有些系統(tǒng)需要使用公司內(nèi)部的域帳號登錄，那么就需要連接LDAP進(jìn)行驗證，Spring Secutiry提供了使用LDAP驗證的方式（就相比登錄驗證來說，Spring提供的LDAP驗證，比自己實現(xiàn)LDAP驗證真是麻煩了不少），能完美契合Spring Secutiry的可參考這篇文章：https://www.ibm.com/developerworks/cn/java/j-lo-springsecurity/

我主要遇到的問題是：大概SpringSecurityLdapTemplate認(rèn)為使用匿名登錄LDAP就能獲取或驗證用戶信息（也可能是我沒找到），所以在使用LdapUserSearch.searchForUser(username)之前，并沒用提供輸入用戶名與密碼的地方，因為它是通過獲取ContextSource.getReadOnlyContext()方法來獲取ContextSource的，而不是使用ContextSource.getContext(String principal, String credentials)方法，這就導(dǎo)致了使用匿名方式會獲取不到用戶信息。這個問題可以通過擴(kuò)展LdapContextSource的實現(xiàn)類來自定義環(huán)境變量實現(xiàn)實名登錄，如下(所有*大多為隱去的部分，可能需要替換)：

package com.***.config.auth;import java.util.Hashtable;import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;import org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource;/*** 登錄環(huán)境變量的設(shè)置*/
public class LoginContextSource extends PasswordPolicyAwareContextSource {private static final String LDAP_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";public LoginContextSource(String providerUrl) {super(providerUrl);this.afterPropertiesSet();}@Overrideprotected DirContext getDirContextInstance(Hashtable<String, Object> environment) throws NamingException {environment.put(Context.INITIAL_CONTEXT_FACTORY, LDAP_FACTORY);// LDAP server//environment.put(Context.PROVIDER_URL, ladpUrl);environment.put(Context.SECURITY_AUTHENTICATION, "simple");// 這里只是做一個演示，后面其實并不需要公用的帳號登錄environment.put(Context.SECURITY_PRINCIPAL, "username");environment.put(Context.SECURITY_CREDENTIALS, "password");environment.put("java.naming.referral", "follow");return super.getDirContextInstance(environment);}
}

同時由于Spring Secutiry自帶的驗證方式并不適合自己的需求，最主要的原因是Spring Secutiry使用匿名登錄進(jìn)行搜索，可能導(dǎo)致無法搜索到用戶，而又不可能提供公用賬戶（涉及到改密碼就會比較麻煩），所以只能使用用戶自己的域帳戶登錄后，再使用這個DirContext獲取他自己的資料，那么就需要自己實現(xiàn)AbstractLdapAuthenticator類，并實現(xiàn)自己的驗證邏輯，如下：

package com.***.config.auth;import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.LdapContext;import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticator;/*** 自定義的LDAP登錄認(rèn)證器*/
public class LoginAuthenticator extends AbstractLdapAuthenticator {private static final Log logger = LogFactory.getLog(LoginAuthenticator.class);/*** The filter expression used in the user search. This is an LDAP search filter (as* defined in 'RFC 2254') with optional arguments. See the documentation for the* <tt>search</tt> methods in {@link javax.naming.directory.DirContext DirContext} for* more information.** <p>* In this case, the username is the only parameter.* </p>* Possible examples are:* <ul>* <li>(uid={0}) - this would search for a username match on the uid attribute.</li>* </ul>*/private final String searchFilter;/** Context name to search in, relative to the base of the configured ContextSource. */private String searchBase = "";/** Default search controls */private SearchControls searchControls = new SearchControls();public LoginAuthenticator(ContextSource contextSource, String searchBase, String searchFilter) {super(contextSource);this.searchFilter = searchFilter;this.searchBase = searchBase;if (searchBase.length() == 0) {logger.info("SearchBase not set. Searches will be performed from the root: ---");}}@Overridepublic DirContextOperations authenticate(Authentication authentication) {DirContextOperations user = null;String username = authentication.getName();String password = (String) authentication.getCredentials();ContextSource contextSource = getContextSource();LdapContext context = (LdapContext) contextSource.getReadOnlyContext();try {// 嘗試使用用戶的域賬號登陸LDAP，如果連接成功那么就算是通過context.addToEnvironment(Context.SECURITY_PRINCIPAL, username + "@buyabs.corp");context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);context.reconnect(null);} catch (NamingException e) {if (logger.isDebugEnabled()) {logger.debug("Username or password does not match: " + e.getLocalizedMessage());}// 如果重新連接不上，則斷定為登陸失敗throw new UsernameNotFoundException("Username or password does not match: " + e.getLocalizedMessage());}// 使用用戶自己的域賬號登陸LDAP，并獲取信息。避免使用公用賬號獲取信息（因為我們壓根沒有公用賬號0_0）if (user == null && getUserSearch() != null) {try {searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);user = SpringSecurityLdapTemplate.searchForSingleEntryInternal(context, searchControls, searchBase, searchFilter, new String[] { username });} catch (NamingException e) {if (logger.isDebugEnabled()) {logger.debug("Username or password does not match: " + e.getLocalizedMessage());}}}if (user == null) {throw new UsernameNotFoundException("User not found: " + username);}return user;}}

