使用Apache Shiro进行身份认证-Active Directory认证

时间:2021-12-07 07:05:24

Apache Shiro 支持基于活动目录的用户认证。

其配置文件shiro.ini配置如下:

activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
activeDirectoryRealm.url = ldap://192.168.131.111:389
activeDirectoryRealm.principalSuffix = @example.com

使用的认证类为ActiveDirectoryRealm。具体调研的方法是queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory)

这里需要一个ldapContextFactory类。系统在初始化时会默认创建一个缺省DefaultLdapContextFactory类。

具体调用是在AbstractLdapRealm中:

 protected void onInit() {
super.onInit();
ensureContextFactory();
}

private LdapContextFactory ensureContextFactory() {
if (this.ldapContextFactory == null) {

if (log.isDebugEnabled()) {
log.debug("No LdapContextFactory specified - creating a default instance.");
}

DefaultLdapContextFactory defaultFactory = new DefaultLdapContextFactory();
defaultFactory.setPrincipalSuffix(this.principalSuffix);
defaultFactory.setSearchBase(this.searchBase);
defaultFactory.setUrl(this.url);
defaultFactory.setSystemUsername(this.systemUsername);
defaultFactory.setSystemPassword(this.systemPassword);

this.ldapContextFactory = defaultFactory;
}
return this.ldapContextFactory;
}

用户的认证实现是在DefaultLdapContextFactory类中实现,这部分可以改进一下采用两次绑定会更好
public LdapContext getLdapContext(Object principal, Object credentials) throws NamingException {
if (url == null) {
throw new IllegalStateException("An LDAP URL must be specified of the form ldap://<hostname>:<port>");
}

Hashtable<String, Object> env = new Hashtable<String, Object>();

env.put(Context.SECURITY_AUTHENTICATION, authentication);
if (principal != null) {
env.put(Context.SECURITY_PRINCIPAL, principal);
}
if (credentials!= null) {
env.put(Context.SECURITY_CREDENTIALS, credentials);
}
env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactoryClassName);
env.put(Context.PROVIDER_URL, url);
env.put(Context.REFERRAL, referral);

// Only pool connections for system contexts
if (usePooling && principal != null && principal.equals(systemUsername)) {
// Enable connection pooling
env.put(SUN_CONNECTION_POOLING_PROPERTY, "true");
}

if (additionalEnvironment != null) {
env.putAll(additionalEnvironment);
}

if (log.isDebugEnabled()) {
log.debug("Initializing LDAP context using URL [" + url + "] and username [" + systemUsername + "] " +
"with pooling [" + (usePooling ? "enabled" : "disabled") + "]");
}

return new InitialLdapContext(env, null);
}

基本上活动目录的认证方式同LDAP认证方式是一样的。因为ad(活动目录)本身就是基于ldap协议的一个微软产品。