使用 Spring Boot/Spring Security 对 LDAP 进行证书身份验证
Posted
技术标签:
【中文标题】使用 Spring Boot/Spring Security 对 LDAP 进行证书身份验证【英文标题】:Certificate Authentication against LDAP with Spring Boot/ Spring Secruity 【发布时间】:2015-11-22 20:30:16 【问题描述】:我目前正在尝试实现一个带有相互身份验证的 Spring Boot web 服务,该服务需要一个用户证书,并使用它包含的针对 ldap 服务器的详细信息对用户进行身份验证和授权。
到目前为止,相互身份验证有效,服务器向用户表明自己的身份并要求提供用户证书。以内存用户为例,整个身份验证和授权过程都可以正常工作。然而,一旦我实现了 LDAP 连接,我就会得到一个“java.lang.IllegalStateException:需要 UserDetailsService”。例外。有趣的是,当我使用用户必须手动提示其凭据的登录页面时,LDAP 配置本身运行良好。简而言之:
登录页面 + LDAP 工作,
CERT + 内存中的用户作品,
CERT + LDAP 不起作用。
到目前为止,这是我的代码:
web/config/Application.java
@SpringBootApplication
@ComponentScan( "web.*" )
public class Application extends SpringBootServletInitializer
@Bean
public InternalResourceViewResolver viewResolver()
InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
viewResolver.setViewClass(JstlView.class);
viewResolver.setPrefix("/WEB-INF/jsp/");
viewResolver.setSuffix(".jsp");
return viewResolver;
public static void main(String[] args) throws Exception
SpringApplication.run(Application.class, args);
@Bean
public EmbeddedServletContainerFactory servletContainer()
TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory();
tomcat.addAdditionalTomcatConnectors(createSslConnector());
return tomcat;
// *************************************************************************************************
// Mutual Cert Authentication
// *************************************************************************************************
private Connector createSslConnector()
Connector connector = new Connector(
"org.apache.coyote.http11.Http11NioProtocol");
Http11NioProtocol protocol = (Http11NioProtocol) connector
.getProtocolHandler();
try
File keystore = new ClassPathResource("server.jks").getFile();
File truststore = new ClassPathResource("cacerts.jks").getFile();
connector.setScheme("https");
connector.setSecure(true);
connector.setPort(8443);
protocol.setSSLEnabled(true);
protocol.setKeystoreFile(keystore.getAbsolutePath());
protocol.setKeystorePass("toor"); //example password
protocol.setTruststoreFile(truststore.getAbsolutePath());
protocol.setTruststorePass("toor"); //example passsword
protocol.setKeyAlias("server");
protocol.setClientAuth("want");
protocol.setSslProtocol("TLS");
return connector;
catch (IOException ex)
throw new IllegalStateException("can't access keystore: ["
+ "keystore" + "] or truststore: [" + "keystore" + "]", ex);
// *************************************************************************************************
// The Authentication Manager Bean provides the source that userdata gets
// authenticated against. In this Scenario a ldap server is used.
// *************************************************************************************************
@Bean
public DefaultSpringSecurityContextSource getSource() throws Exception
String address = "ldap://lokalhost:389/dc=ldap"; //example url
String ldapUser = "cn=admin,dc=ldap"; //example login
String ldapPassword = "toor"; //example password
DefaultSpringSecurityContextSource source = new DefaultSpringSecurityContextSource(
address);
source.setUserDn(ldapUser);
source.setPassword(ldapPassword);
source.afterPropertiesSet();
return source;
web/config/WebSecurity.java
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
@Autowired
private DefaultSpringSecurityContextSource source;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
auth.ldapAuthentication().contextSource(source)
.userSearchBase("dc=users,dc=ldap")
.userDnPatterns("cn=0,dc=users")
.groupSearchBase("ou=groups")
;
@Override
protected void configure(HttpSecurity http) throws Exception
// *************************************************************************************************
// Insert pages that need propper authentication/authorization here
// *************************************************************************************************
http
.x509().subjectPrincipalRegex("CN=(.*?),").and()
.authorizeRequests()
.antMatchers("/**")
.access("hasRole('ROLE_USER')")
.and()
.csrf().disable();
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>SpringCertAuth</groupId>
<artifactId>spring-cert-authentication</artifactId>
<version>0.1.0</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.2.5.RELEASE</version>
</parent>
<dependencies>
<!-- ldap -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
</dependency>
<dependency>
<groupId>org.apache.directory.server</groupId>
<artifactId>apacheds-server-jndi</artifactId>
<version>1.5.5</version>
</dependency>
<!-- end ldap -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-jasper</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<properties>
<main.basedir>$basedir/../..</main.basedir>
<java.version>1.8</java.version>
</properties>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
web/controller/HomeController.java
@Controller
public class HomeController
@RequestMapping("/welcome")
public ModelAndView index()
ModelAndView model = new ModelAndView();
model.addObject("title","Secure Web Application");
model.addObject("message", "this is the welcome page");
model.setViewName("welcome");
return model;
还有 webapp/WEB-INF/jsp/welcome.jsp
<%@page session="false"%>
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
<h1>Title : $title</h1>
<h1>Message : $message</h1>
</body>
</html>
PS:我使用的证书是自签名的,位于 src/main/resources 文件夹中。
我希望有人可以帮助我。
最好的问候 多米尼克
【问题讨论】:
【参考方案1】:好的,我找到了解决方案。我将 Application 类重写为:
.
