Pokud je nastavené přihlašování proti LDAP nebo Active Directory, tak
lze omezit přihlašování do aplikace pouze na uživatele (z AD nebo LDAP), kteří jsou členy nastavené skupiny.
@@ -26,6 +26,7 @@ public class AdUserCtxMapper implements UserDetailsContextMapper {
|
||||
|
||||
private UserService userService;
|
||||
private RoleService roleService;
|
||||
private String allowedGroup;
|
||||
|
||||
private final static Logger logger = LoggerFactory.getLogger(AdUserCtxMapper.class);
|
||||
|
||||
@@ -43,7 +44,7 @@ public class AdUserCtxMapper implements UserDetailsContextMapper {
|
||||
return user;
|
||||
} catch (UsernameNotFoundException e) {
|
||||
logger.info("Importing user from Active Directory");
|
||||
LdapUserImporter importer = new LdapUserImporter(userService);
|
||||
LdapUserImporter importer = new LdapUserImporter(userService, allowedGroup);
|
||||
importer.importUser(username, userData, roleService.getRoleByAuthority(Constants.ROLE_USER));
|
||||
|
||||
return userService.loadUserByUsername(username);
|
||||
@@ -56,4 +57,8 @@ public class AdUserCtxMapper implements UserDetailsContextMapper {
|
||||
"use a subclass if mapUserToContext() is required.");
|
||||
}
|
||||
|
||||
public void setAllowedGroup(String allowedGroup) {
|
||||
this.allowedGroup = allowedGroup;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
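Review bot: The group-membership test runs only on the import path: the `catch (UsernameNotFoundException e)` branch is entered only when the local lookup fails, so an account that was imported on an earlier login returns at `return user;` without `memberOf` ever being consulted, and removing a user from the configured group does not revoke access. The enclosing mapUserFromContext starts outside the hunk, so the exact shape of the try block is not visible here. I would move the membership test out of `importUser` into a method on LdapUserImporter such as `isMemberOfAllowedGroup(DirContextOperations userData)` and call it both before `return user;` and before the import, throwing the same UsernameNotFoundException in both cases. A one-line comment on `private String allowedGroup;` stating that a null or empty value disables the restriction would also help, since that behaviour is only visible in the importer.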
@@ -9,6 +9,7 @@ import javax.naming.NamingException;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.ldap.core.DirContextOperations;
|
||||
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||
|
||||
/**
|
||||
* Pomocná třída pro import uživatele z LDAP serveru (nebo Active Directory) do databáze aplikace
|
||||
@@ -19,12 +20,18 @@ import org.springframework.ldap.core.DirContextOperations;
|
||||
public class LdapUserImporter {
|
||||
|
||||
private UserService userService;
|
||||
private String allowedGroup;
|
||||
private final static Logger logger = LoggerFactory.getLogger(LdapUserImporter.class);
|
||||
|
||||
public LdapUserImporter(UserService userService) {
|
||||
this.userService = userService;
|
||||
}
|
||||
|
||||
public LdapUserImporter(UserService userService, String group) {
|
||||
this.userService = userService;
|
||||
this.allowedGroup = group;
|
||||
}
|
||||
|
||||
/**
|
||||
* Provede import uživatele z LDAP do aplikační databáze
|
||||
*
|
||||
@@ -37,6 +44,21 @@ public class LdapUserImporter {
|
||||
user.setUsername(login);
|
||||
user.addAuthority(defaultRole);
|
||||
|
||||
if (allowedGroup != null && !allowedGroup.isEmpty()) {
|
||||
boolean isAllowed = false;
|
||||
|
||||
for (Object atr : userData.getObjectAttributes("memberOf")) {
|
||||
if (atr.toString().startsWith("CN="+allowedGroup)) {
|
||||
isAllowed = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (!isAllowed) {
|
||||
throw new UsernameNotFoundException("User is not member of group '" + allowedGroup + "'");
|
||||
}
|
||||
}
|
||||
|
||||
if (userData.attributeExists("givenName")) {
|
||||
try {
|
||||
user.setFirstName(userData.getAttributes().get("givenName").get().toString());
|
||||
|
||||
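Review bot: `atr.toString().startsWith("CN="+allowedGroup)` is a prefix match on the DN, so a group whose CN merely begins with the configured name (a hypothetical `ucitele-archiv` when `ucitele` is configured) also grants access, and the comparison is case-sensitive although DN attribute values in AD are matched case-insensitively; assuming `memberOf` values are full DNs, compare the complete first RDN instead: `String wanted = "CN=" + allowedGroup + ",";` and `if (atr.toString().regionMatches(true, 0, wanted, 0, wanted.length())) {`. `userData.getObjectAttributes("memberOf")` can, as far as I recall of Spring LDAP's DirContextAdapter, return null when the entry has no `memberOf` attribute, in which case the for loop throws a NullPointerException instead of the intended UsernameNotFoundException; guard it with `Object[] groups = userData.getObjectAttributes("memberOf"); if (groups != null) { ... }` before the loop. The check also only sees direct `memberOf` values, so nested group membership is not honoured — worth a comment on the `if (allowedGroup != null && !allowedGroup.isEmpty())` line. importUser's signature and the remainder of its body lie outside the hunk.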
@@ -1,2 +1,3 @@
|
||||
ad.domain=bukova.net
|
||||
ad.ldapUrl=ldap://192.168.25.110/
|
||||
ad.ldapUrl=ldap://192.168.25.110/
|
||||
ad.allowedGroup=ucitele
|
||||
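Review bot: `ad.allowedGroup=ucitele` is undocumented, and its semantics are not obvious from the file: the value is matched against the CN of the groups listed in the user's `memberOf` attribute, and an empty value disables the restriction entirely (per the `allowedGroup != null && !allowedGroup.isEmpty()` guard in LdapUserImporter). I would add above it `# CN of the AD/LDAP group whose members may log in; leave empty for no group restriction`.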
@@ -18,6 +18,7 @@
|
||||
<bean id="adUserMapper" class="info.bukova.isspst.services.users.AdUserCtxMapper">
|
||||
<constructor-arg name="userService" ref="userService"/>
|
||||
<constructor-arg name="roleService" ref="roleService"/>
|
||||
<property name="allowedGroup" value="${ad.allowedGroup}"/>
|
||||
</bean>
|
||||
|
||||
</beans>
|
||||
|
||||
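Review bot: `value="${ad.allowedGroup}"` has no default, so a deployment that omits `ad.allowedGroup` from its properties leaves the placeholder unresolved and, unless the placeholder configurer is set to ignore unresolvable placeholders (not visible here), fails context startup, even though the Java side treats an empty group as "no restriction". `value="${ad.allowedGroup:}"` would keep the property optional and consistent with that check.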