1配置認證方式為LDAP
<beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>CN={0},CN=Users</beans:value>
</beans:list>
</beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource" />
<beans:constructor-arg value="cn=users" />
<beans:property name="groupRoleAttribute" value="cn" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
¤認證方式:使用LdapAuthenticationProvider.查看SpringSecurity javadoc對於LdapAuthenticationProvider的描述如下:
An AuthenticationProvider implementation that authenticates against an LDAP server.
There are many ways in which an LDAP directory can be configured so this class delegates most of its responsibilities to two separate strategy interfaces, LdapAuthenticator and LdapAuthoritiesPopulator.
LdapAuthenticator:用戶信息Demo使用BindAuthenticator
This interface is responsible for performing the user authentication and retrieving the user's information from the directory.
LdapAuthoritiesPopulator:用戶權限信息Demo使用DefaultLdapAuthoritiesPopulator(
The default strategy for obtaining user role information from the directory.
It obtains roles by performing a search for "groups" the user is a member of.
)
Once the user has been authenticated, this interface is called to obtain the set of granted authorities for the user.
¤DN模式:設置為CN={0}(用戶名),CN=Users...DN對應為DistingudeName在LDAP中必須唯一標識用戶,Spring Security會自動幫你講baseDN添加到UserDN后面,根據實際情況進行配置
¤groupRoleAttribute分組對應到角色信息
2配置認證方式
<authentication-manager>
<authentication-provider ref="ldapAuthProvider">
</authentication-provider>
</authentication-manager>
3配置認證服務器信息
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://xxxxxx:389/DC=xxx,DC=xxx" />
<beans:property name="userDn"
value="cn=administrator,cn=users,DC=xxx,DC=com" />
<beans:property name="password" value="xxxxx!" />
</beans:bean>
DefaultSpringSecurityContextSource主要包括:
¤providerUrl :LDAP認證服務器地址
¤userDn:LDAP服務器登錄用戶DN
¤password:LDAP服務器用戶登錄密碼
然后再配置上登錄頁面以及受限制頁面的信息即可:
<http use-expressions="true" access-denied-page="/AccessDenied.jsp">
<intercept-url pattern="/login.jsp" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/login.jsp"
authentication-failure-url="/login.jsp?error=true"
default-target-url="/" />
<logout logout-success-url="/login.jsp" />
</http>
如此即可實現登錄:
登錄之后的信息如下:
獲取登錄用戶信息:
添加Spring Security標簽:
<%@ taglib prefix="sec"
uri="http://www.springframework.org/security/tags"%>
<div>
username :
<sec:authentication property="name" />
</div>
獲取權限列表可以使用如下代碼:
List<GrantedAuthority> auths = (List<GrantedAuthority>) SecurityContextHolder.getContext()
.getAuthentication().getAuthorities();
如此運行認證即可使用ldap認證
另外如果需要獲取一些用戶的屬性信息需要在xxxContext.xml中配置的provider節點中配置
<beans:bean id="ldapAuthProvider">
<beans:property name="userAttributes">
<beans:list>
<beans:value>CN</beans:value>
<beans:value>entryDN</beans:value>
<beans:value>entryUUID</beans:value>
<beans:value>mail</beans:value>
<beans:value>giveName</beans:value>
</beans:list>
</beans:property>
</beans:bean>
如果是使用ad身份認證,獲取的objectGUID為字符串信息,那么需要添加
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
...
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry key="java.naming.ldap.attributes.binary" value="objectGUID" />
</beans:map>
</beans:property>
...
</bean>
如此才能獲取相應的GUID二進制編碼信息
如果使用ldap進行身份認證?那么需要在attribute中配置entryUUID屬性,但是獲取到的是字符串,直接轉換為uuid即可.