Question
If we need to get user attributes from Active Directory like name, sn etc., can't we configure it using the specialized LDAP authentication provider that uses Active Directory configuration conventions, "springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider"?
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Stateless API: no CSRF token, no HTTP session, HTTP Basic for credentials
        http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().antMatchers("/", "logout").permitAll().and().httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
    }

    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        // domain and url come from the application configuration
        ActiveDirectoryLdapAuthenticationProvider adProvider = new ActiveDirectoryLdapAuthenticationProvider(domain, url);
        adProvider.setConvertSubErrorCodesToExceptions(true);
        adProvider.setUseAuthenticationRequestCredentials(true);
        return adProvider;
    }
and then use the AuthenticationManager as shown below.
    Authentication auth = new UsernamePasswordAuthenticationToken(userName, password);
    Authentication a = authenticationManager.authenticate(auth);
But I get a.isAuthenticated() as true for a correct username and password, and I also get a.getName() as my username. But how do I retrieve sn, displayName, name and other attributes? Do we need to write a CustomActiveDirectoryLdapAuthenticationProvider as mentioned here: http://code-addict.pl/active-directory-spring-security/
Answer 1:
You do not. Spring Security comes with a UserDetailsContextMapper interface:
    /**
     * Creates a fully populated UserDetails object for use by the security framework.
     *
     * @param ctx the context object which contains the user information.
     * @param username the user's supplied login name.
     * @param authorities
     * @return the user object.
     */
    UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> authorities);
The default implementation, LdapUserDetailsMapper, currently only maps the groups returned by the search:
    // Map the roles
    for (int i = 0; (this.roleAttributes != null)
            && (i < this.roleAttributes.length); i++) {
        String[] rolesForAttribute = ctx.getStringAttributes(this.roleAttributes[i]);
        if (rolesForAttribute == null) {
            this.logger.debug("Couldn't read role attribute '"
                    + this.roleAttributes[i] + "' for user " + dn);
            continue;
        }
        for (String role : rolesForAttribute) {
            GrantedAuthority authority = createAuthority(role);
            if (authority != null) {
                essence.addAuthority(authority);
            }
        }
    }
However, by implementing your own UserDetailsMapper you can retrieve any and all records that come back from LDAP.
You just decide which attribute you wish to fetch:
    Object attribute = ctx.getObjectAttribute("some-ldap-attribute");
This is how you would fetch custom values during an authentication event.
If you just want to query, search and fetch data from the LDAP directory, you can leverage the SpringSecurityLdapTemplate.
It aims to do for LDAP what RestTemplate does for HTTP.
Source: https://stackoverflow.com/questions/54242165/do-we-need-to-write-customactivedirectoryldapauthenticationprovider-if-we-want-t