diff --git a/src/main/java/info/bukova/isspst/services/users/AdUserCtxMapper.java b/src/main/java/info/bukova/isspst/services/users/AdUserCtxMapper.java
index b0450f09..96cd9b1f 100644
--- a/src/main/java/info/bukova/isspst/services/users/AdUserCtxMapper.java
+++ b/src/main/java/info/bukova/isspst/services/users/AdUserCtxMapper.java
@@ -26,6 +26,7 @@ public class AdUserCtxMapper implements UserDetailsContextMapper {
 private UserService userService;
 private RoleService roleService;
+ private String allowedGroup;
 private final static Logger logger = LoggerFactory.getLogger(AdUserCtxMapper.class);
@@ -43,7 +44,7 @@ public class AdUserCtxMapper implements UserDetailsContextMapper {
 return user;
 } catch (UsernameNotFoundException e) {
 logger.info("Importing user from Active Directory");
- LdapUserImporter importer = new LdapUserImporter(userService);
+ LdapUserImporter importer = new LdapUserImporter(userService, allowedGroup);
 importer.importUser(username, userData, roleService.getRoleByAuthority(Constants.ROLE_USER));
 return userService.loadUserByUsername(username);
@@ -56,4 +57,8 @@ public class AdUserCtxMapper implements UserDetailsContextMapper {
 "use a subclass if mapUserToContext() is required.");
 }
+ public void setAllowedGroup(String allowedGroup) {
+ this.allowedGroup = allowedGroup;
+ }
+
 }
diff --git a/src/main/java/info/bukova/isspst/services/users/LdapUserImporter.java b/src/main/java/info/bukova/isspst/services/users/LdapUserImporter.java
index 7da73858..b618f89b 100644
--- a/src/main/java/info/bukova/isspst/services/users/LdapUserImporter.java
+++ b/src/main/java/info/bukova/isspst/services/users/LdapUserImporter.java
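Review bot: The group restriction wired in by `new LdapUserImporter(userService, allowedGroup)` is only evaluated on the import path inside `catch (UsernameNotFoundException e)`, so a user who was imported once keeps authenticating after being removed from the allowed group — the `try` branch returns the stored user without ever consulting `memberOf` again. If `allowedGroup` is meant to gate login rather than only first-time provisioning, the same membership test has to run before `return user` as well, for example by moving the comparison into a helper that both branches call with `userData`. Whether that is the intent cannot be read from this hunk; the enclosing method starts and ends outside it.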
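Review bot: `setAllowedGroup` carries no Javadoc, and the meaning of a null or empty value (the membership check is skipped) is only discoverable by reading LdapUserImporter. Add above the setter: `/** Sets the CN of the directory group a user must belong to before being imported; null or empty disables the check. */`.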
@@ -9,6 +9,7 @@ import javax.naming.NamingException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 /**
  * Pomocná třída pro import uživatele z LDAP serveru (nebo Active Directory) do databáze aplikace
@@ -19,12 +20,18 @@ import org.springframework.ldap.core.DirContextOperations;
 public class LdapUserImporter {
 private UserService userService;
+ private String allowedGroup;
 private final static Logger logger = LoggerFactory.getLogger(LdapUserImporter.class);
 public LdapUserImporter(UserService userService) {
 this.userService = userService;
 }
+ public LdapUserImporter(UserService userService, String group) {
+ this.userService = userService;
+ this.allowedGroup = group;
+ }
+
 /**
  * Provede import uživatele z LDAP do aplikační databáze
  *
@@ -37,6 +44,21 @@ public class LdapUserImporter {
 user.setUsername(login);
 user.addAuthority(defaultRole);
+ if (allowedGroup != null && !allowedGroup.isEmpty()) {
+ boolean isAllowed = false;
+
+ for (Object atr : userData.getObjectAttributes("memberOf")) {
+ if (atr.toString().startsWith("CN="+allowedGroup)) {
+ isAllowed = true;
+ break;
+ }
+ }
+
+ if (!isAllowed) {
+ throw new UsernameNotFoundException("User is not member of group '" + allowedGroup + "'");
+ }
+ }
+
 if (userData.attributeExists("givenName")) {
 try {
 user.setFirstName(userData.getAttributes().get("givenName").get().toString());
diff --git a/src/main/webapp/WEB-INF/ad.properties b/src/main/webapp/WEB-INF/ad.properties
index ca41b75a..37d835c5 100644
--- a/src/main/webapp/WEB-INF/ad.properties
+++ b/src/main/webapp/WEB-INF/ad.properties
@@ -1,2 +1,3 @@
 ad.domain=bukova.net
-ad.ldapUrl=ldap://192.168.25.110/
\ No newline at end of file
+ad.ldapUrl=ldap://192.168.25.110/
+ad.allowedGroup=ucitele
\ No newline at end of file
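Review bot: The new two-argument constructor repeats the one-argument body instead of the old constructor delegating to it, and names its parameter `group` while the field and the AdUserCtxMapper setter both say `allowedGroup`. Prefer `public LdapUserImporter(UserService userService) { this(userService, null); }` together with `public LdapUserImporter(UserService userService, String allowedGroup)`, which also lets both fields be declared `final`. A Javadoc line on the new constructor should state that a null or empty group disables the membership check performed in importUser.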
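Review bot: The group test in the new `for` loop is a prefix match, so `atr.toString().startsWith("CN="+allowedGroup)` also accepts any group whose CN merely begins with the configured name (a constructed example: with `ucitele` configured, a `CN=ucitele-archiv,...` entry passes), and it never matches DNs that a server returns with a lower-case `cn=` type; since this gate decides who gets an account, compare the leaf RDN exactly and case-insensitively instead. `getObjectAttributes("memberOf")` may also return null for a user with no group memberships — worth confirming against the Spring LDAP version in use — in which case the for-each throws a NullPointerException rather than the intended rejection. The sketch below uses `LdapName`, `Rdn` and `InvalidNameException` from `javax.naming.ldap`/`javax.naming`, which the file already draws on; the enclosing `importUser` method starts and ends outside the hunk.
```java
		if (allowedGroup != null && !allowedGroup.isEmpty()) {
			boolean isAllowed = false;
			Object[] groups = userData.getObjectAttributes("memberOf");

			// Match the leaf RDN (CN) of each group DN exactly; a prefix test would
			// also accept groups whose name merely starts with allowedGroup.
			for (Object atr : groups != null ? groups : new Object[0]) {
				try {
					LdapName dn = new LdapName(atr.toString());
					Rdn leaf = dn.size() > 0 ? dn.getRdn(dn.size() - 1) : null;
					if (leaf != null && "cn".equalsIgnoreCase(leaf.getType())
							&& allowedGroup.equalsIgnoreCase(String.valueOf(leaf.getValue()))) {
						isAllowed = true;
						break;
					}
				} catch (InvalidNameException e) {
					logger.warn("Ignoring memberOf value that is not a valid DN: {}", atr);
				}
			}

			// … unchanged: if (!isAllowed) throw new UsernameNotFoundException(...) …
		}
```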
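Review bot: `ad.allowedGroup=ucitele` gives no hint that the value is the group's CN rather than its full DN, or that it is compared against the `memberOf` entries of the user being imported; add a comment line above it, `# CN of the AD group whose members may be imported (empty = no restriction)`. The file also still ends without a trailing newline, so every future append will again produce a `\ No newline at end of file` pair in the diff.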
diff --git a/src/main/webapp/WEB-INF/spring/ad-auth.xml b/src/main/webapp/WEB-INF/spring/ad-auth.xml
index d476b509..3d43206a 100644
--- a/src/main/webapp/WEB-INF/spring/ad-auth.xml
+++ b/src/main/webapp/WEB-INF/spring/ad-auth.xml
@@ -18,6 +18,7 @@
+