如何使用 Spring Security 针对 Active Directory 服务器进行身份验证?
-
01-07-2019 - |
题
我正在编写一个需要用户登录的 Spring Web 应用程序。我的公司有一个 Active Directory 服务器,我想将其用于此目的。但是,我在使用 Spring Security 连接到服务器时遇到问题。
我正在使用 Spring 2.5.5 和 Spring Security 2.0.3 以及 Java 1.6。
如果我将 LDAP URL 更改为错误的 IP 地址,它不会抛出异常或任何异常,所以我想知道它是否均匀 试 首先连接到服务器。
尽管 Web 应用程序启动得很好,但我在登录页面中输入的任何信息都会被拒绝。我之前使用过 InMemoryDaoImpl,它工作得很好,所以我的应用程序的其余部分似乎配置正确。
这是我与安全相关的 Bean:
<beans:bean id="ldapAuthProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
<beans:constructor-arg ref="initialDirContextFactory" />
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>CN={0},OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Acme,DC=com</beans:value>
</beans:list>
</beans:property>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="userDetailsService" class="org.springframework.security.userdetails.ldap.LdapUserDetailsManager">
<beans:constructor-arg ref="initialDirContextFactory" />
</beans:bean>
<beans:bean id="initialDirContextFactory" class="org.springframework.security.ldap.DefaultInitialDirContextFactory">
<beans:constructor-arg value="ldap://192.168.123.456:389/DC=Acme,DC=com" />
</beans:bean>
解决方案
我也有过与您相同的头撞墙的经历,并最终编写了一个自定义身份验证提供程序,该提供程序对 Active Directory 服务器执行 LDAP 查询。
所以我的安全相关 bean 是:
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://hostname.queso.com:389/" />
</beans:bean>
<beans:bean id="ldapAuthenticationProvider"
class="org.queso.ad.service.authentication.LdapAuthenticationProvider">
<beans:property name="authenticator" ref="ldapAuthenticator" />
<custom-authentication-provider />
</beans:bean>
<beans:bean id="ldapAuthenticator"
class="org.queso.ad.service.authentication.LdapAuthenticatorImpl">
<beans:property name="contextFactory" ref="contextSource" />
<beans:property name="principalPrefix" value="QUESO\" />
</beans:bean>
然后是 LdapAuthenticationProvider 类:
/**
* Custom Spring Security authentication provider which tries to bind to an LDAP server with
* the passed-in credentials; of note, when used with the custom {@link LdapAuthenticatorImpl},
* does <strong>not</strong> require an LDAP username and password for initial binding.
*
* @author Jason
*/
public class LdapAuthenticationProvider implements AuthenticationProvider {
private LdapAuthenticator authenticator;
public Authentication authenticate(Authentication auth) throws AuthenticationException {
// Authenticate, using the passed-in credentials.
DirContextOperations authAdapter = authenticator.authenticate(auth);
// Creating an LdapAuthenticationToken (rather than using the existing Authentication
// object) allows us to add the already-created LDAP context for our app to use later.
LdapAuthenticationToken ldapAuth = new LdapAuthenticationToken(auth, "ROLE_USER");
InitialLdapContext ldapContext = (InitialLdapContext) authAdapter
.getObjectAttribute("ldapContext");
if (ldapContext != null) {
ldapAuth.setContext(ldapContext);
}
return ldapAuth;
}
public boolean supports(Class clazz) {
return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(clazz));
}
public LdapAuthenticator getAuthenticator() {
return authenticator;
}
public void setAuthenticator(LdapAuthenticator authenticator) {
this.authenticator = authenticator;
}
}
然后是LdapAuthenticatorImpl类:
/**
* Custom Spring Security LDAP authenticator which tries to bind to an LDAP server using the
* passed-in credentials; does <strong>not</strong> require "master" credentials for an
* initial bind prior to searching for the passed-in username.
*
* @author Jason
*/
public class LdapAuthenticatorImpl implements LdapAuthenticator {
private DefaultSpringSecurityContextSource contextFactory;
private String principalPrefix = "";
public DirContextOperations authenticate(Authentication authentication) {
// Grab the username and password out of the authentication object.
String principal = principalPrefix + authentication.getName();
String password = "";
if (authentication.getCredentials() != null) {
password = authentication.getCredentials().toString();
}
// If we have a valid username and password, try to authenticate.
if (!("".equals(principal.trim())) && !("".equals(password.trim()))) {
InitialLdapContext ldapContext = (InitialLdapContext) contextFactory
.getReadWriteContext(principal, password);
// We need to pass the context back out, so that the auth provider can add it to the
// Authentication object.
