我目前正致力于将我的应用程序与公司ldap集成 . 虽然我能够让应用程序实际检查ldap上的用户进行身份验证,但用户无法克服Spring安全性ROLES配置 . 我得到:“拒绝抱歉,您无权查看此页面 . ”每次我尝试输入@Secured(['ROLE_USER'])的页面 . 我想知道如何在LDAP上添加每个用户以获得ROLE_USER,以便他能够完全使用应用程序 .
我的ldap配置非常简单:
grails.plugin.springsecurity.providerNames = ['ldapAuthProvider','anonymousAuthenticationProvider','rememberMeAuthenticationProvider']
grails.plugin.springsecurity.ldap.context.anonymousReadOnly = true
grails.plugin.springsecurity.ldap.context.server = "SOME LDAP ADRESS"
grails.plugin.springsecurity.ldap.authorities.groupSearchBase = 'ou=Employees,O=*****,C=****'
grails.plugin.springsecurity.ldap.search.base = 'O=****,C=****'
grails.plugin.springsecurity.ldap.authorities.retrieveGroupRoles = true
grails.plugin.springsecurity.ldap.authorities.retrieveDatabaseRoles = true
grails.plugin.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}'
grails.plugin.springsecurity.ldap.search.attributesToReturn = null
Spring安全核心是默认核心:
// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'amelinium1.grails.SecUser'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'amelinium1.grails.SecUserSecRole'
grails.plugin.springsecurity.authority.className = 'amelinium1.grails.SecRole'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/**': ['permitAll'],
'/**/systeminfo': ['permitAll'],
'/**/js/**': ['permitAll'],
'/**/css/**': ['permitAll'],
'/**/images/**': ['permitAll']]
grails.plugin.springsecurity.logout.postOnly = false
http://grails-plugins.github.io/grails-spring-security-core/docs/manual/guide/single.pdf上提供的文档似乎不是最新的,即使它是针对2.0版本的spring安全核心 . 我试图实现Custom GrailsUser和GrailsUserDetailsService,但它们似乎与插件的其余部分混合在一起 . (基于文档的实现) .
任何人都可以向我指出正确的方向,并提供有关如何在最新版本2.0-RC2中实施LDAP的一些信息?
EDIT
我的CustomUserDetailsService类,但我不确定它是否正确配置LDAP:
class CustomUserDetailsService implements GrailsUserDetailsService{
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User.withTransaction { status ->
User user = User.findByUsername(username)
if (!user) throw new UsernameNotFoundException('User not found', username)
def authorities = user.authorities.collect {new GrantedAuthorityImpl(it.authority)}
return new CustomUserDetails(user.username, user.password, user.enabled,
!user.accountExpired, !user.passwordExpired,
!user.accountLocked, authorities ?: NO_ROLES, user.id,
user.firstName, user.lastName)
} as UserDetails
}
@Override
public UserDetails loadUserByUsername(String username, boolean loadRoles)
throws UsernameNotFoundException, DataAccessException {
return loadUserByUsername(username);
}
}
和CustomUserDetails类:
class CustomUserDetails extends GrailsUser{
final String firstName
final String lastName
CustomUserDetails(String username, String password, boolean enabled,
boolean accountNonExpired, boolean credentialsNonExpired,
boolean accountNonLocked,
Collection<GrantedAuthority> authorities,
long id, String firstName, String lastName) {
super(username, password, enabled, accountNonExpired,
credentialsNonExpired, accountNonLocked, authorities, id)
this.firstName = firstName
this.lastName = lastName
}
}
问题是我无法从LDAP获取其他信息而不是ldap登录用户名 . 非常感谢这里的帮助 . 在重新编写应用程序后,我会得到以下错误,例如:没有方法签名:static org.springframework.security.core.userdetails.User.findByUsername()适用于参数类型:(java.lang.String)values:[海杜克]
1 回答
默认情况下,Spring Security插件从数据库中获取用户和角色数据 . 负责读取用户和角色数据的Spring bean名为
userDetailsService. 如果您想从其他地方获取用户和角色数据 - 例如LDAP - 你只需要用你自己的bean替换它,例如不要忘记在
resources.groovy中将此类注册为Spring bean有一些插件可以将Spring Security与LDAP集成,但我更愿意自己动手,因为它非常简单 . 文档提供自定义
UserDetailsService的an example . 请注意,在编写自己的UserDetailsService/UserDetails实现时,没有必要扩展任何特定的类,并且为了调试它可能更容易直接实现接口 .