Question
All,
Our IT dept has decided to change the suffix of our users in AD by giving the userPrincipalName in AD a different suffix from the actual domain being used.
e.g. our domain is xxx.com but the userPrincipalName is now "usera@zzz.tech" whereas before it was "usera@xxx.com".
The Spring LDAP AD authentication no longer works with this, and I think the reason is this: the userPrincipalName is built up from name + domain when it tries to authenticate.
I need to override this somehow - but keep with Spring Security version 3.1 (ideally!).
This is the security bean we use
<bean id="ldapActiveDirectoryAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <constructor-arg value="$websec{authentication.base}" />
    <constructor-arg value="$websec{ldap.providerUrl}" />
    <property name="authoritiesMapper" ref="dataAutomationGrantedAuthoritiesMapper" />
    <property name="useAuthenticationRequestCredentials" value="true" />
</bean>
How can I override this behaviour?
Thank you
Answer 1:
We ended up modifying the original Spring code for the class ActiveDirectoryLdapAuthenticationProvider, changing the method createBindPrincipal to allow a userPrincipalName with a different domain from the security root domain to be authorised.
/**
 * Create bind principal by appending the configured user domain to the username
 * if it doesn't already contain a domain.
 *
 * @param username User name for which to create bind principal.
 *
 * @return username, if the configured domain is null or the username already contains
 * a domain; otherwise username appended with the configured user domain.
 */
String createBindPrincipal(final String username) {
    // A username that already carries a UPN suffix (e.g. usera@zzz.tech) is used as-is,
    // so the suffix no longer has to match the configured domain (xxx.com).
    if (domain == null || username.contains("@")) {
        return username;
    }
    // Otherwise keep the original behaviour: name + "@" + configured domain.
    return username + "@" + domain;
}
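As an added example (not Spring's code and not the answer's), here is a standalone Java helper with the same pass-through logic plus an allowlist of accepted UPN suffixes, so that a typed suffix is only honoured when it is one the forest actually issues and any other suffix is rejected with a clear message. The class, field and method names are assumptions, IllegalArgumentException stands in for Spring's BadCredentialsException, and it is written as a separate class because createBindPrincipal is package-private in the 3.1 source (consistent with the answer patching the class rather than subclassing it).

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Builds the AD bind principal (a UPN) from what the user typed, accepting a
 * user-supplied UPN suffix only if it is on an allowlist. Hypothetical helper;
 * the logic would be pasted into the modified provider, not inherited.
 */
public final class BindPrincipalBuilder {

    private final String defaultDomain;        // appended when no '@' is typed, e.g. "xxx.com"
    private final Set<String> allowedSuffixes; // lower-case UPN suffixes AD is expected to hold

    public BindPrincipalBuilder(String defaultDomain, Set<String> allowedSuffixes) {
        this.defaultDomain = defaultDomain;
        this.allowedSuffixes = allowedSuffixes;
    }

    /**
     * Returns the principal to bind with, or throws IllegalArgumentException
     * (a real provider would throw BadCredentialsException instead).
     */
    public String createBindPrincipal(String username) {
        if (username == null || username.isEmpty()) {
            throw new IllegalArgumentException("empty username");
        }
        // Reject down-level (DOMAIN\user) and multi-'@' forms: the user search
        // compares userPrincipalName, so only the UPN shape is meaningful here.
        if (username.indexOf('\\') >= 0 || username.indexOf('@') != username.lastIndexOf('@')) {
            throw new IllegalArgumentException("malformed user name");
        }
        int at = username.indexOf('@');
        if (at < 0) {
            // Original Spring behaviour: append the configured domain.
            return defaultDomain == null ? username : username + "@" + defaultDomain;
        }
        String local = username.substring(0, at);
        String suffix = username.substring(at + 1).toLowerCase(Locale.ROOT);
        if (local.isEmpty() || suffix.isEmpty()) {
            throw new IllegalArgumentException("malformed user name");
        }
        // The answer's version passes any "x@y" through unchanged; limiting the
        // suffix to the ones this forest issues makes the accepted identifier
        // forms explicit and gives a rejected login a specific reason to log.
        if (!allowedSuffixes.contains(suffix)) {
            throw new IllegalArgumentException("UPN suffix not accepted: " + suffix);
        }
        return local + "@" + suffix;
    }

    public static void main(String[] args) {
        // Constructed sample configuration matching the question: old suffix xxx.com, new suffix zzz.tech.
        Set<String> suffixes = new HashSet<String>(Arrays.asList("xxx.com", "zzz.tech"));
        BindPrincipalBuilder b = new BindPrincipalBuilder("xxx.com", suffixes);
        System.out.println(b.createBindPrincipal("usera"));
        System.out.println(b.createBindPrincipal("usera@zzz.tech"));
        System.out.println(b.createBindPrincipal("UserA@ZZZ.TECH"));
        try {
            b.createBindPrincipal("usera@other.example");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is the part worth keeping even if the rest is dropped: without it, whatever suffix a user types is handed straight to the LDAP bind, and a failed bind surfaces only as a generic bad-credentials error rather than as a recognisable "unexpected suffix" event in the application log.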
Source: https://stackoverflow.com/questions/58232159/spring-security-version-3-1-need-to-match-user-using-either-userprincipalname