DirContextOperations authAdapter = new DirContextAdapter();
authAdapter.addAttributeValue("ldapContext", ldapContext);
return authAdapter;
} else {
throw new BadCredentialsException("Blank username and/or password!");
}
}
/**
* Since the InitialLdapContext that's stored as a property of an LdapAuthenticationToken is
* transient (because it isn't Serializable), we need some way to recreate the
* InitialLdapContext if it's null (e.g., if the LdapAuthenticationToken has been serialized
* and deserialized). This is that mechanism.
*
* @param authenticator
* the LdapAuthenticator instance from your application's context
* @param auth
* the LdapAuthenticationToken in which to recreate the InitialLdapContext
* @return
*/
static public InitialLdapContext recreateLdapContext(LdapAuthenticator authenticator,
LdapAuthenticationToken auth) {
DirContextOperations authAdapter = authenticator.authenticate(auth);
InitialLdapContext context = (InitialLdapContext) authAdapter
.getObjectAttribute("ldapContext");
auth.setContext(context);
return context;
}
public DefaultSpringSecurityContextSource getContextFactory() {
return contextFactory;
}
/**
* Set the context factory to use for generating a new LDAP context.
*
* @param contextFactory
*/
public void setContextFactory(DefaultSpringSecurityContextSource contextFactory) {
this.contextFactory = contextFactory;
}
public String getPrincipalPrefix() {
return principalPrefix;
}
/**
* Set the string to be prepended to all principal names prior to attempting authentication
* against the LDAP server. (For example, if the Active Directory wants the domain-name-plus
* backslash prepended, use this.)
*
* @param principalPrefix
*/
public void setPrincipalPrefix(String principalPrefix) {
if (principalPrefix != null) {
this.principalPrefix = principalPrefix;
} else {
this.principalPrefix = "";
}
}
}
最后是 LdapAuthenticationToken 类:
/**
* <p>
* Authentication token to use when an app needs further access to the LDAP context used to
* authenticate the user.
* </p>
*
* <p>
* When this is the Authentication object stored in the Spring Security context, an application
* can retrieve the current LDAP context thusly:
* </p>
*
* <pre>
* LdapAuthenticationToken ldapAuth = (LdapAuthenticationToken) SecurityContextHolder
* .getContext().getAuthentication();
* InitialLdapContext ldapContext = ldapAuth.getContext();
* </pre>
*
* @author Jason
*
*/
public class LdapAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = -5040340622950665401L;
private Authentication auth;
transient private InitialLdapContext context;
private List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
/**
* Construct a new LdapAuthenticationToken, using an existing Authentication object and
* granting all users a default authority.
*
* @param auth
* @param defaultAuthority
*/
public LdapAuthenticationToken(Authentication auth, GrantedAuthority defaultAuthority) {
this.auth = auth;
if (auth.getAuthorities() != null) {
this.authorities.addAll(Arrays.asList(auth.getAuthorities()));
}
if (defaultAuthority != null) {
this.authorities.add(defaultAuthority);
}
super.setAuthenticated(true);
}
/**
* Construct a new LdapAuthenticationToken, using an existing Authentication object and
* granting all users a default authority.
*
* @param auth
* @param defaultAuthority
*/
public LdapAuthenticationToken(Authentication auth, String defaultAuthority) {
this(auth, new GrantedAuthorityImpl(defaultAuthority));
}
public GrantedAuthority[] getAuthorities() {
GrantedAuthority[] authoritiesArray = this.authorities.toArray(new GrantedAuthority[0]);
return authoritiesArray;
}
public void addAuthority(GrantedAuthority authority) {
this.authorities.add(authority);
}
public Object getCredentials() {
return auth.getCredentials();
}
public Object getPrincipal() {
return auth.getPrincipal();
}
/**
* Retrieve the LDAP context attached to this user's authentication object.
*
* @return the LDAP context
*/
public InitialLdapContext getContext() {
return context;
}
/**
* Attach an LDAP context to this user's authentication object.
