Spring 使用 LDAP 身份验证引导 REST API
Spring Boot REST API using LDAP authentication
所以我正在尝试构建一个将使用 LDAP 身份验证的 REST API。基本上,当我的登录端点被使用时,我希望它使用 httpBasic 身份验证检测凭据,然后将这些凭据用于我的 LDAP 服务器。我还想考虑用户角色,保护端点,以便只有具有适当角色的特定用户才能访问所述端点。
这可以吗?到目前为止,在我的阅读中,我还没有看到一篇教程或文章明确说明如何实现这一点。
*更新: 我设法将其配置为能够使用 httpBasic 接受凭据。现在我想知道如何使用基于 LDAP 组(例如经理、开发人员)的用户角色为特定端点设置权限
这实际上可以通过 Spring Boot 非常简洁地完成。
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.3.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.so</groupId>
<artifactId>rest-ldap</artifactId>
<version>1.0.1</version>
<name>rest-ldap</name>
<description>SO REST LDAP Solution</description>
<properties>
<java.version>11</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
App.java
package com.so;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@EnableWebSecurity
@RestController
@SpringBootApplication
public class App extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.httpBasic()
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.csrf()
.disable();
}
@Override
protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder
.ldapAuthentication()
.contextSource()
.url("ldap://ldap-server.com:3268")
.managerDn("CN=MGR_USERNAME")
.managerPassword("MGR_PASSWORD")
.and()
.userSearchFilter("CN={0}");
}
@RequestMapping
public Authentication getAuth() {
return SecurityContextHolder.getContext().getAuthentication();
}
public static void main(String[] args) {
SpringApplication.run(com.so.App.class, args);
}
}
发送请求
http://USERNAME:PASSWORD@localhost:8080
收到(成功)响应
HTTP/1.1 200
Set-Cookie: JSESSIONID=COOKIE-VALUE; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 01 Jan 1970 00:00:00 GMT
{
"authorities": [],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null
},
"authenticated": true,
"principal": {
"dn": "cn=USERNAME",
"password": null,
"username": "USERNAME",
"authorities": [],
"accountNonExpired": true,
"accountNonLocked": true,
"credentialsNonExpired": true,
"enabled": true,
"timeBeforeExpiration": 2147483647,
"graceLoginsRemaining": 2147483647
},
"credentials": null,
"name": "USERNAME"
}
尽情享受吧!
所以我正在尝试构建一个将使用 LDAP 身份验证的 REST API。基本上,当我的登录端点被使用时,我希望它使用 httpBasic 身份验证检测凭据,然后将这些凭据用于我的 LDAP 服务器。我还想考虑用户角色,保护端点,以便只有具有适当角色的特定用户才能访问所述端点。
这可以吗?到目前为止,在我的阅读中,我还没有看到一篇教程或文章明确说明如何实现这一点。
*更新: 我设法将其配置为能够使用 httpBasic 接受凭据。现在我想知道如何使用基于 LDAP 组(例如经理、开发人员)的用户角色为特定端点设置权限
这实际上可以通过 Spring Boot 非常简洁地完成。
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.3.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.so</groupId>
<artifactId>rest-ldap</artifactId>
<version>1.0.1</version>
<name>rest-ldap</name>
<description>SO REST LDAP Solution</description>
<properties>
<java.version>11</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
App.java
package com.so;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@EnableWebSecurity
@RestController
@SpringBootApplication
public class App extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.httpBasic()
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.csrf()
.disable();
}
@Override
protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder
.ldapAuthentication()
.contextSource()
.url("ldap://ldap-server.com:3268")
.managerDn("CN=MGR_USERNAME")
.managerPassword("MGR_PASSWORD")
.and()
.userSearchFilter("CN={0}");
}
@RequestMapping
public Authentication getAuth() {
return SecurityContextHolder.getContext().getAuthentication();
}
public static void main(String[] args) {
SpringApplication.run(com.so.App.class, args);
}
}
发送请求
http://USERNAME:PASSWORD@localhost:8080
收到(成功)响应
HTTP/1.1 200
Set-Cookie: JSESSIONID=COOKIE-VALUE; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 01 Jan 1970 00:00:00 GMT
{
"authorities": [],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null
},
"authenticated": true,
"principal": {
"dn": "cn=USERNAME",
"password": null,
"username": "USERNAME",
"authorities": [],
"accountNonExpired": true,
"accountNonLocked": true,
"credentialsNonExpired": true,
"enabled": true,
"timeBeforeExpiration": 2147483647,
"graceLoginsRemaining": 2147483647
},
"credentials": null,
"name": "USERNAME"
}
尽情享受吧!