如何使用带有 LDAP 身份验证的 Apache Shiro 添加角色授权
How to add role authorization using Apache Shiro with LDAP Authentication
我是 Apache Shiro 和 LDAP 的新手。
我正在尝试使用 Apache Shiro 创建一个简单的 LDAP 身份验证。身份验证有效,但我无法为用户添加角色。下面是我正在使用的 shiro.ini 文件:
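[main]
# LDAP context factory. It carries the service-account bind used for directory
# lookups; the realm authenticates end users by binding as them.
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = ldap://localhost:389
contextFactory.systemUsername = cn=Manager,dc=maxcrc,dc=com
# Plaintext credential: keep this file readable only by the account running the app.
contextFactory.systemPassword = secret

# The stock JndiLdapRealm authenticates only; it returns no roles or permissions,
# so hasRole()/isPermitted() are always false for LDAP users. To get roles, point
# this at a subclass that overrides queryForAuthorizationInfo (LDAPTest in this
# project extends the realm but does not yet override it).
realm = org.apache.shiro.realm.ldap.JndiLdapRealm
# Wire the factory above into the realm. As originally written, only
# realm.contextFactory.url was set (on the realm's own default factory) and the
# contextFactory object with the system credentials was never attached to it.
realm.contextFactory = $contextFactory

[roles]
# Maps a role NAME to permissions ('*' = all). This does not assign the role to
# any LDAP user; role membership has to come from the realm.
People = *
role = *
Administrator = *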
下面是 java class 文件:
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.ldap.JndiLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.subject.PrincipalCollection;
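/**
 * Minimal Apache Shiro + LDAP demo: logs a fixed user in against the realm
 * configured in auth.ini, then checks one role and one permission.
 *
 * <p>Why the role/permission checks fail: this class extends {@link JndiLdapRealm}
 * but overrides nothing, and the ini wires {@code org.apache.shiro.realm.ldap.JndiLdapRealm}
 * rather than this class, so the stock realm is what runs. The stock realm only
 * authenticates (it binds as the user) and returns no roles or permissions. To get
 * roles, point the ini at a subclass that overrides
 * {@code queryForAuthorizationInfo(PrincipalCollection, LdapContextFactory)} (the hook
 * {@code JndiLdapRealm.doGetAuthorizationInfo} delegates to) and returns a
 * {@link SimpleAuthorizationInfo} built from the user's group membership. How groups
 * are modelled in this directory is not shown, so that query is not written here.
 * The ini's {@code [roles]} section maps role names to permissions; it does not
 * assign roles to an LDAP user.
 */
public class LDAPTest extends JndiLdapRealm
{
    /** Bind DN of the demo account; with no userDnTemplate configured the realm binds with this string as-is. */
    public static final String userName = "uid=aarippa,ou=People,dc=maxcrc,dc=com";

    /** Demo credential, hard-coded only for this example. */
    public static final String password = "SomePassword";

    /**
     * Builds the security manager from auth.ini, authenticates {@link #userName} and
     * reports the outcome of a role check and a permission check.
     *
     * @param args unused
     */
    public static void main(String[] args)
    {
        // A backslash in a Java string literal must be doubled; the original
        // "N:\workspace\..." does not compile (\w, \L, \s, \a are not escapes).
        Factory<SecurityManager> factory =
                new IniSecurityManagerFactory("N:\\workspace\\LdapAuthentication\\src\\auth.ini");
        SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);

        System.out.println("userName is : " + userName);
        // The password is deliberately not echoed: stdout ends up in console and CI logs.

        UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
        Subject currentUser = SecurityUtils.getSubject();
        try
        {
            currentUser.login(token);
            System.out.println("We've authenticated! :)");
        }
        catch (AuthenticationException e)
        {
            System.out.println("We did not authenticate :(");
            e.printStackTrace();
            // Authorization checks on an unauthenticated subject are meaningless.
            return;
        }

        // Role names are compared as exact strings; the ini defines "People", not
        // "people". Neither matches today because no realm assigns roles at all.
        if (currentUser.hasRole("people"))
        {
            System.out.println("We have the role! :)");
        }
        else
        {
            System.out.println("We do not have the role :(");
        }

        if (currentUser.isPermitted("foo.blah"))
        {
            System.out.println("We're authorized! :)");
        }
        else
        {
            System.out.println("We are not authorized :(");
        }
    }
}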
我无法理解如何为用户添加角色。身份验证工作正常但收到错误消息 "We do not have the role :(" 和 "We are not authorized :("
目前我正在使用 OpenLDAP 服务器,下面是我在服务器中创建的一个 .LDIF 条目:
# User entry used by the Shiro demo. There is no group/role information here:
# no memberOf-style attribute on the entry and no group entry listing this DN,
# so a realm has nothing to derive roles from until membership is modelled in
# the directory.
dn: uid=aarippa,ou=people,dc=maxcrc,dc=com
objectclass: inetOrgPerson
cn: Arjun Arippa
cn: A Arippa
cn: Aarippa
sn: fahmi
uid: aarippa
# Supplied as clear text. On a plain LDAP add OpenLDAP stores the value as given
# unless an overlay hashes it — confirm how this server is configured.
userpassword: SomePassword
carlicense: HISCAR 123
homephone: 555-111-2222
mail: f.satrio222@gmail.com
mail: f.satrio222@mysamz.com
mail: guest108222@fif.co.id
description: tukang ngulik ga jelas
ou: SOA
任何人都可以让我知道我是否通过添加正确的角色做了正确的事情,如果有错请纠正我。我在编写的方法中遗漏了什么吗?
谢谢,
阿俊
开箱即用的通用 LDAPRealm 不处理角色。 Active Directory 领域可以(如果您在 AD 上)。否则,您可以扩展领域并实施 doGetAuthorizationInfo
方法。
LDAP 服务器的配置方式几乎是无限的,但有一些常见的策略。您的用户如何与您的组相关联?您有示例查询或示例组记录吗?
我是 Apache Shiro 和 LDAP 的新手。 我正在尝试使用 Apache Shiro 创建一个简单的 LDAP 身份验证。身份验证有效,但我无法为用户添加角色。下面是我正在使用的 shiro.ini 文件:
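[main]
# LDAP context factory. It carries the service-account bind used for directory
# lookups; the realm authenticates end users by binding as them.
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = ldap://localhost:389
contextFactory.systemUsername = cn=Manager,dc=maxcrc,dc=com
# Plaintext credential: keep this file readable only by the account running the app.
contextFactory.systemPassword = secret

# The stock JndiLdapRealm authenticates only; it returns no roles or permissions,
# so hasRole()/isPermitted() are always false for LDAP users. To get roles, point
# this at a subclass that overrides queryForAuthorizationInfo (LDAPTest in this
# project extends the realm but does not yet override it).
realm = org.apache.shiro.realm.ldap.JndiLdapRealm
# Wire the factory above into the realm. As originally written, only
# realm.contextFactory.url was set (on the realm's own default factory) and the
# contextFactory object with the system credentials was never attached to it.
realm.contextFactory = $contextFactory

[roles]
# Maps a role NAME to permissions ('*' = all). This does not assign the role to
# any LDAP user; role membership has to come from the realm.
People = *
role = *
Administrator = *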
下面是 java class 文件:
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.ldap.JndiLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.subject.PrincipalCollection;
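/**
 * Minimal Apache Shiro + LDAP demo: logs a fixed user in against the realm
 * configured in auth.ini, then checks one role and one permission.
 *
 * <p>Why the role/permission checks fail: this class extends {@link JndiLdapRealm}
 * but overrides nothing, and the ini wires {@code org.apache.shiro.realm.ldap.JndiLdapRealm}
 * rather than this class, so the stock realm is what runs. The stock realm only
 * authenticates (it binds as the user) and returns no roles or permissions. To get
 * roles, point the ini at a subclass that overrides
 * {@code queryForAuthorizationInfo(PrincipalCollection, LdapContextFactory)} (the hook
 * {@code JndiLdapRealm.doGetAuthorizationInfo} delegates to) and returns a
 * {@link SimpleAuthorizationInfo} built from the user's group membership. How groups
 * are modelled in this directory is not shown, so that query is not written here.
 * The ini's {@code [roles]} section maps role names to permissions; it does not
 * assign roles to an LDAP user.
 */
public class LDAPTest extends JndiLdapRealm
{
    /** Bind DN of the demo account; with no userDnTemplate configured the realm binds with this string as-is. */
    public static final String userName = "uid=aarippa,ou=People,dc=maxcrc,dc=com";

    /** Demo credential, hard-coded only for this example. */
    public static final String password = "SomePassword";

    /**
     * Builds the security manager from auth.ini, authenticates {@link #userName} and
     * reports the outcome of a role check and a permission check.
     *
     * @param args unused
     */
    public static void main(String[] args)
    {
        // A backslash in a Java string literal must be doubled; the original
        // "N:\workspace\..." does not compile (\w, \L, \s, \a are not escapes).
        Factory<SecurityManager> factory =
                new IniSecurityManagerFactory("N:\\workspace\\LdapAuthentication\\src\\auth.ini");
        SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);

        System.out.println("userName is : " + userName);
        // The password is deliberately not echoed: stdout ends up in console and CI logs.

        UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
        Subject currentUser = SecurityUtils.getSubject();
        try
        {
            currentUser.login(token);
            System.out.println("We've authenticated! :)");
        }
        catch (AuthenticationException e)
        {
            System.out.println("We did not authenticate :(");
            e.printStackTrace();
            // Authorization checks on an unauthenticated subject are meaningless.
            return;
        }

        // Role names are compared as exact strings; the ini defines "People", not
        // "people". Neither matches today because no realm assigns roles at all.
        if (currentUser.hasRole("people"))
        {
            System.out.println("We have the role! :)");
        }
        else
        {
            System.out.println("We do not have the role :(");
        }

        if (currentUser.isPermitted("foo.blah"))
        {
            System.out.println("We're authorized! :)");
        }
        else
        {
            System.out.println("We are not authorized :(");
        }
    }
}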
我无法理解如何为用户添加角色。身份验证工作正常但收到错误消息 "We do not have the role :(" 和 "We are not authorized :(" 目前我正在使用 OpenLDAP 服务器,下面是我在服务器中创建的一个 .LDIF 条目:
# User entry used by the Shiro demo. There is no group/role information here:
# no memberOf-style attribute on the entry and no group entry listing this DN,
# so a realm has nothing to derive roles from until membership is modelled in
# the directory.
dn: uid=aarippa,ou=people,dc=maxcrc,dc=com
objectclass: inetOrgPerson
cn: Arjun Arippa
cn: A Arippa
cn: Aarippa
sn: fahmi
uid: aarippa
# Supplied as clear text. On a plain LDAP add OpenLDAP stores the value as given
# unless an overlay hashes it — confirm how this server is configured.
userpassword: SomePassword
carlicense: HISCAR 123
homephone: 555-111-2222
mail: f.satrio222@gmail.com
mail: f.satrio222@mysamz.com
mail: guest108222@fif.co.id
description: tukang ngulik ga jelas
ou: SOA
任何人都可以让我知道我是否通过添加正确的角色做了正确的事情,如果有错请纠正我。我在编写的方法中遗漏了什么吗?
谢谢, 阿俊
开箱即用的通用 LDAPRealm 不处理角色。 Active Directory 领域可以(如果您在 AD 上)。否则,您可以扩展领域并实施 doGetAuthorizationInfo
方法。
LDAP 服务器的配置方式几乎是无限的,但有一些常见的策略。您的用户如何与您的组相关联?您有示例查询或示例组记录吗?