Spring Security , authenticate use LDAP& DataBase.

最新推荐文章于 2025-12-02 21:20:38 发布

原创最新推荐文章于 2025-12-02 21:20:38 发布 · 204 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#spring security #java #ldap

java 专栏收录该内容

6 篇文章

订阅专栏

本文介绍了一种结合LDAP和数据库的用户认证方案。该方案首先判断是否启用LDAP认证，若未启用，则通过数据库进行用户验证；若启用LDAP认证且认证成功，将从数据库中获取用户的权限信息。

基础部分参见:
http://suene.iteye.com/blog/1829807


	<authentication-manager>
		<authentication-provider ref="authenticationProvider" />
	</authentication-manager>

	<beans:bean id="authenticationProvider" class="org.e.simple.authtication.LdapAndDbAuthenticationProvider">
		<beans:property name="authenticateByLdap" value="false" />
		<beans:property name="url" value="ldap://localhost:10389/dc=example,dc=com" /> 
		<beans:property name="userSearchBase" value="ou=Users" />
		<beans:property name="hash" value="{sha}" />
	</beans:bean>


/** 先根据属性 {@link #authenticateByLdap }, 是否使用 LDAP 验证 用户信息. 否则使用数据库查询验证用户.<br/>
 * 
 * 如果验证成功,则以数据库获取用户的权限. */
public class LdapAndDbAuthenticationProvider implements AuthenticationProvider
{

	private static final Logger logger = LoggerFactory.getLogger(LdapAndDbAuthenticationProvider.class);

	@Autowired
	private UserRepository userRepository;

	/** LDAP server */
	private DefaultSpringSecurityContextSource contextSource;

	/** LdapAuthenticator */
	private LdapAuthenticator authenticator;

	/** 是否使用 LDAP 验证用户. */
	private boolean authenticateByLdap;

	// ldap url
	private String url;

	// <user-dn-pattern/>
	private String userDnPattern;

	// <user-search-filter/>
	private String userSearchFilter = "(uid={0})";

	// <user-search-base/>
	private String userSearchBase = "";

	// <password-compare />
	// 是否验证密码.
	private boolean passwordCompar = true;

	// <password-attribute/>
	private String passwordAttribute = "userPassword";

	// password-compare : hash
	// default = plaintext
	// 参考 org.springframework.security.config.authentication.PasswordEncoderParser.ENCODER_CLASSES
	private String hash = "plaintext";

	// password-encoder : base64
	private boolean useBase64;

	// 获取对应的 pwEncoder
	private PasswordEncoder pwEncoder;

	@PostConstruct
	public void init() throws Exception
	{

		if (passwordCompar)
		{

			AbstractBeanDefinition def = (AbstractBeanDefinition) PasswordEncoderParser.createPasswordEncoderBeanDefinition(hash, useBase64);
			Object pwEncoderObj = def.getBeanClass().newInstance();

			if (pwEncoderObj instanceof BaseDigestPasswordEncoder)
			{
				((BaseDigestPasswordEncoder) pwEncoderObj).setEncodeHashAsBase64(useBase64);
			}

			if (pwEncoderObj instanceof PasswordEncoder)
			{
				this.pwEncoder = (PasswordEncoder) pwEncoderObj;
			}
		}

		if (authenticateByLdap)
		{
			contextSource = new DefaultSpringSecurityContextSource(url);
			contextSource.afterPropertiesSet();

			LdapUserSearch userSearch = new FilterBasedLdapUserSearch(this.userSearchBase, this.userSearchFilter, contextSource);

			String[] userDnPatternArray = new String[0];

			if (StringUtils.hasText(userDnPattern))
			{
				userDnPatternArray = new String[]
				{ userDnPattern };
			}

			if (passwordCompar)
			{
				authenticator = new PasswordComparisonAuthenticator(contextSource);
				((PasswordComparisonAuthenticator) authenticator).setPasswordAttributeName(passwordAttribute);
				((PasswordComparisonAuthenticator) authenticator).setPasswordEncoder((PasswordEncoder) pwEncoder);
				((PasswordComparisonAuthenticator) authenticator).setUserDnPatterns(userDnPatternArray);
				((PasswordComparisonAuthenticator) authenticator).setUserSearch(userSearch);

			} else
			{
				authenticator = new BindAuthenticator(contextSource);
				((BindAuthenticator) authenticator).setUserDnPatterns(userDnPatternArray);
				((BindAuthenticator) authenticator).setUserSearch(userSearch);
			}
		}
	}

	@Override
	public Authentication authenticate(Authentication authentication) throws AuthenticationException
	{
		final UsernamePasswordAuthenticationToken userToken = (UsernamePasswordAuthenticationToken) authentication;

		String username = userToken.getName();
		String password = (String) authentication.getCredentials();

		if (!StringUtils.hasLength(username))
		{
			throw new BadCredentialsException("Empty Username");
		}

		if (!StringUtils.hasLength(password))
		{
			throw new BadCredentialsException("Empty Password");
		}

		List<User> users = userRepository.findByUsername(username);

		if (CollectionUtils.isEmpty(users))
		{
			throw new BadCredentialsException("Bad credentials");
		}

		UserDetails user = users.get(0);

		if (authenticateByLdap)
		{
			doLdapAuthentication(userToken);
		} else
		{
			if (passwordCompar)
			{
				String encodePassword = pwEncoder.encodePassword(password, null);
				if (!encodePassword.equals(user.getPassword()))
				{
					throw new BadCredentialsException("Bad credentials");
				}
			}
		}

		return createSuccessfulAuthentication(userToken, user);
	}

	protected DirContextOperations doLdapAuthentication(UsernamePasswordAuthenticationToken authentication)
	{
		try
		{
			return authenticator.authenticate(authentication);
		} catch (Exception e)
		{
			logger.error(e.getMessage(), e);
			throw new BadCredentialsException("Bad credentials");
		}
	}

	@Override
	public boolean supports(Class<?> authentication)
	{
		return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
	}

	protected Authentication createSuccessfulAuthentication(UsernamePasswordAuthenticationToken authentication, UserDetails user)
	{
		Object password = authentication.getCredentials();

		UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(user, password, user.getAuthorities());
		result.setDetails(authentication.getDetails());

		return result;
	}

	// set method...

}