From 6737d44d629c32db558ebdda29668d94e37c82d8 Mon Sep 17 00:00:00 2001 From: Josef Rokos Date: Fri, 14 Nov 2014 14:21:41 +0100 Subject: [PATCH] =?UTF-8?q?Pokud=20je=20nastaven=C3=A9=20p=C5=99ihla=C5=A1?= =?UTF-8?q?ov=C3=A1n=C3=AD=20proti=20LDAP=20nebo=20Active=20Directory,=20t?= =?UTF-8?q?ak=20lze=20omezit=20p=C5=99ihla=C5=A1ov=C3=A1n=C3=AD=20do=20apl?= =?UTF-8?q?ikace=20pouze=20na=20u=C5=BEivatele=20(z=20AD=20nebo=20LDAP),?= =?UTF-8?q?=20kt=C5=99=C3=AD=20jsou=20=C4=8Dleny=20nastaven=C3=A9=20skupin?= =?UTF-8?q?y.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../services/users/AdUserCtxMapper.java | 7 +++++- .../services/users/LdapUserImporter.java | 22 +++++++++++++++++++ src/main/webapp/WEB-INF/ad.properties | 3 ++- src/main/webapp/WEB-INF/spring/ad-auth.xml | 1 + 4 files changed, 31 insertions(+), 2 deletions(-) diff --git a/src/main/java/info/bukova/isspst/services/users/AdUserCtxMapper.java b/src/main/java/info/bukova/isspst/services/users/AdUserCtxMapper.java index b0450f09..96cd9b1f 100644 --- a/src/main/java/info/bukova/isspst/services/users/AdUserCtxMapper.java +++ b/src/main/java/info/bukova/isspst/services/users/AdUserCtxMapper.java @@ -26,6 +26,7 @@ public class AdUserCtxMapper implements UserDetailsContextMapper { private UserService userService; private RoleService roleService; + private String allowedGroup; private final static Logger logger = LoggerFactory.getLogger(AdUserCtxMapper.class); @@ -43,7 +44,7 @@ public class AdUserCtxMapper implements UserDetailsContextMapper { return user; } catch (UsernameNotFoundException e) { logger.info("Importing user from Active Directory"); - LdapUserImporter importer = new LdapUserImporter(userService); + LdapUserImporter importer = new LdapUserImporter(userService, allowedGroup); importer.importUser(username, userData, roleService.getRoleByAuthority(Constants.ROLE_USER)); return userService.loadUserByUsername(username); 
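Review bot: The group restriction is enforced only on the import path — the `return user;` inside the try hands back any account already present in the application database without consulting allowedGroup, so a user imported before the setting existed, or one since removed from the directory group, keeps logging in even though the commit message describes restricting login to group members. If that is the intent, the memberOf check should run in mapUserFromContext before the loadUserByUsername branch, for example by moving it out of LdapUserImporter.importUser into a method such as `checkGroupMembership(userData)` that both the existing-user and the import path call. The try/catch begins outside the hunk, so the exact insertion point is not visible here.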
@@ -56,4 +57,8 @@ public class AdUserCtxMapper implements UserDetailsContextMapper { "use a subclass if mapUserToContext() is required."); } + public void setAllowedGroup(String allowedGroup) { + this.allowedGroup = allowedGroup; + } + } diff --git a/src/main/java/info/bukova/isspst/services/users/LdapUserImporter.java b/src/main/java/info/bukova/isspst/services/users/LdapUserImporter.java index 7da73858..b618f89b 100644 --- a/src/main/java/info/bukova/isspst/services/users/LdapUserImporter.java +++ b/src/main/java/info/bukova/isspst/services/users/LdapUserImporter.java @@ -9,6 +9,7 @@ import javax.naming.NamingException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.ldap.core.DirContextOperations; +import org.springframework.security.core.userdetails.UsernameNotFoundException; /** * Pomocná třída pro import uživatele z LDAP serveru (nebo Active Directory) do databáze aplikace @@ -19,12 +20,18 @@ import org.springframework.ldap.core.DirContextOperations; public class LdapUserImporter { private UserService userService; + private String allowedGroup; private final static Logger logger = LoggerFactory.getLogger(LdapUserImporter.class); public LdapUserImporter(UserService userService) { this.userService = userService; } + public LdapUserImporter(UserService userService, String group) { + this.userService = userService; + this.allowedGroup = group; + } + /** * Provede import uživatele z LDAP do aplikační databáze * 
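Review bot: The two-argument constructor repeats the one-argument constructor's body and names its parameter `group` while the field, the setter in AdUserCtxMapper and the `ad.allowedGroup` property all say allowedGroup; prefer `public LdapUserImporter(UserService userService, String allowedGroup) { this(userService); this.allowedGroup = allowedGroup; }`. Neither constructor documents that a null or empty value disables the membership check (which is what the `allowedGroup != null && !allowedGroup.isEmpty()` guard in importUser does); a Javadoc line such as `@param allowedGroup CN of the directory group a user must belong to; null or empty imports every authenticated user` would make that explicit for whoever wires the bean.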
@@ -37,6 +44,21 @@ public class LdapUserImporter { user.setUsername(login); user.addAuthority(defaultRole); + if (allowedGroup != null && !allowedGroup.isEmpty()) { + boolean isAllowed = false; + + for (Object atr : userData.getObjectAttributes("memberOf")) { + if (atr.toString().startsWith("CN="+allowedGroup)) { + isAllowed = true; + break; + } + } + + if (!isAllowed) { + throw new UsernameNotFoundException("User is not member of group '" + allowedGroup + "'"); + } + } + if (userData.attributeExists("givenName")) { try { user.setFirstName(userData.getAttributes().get("givenName").get().toString()); diff --git a/src/main/webapp/WEB-INF/ad.properties b/src/main/webapp/WEB-INF/ad.properties index ca41b75a..37d835c5 100644 --- a/src/main/webapp/WEB-INF/ad.properties +++ b/src/main/webapp/WEB-INF/ad.properties @@ -1,2 +1,3 @@ ad.domain=bukova.net -ad.ldapUrl=ldap://192.168.25.110/ \ No newline at end of file +ad.ldapUrl=ldap://192.168.25.110/ +ad.allowedGroup=ucitele \ No newline at end of file diff --git a/src/main/webapp/WEB-INF/spring/ad-auth.xml b/src/main/webapp/WEB-INF/spring/ad-auth.xml index d476b509..3d43206a 100644 --- a/src/main/webapp/WEB-INF/spring/ad-auth.xml +++ b/src/main/webapp/WEB-INF/spring/ad-auth.xml @@ -18,6 +18,7 @@ +
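Review bot: The membership test `atr.toString().startsWith("CN="+allowedGroup)` is a prefix match on the group DN, so with `ad.allowedGroup=ucitele` an account whose only membership is a group named `ucitele-old` or `ucitele2` is also admitted, the CN value is compared case-sensitively although LDAP treats it as case-insensitive, and a same-named group anywhere else in the tree matches as well. Parsing each DN with javax.naming.ldap.LdapName and comparing the leading RDN value exactly (or configuring and comparing the full group DN) closes that, and a null guard on the getObjectAttributes result avoids a NullPointerException for an account with no memberOf values — whether that method returns null or an empty array depends on the Spring LDAP version, so confirm. A rejected login deserves a WARN entry naming the login and the group, since the thrown UsernameNotFoundException is presumably reported to the user as a generic authentication failure. Note that memberOf reflects direct memberships only, so members of nested groups will be rejected; importUser begins and ends outside the hunk, and the helper below needs LdapName, Rdn and InvalidNameException imported from javax.naming.
```java
// … unchanged: user.setUsername(login); user.addAuthority(defaultRole); …
if (allowedGroup != null && !allowedGroup.isEmpty()) {
    Object[] groups = userData.getObjectAttributes("memberOf");
    boolean isAllowed = false;
    if (groups != null) {
        for (Object groupDn : groups) {
            if (isAllowedGroup(groupDn.toString())) {
                isAllowed = true;
                break;
            }
        }
    }
    if (!isAllowed) {
        logger.warn("Login rejected for '{}': not a member of group '{}'", login, allowedGroup);
        throw new UsernameNotFoundException("User is not member of group '" + allowedGroup + "'");
    }
}
// … unchanged: givenName / sn attribute mapping …

/** True when the leading RDN of the DN is CN=&lt;allowedGroup&gt; (exact value, case-insensitive). */
private boolean isAllowedGroup(String groupDn) {
    try {
        LdapName dn = new LdapName(groupDn);
        Rdn leading = dn.getRdn(dn.size() - 1); // LdapName indexes from the root, so the CN is last
        return "CN".equalsIgnoreCase(leading.getType())
                && allowedGroup.equalsIgnoreCase(String.valueOf(leading.getValue()));
    } catch (InvalidNameException e) {
        logger.debug("Ignoring unparsable memberOf value '{}'", groupDn, e);
        return false;
    }
}
```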