How to map Ldap groups to Tomcat Roles (Java)(如何将 Ldap 组映射到 Tomcat 角色 (Java))
问题描述
我正在使用 Servlets/JSP 等编写一个 Web 项目.目前该程序使用基本身份验证来确保安全性.但我的工作希望从我们的活动目录中获取安全角色.
I am writing a web project using Servlets/JSP etc.. At the moment the program uses basic authentication for security.. but my work want the security roles picked up from our active directory.
我修改了 apache 的 server.xml 如下:
I have modified apache's server.xml with the following:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://adclds001.mycompgroup.local:389"
connectionName="************.local:389"
connectionPassword="********"
userPattern="CN={0},OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
roleBase="OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
roleName="cn"
roleSearch="member={0}"
/>
身份验证工作正常,但我不知道如何映射 ldap 组到 Tomcat 角色.
The authentication works fine, but I do not know how to map ldap groups to Tomcat roles.
我尝试将组名之类的内容添加到部署描述符的条目,但无济于事.
I have tried adding things like group-name to the entries to the deployment descriptor but to no avail.
我还听说扩展 JNDIRealm 类并覆盖getRoles 方法可能会给我我想要的东西..但我找不到完整的可能需要的详细信息.
I have also heard that extending the JNDIRealm class and overriding the getRoles method might give me what I want..But I cant find full details on what might be required.
那么将 ldap 组映射到 tomcat 角色的最佳方法是什么?
So what is the best way to map ldap groups to tomcat roles?
应用程序仍然没有扮演角色.
The application is still not picking up the roles.
我的领域详情目前是:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://adclds001.mycomp.local:389"
connectionName="trainee1@mycomp.local:389"
connectionPassword="****"
userPattern="CN={0},OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
userRoleName="Domain Users"
roleBase="OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
roleName="cn"
roleSearch="member={0}"
/>
我的部署描述符中有一个安全约束:
I have a security constaint in my deployment descriptor:
<security-constraint>
<web-resource-collection>
<web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Domain Users</role-name>
<role-name>admin_user</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
web.xml 中的安全角色:
security roles in web.xml:
<security-role>
<role-name>basic_user</role-name>
</security-role>
<security-role>
<role-name>admin_user</role-name>
</security-role>
<security-role>
<role-name>Domain Users</role-name>
</security-role>
我也有:
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
还有
我的 IT 部门告诉我,每个人都属于以下组:CN=域用户,CN=Users,DC=mycompgroup,DC=local
My IT dept are telling me that everybody is in the following group: CN=Domain Users,CN=Users,DC=mycompgroup,DC=local
谁能建议我为什么不能使用域用户角色?
Can anybody suggest why I am not able to use the Domain Users role?
推荐答案
可以使用LDAPAdminExe浏览ldap结构.并找到哪个组"?你找到了吗?
You can use LDAPAdminExe to browse the ldap structure. And find which "group" are you locate.
例如,您的组是 CN=Domain Users,CN=Users,DC=mycompgroup,DC=local.
步骤 1.您应该在角色库中检查该组(使用 LDAPAdminExe 进行检查):
Step1. You should check is this group in the role base (Use LDAPAdminExe to check):
OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local
如果不是,您应该更改此 roleBase 设置.我认为它可能可以将此配置设置为
If not you should changed this roleBase setting. I think it's may can set this config to
DC=mycompgroup,DC=local
所以你将在 server.xml 中设置配置:
So you will set the config in server.xml:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://adclds001.mycomp.local:389"
connectionName="trainee1@mycomp.local:389"
connectionPassword="****"
userPattern="CN={0},OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
userRoleName="Domain Users"
roleBase="DC=mycompgroup,DC=local"
roleName="cn"
roleSearch="member={0}"
/>
第 2 步.您应该在 web.xml 中添加组名称:
Step 2. You should add the groups name in your web.xml:
<security-constraint>
....
<auth-constraint>
<role-name>Domain Users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>Domain Users</role-name>
</security-role>
步骤 3. 重启这个 tomcat 服务器
Step 3. Restart this tomcat server
好好享受吧!!!
这篇关于如何将 Ldap 组映射到 Tomcat 角色 (Java)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!
本文标题为:如何将 Ldap 组映射到 Tomcat 角色 (Java)
- 如何使用WebFilter实现授权头检查 2022-01-01
- 从 finally 块返回时 Java 的奇怪行为 2022-01-01
- Spring Boot连接到使用仲裁器运行的MongoDB副本集 2022-01-01
- Safepoint+stats 日志,输出 JDK12 中没有 vmop 操作 2022-01-01
- Jersey REST 客户端:发布多部分数据 2022-01-01
- C++ 和 Java 进程之间的共享内存 2022-01-01
- 将log4j 1.2配置转换为log4j 2配置 2022-01-01
- value & 是什么意思?0xff 在 Java 中做什么? 2022-01-01
- Eclipse 插件更新错误日志在哪里? 2022-01-01
- Java包名称中单词分隔符的约定是什么? 2022-01-01
