【Question title】: Spring Security custom ldapAuthenticationProvider + custom ldapAuthoritiesPopulator
【Posted】: 2018-01-13 22:37:09
【Question】:

Is it possible to use a custom ldap authentication provider and a custom ldap authorities populator at the same time?

I don't want to restart my application every time the ldap server is briefly unreachable (so I need a custom provider that creates a new context and overrides the authenticate method on every login).

On the other hand, I need to create custom roles for each membership of the ldap user (I need to override getGrantedAuthorities).

【Discussion】:

    Tags: spring-security spring-security-ldap


    【Answer 1】:

    To implement a custom ldap authentication provider you need to create a class that extends AbstractLdapAuthenticator

    import org.springframework.ldap.core.DirContextOperations;
    import org.springframework.ldap.core.support.BaseLdapPathContextSource;
    import org.springframework.security.authentication.BadCredentialsException;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.ldap.authentication.AbstractLdapAuthenticator;

    public class BindPasswordAuthentificator extends AbstractLdapAuthenticator {

        public BindPasswordAuthentificator(BaseLdapPathContextSource contextSource) {
            super(contextSource);
        }

        @Override
        public DirContextOperations authenticate(Authentication authentication) {
            DirContextOperations user;

            String username = authentication.getName();
            String password = (String) authentication.getCredentials();

            // authenticateByLdap is left for you to implement: bind to the directory as this
            // user and return the user's entry, or null when the bind is rejected
            user = authenticateByLdap(username, password); // authenticate user here

            if (user == null) {
                // "messages" is the MessageSourceAccessor inherited from AbstractLdapAuthenticator
                throw new BadCredentialsException(
                        messages.getMessage("BindAuthenticator.badCredentials", "Bad credentials"));
            }

            return user;
        }
    }
    

    To implement the ldap authorities populator you need to create a class derived from LdapAuthoritiesPopulator

    import java.util.Collection;
    import java.util.HashSet;
    import org.springframework.ldap.core.DirContextOperations;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

    public class CustomLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {

        @Override
        public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
            // userData is the directory entry returned by the authenticator; username is the login name
            Collection<GrantedAuthority> gauth = new HashSet<>();
            // you need to place the logic for populating user authorities here
            return gauth;
        }
    }
    

    After that you need to configure both classes in your configuration

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.boot.autoconfigure.security.SecurityProperties;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.PropertySource;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
    import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;

    @Configuration
    @PropertySource("classpath:application.properties")
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        // LDAP URL of the form ldap://host:port/base_dn; the base DN is taken from the URL path
        @Value("${life.ldap.server}")
        private String ldapServer;

        @Autowired
        public void globalUserDetails(final AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(ldapAuthenticationProvider());
        }

        // the provider combines the custom authenticator with the custom authorities populator
        @Bean
        public LdapAuthenticationProvider ldapAuthenticationProvider() {
            return new LdapAuthenticationProvider(authentificator(), authPopulator());
        }

        @Bean
        public BindPasswordAuthentificator authentificator() {
            return new BindPasswordAuthentificator(contextSource());
        }

        @Bean
        public DefaultSpringSecurityContextSource contextSource() {
            return new DefaultSpringSecurityContextSource(ldapServer);
        }

        @Bean
        public CustomLdapAuthoritiesPopulator authPopulator() {
            CustomLdapAuthoritiesPopulator result = new CustomLdapAuthoritiesPopulator();
            return result;
        }

        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Override
        protected void configure(final HttpSecurity http) throws Exception {
            http.authorizeRequests().antMatchers("/login").permitAll()
                    .antMatchers("/oauth/token/revokeById/**").permitAll()
                    .antMatchers("/tokens/**").permitAll()
                    .anyRequest().authenticated()
                    .and().formLogin().permitAll()
                    // note: this switches CSRF protection off for the whole application, including the form login
                    .and().csrf().disable();
        }
    }
    

    【Comments】:

    • Could you explain how to implement authenticateByLdap(username, password)? How do you set the ldap url, userdn & groupSearchBase("ou=groups")? Thanks
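The comment above asks what goes into authenticateByLdap and where the url, user DN and group search base are set. The listing below is an added example, not code from the answer: it fills in authenticateByLdap with a bind-per-login (the context is opened and closed inside the method, which is what the question needs so that a briefly unreachable server is retried on the next login), and pairs it with a populator that turns group membership into roles. The class names BindByDnAuthenticator and GroupMembershipAuthoritiesPopulator, the user DN pattern "uid={0},ou=people", the group base "ou=groups" and the "member"/"cn" attributes are assumptions about the directory layout; adjust them to yours.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import javax.naming.Name;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.support.LdapEncoder;
import org.springframework.ldap.support.LdapUtils;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticator;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

// Added example (not the answer's code): bind as the user on every login, keeping no connection between logins.
public class BindByDnAuthenticator extends AbstractLdapAuthenticator {

    private final String userDnPattern; // assumed layout, e.g. "uid={0},ou=people", relative to the base DN

    public BindByDnAuthenticator(BaseLdapPathContextSource contextSource, String userDnPattern) {
        super(contextSource);
        this.userDnPattern = userDnPattern;
    }

    @Override
    public DirContextOperations authenticate(Authentication authentication) {
        String username = authentication.getName();
        String password = (String) authentication.getCredentials();
        DirContextOperations user = authenticateByLdap(username, password);
        if (user == null) {
            // "messages" is inherited from AbstractLdapAuthenticator
            throw new BadCredentialsException(messages.getMessage("BindAuthenticator.badCredentials", "Bad credentials"));
        }
        return user;
    }

    private DirContextOperations authenticateByLdap(String username, String password) {
        BaseLdapPathContextSource source = (BaseLdapPathContextSource) getContextSource();
        // Escape the login name so it cannot add or alter RDNs in the constructed DN.
        Name userDn = LdapUtils.newLdapName(userDnPattern.replace("{0}", LdapEncoder.nameEncode(username)));
        Name fullDn = LdapUtils.prepend(userDn, source.getBaseLdapName());
        DirContext ctx = null;
        try {
            // Fresh bind per login, closed in finally: a directory that was briefly
            // unreachable is simply retried on the next login, no restart needed.
            ctx = source.getContext(fullDn.toString(), password);
            Attributes attrs = ctx.getAttributes(userDn, getUserAttributes());
            return new DirContextAdapter(attrs, userDn, source.getBaseLdapName());
        } catch (org.springframework.ldap.AuthenticationException e) {
            return null; // wrong password or unknown DN: reported as bad credentials by the caller
        } catch (javax.naming.NamingException e) {
            // Unreachable server or other directory error: surface it rather than
            // calling it "bad credentials" (LdapAuthenticationProvider wraps it).
            throw LdapUtils.convertLdapException(e);
        } finally {
            LdapUtils.closeContext(ctx);
        }
    }
}

// Maps every group that lists the user in "member" to ROLE_<CN>; second class of the same listing.
class GroupMembershipAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private final LdapTemplate ldapTemplate;
    private final String groupSearchBase; // assumed, e.g. "ou=groups", relative to the base DN

    GroupMembershipAuthoritiesPopulator(BaseLdapPathContextSource contextSource, String groupSearchBase) {
        this.ldapTemplate = new LdapTemplate(contextSource);
        this.groupSearchBase = groupSearchBase;
    }

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
        // "(member=<user DN>)": EqualsFilter encodes the value so it cannot inject filter syntax.
        String filter = new EqualsFilter("member", userData.getNameInNamespace()).encode();
        List<String> groupNames = ldapTemplate.search(groupSearchBase, filter, (AttributesMapper<String>) attrs -> {
            Attribute cn = attrs.get("cn");
            return cn == null ? null : (String) cn.get();
        });
        Collection<GrantedAuthority> authorities = new HashSet<>();
        for (String cn : groupNames) {
            if (cn != null) {
                authorities.add(new SimpleGrantedAuthority("ROLE_" + cn.toUpperCase(Locale.ROOT).replace(' ', '_')));
            }
        }
        return authorities;
    }
}
```

To wire it into the answer's configuration, build the provider as `new LdapAuthenticationProvider(new BindByDnAuthenticator(contextSource(), "uid={0},ou=people"), new GroupMembershipAuthoritiesPopulator(contextSource(), "ou=groups"))` in place of the two beans shown there. The ldap url is the `life.ldap.server` property that feeds DefaultSpringSecurityContextSource, for example `ldap://ldap.example.internal:389/dc=example,dc=com` (a constructed value): the path part of that URL is the base DN, and both the user DN pattern and the group search base are resolved relative to it. The two classes are shown in one listing for brevity; in a project each goes in its own file.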