使用Apache Shiro进行身份认证-Active Directory认证

时间:2022-09-23 22:33:48

Apache Shiro 支持基于活动目录的用户认证。

其配置文件shiro.ini配置如下:

activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
activeDirectoryRealm.url = ldap://192.168.131.111:389
activeDirectoryRealm.principalSuffix = @example.com

使用的认证类为ActiveDirectoryRealm。具体调研的方法是queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory)

这里需要一个ldapContextFactory类。系统在初始化时会默认创建一个缺省DefaultLdapContextFactory类。

具体调用是在AbstractLdapRealm中:

 protected void onInit() {
        super.onInit();
        ensureContextFactory();
    }

    private LdapContextFactory ensureContextFactory() {
        if (this.ldapContextFactory == null) {

            if (log.isDebugEnabled()) {
                log.debug("No LdapContextFactory specified - creating a default instance.");
            }

            DefaultLdapContextFactory defaultFactory = new DefaultLdapContextFactory();
            defaultFactory.setPrincipalSuffix(this.principalSuffix);
            defaultFactory.setSearchBase(this.searchBase);
            defaultFactory.setUrl(this.url);
            defaultFactory.setSystemUsername(this.systemUsername);
            defaultFactory.setSystemPassword(this.systemPassword);

            this.ldapContextFactory = defaultFactory;
        }
        return this.ldapContextFactory;
    }

用户的认证实现是在DefaultLdapContextFactory类中实现,这部分可以改进一下采用两次绑定会更好 
public LdapContext getLdapContext(Object principal, Object credentials) throws NamingException {
        if (url == null) {
            throw new IllegalStateException("An LDAP URL must be specified of the form ldap://<hostname>:<port>");
        }

        Hashtable<String, Object> env = new Hashtable<String, Object>();

        env.put(Context.SECURITY_AUTHENTICATION, authentication);
        if (principal != null) {
            env.put(Context.SECURITY_PRINCIPAL, principal);
        }
        if (credentials!= null) {
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }
        env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactoryClassName);
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.REFERRAL, referral);

        // Only pool connections for system contexts
        if (usePooling && principal != null && principal.equals(systemUsername)) {
            // Enable connection pooling
            env.put(SUN_CONNECTION_POOLING_PROPERTY, "true");
        }

        if (additionalEnvironment != null) {
            env.putAll(additionalEnvironment);
        }

        if (log.isDebugEnabled()) {
            log.debug("Initializing LDAP context using URL [" + url + "] and username [" + systemUsername + "] " +
                    "with pooling [" + (usePooling ? "enabled" : "disabled") + "]");
        }

        return new InitialLdapContext(env, null);
    }

基本上活动目录的认证方式同LDAP认证方式是一样的。因为ad(活动目录)本身就是基于ldap协议的一个微软产品。

标签:

相关文章