ'><tfoot id='iARMJ'></tfoot><dl id='iARMJ'><fieldset id='iARMJ'></fieldset></dl></div>
              <legend id='iARMJ'><style id='iARMJ'><dir id='iARMJ'><q id='iARMJ'></q></dir></style></legend>

                <tbody id='iARMJ'></tbody>
            • <tfoot id='iARMJ'></tfoot>

              <small id='iARMJ'></small><noframes id='iARMJ'>

                • <bdo id='iARMJ'></bdo><ul id='iARMJ'></ul>
                  本文介绍了Spring Security LDAP 认证用户必须是 AD 组的成员的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

                  问题描述

                  我已经按照以下方式配置了 Spring Boot 安全性:https://spring.io/guides/gs/securing-web/

                  I've configured the Spring Boot Security as per: https://spring.io/guides/gs/securing-web/

                  我可以完美地使用我的凭据登录.但是,我需要添加一项检查,确认 AD 用户也必须属于特定的 AD 组(即 AD-this-is-a-specific-group).登录时,如果用户不属于特定的 AD 组,则应该返回登录错误.

                  I am able to login using my credentials perfectly. However, I need to add a checking that the AD user must also belong to a specific AD group (ie. AD-this-is-a-specific-group). On login, if the user does not belong to the specific AD group, then it should return a login error.

                  我已经搜索了几个小时,似乎无法在 WebSecurityConfigurerAdapter 中找到明确的方法,我是否正确使用了 auth.groupSearchFilter?

                  I've been searching for hours now and cannot seem to find a clear way to do this in the WebSecurityConfigurerAdapter , am I using the auth.groupSearchFilter correctly?

                  这是我的代码:

                  @Configuration 
                  @EnableWebSecurity    
                  public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
                  
                  @Autowired
                  Environment env;
                  
                  public LdapContextSource contextSource () {
                      LdapContextSource contextSource= new LdapContextSource();
                  
                      contextSource.setUrl(env.getRequiredProperty("ldap.url"));
                      contextSource.setBase(env.getRequiredProperty("ldap.baseDn"));
                      contextSource.setUserDn(env.getRequiredProperty("ldap.bindDn"));
                      contextSource.setPassword(env.getRequiredProperty("ldap.batchPassword"));
                      contextSource.afterPropertiesSet();
                      return contextSource;
                  }
                  
                  @Override
                  protected void configure(AuthenticationManagerBuilder auth)
                          throws Exception {
                       auth.ldapAuthentication()
                          .userSearchFilter("(cn={0})")           
                          .groupSearchBase("OU=Account Groups,OU=ITS Security")
                          .groupSearchFilter("(cn=AD-this-is-a-specific-group)") 
                          .contextSource(contextSource()); 
                  }
                  
                  @Override
                  protected void configure(HttpSecurity http) throws Exception {
                      http.authorizeRequests().anyRequest().fullyAuthenticated()
                          .and()
                          .formLogin();
                  }
                  

                  推荐答案

                  不确定这是否是最好的方法(就 Spring Security 的生命周期而言),但基本上我提供了自己的DefaultLdapAuthoritiesPopulator,这里我只覆盖 getGroupMembershipRoles.

                  Not sure if this is the best way to do this (in terms of Spring Security's lifecycle), but basically I provided my own DefaultLdapAuthoritiesPopulator, where I only override the getGroupMembershipRoles.

                  首先,我上面的 auth.groupSearchFilter 有误,应该是:

                  First thing though, I have wrong auth.groupSearchFilter above, it should be:

                      .groupSearchFilter("(member={0})") 
                  

                  其次,我创建了一个带有重写方法的匿名类(它调用 super 并检查角色列表中的成员资格):

                  Second, I've created an anonymous class with overridden method (that calls the super and checks for a the membership in the list of roles):

                  auth
                          .ldapAuthentication()
                          .ldapAuthoritiesPopulator(new DefaultLdapAuthoritiesPopulator(contextSource, "OU=Account Groups,OU=ITS Security") {
                  
                              @Override
                              public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) {
                                  Set<GrantedAuthority> groupMembershipRoles = super.getGroupMembershipRoles(userDn, username);
                  
                                  boolean isMemberOfSpecificAdGroup = false;
                                  for (GrantedAuthority grantedAuthority : groupMembershipRoles) {
                  
                                      if ("ROLE_AD-this-is-a-specific-group".equals(grantedAuthority.toString())) {                                                       
                                          isMemberOfSpecificAdGroup = true;
                                          break;
                                      }
                                  }
                  
                                  if (!isMemberOfSpecificAdGroup ) {
                  
                                      throw new BadCredentialsException("User must be a member of " + "AD-this-is-a-specific-group");
                                  }
                                  return groupMembershipRoles;
                              }
                          })
                          .userSearchFilter("(cn={0})")           
                          .groupSearchBase("OU=Account Groups,OU=ITS Security")
                          .groupSearchFilter("(member={0})") 
                          .contextSource(contextSource); 
                  

                  这篇关于Spring Security LDAP 认证用户必须是 AD 组的成员的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

                  本站部分内容来源互联网,如果有图片或者内容侵犯了您的权益,请联系我们,我们会在确认后第一时间进行删除!

                  相关文档推荐

                  Slf4j LoggerFactory.getLogger and sonarqube(Slf4j LoggerFactory.getLogger 和 sonarqube)
                  Security - Array is stored directly(安全性 - 数组直接存储)
                  SonarQube quot;Class Not Foundquot; during Main AST Scan(SonarQube“找不到类在主 AST 扫描期间)
                  Integrate Spock#39;s test with Sonar(将 Spock 的测试与声纳集成)
                  How do I make Hudson/Jenkins fail if Sonar thresholds are breached?(如果违反声纳阈值,我如何让 Hudson/Jenkins 失败?)
                  automatically add curly brackets to all if/else/for/while etc. in a java code-base(自动将大括号添加到 java 代码库中的所有 if/else/for/while 等)

                    <small id='WLXzi'></small><noframes id='WLXzi'>

                    <tfoot id='WLXzi'></tfoot>

                    1. <i id='WLXzi'><tr id='WLXzi'><dt id='WLXzi'><q id='WLXzi'><span id='WLXzi'><b id='WLXzi'><form id='WLXzi'><ins id='WLXzi'></ins><ul id='WLXzi'></ul><sub id='WLXzi'></sub></form><legend id='WLXzi'></legend><bdo id='WLXzi'><pre id='WLXzi'><center id='WLXzi'></center></pre></bdo></b><th id='WLXzi'></th></span></q></dt></tr></i><div id='WLXzi'><tfoot id='WLXzi'></tfoot><dl id='WLXzi'><fieldset id='WLXzi'></fieldset></dl></div>

                      <legend id='WLXzi'><style id='WLXzi'><dir id='WLXzi'><q id='WLXzi'></q></dir></style></legend>
                        <bdo id='WLXzi'></bdo><ul id='WLXzi'></ul>
                          <tbody id='WLXzi'></tbody>