*
* @param context
* the LDAP context
*/
public void setContext(InitialLdapContext context) {
this.context = context;
}
}
您会注意到其中有一些您可能不需要的位。
例如,我的应用程序需要保留成功登录的 LDAP 上下文,以便用户登录后进一步使用 - 该应用程序的目的是让用户通过其 AD 凭据登录,然后执行进一步的 AD 相关功能。因此,我有一个自定义身份验证令牌 LdapAuthenticationToken,我传递它(而不是 Spring 的默认身份验证令牌),它允许我附加 LDAP 上下文。在 LdapAuthenticationProvider.authenticate() 中,我创建该令牌并将其传回;在 LdapAuthenticatorImpl.authenticate() 中,我将登录上下文附加到返回对象,以便可以将其添加到用户的 Spring 身份验证对象中。
另外,在 LdapAuthenticationProvider.authenticate() 中,我为所有登录用户分配 ROLE_USER 角色——这让我可以在拦截 url 元素中测试该角色。您需要使其与您想要测试的任何角色相匹配,甚至可以根据 Active Directory 组或其他内容分配角色。
最后,推论是,我实现 LdapAuthenticationProvider.authenticate() 的方式为所有拥有有效 AD 帐户的用户提供相同的 ROLE_USER 角色。显然,在该方法中,您可以对用户执行进一步的测试(即,该用户是否位于特定的 AD 组中?)并以这种方式分配角色,甚至在授予用户访问权限之前测试某些条件 全部.
其他提示
作为参考,Spring Security 3.1 有一个身份验证提供程序 专门针对活动目录.
只是为了使其达到最新状态。Spring Security 3.0 有一个 完整的包装 默认实现专门用于 ldap-bind 以及查询和比较身份验证。
我能够使用 spring security 2.0.4 对活动目录进行身份验证。
我记录了设置
http://maniezhilan.blogspot.com/2008/10/spring-security-204-with-active.html
正如卢克在上面的回答:
Spring Security 3.1 有一个专门针对 Active Directory 的身份验证提供程序。
以下是如何使用 ActiveDirectoryLdapAuthenticationProvider 轻松完成此操作的详细信息。
在 resources.groovy 中:
ldapAuthProvider1(ActiveDirectoryLdapAuthenticationProvider,
"mydomain.com",
"ldap://mydomain.com/"
)
在 Config.groovy 中:
grails.plugin.springsecurity.providerNames = ['ldapAuthProvider1']
这就是您需要的全部代码。您几乎可以删除 Config.groovy 中的所有其他 grails.plugin.springsecurity.ldap.* 设置,因为它们不适用于此 AD 设置。
没有 SSL 的 LDAP 身份验证并不安全,当用户凭据传输到 LDAP 服务器时,任何人都可以看到用户凭据。我建议使用 LDAPS:\ 协议进行身份验证。它不需要对 Spring 部分进行任何重大更改,但您可能会遇到一些与证书相关的问题。看 Spring 中使用 SSL 的 LDAP Active Directory 身份验证 更多细节
从卢克上面的回答来看:
作为参考,Spring Security 3.1具有一个身份验证提供商[专门用于Active Directory] [1]。
我用 Spring Security 3.1.1 尝试了上述操作:与 ldap 相比,有一些细微的变化 - 用户所属的活动目录组与原始情况一样。
以前在 ldap 下,组是大写的,并以“ROLE_”为前缀,这使得在项目中通过文本搜索很容易找到它们,但如果由于某种奇怪的原因有 2 个单独的组仅按大小写区分,显然可能会在 Unix 组中出现问题(即帐户和帐户)。
此外,该语法需要手动指定域控制器名称和端口,这使得冗余有点可怕。当然有一种方法可以在java中查找域的SRV DNS记录,即相当于(来自Samba 4 howto):
$ host -t SRV _ldap._tcp.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.
接下来是常规的 A 查找:
$ host -t A samba.samdom.example.com.
samba.samdom.example.com has address 10.0.0.1
(实际上可能还需要查找 _kerberos SRV 记录...)
以上是 Samba4.0rc1 的情况,我们正在逐步从 Samba 3.x LDAP 环境升级到 Samba AD 环境。
如果你使用的是Spring 安全4 您也可以使用给定的类实现相同
- 安全配置.java
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
static final Logger LOGGER = LoggerFactory.getLogger(SecurityConfig.class);
@Autowired
protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/").permitAll()
.anyRequest().authenticated();
.and()
.formLogin()
.and()
.logout();
}
@Bean
public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
ActiveDirectoryLdapAuthenticationProvider authenticationProvider =
new ActiveDirectoryLdapAuthenticationProvider("<domain>", "<url>");
authenticationProvider.setConvertSubErrorCodesToExceptions(true);
authenticationProvider.setUseAuthenticationRequestCredentials(true);
return authenticationProvider;
}
}