1配置认证方式为LDAP
<beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>CN={0},CN=Users</beans:value>
</beans:list>
</beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource" />
<beans:constructor-arg value="cn=users" />
<beans:property name="groupRoleAttribute" value="cn" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
¤认证方式:使用LdapAuthenticationProvider.查看SpringSecurity javadoc对于LdapAuthenticationProvider的描述如下:
An AuthenticationProvider implementation that authenticates against an LDAP server.
There are many ways in which an LDAP directory can be configured so this class delegates most of its responsibilities to two separate strategy interfaces, LdapAuthenticator and LdapAuthoritiesPopulator.
LdapAuthenticator:用户信息Demo使用BindAuthenticator
This interface is responsible for performing the user authentication and retrieving the user's information from the directory.
LdapAuthoritiesPopulator:用户权限信息Demo使用DefaultLdapAuthoritiesPopulator(
The default strategy for obtaining user role information from the directory.
It obtains roles by performing a search for "groups" the user is a member of.
)
Once the user has been authenticated, this interface is called to obtain the set of granted authorities for the user.
¤DN模式:设置为CN={0}(用户名),CN=Users...DN对应为DistingudeName在LDAP中必须唯一标识用户,Spring Security会自动帮你讲baseDN添加到UserDN后面,根据实际情况进行配置
¤groupRoleAttribute分组对应到角色信息
2配置认证方式
<authentication-manager>
<authentication-provider ref="ldapAuthProvider">
</authentication-provider>
</authentication-manager>
3配置认证服务器信息
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://xxxxxx:389/DC=xxx,DC=xxx" />
<beans:property name="userDn"
value="cn=administrator,cn=users,DC=xxx,DC=com" />
<beans:property name="password" value="xxxxx!" />
</beans:bean>
DefaultSpringSecurityContextSource主要包括:
¤providerUrl :LDAP认证服务器地址
¤userDn:LDAP服务器登录用户DN
¤password:LDAP服务器用户登录密码
然后再配置上登录页面以及受限制页面的信息即可:
<http use-expressions="true" access-denied-page="/AccessDenied.jsp">
<intercept-url pattern="/login.jsp" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/login.jsp"
authentication-failure-url="/login.jsp?error=true"
default-target-url="/" />
<logout logout-success-url="/login.jsp" />
</http>
如此即可实现登录:
登录之后的信息如下:
获取登录用户信息:
添加Spring Security标签:
<%@ taglib prefix="sec"
uri="http://www.springframework.org/security/tags"%>
<div>
username :
<sec:authentication property="name" />
</div>
获取权限列表可以使用如下代码:
List<GrantedAuthority> auths = (List<GrantedAuthority>) SecurityContextHolder.getContext()
.getAuthentication().getAuthorities();
如此运行认证即可使用ldap认证
另外如果需要获取一些用户的属性信息需要在xxxContext.xml中配置的provider节点中配置
<beans:bean id="ldapAuthProvider">
<beans:property name="userAttributes">
<beans:list>
<beans:value>CN</beans:value>
<beans:value>entryDN</beans:value>
<beans:value>entryUUID</beans:value>
<beans:value>mail</beans:value>
<beans:value>giveName</beans:value>
</beans:list>
</beans:property>
</beans:bean>
如果是使用ad身份认证,获取的objectGUID为字符串信息,那么需要添加
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
...
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry key="java.naming.ldap.attributes.binary" value="objectGUID" />
</beans:map>
</beans:property>
...
</bean>
如此才能获取相应的GUID二进制编码信息
如果使用ldap进行身份认证?那么需要在attribute中配置entryUUID属性,但是获取到的是字符串,直接转换为uuid即可.