同時，還需要擴(kuò)展LdapAuthoritiesPopulator（權(quán)限處理）類，如下：

package com.***.config.auth;import java.util.Collection;
import java.util.List;import javax.annotation.Resource;import org.springframework.context.annotation.Scope;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
import org.springframework.stereotype.Service;import com.newegg.dba.smartdatastack.db.dao.UserInfoDAO;
import com.newegg.dba.smartdatastack.db.vo.UserRoleVO;/*** Spring Secutity 登陸時，獲取權(quán)限的實現(xiàn)*/
@Service("ldapAuthoritiesPopulator")
@Scope("prototype")
public class PortalLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {@Resource(name="userInfoDAO")private UserInfoDAO userInfoDAO;@Overridepublic Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData,String username) {List<UserRoleVO> roleLs = userInfoDAO.findRoleByUserName(username);return roleLs;}
}

這樣，基本的擴(kuò)展類就已經(jīng)準(zhǔn)備好了，再建一個Builder類，如下：

package com.***.auth;import java.util.Properties;import javax.annotation.Resource;import org.springframework.context.annotation.Scope;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.stereotype.Service;@Service("authenticatorProviderBuilder")
@Scope("prototype")
public class AuthenticatorProviderBuilder {@Resource(name="ldapAuthoritiesPopulator")PortalLdapAuthoritiesPopulator ldapAuthoritiesPopulator; @Resource(name="profileSetting")Properties setting;public AuthenticationProvider getAuthenticationProvider() {String ladpDomain = setting.getProperty("ladp.domain");String ladpuserSearch = setting.getProperty("ladp.userSearch");String ladpUrl = setting.getProperty("ladp.url");BaseLdapPathContextSource contenxSource = new LoginContextSource(ladpUrl);FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(ladpDomain, ladpuserSearch, contenxSource);LoginAuthenticator bindAuth = new LoginAuthenticator(contenxSource, ladpDomain, ladpuserSearch);bindAuth.setUserSearch(userSearch);LdapAuthenticationProvider ldapAuth = new LdapAuthenticationProvider(bindAuth, ldapAuthoritiesPopulator);return ldapAuth;}
}

最后，就是配置了，因為使用的代碼配置，所以其代碼如下：

package com.***.config;import javax.annotation.Resource;import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;import com.***.config.auth.AuthenticatorProviderBuilder;@Configuration
@EnableWebSecurity
public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {@Resource(name="authenticatorProviderBuilder")private AuthenticatorProviderBuilder authenticatorProviderBuilder; @Autowiredpublic void configureGlobal(AuthenticationManagerBuilder auth)throws Exception {//  配置LDAP的驗證方式auth.authenticationProvider(authenticatorProviderBuilder.getAuthenticationProvider());}@Overridepublic void configure(WebSecurity web) throws Exception {...}@Overrideprotected void configure(HttpSecurity http) throws Exception {...}}

總結(jié)就是：由于自己所處的系統(tǒng)的原因，所以相比起來，Spring自帶的LDAP驗證登錄還不如自己使用javax.naming.*下的類來實現(xiàn)靈活，附上使用這種方式測試時的源碼吧：

