|
|
Apache Shiro 支持基于活动目录的用户认证。
其配置文件shiro.ini配置如下:
activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
activeDirectoryRealm.url = ldap://192.168.131.111:389
activeDirectoryRealm.principalSuffix = @example.com
使用的认证类为ActiveDirectoryRealm。具体调研的方法是queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory) 这里需要一个ldapContextFactory类。系统在初始化时会默认创建一个缺省DefaultLdapContextFactory类。
具体调用是在AbstractLdapRealm中:
protected void onInit() {
super.onInit();
ensureContextFactory();
}
private LdapContextFactory ensureContextFactory() {
if (this.ldapContextFactory == null) {
if (log.isDebugEnabled()) {
log.debug("No LdapContextFactory specified - creating a default instance.");
}
DefaultLdapContextFactory defaultFactory = new DefaultLdapContextFactory();
defaultFactory.setPrincipalSuffix(this.principalSuffix);
defaultFactory.setSearchBase(this.searchBase);
defaultFactory.setUrl(this.url);
defaultFactory.setSystemUsername(this.systemUsername);
defaultFactory.setSystemPassword(this.systemPassword);
this.ldapContextFactory = defaultFactory;
}
return this.ldapContextFactory;
}
用户的认证实现是在DefaultLdapContextFactory类中实现,这部分可以改进一下采用两次绑定会更好public LdapContext getLdapContext(Object principal, Object credentials) throws NamingException {
if (url == null) {
throw new IllegalStateException("An LDAP URL must be specified of the form ldap://<hostname>:<port>");
}
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.SECURITY_AUTHENTICATION, authentication);
if (principal != null) {
env.put(Context.SECURITY_PRINCIPAL, principal);
}
if (credentials!= null) {
env.put(Context.SECURITY_CREDENTIALS, credentials);
}
env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactoryClassName);
env.put(Context.PROVIDER_URL, url);
env.put(Context.REFERRAL, referral);
// Only pool connections for system contexts
if (usePooling && principal != null && principal.equals(systemUsername)) {
// Enable connection pooling
env.put(SUN_CONNECTION_POOLING_PROPERTY, "true");
}
if (additionalEnvironment != null) {
env.putAll(additionalEnvironment);
}
if (log.isDebugEnabled()) {
log.debug("Initializing LDAP context using URL [" + url + "] and username [" + systemUsername + "] " +
"with pooling [" + (usePooling ? "enabled" : "disabled") + "]");
}
return new InitialLdapContext(env, null);
}
基本上活动目录的认证方式同LDAP认证方式是一样的。因为ad(活动目录)本身就是基于ldap协议的一个微软产品。 |
|
QQ群⑧:
窥视卡
雷达卡
发表于 2017-1-10 11:33:32
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