Tuesday, 28 May 2019

Spring Security ActiveDirectoryLdapAuthenticationProvider Class

Introduction
Some concepts are as follows.
Security Account Manager (SAM) Name
The explanation is as follows.
 The networkID you use to login to the network.
User Principal Name (UPN)
The explanation is as follows.
It may be Implicit UPN (iUPN) or Explicit UPN (eUPN).

 An example for iUPN would be: networkID@internalDomain.com

 An example for eUPN would be: employee_name@companyName.com

 eUPN may be defined by network administrator.

 In my case, the UPN we're using in our AD is actually an eUPN.
So far I have only seen companies that use eUPN. That is, the e-mail addresses looked like this:
employee_name@companyName.com

Example
Let our filter be the following. With this filter, e-mail addresses of the form employee_name@companyName.com can be found.
(&(objectClass=user)(userPrincipalName={0}))
The explanation is as follows.
if it's the domain used in email address, this filter will find the user with and without the domain name.
Example
Let our filter be the following. With this filter, e-mail addresses of the form employee_AD_username@internaldomain.com can be found.
(&(objectClass=user)(sAMAccountName={1}))
The explanation is as follows.
will find the user if the username provided is networkID with no domain.
Search Filter Syntax
The explanation is as follows.
This is query language for AD.

 We used it to define the filter while searching for objects in AD.

 {0}-occurrence means full username with domain in it. If the domain is defined in LDAP
 configuration then Spring Security checks if it's present in the entered username to
 login. If not, then it'll be added.

 {1}-occurrence means whatever entered as username. So, Spring won't do any modification
 on the provided username.

constructor
The first parameter is the domain name. The explanation is as follows.
If you want to be able to login without providing domain name, you need to define the domain in LDAP configuration
The explanation is as follows.
If you don't define the domain for LDAP configuration and leave it null while instantiating the object, then you should be able to search for both UPN and sam -account with {1} occurrence but you have to provide the domain for both networkID and email-username while on login.
Example
We do it like this.
ActiveDirectoryLdapAuthenticationProvider provider = 
 new ActiveDirectoryLdapAuthenticationProvider("domain",...);
Example
We do it like this.
ActiveDirectoryLdapAuthenticationProvider provider =
  new ActiveDirectoryLdapAuthenticationProvider(...,...);
setUserDetailsContextMapper method
Example
Suppose we have the following code.
import java.util.Collection;
import lombok.extern.slf4j.Slf4j;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

@Slf4j
public class LdapUserDetailsContextMapper implements UserDetailsContextMapper {
  @Override
  public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
      Collection<? extends GrantedAuthority> authorities) {
    // Minimal body (the original post elides it): build the UserDetails from the
    // AD entry. The password is never read back from AD; the bind already verified it.
    log.debug("Mapping AD entry {} for user {}", ctx.getNameInNamespace(), username);
    return User.withUsername(username).password("").authorities(authorities).build();
  }

  @Override
  public void mapUserToContext(UserDetails userDetails,
      DirContextAdapter dirContextAdapter) {
    // Authentication only reads from AD; writing back is not supported by this mapper.
    throw new UnsupportedOperationException("read-only mapper");
  }
}
We do it like this.
provider.setUserDetailsContextMapper(new LdapUserDetailsContextMapper());
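Putting the pieces together, as an added example that is not from the original post: the provider is constructed with the domain, given a search filter that joins the two filters above with an LDAP OR so that both the eUPN ({0}) and the bare networkID ({1}) match, and wired to the mapper class above. The domain companyName.com, the LDAPS URL and the class name AdAuthenticationConfig are assumptions.

```java
import java.util.Collections;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

// Added example; domain, URL and class name are assumptions, not values from the post.
public class AdAuthenticationConfig {

  // Matches the eUPN form (employee_name@companyName.com) via {0} and the
  // bare networkID via {1}; combining the two filters with "|" is a generalization
  // of the two separate filters shown above.
  static final String SEARCH_FILTER =
      "(&(objectClass=user)(|(userPrincipalName={0})(sAMAccountName={1})))";

  public static ActiveDirectoryLdapAuthenticationProvider activeDirectoryProvider() {
    // First argument is the domain: a bare networkID gets "@companyName.com" appended
    // before the bind, so users can log in with or without the domain suffix.
    // LDAPS keeps the bind password off the wire in clear text.
    ActiveDirectoryLdapAuthenticationProvider provider =
        new ActiveDirectoryLdapAuthenticationProvider(
            "companyName.com", "ldaps://dc.companyName.com:636");
    provider.setSearchFilter(SEARCH_FILTER);
    // Map AD sub-error codes (expired password, locked account, ...) to distinct
    // exceptions. Log them for the SOC, but show end users a generic failure message
    // so account state is not disclosed at the login form.
    provider.setConvertSubErrorCodesToExceptions(true);
    provider.setUserDetailsContextMapper(new LdapUserDetailsContextMapper());
    return provider;
  }

  public static AuthenticationManager authenticationManager() {
    return new ProviderManager(Collections.singletonList(activeDirectoryProvider()));
  }
}
```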
