Spring随笔06 利用LDAP校验用户

本小节将一步步教会你建立一个项目并给它添加Spring Security LDAP 模块。

你将建立一个 通过 Spring Security 提供的服务 来加密的程序， 该服务嵌入了 java 基本的 LDAP 加密。 你会通过加载一个配置了用户名密码集合的配置文件 来启动该服务。

1、建立一个简单的Controller。
这个Controller向前端写回简单的一句话。
如下：

 1 package cn.tiny77.guide06;
 2
 3 import org.springframework.web.bind.annotation.GetMapping;
 4 import org.springframework.web.bind.annotation.RestController;
 5
 6 @RestController
 7 public class HomeController {
 8
 9     @GetMapping("/")
10     public String index() {
11         return "Welcome to the home page!";
12     }
13 }

启动程序如下：

 1 package cn.tiny77.guide06;
 2
 3 import org.springframework.boot.SpringApplication;
 4 import org.springframework.boot.autoconfigure.SpringBootApplication;
 5
 6 @SpringBootApplication
 7 public class App {
 8
 9     public static void main(String[] args) {
10         SpringApplication.run(App.class, args);
11     }
12
13 }

现在，我们可以在不验证身份的情况下访问这个Controller。
访问 http://localhost:8080 ， 你将看到简短的文字信息。

2、嵌入Spring Security

新建一个类，通过java代码配置Spring Security

 1 package cn.tiny77.guide06;
 2
 3 import java.util.Arrays;
 4
 5 import org.springframework.context.annotation.Bean;
 6 import org.springframework.context.annotation.Configuration;
 7 import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
 8 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 9 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
10 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
11 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
12
13 @Configuration
14 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
15
16     @Override
17     protected void configure(HttpSecurity http) throws Exception {
18         http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin();
19     }
20
21     @Override
22     public void configure(AuthenticationManagerBuilder auth) throws Exception {
23         auth.ldapAuthentication().userDnPatterns("uid={0},ou=people").groupSearchBase("ou=groups")
24                 .contextSource(contextSource()).passwordCompare().passwordEncoder(new LdapShaPasswordEncoder())
25                 .passwordAttribute("userPassword");
26     }
27
28     @Bean
29     public DefaultSpringSecurityContextSource contextSource() {
30         return new DefaultSpringSecurityContextSource(Arrays.asList("ldap://localhost:8389/"),
31                 "dc=springframework,dc=org");
32     }
33
34 }

@EnableWebSecurity 注解作用是 打开校验开关。

你同时需要一个LDAP服务，SpringBoot能自动化配置一个纯粹由java代码书写的服务，在本例中我们将会用到。
ldapAuthentication方法的作用是把表单中的username插入到字符串的"{0}"中，LDAP服务根据它查询uid={0},ou=people,dc=springframework,dc=org。
同时，passwordCompare方法配置译码器和密码的名称，获取密码并校验。

3、建立用户数据
LDAP服务可以用LDIF(LDAP Data Interchange Format)来代替用户数据。
application.properties中的spring.ldap.embedded.ldif属性允许SpringBoot引入一个LDIF文件，这使得加载用户数据很容易。

dn: dc=springframework,dc=org
objectclass: top
objectclass: domain
objectclass: extensibleObject
dc: springframework

dn: ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups

dn: ou=subgroups,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: subgroups

dn: ou=people,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: people

dn: ou=space cadets,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: space cadets

dn: ou=\"quoted people\",dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: "quoted people"

dn: ou=otherpeople,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: otherpeople

dn: uid=ben,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Ben Alex
sn: Alex
uid: ben
userPassword: {SHA}nFCebWjxfaLbHHG1Qk5UU4trbvQ=

dn: uid=bob,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Bob Hamilton
sn: Hamilton
uid: bob
userPassword: bobspassword

dn: uid=joe,ou=otherpeople,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Joe Smeth
sn: Smeth
uid: joe
userPassword: joespassword

dn: cn=mouse\, jerry,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Mouse, Jerry
sn: Mouse
uid: jerry
userPassword: jerryspassword

dn: cn=slash/guy,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: slash/guy
sn: Slash
uid: slashguy
userPassword: slashguyspassword

dn: cn=quote\"guy,ou=\"quoted people\",dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: quote\"guy
sn: Quote
uid: quoteguy
userPassword: quoteguyspassword

dn: uid=space cadet,ou=space cadets,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Space Cadet
sn: Cadet
uid: space cadet
userPassword: spacecadetspassword

dn: cn=developers,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: developers
ou: developer
uniqueMember: uid=ben,ou=people,dc=springframework,dc=org
uniqueMember: uid=bob,ou=people,dc=springframework,dc=org

dn: cn=managers,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: managers
ou: manager
uniqueMember: uid=ben,ou=people,dc=springframework,dc=org
uniqueMember: cn=mouse\, jerry,ou=people,dc=springframework,dc=org

dn: cn=submanagers,ou=subgroups,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: submanagers
ou: submanager
uniqueMember: uid=ben,ou=people,dc=springframework,dc=org

如果你访问 localhost:8080 ，你就会被重定向到Spring Security 的提供的登录页。
输入用户名ben 密码 benspassword ，你就能看到如下页面。

4、Demo下载