Earlier I covered authentication against a local database (see http://hanqunfeng.iteye.com/blog/1155226). This post shows how to switch that setup to authenticate against Active Directory (AD) [only the username and password are verified against AD; authorities are still stored in the local database].
Remove the following section from the configuration file:
<!-- Authentication manager: custom UserDetailsService, passwords hashed with MD5 -->
<authentication-manager>
    <authentication-provider user-service-ref="userService">
        <password-encoder hash="md5" />
    </authentication-provider>
</authentication-manager>
<beans:bean id="userService" class="com.piaoyi.common.security.UserService" />
and add the following in its place:
<!-- LDAP contextSource: the LDAP (AD) server -->
<!-- Extends org.springframework.ldap.core.support.LdapContextSource -->
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://192.168.159.xxx:389" />
    <beans:property name="userDn" value="cn=admin,cn=Users,dc=piaoyi,dc=local" />
    <beans:property name="password" value="xxxxxxx" />
</beans:bean>

<!-- LDAP authentication provider -->
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg ref="ldapBindAuthenticator" />
    <beans:constructor-arg ref="ldapAuthoritiesPopulator" />
</beans:bean>

<!-- User authentication: bind with the user's own credentials -->
<beans:bean id="ldapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
    <beans:constructor-arg ref="contextSource" />
    <beans:property name="userSearch" ref="userSearch" />
</beans:bean>

<!-- How to locate the user entry -->
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="cn=Users,dc=piaoyi,dc=local" />
    <beans:constructor-arg index="1" value="(sAMAccountName={0})" />
    <beans:constructor-arg index="2" ref="contextSource" />
</beans:bean>

<!-- Role assignment: every user that AD authenticates is granted the HODLE role -->
<beans:bean class="com.netqin.common.security.SimpleRoleGrantingLdapAuthoritiesPopulator" id="ldapAuthoritiesPopulator" />

<!-- Authentication manager; if cookie-based <remember-me/> is used, an LdapUserDetailsService must also be declared -->
<authentication-manager>
    <authentication-provider ref="ldapAuthProvider" />
</authentication-manager>

<!-- ldapUserDetailsService, for <remember-me user-service-ref="ldapUserDetailsService"/> -->
<beans:bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    <beans:constructor-arg index="0" ref="userSearch" />
    <beans:constructor-arg index="1" ref="ldapAuthoritiesPopulator" />
</beans:bean>

Two things to check before deploying this as written: the contextSource URL is plain ldap:// on port 389, so both the service-account bind and every user's password bind cross the network unencrypted unless you switch to ldaps:// (636) or StartTLS; and the service-account password sits in clear text in the XML, so it should come from an externalised property or secret store rather than the file checked into source control. The search filter itself is safe to use with raw user input: FilterBasedLdapUserSearch passes the username to JNDI as a filter argument for {0}, which is escaped rather than spliced into the filter string.
Only one custom class is involved, and it does just one thing: it grants every user who authenticates against AD the HODLE role. Real authorization decisions are still left to the voters, exactly as in the database-backed setup. One caveat on the role name: Spring Security's stock RoleVoter only considers config attributes that start with its rolePrefix (ROLE_ by default) and abstains on everything else, and hasRole('X') in expression-based access control likewise tests for ROLE_X, so the string granted here must match the convention your voter or expressions use.
SimpleRoleGrantingLdapAuthoritiesPopulator:
package com.netqin.common.security;

import java.util.Arrays;
import java.util.Collection;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/**
 * LdapAuthoritiesPopulator that ignores the user's AD entry entirely and
 * hands every successfully authenticated user the same single role.
 * The AD entry (userData) is available here if per-user authorities are
 * ever needed; this class deliberately does not read it.
 */
public class SimpleRoleGrantingLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    /** Role granted to every authenticated user; configurable via setRole(). */
    protected String role = "HODLE";

    @Override
    public Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
        GrantedAuthority ga = new SimpleGrantedAuthority(role);
        return Arrays.asList(ga);
    }

    public String getRole() {
        return role;
    }

    public void setRole(String role) {
        this.role = role;
    }
}
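The same wiring as Spring Security Java configuration, added here as an example; it is not from the original post or the project's own code. It keeps the bean graph of the XML above (context source, user search, bind authenticator, populator, provider, remember-me user details service) but makes two of the changes a reviewer would ask for: the connection is LDAPS instead of plain LDAP, and the service-account DN and password are read from externalised properties rather than hard-coded. The property names ad.url, ad.bind-dn and ad.bind-password, the ldaps:// URL and the ROLE_HODLE role name are assumptions introduced for this example, as is the use of a PropertySourcesPlaceholderConfigurer (or Spring Boot) to resolve the placeholders.

```java
package com.netqin.common.security;

import java.util.Arrays;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;

/**
 * Added example (not part of the original post): the XML configuration above
 * expressed as Java config, with LDAPS and externalised bind credentials.
 */
@Configuration
public class AdAuthenticationConfig {

    // Assumed property, e.g. ad.url=ldaps://ad.piaoyi.local:636 (LDAPS, not ldap://...:389),
    // so neither the service-account bind nor the user's password bind is sent in clear text.
    @Value("${ad.url}")
    private String adUrl;

    // Assumed properties; the service account only needs read access to cn=Users.
    @Value("${ad.bind-dn}")
    private String bindDn;

    @Value("${ad.bind-password}")
    private String bindPassword;

    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        DefaultSpringSecurityContextSource cs = new DefaultSpringSecurityContextSource(adUrl);
        cs.setUserDn(bindDn);
        cs.setPassword(bindPassword);
        return cs; // afterPropertiesSet() is called by the container
    }

    @Bean
    public FilterBasedLdapUserSearch userSearch() {
        // Same base and filter as the XML. {0} is passed to JNDI as a filter argument,
        // so the submitted username is escaped, not concatenated into the filter.
        return new FilterBasedLdapUserSearch("cn=Users,dc=piaoyi,dc=local",
                "(sAMAccountName={0})", contextSource());
    }

    @Bean
    public SimpleRoleGrantingLdapAuthoritiesPopulator ldapAuthoritiesPopulator() {
        SimpleRoleGrantingLdapAuthoritiesPopulator populator = new SimpleRoleGrantingLdapAuthoritiesPopulator();
        // Assumed role name: ROLE_ prefix so the stock RoleVoter and hasRole('HODLE') recognise it.
        populator.setRole("ROLE_HODLE");
        return populator;
    }

    @Bean
    public LdapAuthenticationProvider ldapAuthProvider() {
        // BindAuthenticator: look the user up with the service account, then bind as
        // the found DN with the submitted password. It rejects empty passwords itself,
        // which matters against AD because an empty password would otherwise become
        // an unauthenticated bind that the directory accepts.
        BindAuthenticator bindAuthenticator = new BindAuthenticator(contextSource());
        bindAuthenticator.setUserSearch(userSearch());
        return new LdapAuthenticationProvider(bindAuthenticator, ldapAuthoritiesPopulator());
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        // Equivalent of <authentication-manager><authentication-provider ref="ldapAuthProvider"/>
        return new ProviderManager(Arrays.<AuthenticationProvider>asList(ldapAuthProvider()));
    }

    @Bean
    public LdapUserDetailsService ldapUserDetailsService() {
        // Needed only for cookie-based remember-me, as noted in the XML comment.
        return new LdapUserDetailsService(userSearch(), ldapAuthoritiesPopulator());
    }
}
```

With LDAPS the JVM must trust the certificate the domain controller presents; either import the AD CA certificate into the truststore used by the application or point javax.net.ssl.trustStore at one that contains it. Do not work around a failing handshake by falling back to ldap://, since that silently reintroduces the clear-text password binds the change is meant to remove.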
References:
http://lengyun3566.iteye.com/blog/1358310