
A First Look at Spring Security -- Authenticating with LDAP

1. Configure the authentication method as LDAP

<beans:bean id="ldapAuthProvider"
    class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean
        class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource" />
      <beans:property name="userDnPatterns">
        <beans:list>
          <beans:value>CN={0},CN=Users</beans:value>
        </beans:list>
      </beans:property>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean
        class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource" />
      <beans:constructor-arg value="cn=users" />
      <beans:property name="groupRoleAttribute" value="cn" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

¤ Authentication method: LdapAuthenticationProvider is used. The Spring Security javadoc describes LdapAuthenticationProvider as follows:

An AuthenticationProvider implementation that authenticates against an LDAP server.

There are many ways in which an LDAP directory can be configured so this class delegates most of its responsibilities to two separate strategy interfaces, LdapAuthenticator and LdapAuthoritiesPopulator.

LdapAuthenticator: responsible for the user information; the demo uses BindAuthenticator.

This interface is responsible for performing the user authentication and retrieving the user's information from the directory. 

LdapAuthoritiesPopulator: responsible for the user's authority (role) information; the demo uses DefaultLdapAuthoritiesPopulator, described as:

The default strategy for obtaining user role information from the directory. It obtains roles by performing a search for "groups" the user is a member of.

Once the user has been authenticated, this interface is called to obtain the set of granted authorities for the user.

¤ DN pattern: set to CN={0} (the username),CN=Users... DN stands for Distinguished Name and must uniquely identify a user in LDAP. Spring Security automatically appends the base DN to the user DN, so configure the pattern according to your actual directory layout.

¤ groupRoleAttribute: the group attribute that is mapped to role information.

2. Register the provider with the authentication manager

<authentication-manager>
  <authentication-provider ref="ldapAuthProvider">
  </authentication-provider>
</authentication-manager>

3. Configure the authentication server information

<beans:bean id="contextSource"
    class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://xxxxxx:389/DC=xxx,DC=xxx" />
  <beans:property name="userDn"
      value="cn=administrator,cn=users,DC=xxx,DC=com" />
  <beans:property name="password" value="xxxxx!" />
</beans:bean>

DefaultSpringSecurityContextSource mainly takes:

¤ providerUrl: the address of the LDAP authentication server (a plain ldap:// URL sends the bind credentials unencrypted; ldaps:// is the TLS-protected form)

¤ userDn: the DN of the account used to bind to the LDAP server

¤ password: the password of that bind account

Then configure the login page and the restricted pages:

<http use-expressions="true" access-denied-page="/AccessDenied.jsp">
  <intercept-url pattern="/login.jsp" access="permitAll" />
  <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
  <form-login login-page="/login.jsp"
      authentication-failure-url="/login.jsp?error=true"
      default-target-url="/" />
  <logout logout-success-url="/login.jsp" />
</http>

With this, login works.

After logging in, the information looks like this:


Retrieving the logged-in user's information:

Add the Spring Security tag library:

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>

<div>
  username :
  <sec:authentication property="name" />
</div>

The list of granted authorities can be obtained with the following code:

import java.util.Collection;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// getAuthorities() is declared as Collection<? extends GrantedAuthority>; casting it to List is unchecked and fragile
Collection<? extends GrantedAuthority> auths =
        SecurityContextHolder.getContext().getAuthentication().getAuthorities();

With that, authentication runs against LDAP.

In addition, if you need to retrieve some of the user's attributes, configure them inside the provider definition in xxxContext.xml:

<beans:bean id="ldapAuthProvider"
    class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <!-- userAttributes is a property of the authenticator (BindAuthenticator) nested in the provider, not of the provider bean itself -->
    <beans:bean
        class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource" />
      <beans:property name="userAttributes">
        <beans:list>
          <beans:value>CN</beans:value>
          <beans:value>entryDN</beans:value>
          <beans:value>entryUUID</beans:value>
          <beans:value>mail</beans:value>
          <beans:value>givenName</beans:value>
        </beans:list>
      </beans:property>
      ...
    </beans:bean>
  </beans:constructor-arg>
  ...
</beans:bean>

If you authenticate against AD, the objectGUID retrieved comes back as string data, so you need to add the following:

<beans:bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  ...
  <beans:property name="baseEnvironmentProperties">
    <beans:map>
      <beans:entry key="java.naming.ldap.attributes.binary" value="objectGUID" />
    </beans:map>
  </beans:property>
  ...
</beans:bean>

Only then is the GUID returned in its binary encoding.

If you authenticate against a plain LDAP server instead, configure the entryUUID attribute in userAttributes; the value retrieved is a string and can be converted to a UUID directly.
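As an added example (not code from the original post), a UserDetailsContextMapper that consumes the attributes requested through userAttributes and turns the directory's unique ID into a java.util.UUID: the 16-byte objectGUID that AD returns once java.naming.ldap.attributes.binary is set, or the textual entryUUID from other LDAP servers. The class name, the println and the sample bytes in main() are assumptions for this demo; wire the mapper into ldapAuthProvider through its userDetailsContextMapper property.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.Collection;
import java.util.UUID;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;

/** Hypothetical mapper (an assumption for this demo) reading the attributes listed in userAttributes. */
public class GuidAwareUserDetailsMapper extends LdapUserDetailsMapper {

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> authorities) {
        UserDetails user = super.mapUserFromContext(ctx, username, authorities);
        UUID id = uniqueId(ctx); // null when the directory returned neither attribute
        // Demo hook: a real application would carry `id` in its own UserDetails type.
        System.out.println(username + " mail=" + ctx.getStringAttribute("mail") + " id=" + id);
        return user;
    }

    /** AD: objectGUID arrives as byte[] once java.naming.ldap.attributes.binary is set; other servers: entryUUID is text. */
    static UUID uniqueId(DirContextOperations ctx) {
        Object guid = ctx.getObjectAttribute("objectGUID");
        if (guid instanceof byte[]) {
            return objectGuidToUuid((byte[]) guid);
        }
        String entryUuid = ctx.getStringAttribute("entryUUID");
        return entryUuid == null ? null : UUID.fromString(entryUuid);
    }

    /** objectGUID stores its first three fields little-endian; reorder them so the text matches what AD tools display. */
    static UUID objectGuidToUuid(byte[] raw) {
        if (raw.length != 16) throw new IllegalArgumentException("objectGUID must be 16 bytes");
        ByteBuffer le = ByteBuffer.wrap(raw).order(ByteOrder.LITTLE_ENDIAN);
        long data1 = le.getInt() & 0xFFFFFFFFL;   // bytes 0-3, little-endian
        long data2 = le.getShort() & 0xFFFFL;     // bytes 4-5, little-endian
        long data3 = le.getShort() & 0xFFFFL;     // bytes 6-7, little-endian
        long low = ByteBuffer.wrap(raw, 8, 8).order(ByteOrder.BIG_ENDIAN).getLong(); // bytes 8-15 as-is
        return new UUID((data1 << 32) | (data2 << 16) | data3, low);
    }

    /** Stand-alone check on a constructed objectGUID value (not taken from a real directory). */
    public static void main(String[] args) {
        byte[] constructed = {0x78, 0x56, 0x34, 0x12, (byte) 0xBC, (byte) 0x9A, (byte) 0xF0, (byte) 0xDE,
                0x01, 0x23, 0x45, 0x67, (byte) 0x89, (byte) 0xAB, (byte) 0xCD, (byte) 0xEF};
        System.out.println(objectGuidToUuid(constructed));
    }
}
```

Compare the printed value for a real account with the objectGUID shown by AD administration tools to confirm the byte order is handled correctly for your directory.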
