摘要:通常在根據(jù)進(jìn)行身份驗(yàn)證時(shí)一般進(jìn)行以下三步利用一個(gè)用戶(hù)的用戶(hù)名和密碼綁定到服務(wù)器�����。這里使用來(lái)簡(jiǎn)化操作用戶(hù)名不存在拋出異常用戶(hù)被管理員鎖定拋出異常角色加入認(rèn)證對(duì)象權(quán)限加入認(rèn)證對(duì)象關(guān)鍵的代碼如下�,驗(yàn)證用戶(hù)和獲取用戶(hù)信息的配置如下
通常在根據(jù)LDAP進(jìn)行身份驗(yàn)證時(shí)一般進(jìn)行以下三步:
利用一個(gè)LDAP用戶(hù)的用戶(hù)名和密碼綁定到LDAP服務(wù)器��。
在LDAP中檢索一個(gè)用戶(hù)的條目�,然后將提供的密碼和檢索到的LDAP記錄中進(jìn)行驗(yàn)證��。
根據(jù)LDAP提供的記錄��,再去本系統(tǒng)中查找授權(quán)信息�����。
Shiro 提供了DefaultLdapRealm��,只做了第二步����,根據(jù)用戶(hù)的條目和密碼來(lái)驗(yàn)證。并不能滿(mǎn)足我們的需求���,所以肯定是要定制化LdapRealm����。
這里使用Spring Ldap 來(lái)簡(jiǎn)化Ldap操作
public class LdapRealm extends AuthorizingRealm {
private static final Logger logger = LoggerFactory.getLogger(LdapRealm.class);
private LdapTemplate ldapTemplate;
@Autowired
private UserService userService;
@Autowired
private RoleService roleService;
@Autowired
private MenuService menuService;
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String username = (String) token.getPrincipal();
String password = new String((char[]) token.getCredentials());
try {
LdapQuery ldapQuery = LdapQueryBuilder.query().base("DC=example,DC=com").searchScope(SearchScope.SUBTREE)
.filter("(sAMAccountName={0})", username);
boolean authResult = ldapTemplate.authenticate(ldapQuery.base(), ldapQuery.filter().encode(), password);
if (!authResult) {
logger.debug("ldap authentication for {} failed", username);
return null;
}
User ldapUser = (User) ldapTemplate.searchForObject(ldapQuery, new LdapUserAttrMapper());
User user = userService.selectUserById(ldapUser.getUserId());
if (user == null) {
// 用戶(hù)名不存在拋出異常
throw new UnknownAccountException();
}
if (user.getRemoveFlag()) {
// 用戶(hù)被管理員鎖定拋出異常
throw new LockedAccountException();
}
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(user, token.getCredentials(),
"LdapRealm");
return authenticationInfo;
} catch (Exception e) {
logger.error("ldap authentication failed", e.toString());
return null;
}
}
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
Long userId = ShiroUtils.getUserId();
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
// 角色加入AuthorizationInfo認(rèn)證對(duì)象
info.setRoles(roleService.selectRoleKeys(userId));
// 權(quán)限加入AuthorizationInfo認(rèn)證對(duì)象
info.setStringPermissions(menuService.selectPermsByUserId(userId));
return info;
}
public LdapTemplate getLdapTemplate() {
return ldapTemplate;
}
public void setLdapTemplate(LdapTemplate ldapTemplate) {
this.ldapTemplate = ldapTemplate;
}
}
關(guān)鍵的代碼如下�,驗(yàn)證用戶(hù)和獲取LDAP用戶(hù)信息
LdapQuery ldapQuery = LdapQueryBuilder.query().base("DC=example,DC=com").searchScope(SearchScope.SUBTREE)
.filter("(sAMAccountName={0})", username);
boolean authResult = ldapTemplate.authenticate(ldapQuery.base(), ldapQuery.filter().encode(), password);
User ldapUser = (User) ldapTemplate.searchForObject(ldapQuery, new LdapUserAttrMapper());
Spring 的 ldap 配置如下:
文章版權(quán)歸作者所有,未經(jīng)允許請(qǐng)勿轉(zhuǎn)載,若此文章存在違規(guī)行為,您可以聯(lián)系管理員刪除����。
轉(zhuǎn)載請(qǐng)注明本文地址:http://systransis.cn/yun/74274.html
