如何解决带有弹簧安全性的LDAP身份验证,无需指定组
我想在所有组(ou)的ldap服务器下对用户进行身份验证。我无法为ldap服务器下的所有组配置它。我想允许所有用户登录我的spring mvc应用程序。目前,我正在对两个组(OU)下的用户进行身份验证,它对我来说效果很好。现在,我想要一个通用的解决方案来对用户进行身份验证并获取其组。
@Configuration
@EnableWebSecurity
@EnableGlobalAuthentication
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// Session management 10 minutes
http.sessionManagement().maximumSessions(10);
http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin();
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.ldapAuthentication().userDnPatterns("cn={0},ou=people,ou=gruops,dc=ABC,dc=COM").userSearchBase("cn={0}").contextSource()
.url("ldap://abc.com:389");
}
@Bean
public LdapContextSource contextSource() {
// DefaultSpringSecurityContextSource
LdapContextSource contextSource = new LdapContextSource();
contextSource.setUrl("ldap://abc.com:389");
contextSource.setBase("dc=ABC,dc=COM");
return contextSource;
}
@Bean
public LdapTemplate ldapTemplate() {
LdapTemplate ldapTemplate = new LdapTemplate(contextSource());
ldapTemplate.setIgnorePartialResultException(true);
return ldapTemplate;
}
**Then i am authenticating users using ldapContextSource in Controller Class**
------------------------------------------------------------------------
@Autowired
LdapContextSource contextSource;
private boolean validateUser(String userName,Stirng password) {
String userDn = "cn=" + userName.toLowerCase() + "ou=people,ou=groups,dc=COM";
System.out.println("Inside Utility.Authenticate method");
DirContext ctx = null;
try {
ctx = contextSource.getContext(userDn,password);
return true;
} catch (Exception e) {
// Context creation Failed - authentication did not succeed
System.out.println("Login Failed" + e);
// logger.error();
return false;
} finally {
// It is imperative that the created DirContext instance is always closed
LdapUtils.closeContext(ctx);
}
}
**This works well for two groups(ou=people,ou=groups). I have other organizational units under ldap://abc.com:389. I want to allow all the groups under ldap server without specifying them all.**
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。