问题描述
我已经按照以下方式配置了 Spring Boot 安全性:https://spring.io/guides/gs/securing-web/
I've configured the Spring Boot Security as per: https://spring.io/guides/gs/securing-web/
我可以完美地使用我的凭据登录.但是,我需要添加一项检查,确认 AD 用户也必须属于特定的 AD 组(即 AD-this-is-a-specific-group).登录时,如果用户不属于特定的 AD 组,则应该返回登录错误.
I am able to login using my credentials perfectly. However, I need to add a checking that the AD user must also belong to a specific AD group (ie. AD-this-is-a-specific-group). On login, if the user does not belong to the specific AD group, then it should return a login error.
我已经搜索了几个小时,似乎无法在 WebSecurityConfigurerAdapter 中找到明确的方法,我是否正确使用了 auth.groupSearchFilter?
I've been searching for hours now and cannot seem to find a clear way to do this in the WebSecurityConfigurerAdapter , am I using the auth.groupSearchFilter correctly?
这是我的代码:
@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired Environment env; public LdapContextSource contextSource () { LdapContextSource contextSource= new LdapContextSource(); contextSource.setUrl(env.getRequiredProperty("ldap.url")); contextSource.setBase(env.getRequiredProperty("ldap.baseDn")); contextSource.setUserDn(env.getRequiredProperty("ldap.bindDn")); contextSource.setPassword(env.getRequiredProperty("ldap.batchPassword")); contextSource.afterPropertiesSet(); return contextSource; } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.ldapAuthentication() .userSearchFilter("(cn={0})") .groupSearchBase("OU=Account Groups,OU=ITS Security") .groupSearchFilter("(cn=AD-this-is-a-specific-group)") .contextSource(contextSource()); } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().anyRequest().fullyAuthenticated() .and() .formLogin(); }
推荐答案
不确定这是否是最好的方法(就 Spring Security 的生命周期而言),但基本上我提供了自己的DefaultLdapAuthoritiesPopulator,这里我只覆盖 getGroupMembershipRoles.
Not sure if this is the best way to do this (in terms of Spring Security's lifecycle), but basically I provided my own DefaultLdapAuthoritiesPopulator, where I only override the getGroupMembershipRoles.
首先,我上面的 auth.groupSearchFilter 有误,应该是:
First thing though, I have wrong auth.groupSearchFilter above, it should be:
.groupSearchFilter("(member={0})")
其次,我创建了一个带有重写方法的匿名类(它调用 super 并检查角色列表中的成员资格):
Second, I've created an anonymous class with overridden method (that calls the super and checks for a the membership in the list of roles):
auth .ldapAuthentication() .ldapAuthoritiesPopulator(new DefaultLdapAuthoritiesPopulator(contextSource, "OU=Account Groups,OU=ITS Security") { @Override public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) { Set<GrantedAuthority> groupMembershipRoles = super.getGroupMembershipRoles(userDn, username); boolean isMemberOfSpecificAdGroup = false; for (GrantedAuthority grantedAuthority : groupMembershipRoles) { if ("ROLE_AD-this-is-a-specific-group".equals(grantedAuthority.toString())) { isMemberOfSpecificAdGroup = true; break; } } if (!isMemberOfSpecificAdGroup ) { throw new BadCredentialsException("User must be a member of " + "AD-this-is-a-specific-group"); } return groupMembershipRoles; } }) .userSearchFilter("(cn={0})") .groupSearchBase("OU=Account Groups,OU=ITS Security") .groupSearchFilter("(member={0})") .contextSource(contextSource);