Spring-引导 LDAP 自定义 UserDetails
Spring-boot LDAP customize UserDetails
我在 spring-boot 应用程序中使用 LDAP 身份验证(基于注释的配置)。我想自定义 UserDetails 对象。默认的 UserDetails 实现是 LdapUserDetailsImpl。我想扩展这个 class 并添加一些额外的接口并绑定到 spring-security。
我的配置 class:
@Configuration
protected static class AuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter {
@Autowired
private UserService userService;
@Autowired
private Environment env;
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
AuthMethod authMethod = AuthMethod.valueOf(env.getRequiredProperty("auth_method"));
switch (authMethod) {
case LDAP:
auth.ldapAuthentication()
.userDnPatterns(env.getRequiredProperty("ldap.user_dn_patterns"))
.groupSearchBase(env.getRequiredProperty("ldap.group_search_base"))
.contextSource()
.url(env.getRequiredProperty("ldap.url"));
break;
default:
auth.userDetailsService(userService);
break;
}
}
@Bean
public LdapContextSource contextSource () {
LdapContextSource contextSource= new LdapContextSource();
contextSource.setUrl(env.getRequiredProperty("ldap.url"));
contextSource.setUserDn(env.getRequiredProperty("ldap.user"));
contextSource.setPassword(env.getRequiredProperty("ldap.password"));
contextSource.afterPropertiesSet();
return contextSource;
}
}
UserService 是自定义身份验证方法(它是 database/jpa 身份验证)。
UserDetails 访问器(当 auth 方法是 LDAP 时,它返回 LdapUserDetailsImpl 对象):
@Component("activeUserAccessor")
public class ActiveUserAccessorImpl implements ActiveUserAccessor
{
public UserDetails getActiveUser()
{
return (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}
}
感谢您的帮助。
我的解决方案:
1.Create 自定义 UserDetailsContextMapper:
@Bean
public UserDetailsContextMapper userDetailsContextMapper() {
return new LdapUserDetailsMapper() {
@Override
public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
UserDetails details = super.mapUserFromContext(ctx, username, authorities);
return new CustomLdapUserDetails((LdapUserDetails) details, env);
}
};
}
2.Bind 带有 LdapAuthenticationProviderConfigurer 的 UserDetailsContextMapper:
auth.ldapAuthentication()
.userDetailsContextMapper(userDetailsContextMapper())
.userDnPatterns(env.getRequiredProperty("ldap.user_dn_patterns"))
.groupSearchBase(env.getRequiredProperty("ldap.group_search_base"))
.contextSource()
.url(env.getRequiredProperty("ldap.url"));
3.Implement CustomLdapUserDetails(目前只改变了isEnabled方法)。您可以在 ActiveUserAccessor.getActiveUser().
中向 CustomLdapUserDetails 和 return extended class 添加一些额外的接口、方法。
public class CustomLdapUserDetails implements LdapUserDetails {
private static final long serialVersionUID = 1L;
private LdapUserDetails details;
private Environment env;
public CustomLdapUserDetails(LdapUserDetails details, Environment env) {
this.details = details;
this.env = env;
}
public boolean isEnabled() {
return details.isEnabled() && getUsername().equals(env.getRequiredProperty("ldap.username"));
}
public String getDn() {
return details.getDn();
}
public Collection<? extends GrantedAuthority> getAuthorities() {
return details.getAuthorities();
}
public String getPassword() {
return details.getPassword();
}
public String getUsername() {
return details.getUsername();
}
public boolean isAccountNonExpired() {
return details.isAccountNonExpired();
}
public boolean isAccountNonLocked() {
return details.isAccountNonLocked();
}
public boolean isCredentialsNonExpired() {
return details.isCredentialsNonExpired();
}
}
我在 spring-boot 应用程序中使用 LDAP 身份验证(基于注释的配置)。我想自定义 UserDetails 对象。默认的 UserDetails 实现是 LdapUserDetailsImpl。我想扩展这个 class 并添加一些额外的接口并绑定到 spring-security。 我的配置 class:
@Configuration
protected static class AuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter {
@Autowired
private UserService userService;
@Autowired
private Environment env;
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
AuthMethod authMethod = AuthMethod.valueOf(env.getRequiredProperty("auth_method"));
switch (authMethod) {
case LDAP:
auth.ldapAuthentication()
.userDnPatterns(env.getRequiredProperty("ldap.user_dn_patterns"))
.groupSearchBase(env.getRequiredProperty("ldap.group_search_base"))
.contextSource()
.url(env.getRequiredProperty("ldap.url"));
break;
default:
auth.userDetailsService(userService);
break;
}
}
@Bean
public LdapContextSource contextSource () {
LdapContextSource contextSource= new LdapContextSource();
contextSource.setUrl(env.getRequiredProperty("ldap.url"));
contextSource.setUserDn(env.getRequiredProperty("ldap.user"));
contextSource.setPassword(env.getRequiredProperty("ldap.password"));
contextSource.afterPropertiesSet();
return contextSource;
}
}
UserService 是自定义身份验证方法(它是 database/jpa 身份验证)。 UserDetails 访问器(当 auth 方法是 LDAP 时,它返回 LdapUserDetailsImpl 对象):
@Component("activeUserAccessor")
public class ActiveUserAccessorImpl implements ActiveUserAccessor
{
public UserDetails getActiveUser()
{
return (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}
}
感谢您的帮助。
我的解决方案:
1.Create 自定义 UserDetailsContextMapper:
@Bean
public UserDetailsContextMapper userDetailsContextMapper() {
return new LdapUserDetailsMapper() {
@Override
public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
UserDetails details = super.mapUserFromContext(ctx, username, authorities);
return new CustomLdapUserDetails((LdapUserDetails) details, env);
}
};
}
2.Bind 带有 LdapAuthenticationProviderConfigurer 的 UserDetailsContextMapper:
auth.ldapAuthentication()
.userDetailsContextMapper(userDetailsContextMapper())
.userDnPatterns(env.getRequiredProperty("ldap.user_dn_patterns"))
.groupSearchBase(env.getRequiredProperty("ldap.group_search_base"))
.contextSource()
.url(env.getRequiredProperty("ldap.url"));
3.Implement CustomLdapUserDetails(目前只改变了isEnabled方法)。您可以在 ActiveUserAccessor.getActiveUser().
中向 CustomLdapUserDetails 和 return extended class 添加一些额外的接口、方法。public class CustomLdapUserDetails implements LdapUserDetails {
private static final long serialVersionUID = 1L;
private LdapUserDetails details;
private Environment env;
public CustomLdapUserDetails(LdapUserDetails details, Environment env) {
this.details = details;
this.env = env;
}
public boolean isEnabled() {
return details.isEnabled() && getUsername().equals(env.getRequiredProperty("ldap.username"));
}
public String getDn() {
return details.getDn();
}
public Collection<? extends GrantedAuthority> getAuthorities() {
return details.getAuthorities();
}
public String getPassword() {
return details.getPassword();
}
public String getUsername() {
return details.getUsername();
}
public boolean isAccountNonExpired() {
return details.isAccountNonExpired();
}
public boolean isAccountNonLocked() {
return details.isAccountNonLocked();
}
public boolean isCredentialsNonExpired() {
return details.isCredentialsNonExpired();
}
}