package com.***.ldap;import java.util.Hashtable;import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;/*** User AD * <p>*  用于連接LDAP管理用戶信息等操作* </p>* @author kt94**/
public class UserAD {private static final String LDAP_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";private static final String LDAP_URL = "ldap://127.0.0.1:389/";private static final String LDAP_DOMAIN = "dc=***,dc=***";private static final String PUBLIC_ACCOUNT = "username";private static final String PUBLIC_PASSWORD = "password";public static void main(String[] args) throws NamingException {UserAD userAD = new UserAD();NamingEnumeration<SearchResult> en = userAD.searchBySortName("kt94", "name", "***", "***", "***", "***", "***", "***", "***");// NamingEnumeration<SearchResult> en = userAD.searchBySortName("kt94");if (en == null) {System.out.println("Have no NamingEnumeration.");}if (!en.hasMoreElements()) {System.out.println("Have no element.");} else {// 輸出查到的數(shù)據(jù)while (en.hasMoreElements()) {SearchResult result = en.next();NamingEnumeration<? extends Attribute> attrs = result.getAttributes().getAll();while (attrs.hasMore()) {Attribute attr = attrs.next();if ("manager".equals(attr.getID())) {String[] manArr = attr.get().toString().split(",");if (manArr.length > 0) {String[] manAttrArr = manArr[0].split("=");if (manAttrArr.length > 1) {System.out.println(attr.getID() + "=" + manAttrArr[1]);}}} else {System.out.println(attr.getID() + "=" + attr.get());}}System.out.println("======================");}}boolean authenticate = userAD.authenticate("kttt", "111");System.out.println("authenticate: " + authenticate);}/*** 登陸認(rèn)證* @param sortName* @param password* @return*/public boolean authenticate(String sortName, String password) {if (sortName == null || "".equals(sortName)) {return false;}String account = sortName + "@***.***";LdapContext ladpContent = connectLdap("", "");try {ladpContent.addToEnvironment(Context.SECURITY_PRINCIPAL, account);ladpContent.addToEnvironment(Context.SECURITY_CREDENTIALS, password);ladpContent.reconnect(null);} catch (NamingException e) {return  false;}return true;}/*** 根據(jù)短名搜索用戶* @param sortName* @param attributes* @return*/public NamingEnumeration<SearchResult> searchBySortName(String sortName, String... attributes) {String filter = "(&(objectclass=user)(objectcategory=user)(sAMAccountName=" + sortName + "))";return search(filter, attributes);}/*** 根據(jù)英文名稱搜索用戶* @param name* @param attributes* @return*/public NamingEnumeration<SearchResult> searchByName(String name, String... attributes) {String filter = "(&(objectclass=user)(objectcategory=user)(name=" + name + "))";return search(filter, attributes);}/*** 根據(jù)搜索條件搜索* @param filter - Filter, @see <a href="http://go.microsoft.com/fwlink/?LinkID=143553">LDAP syntax help</a>* @param attributes - Returning attributes* @return*/public NamingEnumeration<SearchResult> search(String filter, String... attributes) {SearchControls searchControls = new SearchControls();searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);if (attributes != null && attributes.length > 0) {searchControls.setReturningAttributes(attributes);}LdapContext ladpContent = connectLdap(PUBLIC_ACCOUNT, PUBLIC_PASSWORD);NamingEnumeration<SearchResult> en = null;try {// 三個參數(shù)分別為：1.上下文；2.要搜索的屬性，如果為空或 null，則返回目標(biāo)上下文中的所有對象；3.控制搜索的搜索控件，如果為 null，則使用默認(rèn)的搜索控件en = ladpContent.search(LDAP_DOMAIN, filter, searchControls);} catch (NamingException e) {// TODO Auto-generated catch blocke.printStackTrace();}return en;}/*** 連接LDAP* @param account - [Short name]@buyabs.corp* @param password - Your windows password* @return*/public LdapContext connectLdap(String account, String password) {Hashtable<String, String> env = getLdapEnvironmentConfig(account, password);LdapContext context = null;try {context = new InitialLdapContext(env, null);} catch (NamingException e) {// TODO Auto-generated catch block// 連接失敗日志打印e.printStackTrace();}return context;}/*** 獲取LDAP環(huán)境配置* @param account* @param password* @return*/private Hashtable<String, String> getLdapEnvironmentConfig(String account, String password) {Hashtable<String, String> env = new Hashtable<String, String>();env.put(Context.INITIAL_CONTEXT_FACTORY, LDAP_FACTORY);// LDAP serverenv.put(Context.PROVIDER_URL, LDAP_URL);env.put(Context.SECURITY_AUTHENTICATION, "simple");env.put(Context.SECURITY_PRINCIPAL, account);env.put(Context.SECURITY_CREDENTIALS, password);env.put("java.naming.referral", "follow");return env;}
}

著重說明：用戶名不只是登錄Windows的帳號，而是要加上@…