Spring 使用 LDAP 身份验证引导 REST API

Spring Boot REST API using LDAP authentication

所以我正在尝试构建一个将使用 LDAP 身份验证的 REST API。基本上,当我的登录端点被使用时,我希望它使用 httpBasic 身份验证检测凭据,然后将这些凭据用于我的 LDAP 服务器。我还想考虑用户角色,保护端点,以便只有具有适当角色的特定用户才能访问所述端点。

这可以吗?到目前为止,在我的阅读中,我还没有看到一篇教程或文章明确说明如何实现这一点。

*更新: 我设法将其配置为能够使用 httpBasic 接受凭据。现在我想知道如何使用基于 LDAP 组(例如经理、开发人员)的用户角色为特定端点设置权限

这实际上可以通过 Spring Boot 非常简洁地完成。

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.3.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <groupId>com.so</groupId>
    <artifactId>rest-ldap</artifactId>
    <version>1.0.1</version>
    <name>rest-ldap</name>
    <description>SO REST LDAP Solution</description>

    <properties>
        <java.version>11</java.version>
    </properties>

    <dependencies>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-ldap</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

App.java

package com.so;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@EnableWebSecurity
@RestController
@SpringBootApplication
public class App extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .httpBasic()
                .and()
                .authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
                .csrf()
                .disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
                .ldapAuthentication()
                .contextSource()
                .url("ldap://ldap-server.com:3268")
                .managerDn("CN=MGR_USERNAME")
                .managerPassword("MGR_PASSWORD")
                .and()
                .userSearchFilter("CN={0}");
    }

    @RequestMapping
    public Authentication getAuth() {
        return SecurityContextHolder.getContext().getAuthentication();
    }

    public static void main(String[] args) {
        SpringApplication.run(com.so.App.class, args);
    }

}

发送请求 http://USERNAME:PASSWORD@localhost:8080

收到(成功)响应

HTTP/1.1 200
Set-Cookie: JSESSIONID=COOKIE-VALUE; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 01 Jan 1970 00:00:00 GMT
{
  "authorities": [],
  "details": {
    "remoteAddress": "127.0.0.1",
    "sessionId": null
  },
  "authenticated": true,
  "principal": {
    "dn": "cn=USERNAME",
    "password": null,
    "username": "USERNAME",
    "authorities": [],
    "accountNonExpired": true,
    "accountNonLocked": true,
    "credentialsNonExpired": true,
    "enabled": true,
    "timeBeforeExpiration": 2147483647,
    "graceLoginsRemaining": 2147483647
  },
  "credentials": null,
  "name": "USERNAME"
}

尽情享受吧!