I've been wondering if there's a way to configure Spring Security LDAP plugin to perform the authentication not in the standard way but as follows:
If one is able to connect and log in to the LDAP server, then the user is authenticated.
Read the authorization from this user's account on LDAP (this is probably the default behavior).
So basically, instead of having the master account configured, one uses the user/pass passed on by the user to actually perform the login (which, if successful, allows the user to fetch the other data).
Thanks in advance!
Hope you're still looking for this. What it sounds like is a good step in the right direction is the BindAuthenticator. You'd have to change the authorities populator to not use the security context source though. I believe the default populator uses a connection pool with the appropriate admin account.
Here is a sample of a setup with a BindAuthenticator and a custom AuthoritiesPopulator.
<bean id="authPopulator" class="org.springframework.security.ldap.populator.CustomLdapAuthoritiesPopulator">
    <constructor-arg ref="securityContextSource"/>
    <constructor-arg value="ou=Roles,o=data"/>
    <property name="groupRoleAttribute" value="resourceGroupType"/>
    <property name="groupSearchFilter" value="member={0}"/>
</bean>

<bean id="ldap-authentication-provider"
      class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg ref="securityContextSource"/>
            <property name="userDnPatterns">
                <list>
                    <value>cn={0},ou=users,o=system</value>
                    <value>cn={0},ou=users,o=xyz</value>
                    <value>cn={0},ou=users,ou=external,o=xyz</value>
                </list>
            </property>
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
    <constructor-arg ref="authPopulator"/>
    <s:custom-authentication-provider/>
</bean>
Here is my context source def:
<bean id="securityContextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://192.168.254.254:389"/>
    <property name="userDn" value="cn=admin,ou=users,o=xyz"/>
    <property name="password" value="password"/>
</bean>
I decided to test the context source without a username or password and it appears to work partially. Here is my log output.
[java] - Authentication success: org.springframework.security.providers.UsernamePasswordAuthenticationToken@79107ad5: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@3d1a70a7: Username: internalUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: a2a3a505521919d529e75c6d14081f6b; Granted Authorities: ROLE_USER
[java] - Updated SecurityContextHolder to contain the following Authentication: 'org.springframework.security.providers.UsernamePasswordAuthenticationToken@79107ad5: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@3d1a70a7: Username: internalUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: a2a3a505521919d529e75c6d14081f6b; Granted Authorities: ROLE_USER'
I don't get any errors, but it doesn't populate all of the roles. That might be an eDirectory permissions issue or you might have to create your own authorities populator. The populator does get passed the user dirContext.
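The answer's suggestion is a BindAuthenticator (the directory validates the user's own password by binding as that user's DN) plus an authorities populator that does not need the admin-bound context source. The class below is an added example, not code from the original post or from Spring Security itself: it implements the Spring Security 2.x `LdapAuthoritiesPopulator` interface used by the packages in the post and derives roles from the group-membership attribute on the user's own entry, which the BindAuthenticator hands to the populator as `userData` after a successful bind. The attribute name `groupMembership`, the `ROLE_` prefix, the package name and the simple DN parsing (which does not handle escaped commas) are assumptions.

```java
// Added example (not from the original post or from Spring Security):
// an LdapAuthoritiesPopulator that builds roles from the authenticated user's
// own entry instead of searching the directory through the admin-bound
// context source. Targets the Spring Security 2.x packages seen in the post.
package example.ldap; // hypothetical package name

import java.util.ArrayList;
import java.util.List;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.ldap.LdapAuthoritiesPopulator;

public class UserEntryAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    // Assumed: multi-valued attribute holding group DNs on the user entry,
    // e.g. "groupMembership" on eDirectory or "memberOf" elsewhere.
    private final String membershipAttribute;
    private final String rolePrefix;

    public UserEntryAuthoritiesPopulator(String membershipAttribute, String rolePrefix) {
        this.membershipAttribute = membershipAttribute;
        this.rolePrefix = rolePrefix;
    }

    // Called by LdapAuthenticationProvider after BindAuthenticator has bound
    // as the user. userData carries the attributes read from the user's entry,
    // so no admin credentials are involved here; the user must however be
    // allowed to read its own membership attribute, or the list comes back empty.
    public GrantedAuthority[] getGrantedAuthorities(DirContextOperations userData, String username) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();

        String[] groupDns = userData.getStringAttributes(membershipAttribute);
        if (groupDns != null) {
            for (String groupDn : groupDns) {
                String role = roleFromGroupDn(groupDn);
                if (role != null) {
                    authorities.add(new GrantedAuthorityImpl(role));
                }
            }
        }

        // Every user who passed the bind gets a baseline role, matching the
        // ROLE_USER seen in the post's log output.
        authorities.add(new GrantedAuthorityImpl(rolePrefix + "USER"));
        return authorities.toArray(new GrantedAuthority[authorities.size()]);
    }

    // Maps a group DN to a role name using its leftmost RDN value:
    // "cn=admins,ou=Roles,o=data" -> "ROLE_ADMINS".
    // Simple parse: assumes the leftmost RDN has no escaped commas.
    String roleFromGroupDn(String groupDn) {
        if (groupDn == null) {
            return null;
        }
        String firstRdn = groupDn.split(",", 2)[0].trim();
        int eq = firstRdn.indexOf('=');
        if (eq < 0 || eq == firstRdn.length() - 1) {
            return null;
        }
        String value = firstRdn.substring(eq + 1).trim();
        return rolePrefix + value.toUpperCase().replace(' ', '_');
    }
}
```

To wire it in, the `authPopulator` bean in the configuration above would point at this class with two constructor arguments (the attribute name and the prefix) and no reference to `securityContextSource`; the context source is then needed only for the BindAuthenticator's connection, and the `userDn`/`password` properties on it can be dropped when every lookup runs under the user's own bind. Roles still missing after this change indicate the entry's membership attribute is not readable by the user itself, which is the directory permissions case the answer mentions.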