.
.
public static DefaultSpringSecurityContextSource getSource() throws Exception
String address = "ldap://lokalhost:389/dc=ldap"; //example url
String ldapUser = "cn=admin,dc=ldap"; //example login
String ldapPassword = "toor"; //example password
DefaultSpringSecurityContextSource source = new DefaultSpringSecurityContextSource(
address);
source.setUserDn(ldapUser);
source.setPassword(ldapPassword);
source.afterPropertiesSet();
return source;
@Bean
public static LdapAuthenticationProvider ldapAuthProvider() throws Exception
LdapAuthenticationProvider provider = new LdapAuthenticationProvider(authenticator(),authPopulator());
return provider;
@Bean
public static BindAuthenticator authenticator() throws Exception
String[] userDn = "cn=0,dc=users";
BindAuthenticator auth = new BindAuthenticator(getSource());
auth.setUserDnPatterns(userDn);
return auth;
//authenticator2 only neccessary if authentiction with passwordcompare instead of binduser is wanted.
@Bean
public static PasswordComparisonAuthenticator authenticator2() throws Exception
String[] userDn = "cn=0,dc=users";
PasswordComparisonAuthenticator auth = new PasswordComparisonAuthenticator(getSource());
auth.setUserDnPatterns(userDn);
auth.setPasswordAttributeName("userPassword");
auth.setPasswordEncoder(Md5Encoder());
return auth;
@Bean
public static DefaultLdapAuthoritiesPopulator authPopulator() throws Exception
DefaultLdapAuthoritiesPopulator authPop = new DefaultLdapAuthoritiesPopulator(getSource(),"dc=groups");
authPop.setGroupRoleAttribute("cn");
authPop.setGroupSearchFilter("(member=0)");
return authPop;
//Certificate Authentication
@Bean
public static LdapUserDetailsService CustomLdapUserDetailsService() throws Exception
LdapUserDetailsService userDetails = new LdapUserDetailsService(userSearch(),authPopulator());
return userDetails;
@Bean
public static FilterBasedLdapUserSearch userSearch() throws Exception
FilterBasedLdapUserSearch search = new FilterBasedLdapUserSearch("","cn=0",getSource());
return search;
我还稍微更改了 WebSecurityConfig 类。现在看起来像这样:
@Configuration
@EnableWebSecurity
@EnableAutoConfiguration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception
auth.authenticationProvider(Application.ldapAuthProvider());
@Override
public void configure(WebSecurity web) throws Exception
web
.ignoring()
.antMatchers("/resources/**");
@Override
protected void configure(HttpSecurity http) throws Exception
// *************************************************************************************************
// Insert pages that need proper authentication/authorization here
// *************************************************************************************************
http
.exceptionHandling().accessDeniedPage("/403")
.and()
.x509().subjectPrincipalRegex("CN=(.*?),").userDetailsService(Application.CustomLdapUserDetailsService())
.and()
.authorizeRequests()
.antMatchers("/profile/**").access("hasRole('ROLE_VIEW') or hasRole('ROLE_ADMINISTRATOR')")
.antMatchers("/welcome**").permitAll()
.antMatchers("/authenticate").access("hasRole('ROLE_VIEW') or hasRole('ROLE_ADMIN')")
.antMatchers("/admin").access("hasRole('ROLE_ADMINISTRATOR')")
.and()
.formLogin()
.and()
.logout().logoutSuccessUrl("/welcome?logout").logoutUrl("/logout")
.deleteCookies("JSESSIONID")
.and()
.csrf().disable()
;
最后一条线索在这里给了我这篇文章: spring-security : Using user's certificate to authenticate against LDAP
我希望我能帮助别人。
问候 多米尼克
【讨论】:
【参考方案2】:您必须在 web/config/WebSecurity.java 文件中添加 UserDetailService。
举个例子
@Override
protected void configure(HttpSecurity http) throws Exception
http.authorizeRequests().anyRequest().authenticated()
.and()
.x509()
.subjectPrincipalRegex("CN=(.*?)(?:,|$)")
.userDetailsService(userDetailsService());
@Bean
public UserDetailsService userDetailsService()
return new UserDetailsService()
@Override
public UserDetails loadUserByUsername(String username)
if (username.equals("Bob"))
return new User(username, "",
AuthorityUtils
.commaSeparatedStringToAuthorityList("ROLE_USER"));
throw new UsernameNotFoundException("User not found!");
;
希望,这行得通。
【讨论】:
以上是关于使用 Spring Boot/Spring Security 对 LDAP 进行证书身份验证的主要内容,如果未能解决你的问题,请参考以下文章
spring boot: spring boot+jdbctemplate+sql server
spring boot:Spring Boot中Redis的使用