【Question title】: Spring Security 3.1: Active Directory Authentication and local DB Authorization
【Posted】: 2013-09-21 14:06:13
【Question description】:

I am using Spring Security 3.1 for Active Directory authentication, with a local database for loading the authorities. I have looked at similar examples, but it is still not clear to me what I should use. My current setup in spring-security.xml is:

  <!-- LDAP server details -->
  <security:authentication-manager>
    <security:authentication-provider ref="ldapActiveDirectoryAuthProvider" />
  </security:authentication-manager>


  <beans:bean id="ldapActiveDirectoryAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <beans:constructor-arg value="${ldap.domain}" />
    <beans:constructor-arg value="${ldap.url}" />
    <beans:property name="useAuthenticationRequestCredentials" value="true" />
    <beans:property name="convertSubErrorCodesToExceptions" value="true" />
  </beans:bean>

I have a class, let's call it "BookStoreDbAuthPopulator.java". In this class I call this method:

    // Load additional authorities and create an Authentication object
    final List<GrantedAuthority> authorities = loadRolesFromDatabaseHere();

What I still don't understand: which interface should "BookStoreDbAuthPopulator.java" implement so that the authorities loaded from the DB are added to the UserDetails? "UserDetailsContextMapper", "GrantedAuthoritiesMapper" or "AuthenticationProvider"?

Based on this solution: Spring Security 3 Active Directory Authentication, Database Authorization, "BookStoreDbAuthPopulator.java" should implement "AuthenticationProvider". My doubt is whether I should use "BookStoreDbAuthPopulator.java" as a property of the "ldapActiveDirectoryAuthProvider" bean?

Many thanks.

【Question discussion】:

    Tags: authentication spring-security active-directory spring-security-ldap


    【Solution 1】:

    My final solution was for "BookStoreDbAuthPopulator.java" to implement "UserDetailsContextMapper".

    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.List;
    import org.springframework.jdbc.core.JdbcTemplate;
    import org.springframework.ldap.core.DirContextAdapter;
    import org.springframework.ldap.core.DirContextOperations;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
    
    public class BookStoreDbAuthPopulator implements UserDetailsContextMapper {
       // JdbcTemplate for the local DB, to be injected by Spring (e.g. via a <beans:property> on this bean)
       private JdbcTemplate jdbcTemplate;
    
       public void setJdbcTemplate(JdbcTemplate jdbcTemplate) {
          this.jdbcTemplate = jdbcTemplate;
       }
    
       // populating roles assigned to the user from AUTHORITIES table in DB
       private List<SimpleGrantedAuthority> loadRolesFromDatabase(String username) {
          // original query: "SELECT ROLE FROM AUTHORITIES WHERE LCASE(USERNAME) LIKE ?"
          // '=' is used here so that '%' or '_' in a username cannot act as LIKE wildcards
          List<String> roles = jdbcTemplate.queryForList(
                "SELECT ROLE FROM AUTHORITIES WHERE LCASE(USERNAME) = ?", String.class, username.toLowerCase());
          List<SimpleGrantedAuthority> result = new ArrayList<SimpleGrantedAuthority>();
          for (String role : roles) {
             result.add(new SimpleGrantedAuthority(role));
          }
          return result;
       }
    
       @Override
       public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
          // authorities: AD group memberships already resolved by ActiveDirectoryLdapAuthenticationProvider
          List<GrantedAuthority> allAuthorities = new ArrayList<GrantedAuthority>();
          for (GrantedAuthority auth : authorities) {
             if (auth != null && auth.getAuthority() != null && !auth.getAuthority().isEmpty()) {
                allAuthorities.add(auth);
             }
          }
          // add additional roles from the database table
          allAuthorities.addAll(loadRolesFromDatabase(username));
          // empty password: the user has already been authenticated against AD, the DB only supplies roles
          return new User(username, "", true, true, true, true, allAuthorities);
       }
    
       @Override
       public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
          // nothing to write back to the directory
       }
    }
    

    Then in spring-security.xml:

      <!-- AuthenticationManager: AuthenticationProvider, LDAP server details -->
      <security:authentication-manager alias="authenticationManager">
         <security:authentication-provider ref="ldapActiveDirectoryAuthProvider" />
      </security:authentication-manager>
    
      <beans:bean id="ldapActiveDirectoryAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
         <!-- the domain name (may be null or empty). If no domain name is configured, it is assumed that the username will always contain the domain name. -->
         <beans:constructor-arg value="${ldap.domain}" />
         <!-- an LDAP url (or multiple URLs) -->
         <beans:constructor-arg value="${ldap.url}" />
         <!-- Determines whether the supplied password will be used as the credentials in the successful authentication token. -->
         <beans:property name="useAuthenticationRequestCredentials" value="true" />
         <!-- by setting this property to true, when the authentication fails the error codes will also be used to control the exception raised. -->
         <beans:property name="convertSubErrorCodesToExceptions" value="true" />
         <!-- for customizing user authorities -->
         <beans:property name="userDetailsContextMapper" ref="myUserDetailsContextMapper" />
      </beans:bean>
    
      <!-- Customizing UserDetails -->
      <beans:bean id="myUserDetailsContextMapper" class="com.mybookstore.mywebcomp.w.BookStoreDbAuthPopulator">
      </beans:bean>
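    As an added, stand-alone illustration that is not part of the original post or the answer: the class below implements the same UserDetailsContextMapper contract the accepted answer uses and exercises it without a Spring context or a domain controller, so you can see exactly what the provider hands the mapper and what comes back. It assumes spring-security-ldap 3.1, spring-jdbc and the H2 driver on the classpath; the AUTHORITIES table, the user names, the AD group names and the ROLE_ values are constructed for the demo. The point it demonstrates: the mapper is only called after ActiveDirectoryLdapAuthenticationProvider has bound to AD with the user's password, so the username it receives is directory-verified, the local table holds roles and no credentials, and the role lookup is a parameterised query with an equality match rather than LIKE, so a username containing "%" or "_" cannot widen the match.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import javax.sql.DataSource;

import org.h2.jdbcx.JdbcDataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

/**
 * Demo (not code from the original post): a UserDetailsContextMapper that merges
 * the AD group authorities supplied by ActiveDirectoryLdapAuthenticationProvider
 * with roles read from a local AUTHORITIES table. An in-memory H2 database
 * stands in for the real local DB.
 */
public class DbRoleContextMapperDemo {

    /** Same contract as the accepted answer's BookStoreDbAuthPopulator. */
    public static class DbRoleContextMapper implements UserDetailsContextMapper {
        private final JdbcTemplate jdbc;

        public DbRoleContextMapper(DataSource dataSource) {
            this.jdbc = new JdbcTemplate(dataSource);
        }

        @Override
        public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                              Collection<? extends GrantedAuthority> authorities) {
            List<GrantedAuthority> merged = new ArrayList<GrantedAuthority>();
            for (GrantedAuthority a : authorities) {
                if (a != null && a.getAuthority() != null && !a.getAuthority().isEmpty()) {
                    merged.add(a); // AD group memberships, already resolved by the provider
                }
            }
            // Bind variable (no SQL injection) and '=' instead of LIKE, so '%' or '_'
            // in the username are literal characters, not wildcards.
            List<String> roles = jdbc.queryForList(
                    "SELECT ROLE FROM AUTHORITIES WHERE LCASE(USERNAME) = ?",
                    String.class, username.toLowerCase());
            for (String role : roles) {
                merged.add(new SimpleGrantedAuthority(role));
            }
            // Empty password: the AD bind already authenticated the user; the DB holds roles only.
            return new User(username, "", true, true, true, true, merged);
        }

        @Override
        public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
            // write-back to the directory is not supported in this setup
        }
    }

    /** Constructed sample data: an in-memory AUTHORITIES table with two users. */
    static DataSource sampleDatabase() {
        JdbcDataSource ds = new JdbcDataSource();
        ds.setURL("jdbc:h2:mem:authz;DB_CLOSE_DELAY=-1");
        JdbcTemplate jdbc = new JdbcTemplate(ds);
        jdbc.execute("CREATE TABLE AUTHORITIES (USERNAME VARCHAR(64), ROLE VARCHAR(64))");
        jdbc.update("INSERT INTO AUTHORITIES VALUES ('Alice', 'ROLE_BOOK_EDITOR')");
        jdbc.update("INSERT INTO AUTHORITIES VALUES ('alice', 'ROLE_REPORTS')");
        jdbc.update("INSERT INTO AUTHORITIES VALUES ('bob',   'ROLE_BOOK_VIEWER')");
        return ds;
    }

    public static void main(String[] args) {
        UserDetailsContextMapper mapper = new DbRoleContextMapper(sampleDatabase());

        // What the provider passes in after a successful AD bind: the user's directory
        // entry and the authorities derived from its memberOf attribute (constructed here).
        DirContextAdapter entry = new DirContextAdapter();
        Collection<GrantedAuthority> adGroups = Arrays.<GrantedAuthority>asList(
                new SimpleGrantedAuthority("Domain Users"),
                new SimpleGrantedAuthority("BookStore Staff"));

        UserDetails alice = mapper.mapUserFromContext(entry, "alice", adGroups);
        System.out.println("alice -> " + alice.getAuthorities());

        // A username made of a wildcard character picks up no rows, because '=' is used.
        UserDetails odd = mapper.mapUserFromContext(entry, "%", adGroups);
        System.out.println("%     -> " + odd.getAuthorities());
    }
}
```

    Running main shows "alice" receiving both constructed AD group authorities plus the two ROLE_ entries stored under either spelling of her name (the LCASE comparison makes the lookup case-insensitive, matching AD's case-insensitive sAMAccountName), while the "%" user receives only the AD authorities. In the real wiring, the DataSource would be injected into the bean declared in spring-security.xml instead of being built in sampleDatabase().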
    

    【Discussion】:
