一、SpringLDAP单点登录
在企业级应用中,单点登录(Single Sign-On,SSO)是非常重要的。SpringLDAP提供了良好的支持,使得我们可以轻松地实现SSO。
我们可以使用LDAP存储用户信息,比如用户名和密码等。一旦用户通过认证,我们可以在Web应用中启动一个会话来保存用户的状态。这样,当用户访问其他应用时,这些应用就可以从会话中获取用户信息,而不需要再次进行认证。
下面是使用SpringLDAP实现SSO的示例代码:
<bean id="contextSourceTarget" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://ldap.example.org:389/dc=example,dc=org" />
<property name="base" value="cn=users,dc=example,dc=org" />
<property name="userDn" value="uid=admin,cn=users,dc=example,dc=org" />
<property name="password" value="secret" />
</bean>
<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<constructor-arg ref="contextSourceTarget" />
</bean>
<bean id="ldapAuthenticationProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSourceTarget" />
<property name="userSearch">
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value="cn=users" />
<constructor-arg index="1" value="(uid={0})" />
<constructor-arg index="2" ref="contextSourceTarget" />
</bean>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSourceTarget" />
<constructor-arg value="cn=groups" />
<property name="groupRoleAttribute" value="cn" />
<property name="searchSubtree" value="true" />
<property name="defaultRole" value="ROLE_USER" />
</bean>
</constructor-arg>
</bean>
<security:authentication-manager>
<security:authentication-provider ref="ldapAuthenticationProvider" />
</security:authentication-manager>
<security:http>
<security:intercept-url pattern="/secure/**" access="ROLE_USER" />
<security:form-login login-page="/login.html"
authentication-failure-url="/login.html?error=true"
default-target-url="/secure/index.html" />
</security:http>二、Spring LDAP Template
SpringLDAP提供了LdapTemplate类,可以极大地简化访问LDAP的代码编写过程。对于LDAP的读、写、修改、删除等操作,LdapTemplate都提供了相应的方法,让我们省去了自己编写相应代码的繁琐工作,并且它还自带对象映射功能,将LDAP中的数据转换为Java对象。
下面是使用LdapTemplate读取LDAP中的数据的示例:
<bean id="contextSourceTarget" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://ldap.example.org:389/dc=example,dc=org" />
<property name="userDn" value="uid=admin,cn=users,dc=example,dc=org" />
<property name="password" value="secret" />
</bean>
<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<constructor-arg ref="contextSourceTarget" />
</bean>
<bean id="personDao" class="com.example.PersonDao">
<property name="ldapTemplate" ref="ldapTemplate" />
</bean>
public class PersonDao {
private LdapTemplate ldapTemplate;
public List<Person> getAllPersons() {
return ldapTemplate.search(
"", "(objectClass=person)", new PersonAttributesMapper());
}
private static final class PersonAttributesMapper implements AttributesMapper {
public Object mapFromAttributes(Attributes attributes) throws NamingException {
Person person = new Person();
person.setFullname((String)attributes.get("fullName").get());
person.setLastname((String)attributes.get("sn").get());
person.setDescription((String)attributes.get("description").get());
return person;
}
}
}三、SpringLDAP只读
有时候我们只是需要从LDAP中读取数据而不需要进行任何的修改。SpringLDAP提供的LdapTemplateReadOnly类可以让我们只读取LDAP数据而不增加任何的负担。
下面是使用LdapTemplateReadOnly读取LDAP中的数据的示例:
<bean id="contextSourceTarget" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://ldap.example.org:389/dc=example,dc=org" />
<property name="userDn" value="uid=admin,cn=users,dc=example,dc=org" />
<property name="password" value="secret" />
</bean>
<bean id="ldapTemplateReadOnly" class="org.springframework.ldap.core.LdapTemplateReadOnly">
<constructor-arg ref="contextSourceTarget" />
</bean>
<bean id="personDao" class="com.example.PersonDao">
<property name="ldapTemplate" ref="ldapTemplateReadOnly" />
</bean>
public class PersonDao {
private LdapTemplateReadOnly ldapTemplate;
public List<Person> getAllPersons() {
return ldapTemplate.search(
"", "(objectClass=person)",
new PersonAttributesMapper());
}
private static final class PersonAttributesMapper implements AttributesMapper {
public Object mapFromAttributes(Attributes attributes) throws NamingException {
Person person = new Person();
person.setFullname((String)attributes.get("fullName").get());
person.setLastname((String)attributes.get("sn").get());
person.setDescription((String)attributes.get("description").get());
return person;
}
}
}四、SpringLDAP测试
SpringLDAP提供了非常便利的测试框架,可以帮助我们在没有真实的LDAP服务器的情况下进行单元测试。
下面是使用SpringLDAP测试框架对LDAP操作进行单元测试的示例:
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration("classpath:test-context.xml")
public class PersonDaoTest {
@Autowired
private PersonDao personDao;
@Test
public void testFindAll() {
List<Person> personList = personDao.getAllPersons();
assertEquals(personList.size(), 2);
}
}
<bean id="contextSourceTarget" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://localhost:8389/dc=example,dc=org" />
<property name="userDn" value="uid=admin,cn=users,dc=example,dc=org" />
<property name="password" value="secret" />
<property name="pooled" value="false" />
<property name="baseEnvironmentProperties">
<props>
<prop key="java.naming.security.principal">cn=admin,dc=example,dc=org</prop>
<prop key="java.naming.security.credentials">password</prop>
</props>
</property>
</bean>
<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<constructor-arg ref="contextSourceTarget" />
</bean>
<bean id="personDao" class="com.example.PersonDao">
<property name="ldapTemplate" ref="ldapTemplate" />
</bean>五、SpringLDAP创建用户
使用SpringLDAP,我们可以很方便地实现LDAP用户的添加、删除、修改等操作,下面是使用LdapTemplate添加LDAP用户的示例代码:
public void addUser(User user) {
Name dn = buildDn(user);
ldapTemplate.bind(dn, null, buildAttributes(user));
}
private Name buildDn(User user) {
return LdapNameBuilder.newInstance()
.add("ou", "users")
.add("uid", user.getUsername())
.build();
}
private Attributes buildAttributes(User user) {
BasicAttributes basicAttributes = new BasicAttributes();
BasicAttribute objectClass = new BasicAttribute("objectClass");
objectClass.add("top");
objectClass.add("person");
basicAttributes.put(objectClass);
basicAttributes.put("cn", user.getUsername());
basicAttributes.put("sn", user.getLastName());
basicAttributes.put("userPassword", user.getPassword());
return basicAttributes;
}六、SpringLDAP配置详解
在使用SpringLDAP时,我们需要进行相应的配置,下面是一份常用的SpringLDAP配置:
<bean id="contextSourceTarget" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://ldap.example.org:389/dc=example,dc=org" />
<property name="userDn" value="uid=admin,cn=users,dc=example,dc=org" />
<property name="password" value="secret" />
<property name="pooled" value="false" />
<property name="baseEnvironmentProperties">
<props>
<prop key="java.naming.security.principal">cn=admin,dc=example,dc=org</prop>
<prop key="java.naming.security.credentials">password</prop>
</props>
</property>
</bean>
<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<constructor-arg ref="contextSourceTarget" />
</bean>
<context:annotation-config />
<context:component-scan base-package="com.example" />七、SpringLDAP Token
在SpringLDAP中,我们可以使用DirContextOperations对象来获取当前的用户信息。
下面是使用DirContextOperations对象获取用户信息的示例代码:
@Autowired
private LdapTemplate ldapTemplate;
public void printCurrentUser() {
DirContextOperations ctx = (DirContextOperations) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
String username = ctx.getStringAttribute("uid");
System.out.println("Current user: " + username);
}八、SpringLDAP验证用户名和密码
在SpringLDAP中,我们可以使用LdapTemplate类中的authenticate()方法验证用户名和密码是否正确。
下面是使用LdapTemplate类验证用户名和密码的示例代码:
@Autowired
private LdapTemplate ldapTemplate;
public boolean authenticate(String username, String password) {
AndFilter filter = new AndFilter();
filter.and(new EqualsFilter("objectclass", "person")).and(new EqualsFilter("uid", username));
return ldapTemplate.authenticate("", filter.toString(), password);
}原创文章,作者:GNFJ,如若转载,请注明出处:https://www.506064.com/n/146359.html
微信扫一扫 
支付宝扫一扫 