Kerb4j - How to get role name from SPNEGO Token?


I am trying to get the role name from the SPNEGO token returned by Active Directory, for use with Spring Security authorization. I am using kerb4j to authenticate since my understanding is that it can get group (i.e. role) information from the token (instead of a subsequent LDAP query) by using this code.

In my Spring web security configuration I have the following:

class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${app.service-principal}")
    private String servicePrincipal;

    @Value("${app.keytab-location}")
    private String keytabLocation;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.exceptionHandling()
                .authenticationEntryPoint(spnegoEntryPoint())
                .and()
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                // /hello requires an authority named ROLE_ADMIN
                .antMatchers("/hello").access("hasRole('ROLE_ADMIN')")
                .anyRequest().authenticated()
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .logout().permitAll()
                .and() // spring
            .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                    BasicAuthenticationFilter.class);
    }

    @Bean
    public SpnegoAuthenticationProvider kerberosServiceAuthenticationProvider() {
        SpnegoAuthenticationProvider provider = new SpnegoAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        // Builds the user's authorities from the groups carried in the ticket (currently raw SIDs)
        provider.setExtractGroupsUserDetailsService(new ExtractGroupsUserDetailsService());
        provider.setServerSpn(servicePrincipal);
        return provider;
    }
}

ExtractGroupsUserDetailsService only gets a SID such as (S-1-2-20-132925241-12333....) rather than an AD group name such as ADMIN. How should ExtractGroupsUserDetailsService be written to extract the group name? Is this information available in the SPNEGO token?

Update

Simply replacing ROLE_ADMIN in the hasRole SpEL with the SID does not work.

Update 2

The given SID string does not match the SID string passed to hasRole, because hasRole prepends ROLE_ to the string passed in. Once I changed ExtractGroupsUserDetailsService to prefix the SID with "ROLE_" (e.g. ROLE_S-1-2-20-132925241-12333...), the match succeeded.

However... how can I get the group name (e.g. ADMIN) rather than the SID in ExtractGroupsUserDetailsService?

No, the Kerberos PAC only contains SIDs, not names. (Windows access control is never based on names.) You still need an LDAP search for those names.
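One way to do the LDAP lookup the answer refers to, as an added example that is not part of the question, the answer or kerb4j: encode each PAC SID into the binary objectSid form that AD matches in a filter, fetch the group's sAMAccountName, and build ROLE_ authorities from the names so that hasRole('ADMIN') can match. The class name, the DirContext, the search base and the choice of sAMAccountName as the role name are assumptions.

```java
import java.nio.*;
import java.util.*;
import java.util.function.Function;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/** Hypothetical helper: resolves PAC group SIDs to AD group names via LDAP and maps them to ROLE_ authorities. */
public class SidRoleMapper {

    /** Encodes a textual SID (S-1-5-21-...) as the escaped binary value AD expects in an (objectSid=...) filter. */
    public static String sidToLdapFilterValue(String sid) {
        String[] p = sid.split("-");
        if (p.length < 3 || !"S".equalsIgnoreCase(p[0])) throw new IllegalArgumentException("Not a SID: " + sid);
        int revision = Integer.parseInt(p[1]);
        long authority = Long.parseLong(p[2]);
        int subCount = p.length - 3;
        ByteBuffer buf = ByteBuffer.allocate(8 + 4 * subCount);
        buf.put((byte) revision).put((byte) subCount);
        for (int i = 5; i >= 0; i--) buf.put((byte) (authority >>> (8 * i))); // 48-bit identifier authority, big-endian
        buf.order(ByteOrder.LITTLE_ENDIAN);
        for (int i = 3; i < p.length; i++) buf.putInt((int) Long.parseLong(p[i])); // sub-authorities, little-endian
        StringBuilder sb = new StringBuilder();
        for (byte b : buf.array()) sb.append(String.format("\\%02x", b)); // RFC 4515 escaping; only digits reach the filter
        return sb.toString();
    }

    /** Finds the group whose objectSid matches and returns its sAMAccountName; empty if the directory has no such group. */
    public static Optional<String> lookupGroupName(DirContext ctx, String searchBase, String sid) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"sAMAccountName"});
        String filter = "(&(objectClass=group)(objectSid=" + sidToLdapFilterValue(sid) + "))";
        NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, sc);
        if (!results.hasMore()) return Optional.empty();
        Attribute name = results.next().getAttributes().get("sAMAccountName");
        return name == null ? Optional.empty() : Optional.of((String) name.get());
    }

    /** Maps each PAC SID to ROLE_<GROUPNAME>; a SID the resolver cannot name falls back to ROLE_<sid> as in Update 2. */
    public static List<GrantedAuthority> toAuthorities(Collection<String> sids, Function<String, Optional<String>> resolver) {
        List<GrantedAuthority> out = new ArrayList<>();
        for (String sid : sids) {
            String role = resolver.apply(sid).map(n -> n.toUpperCase(Locale.ROOT)).orElse(sid);
            out.add(new SimpleGrantedAuthority("ROLE_" + role));
        }
        return out;
    }
}
```

Cache the SID-to-name results (group SIDs change rarely), since resolving every SID on every request reintroduces the per-login LDAP round trip the question hoped to avoid.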