spring - 如何使用 LDAP 和基于角色的数据库授予权限来实现 Spring Security？

问题描述

我在 Spring MVC Thymeleaf 项目中工作，其中具有数据库和基于角色的授予权限的 LDAP 安全性是最终用户的必备要求。

我需要的

主要身份验证应由 LDAP 执行
必须在数据库中配置用户角色和授予权限以及 LDAP 用户名

example: 
LDAP user: nahid@test.com
Role: Admin
Granted Authorities for "Admin" role: permission_x,permission_y etc
将在网页中用作“hasAuthority(“permission_x”)”

LDAP认证后，系统会检查数据库中是否存在用户为白名单用户
白名单检查后，为用户加载角色和权限，对加载的权限（非角色）进行授权

我发现的是这里：

具有 LDAP 和数据库角色的 Spring Security，这有点过时了
https://spring.io/guides/gs/authenticating-ldap/仅显示 LDAP 身份验证。
https://www.baeldung.com/role-and-privilege-for-spring-security-registration授予权限示例

现在我的问题是：

我需要用 LDAP 用户名存储 LDAP 密码吗？如果是，它安全吗？
上述场景是否存在任何示例？
细粒度的授予权限是否适用于 LDAP 用户？

LDAP 身份验证和基于 jdbc 的授权如何协同工作？有人可以帮忙吗？

提前致谢

标签： springspring-bootspring-mvcspring-securityldap

Since I have found a solution, I am sharing my own answer here. Hope it will help others:

My Answers are:

No Password needs to be stored in the database.
Not exactly
Yes, fine-grained granted authority works perfectly for LDAP users

How I solved my problem:

Step 1:

The trick is using a UserDetailsContextMapper with UserDetails provided by regular UserDetailsService.

example:

 @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .ldapAuthentication()
                .userDetailsContextMapper(userDetailsContextMapper())
                .userDnPatterns("uid={0},ou=people")
                .groupSearchBase("ou=groups")
                .contextSource()
                .url("ldap://localhost:8389/dc=springframework,dc=org")
                .and()
                .passwordCompare()
                .passwordEncoder(new BCryptPasswordEncoder())
                .passwordAttribute("userPassword");
    }


 @Bean
    public UserDetailsContextMapper userDetailsContextMapper() {
        return new LdapUserDetailsMapper() {
            @Override
            public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
                UserDetails details= userDetailsService.loadUserByUsername(username+"@test.com");
                return  details;
            }
        };
    }

After successful LDAP authentication, it will try to load valid registered user to the context with all granted authorities.

Step 2

hasAuthority didn't work for me. I have used something like below:

<div sec:authorize="hasRole('SOME_PRIVILEGE')">
            <div class="alert alert-success" role="alert">
                This is secret DIV
            </div>
        </div>

For a quick check, you can use below:

<span sec:authentication="principal.authorities"></span>

I hope it will help somebody someday.

Happy Coding!

Edit: For LDAP over SSL and Spring Boot

spring - 如何使用 LDAP 和基于角色的数据库授予权限来实现 Spring Security？

问题描述

解决方案

推荐阅读