How to get Spring Boot Actuator LdapHealthIndicator running with Ldap from Spring Security?
I am developing a Spring Boot 2.3 application with Spring Security. Authentication and authorization are done through Spring Security against AD, so I am using spring-security-ldap with the following code.
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    ...
    // Authenticates users by binding to Active Directory with their own credentials.
    public AuthenticationProvider adAuthenticationProvider() {
        ActiveDirectoryLdapAuthenticationProvider adProvider =
                new ActiveDirectoryLdapAuthenticationProvider(ldapDomain, ldapUrl);
        adProvider.setSearchFilter(ldapSearchFilter);
        // Keep only the AD "admin" group and map it onto the application's ADMIN role.
        adProvider.setAuthoritiesMapper(authorities -> {
            Collection<GrantedAuthority> gaCollection = new ArrayList<>();
            for (GrantedAuthority authority : authorities) {
                if ("admin".equals(authority.getAuthority())) {
                    gaCollection.add(new SimpleGrantedAuthority(Role.ADMIN));
                }
            }
            return gaCollection;
        });
        return adProvider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(adAuthenticationProvider());
        auth.eraseCredentials(false);
    }
}
The relevant dependencies look like this:
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-dependencies</artifactId>
            <version>${spring-boot.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
    ...
</dependencyManagement>
<dependencies>
    <!-- Spring -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-autoconfigure</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
        <exclusions>
            <exclusion>
                <groupId>org.apache.tomcat</groupId>
                <artifactId>tomcat-juli</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.apache.tomcat</groupId>
                <artifactId>tomcat-jdbc</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-ldap</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>
    <!-- End Spring -->
    ...
</dependencies>
This works fine.
Now I have decided to use Spring Boot Actuator for application monitoring, via the spring-boot-starter-actuator dependency.
Through auto-configuration it detects actuators for my data source and the LdapHealthIndicator. While the data source is fine, the LdapHealthIndicator always reports the following error.
CONDITIONS EVALUATION REPORT (only LDAP lines)
positive matches:
LdapAutoConfiguration matched:
- @ConditionalOnClass found required class 'org.springframework.ldap.core.ContextSource' (OnClassCondition)
LdapAutoConfiguration#ldapContextSource matched:
- @ConditionalOnMissingBean (types: org.springframework.ldap.core.support.LdapContextSource; SearchStrategy: all) did not find any beans (OnBeanCondition)
LdapAutoConfiguration#ldapTemplate matched:
- @ConditionalOnMissingBean (types: org.springframework.ldap.core.LdapOperations; SearchStrategy: all) did not find any beans (OnBeanCondition)
LdapHealthContributorAutoConfiguration matched:
- @ConditionalOnClass found required class 'org.springframework.ldap.core.LdapOperations' (OnClassCondition)
- @ConditionalOnEnabledHealthIndicator management.health.ldap.enabled is true (OnEnabledHealthIndicatorCondition)
- @ConditionalOnBean (types: org.springframework.ldap.core.LdapOperations; SearchStrategy: all) found bean 'ldapTemplate' (OnBeanCondition)
LdapHealthContributorAutoConfiguration#ldapHealthContributor matched:
- @ConditionalOnMissingBean (names: ldapHealthIndicator,ldapHealthContributor; SearchStrategy: all) did not find any beans (OnBeanCondition)
negative matches:
EmbeddedLdapAutoConfiguration:
Did not match:
- @ConditionalOnClass did not find required class 'com.unboundid.ldap.listener.InMemoryDirectoryServer' (OnClassCondition)
LdapRepositoriesAutoConfiguration:
Did not match:
- @ConditionalOnClass did not find required class 'org.springframework.data.ldap.repository.LdapRepository' (OnClassCondition)
o.s.b.actuate.ldap.LdapHealthIndicator : LDAP health check failed
org.springframework.ldap.CommunicationException: localhost:389; nested exception is
javax.naming.CommunicationException: localhost:389
[Root exception is java.net.ConnectException: Connection refused: connect]
My AD runs on a remote server, not on localhost. Spring Security works fine.
So why does LdapHealthIndicator try to check an LDAP server on localhost? What is the intended design approach to make LdapHealthIndicator use my AuthenticationProvider from my SecurityConfiguration?
There may be other problems; however, the main problem seems to be that your pom is missing the spring-ldap-core dependency:
<dependency>
    <groupId>org.springframework.ldap</groupId>
    <artifactId>spring-ldap-core</artifactId>
</dependency>
Including it will put it on the classpath. Combined with the correct properties, Spring Boot's LDAP auto-configuration will kick in.
Also, the reference docs state that the property is spring.ldap.urls, so I think it should be changed to that.
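Added example, not code from the question or the answer: the conditions report above shows that LdapAutoConfiguration creates its own LdapContextSource (falling back to localhost:389) only when no LdapContextSource bean exists, so one way to keep the health probe and the security configuration pointed at the same directory is to define that bean from the same connection settings. The property names (ldap.url, ldap.health.user-dn, ldap.health.password) are assumptions; spring-ldap-core must be on the classpath as the answer says.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.support.LdapContextSource;

@Configuration
public class LdapContextConfiguration {

    // Same URL the ActiveDirectoryLdapAuthenticationProvider is built with (assumed property name).
    @Value("${ldap.url}")
    private String ldapUrl;

    // ActiveDirectoryLdapAuthenticationProvider binds with each user's own credentials, so the
    // health probe needs its own low-privilege, read-only service account (assumed property names).
    @Value("${ldap.health.user-dn}")
    private String healthUserDn;

    @Value("${ldap.health.password}")
    private String healthPassword;

    // Defining this bean makes LdapAutoConfiguration#ldapContextSource back off
    // (@ConditionalOnMissingBean), so the auto-configured LdapTemplate, and therefore
    // LdapHealthIndicator, connect to the real AD instead of the spring.ldap.urls default.
    @Bean
    public LdapContextSource ldapContextSource() {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(ldapUrl);
        contextSource.setUserDn(healthUserDn);
        contextSource.setPassword(healthPassword);
        // No base DN: the health check only reads the RootDSE ("supportedldapversion").
        // afterPropertiesSet() is invoked by the container because the class is an InitializingBean.
        return contextSource;
    }
}
```

Prefer an ldaps:// URL for ldap.url so the probe account's bind credentials do not cross the network in clear text, and keep that account limited to reading the RootDSE.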