Differences
This shows the differences between two versions of the page.
java:ldap:spring:object-relation [2016/05/05 23:08] tony created |
java:ldap:spring:object-relation [2023/06/25 09:48] (current version) |
Line 1: | Line 1: | ||
{{tag>ldap spring spring-ldap spring-security}} | {{tag>ldap spring spring-ldap spring-security}} | ||
- | ====== Object relationships in Spring-Security with LDAP ====== | + | ====== Spring-Security with LDAP object relationships (work in progress) ====== |
- | When integrating LDAP into web login through spring-security, if you configure it in code you extend [[http://docs.spring.io/spring-security/site/docs/current/apidocs/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html|WebSecurityConfigurerAdapter]]. Its configure method lets you configure the AuthenticationProvider: | + | ===== Introduction ===== |
+ | This page mainly documents the objects in Spring-Security-LDAP that we used. Our goal was to integrate LDAP and AD authentication, and to meet our requirements we extended quite a few of the objects Spring provides. That part may be shared separately when there is a chance. | ||
+ | ===== Configuration With Code ===== | ||
+ | In my example, login is first authenticated against the database, then AD, and finally LDAP. When configuring in code, you extend [[http://docs.spring.io/spring-security/site/docs/current/apidocs/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html|WebSecurityConfigurerAdapter]]; then override the configure method, where [[http://docs.spring.io/spring-security/site/docs/current/apidocs/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.html|AuthenticationManagerBuilder]] lets you configure the AuthenticationProvider: | ||
<code java> | <code java> | ||
+ | @Autowired | ||
+ | @Qualifier("dataSource") | ||
+ | DataSource datasource; | ||
+ | |||
+ | @Autowired | ||
+ | @Qualifier("ldapConfig") | ||
+ | Properties ldapConfig; | ||
+ | |||
+ | @Autowired | ||
+ | @Qualifier("adConfig") | ||
+ | Properties adConfig; | ||
+ | |||
@Override | @Override | ||
protected void configure(AuthenticationManagerBuilder aAuth) throws Exception { | protected void configure(AuthenticationManagerBuilder aAuth) throws Exception { | ||
- | // related configuration | + | aAuth.jdbcAuthentication().dataSource(datasource); |
+ | |||
+ | String domain = (String)adConfig.get("ad.domain"); | ||
+ | String url = (String)adConfig.get("ad.url"); | ||
+ | ActiveDirectoryLdapAuthenticationProvider adProvider = new ActiveDirectoryLdapAuthenticationProvider(domain, url); | ||
+ | aAuth.authenticationProvider(adProvider); | ||
+ | |||
+ | aAuth.ldapAuthentication() | ||
+ | .groupSearchBase(ldapConfig.get("ldap.groupSearchBase")) | ||
+ | .groupSearchFilter(StringUtil.apendStrings(ldapConfig.get("ldap.groupSearchAttr"), "={0}")) | ||
+ | .userSearchBase(ldapConfig.get("ldap.userSearchBase")) | ||
+ | .userSearchFilter(StringUtil.apendStrings(ldapConfig.get("ldap.userSearchAttr"), "={0}")) | ||
+ | .contextSource() | ||
+ | .url(StringUtil.apendStrings("ldap://", ldapConfig.get("ldap.host"), ":", ldapConfig.get("ldap.port"), "/", ldapConfig.get("ldap.baseDn"))) | ||
+ | .managerDn(ldapConfig.get("ldap.managerDn")) | ||
+ | .managerPassword(ldapConfig.get("ldap.managerPassword")); | ||
} | } | ||
</code> | </code> | ||
- | [[http://docs.spring.io/spring-security/site/docs/current/apidocs/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.html|AuthenticationManagerBuilder]] is used to build the AuthenticationProvider you need; the two builders I used are: | + | The three main parts of the code above are: |
- | * jdbcAuthentication(): authenticates through the database. | + | * jdbcAuthentication(): creates a JdbcUserDetailsManager to authenticate through the database. |
- | * ldapAuthentication(): authenticates through Ldap. | + | * ldapAuthentication(): creates an LdapAuthenticationProvider to authenticate through Ldap. |
- | To authenticate with AD: | + | * authenticationProvider(): adds the ActiveDirectoryLdapAuthenticationProvider to the provider list, to authenticate through AD. |
- | * authenticationProvider(): authenticates through another AuthenticationProvider. | + | \\ |
+ | If you want more flexibility, you can also implement your own AuthenticationProvider to chain these together. | ||
+ | ===== AuthenticationProvider ===== | ||
+ | AuthenticationProvider is the core of authentication. For example, when a user enters an account and password on the login screen, it is ultimately verified through the authenticate method; the [[http://docs.spring.io/autorepo/docs/spring-security/4.0.3.RELEASE/apidocs/org/springframework/security/core/Authentication.html|Authentication]] passed in contains the account and password, and the one returned contains the user's authorities: | ||
<code java> | <code java> | ||
- | ActiveDirectoryLdapAuthenticationProvider adProvider = new ActiveDirectoryLdapAuthenticationProvider(domain, url); | + | Authentication authenticate(Authentication authentication) throws AuthenticationException; |
- | aAuth.authenticationProvider(adProvider); | + | |
</code> | </code> | ||
- | + | The more important methods of Authentication: |
+ | * Object getCredentials(): the password. | ||
+ | * Object getPrincipal(): the account. | ||
+ | * Collection<? extends GrantedAuthority> getAuthorities(): the authorities in general. | ||
+ | \\ | ||
+ | Next, the AuthenticationProviders for LDAP and AD are described. |
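Review bot: the ldapAuthentication() chain in the new configure() passes the result of ldapConfig.get(...) straight into groupSearchBase(...), userSearchBase(...), managerDn(...) and managerPassword(...), but Properties.get() returns Object while those builder methods take String, so unlike the AD block (which casts `(String)adConfig.get("ad.domain")`) this will not compile as written; use ldapConfig.getProperty("ldap.groupSearchBase") and so on instead of get(), which also removes the need for casts. Two smaller points on the same lines: `StringUtil.apendStrings` is a project helper not shown on the page and its name looks misspelled, so a sentence saying where it comes from would help a reader; and the context source is built from a plain "ldap://" URL with a managerPassword read from a properties file, so the bind credential and every user's password cross the network in clear unless the directory is reached over ldaps:// or StartTLS, and the manager password belongs in a protected secret store rather than a checked-in properties file.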