Differences
This shows you the differences between two versions of the page.
java:ldap:spring:simpleauthentication [2016/04/02 18:44] tony [Normal]
java:ldap:spring:simpleauthentication [2023/06/25 09:48] (current version)
行 2: | 行 2: | ||
====== LDAP Simple Authentication with Spring API ====== | ====== LDAP Simple Authentication with Spring API ====== | ||
===== Normal ===== | ===== Normal ===== | ||
- | 此範例為: 給予一個admin的dn與password做query,然後針對某一個user做驗證。在此範例中ldapTemplate.authenticate的第一個參數,即使你沒有設定一個對應base,也會從contextSource所設定的base開始找尋。 | + | 此範例為: 給予一個admin的dn與password做query,然後針對某一個user做驗證。在此範例中ldapTemplate.authenticate的第一個參數,即使你沒有設定一個對應base,也會從contextSource所設定的base開始找尋。我是以cn為使用者的名稱。 |
<code java> | <code java> | ||
LdapContextSource contextSource = new LdapContextSource(); | LdapContextSource contextSource = new LdapContextSource(); | ||
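Review bot: the sentence added to the Normal description says cn is used as the user name but does not say how that name reaches the authenticate call; since the example builds the search with `new EqualsFilter("cn", "tonylin")` and passes `filter.encode()`, it is worth stating that the encoding is what keeps a user-supplied name from altering the filter, so readers do not replace it with string concatenation. It would also help to say that the admin DN and password on contextSource are only used to bind for the lookup, while the user's own password goes only into ldapTemplate.authenticate.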
行 23: | 行 23: | ||
</code> | </code> | ||
===== With SSL ===== | ===== With SSL ===== | ||
+ | LDAP server如果允許SSL連線,且client已經將server的certificate加為可信任的,我們只要依照Normal範例,將URL的protocol與port做調整就可以使用了: | ||
<code java> | <code java> | ||
LdapContextSource contextSource = new LdapContextSource(); | LdapContextSource contextSource = new LdapContextSource(); | ||
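Review bot: the sentence added to the With SSL section says to adjust the URL's protocol and port but does not give them; state them (ldaps:// and the LDAPS default port 636, unless the server uses another) and spell out what "added the server certificate as trusted" means for a Java client, i.e. imported into the JVM truststore (the default cacerts or the one named by javax.net.ssl.trustStore). Recent JDKs also verify the hostname for ldaps:// by default, so the certificate's subject or SAN must match the host written in the URL.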
行 36: | 行 37: | ||
Filter filter = new EqualsFilter("cn", "tonylin"); | Filter filter = new EqualsFilter("cn", "tonylin"); | ||
boolean authed = ldapTemplate.authenticate("ou=sw", filter.encode(), "123456"); | boolean authed = ldapTemplate.authenticate("ou=sw", filter.encode(), "123456"); | ||
- | System.out.println(authed); | + | Assert.assertTrue(ldapTemplate.authenticate("ou=sw", filter.encode(), "123456")); |
+ | Assert.assertFalse(ldapTemplate.authenticate("ou=sw", filter.encode(), "654321")); | ||
} catch (Exception e) { | } catch (Exception e) { | ||
- | e.printStackTrace(); | + | Assert.fail(e.getMessage()); |
+ | } | ||
+ | </code> | ||
+ | ===== With TLS(StartTLS) ===== | ||
+ | 有幾個要點: | ||
+ | * 使用ldap protocol。 | ||
+ | * 透過DefaultTlsDirContextAuthenticationStrategy讓client與server negotiate。 | ||
+ | * 由於會做hostname的verify,為了測試,所以我們先override去避掉它。 | ||
+ | * 做authenticate時,透過LookupAttemptingCallback讓它在連線完成後做search,以驗證密碼是否正確。 | ||
+ | <code java> | ||
+ | LdapContextSource contextSource = new LdapContextSource(); | ||
+ | contextSource.setUrl("ldap://192.168.1.13:389"); | ||
+ | contextSource.setBase("dc=testldap,dc=org"); | ||
+ | contextSource.setUserDn("cn=admin,dc=testldap,dc=org"); | ||
+ | contextSource.setPassword("123456"); | ||
+ | |||
+ | DefaultTlsDirContextAuthenticationStrategy strategy = new DefaultTlsDirContextAuthenticationStrategy(); | ||
+ | strategy.setHostnameVerifier((hostname, sslsession) -> { | ||
+ | return true; | ||
+ | }); | ||
+ | |||
+ | contextSource.setAuthenticationStrategy(strategy); | ||
+ | contextSource.afterPropertiesSet(); | ||
+ | |||
+ | LdapTemplate ldapTemplate = new LdapTemplate(contextSource); | ||
+ | try { | ||
+ | ldapTemplate.afterPropertiesSet(); | ||
+ | Filter filter = new EqualsFilter("cn", "tonylin"); | ||
+ | Assert.assertTrue(ldapTemplate.authenticate("ou=sw", filter.encode(), "123456", new LookupAttemptingCallback())); | ||
+ | Assert.assertFalse(ldapTemplate.authenticate("ou=sw", filter.encode(), "654321", new LookupAttemptingCallback())); | ||
+ | } catch (Exception e) { | ||
+ | Assert.fail(e.getMessage()); | ||
} | } | ||
</code> | </code> | ||
+ | 為了確認真的是TLS,透別使用wireshark觀察一下: [[pc:goodsoftware:wireshark|link]]。 | ||
+ | ===== Reference ===== | ||
+ | * [[http://www.jayway.com/2009/02/02/simple-authentication-using-spring-ldap/|simple-authentication-using-spring-ldap]] | ||
+ | * [[http://stackoverflow.com/questions/16570222/how-to-authenticate-against-active-directory-via-ldap-over-tls|how-to-authenticate-against-active-directory-via-ldap-over-tls]] | ||
+ | |||
+ | ===== ===== | ||
+ | ---- | ||
+ | \\ | ||
+ | ~~DISQUS~~ |
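Review bot: the hostname verifier in the StartTLS block, `strategy.setHostnameVerifier((hostname, sslsession) -> { return true; });`, disables hostname verification for the negotiated TLS session, so a server presenting any trusted certificate, including one issued for a different host, would be accepted; the bullet says this is for testing, but the code block carries no such marking, so either drop the override and give the test server a certificate whose SAN matches 192.168.1.13, or add a comment on that line saying it is test-only and must not be copied into production. In the With SSL block, `boolean authed = ldapTemplate.authenticate("ou=sw", filter.encode(), "123456");` is now unused after `System.out.println(authed)` was replaced; use `Assert.assertTrue(authed)` rather than a second authenticate call with the same arguments. Minor: in the Wireshark sentence, 透別 reads as a typo for 特別.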