springboot 集成kerberos 用户认证 获取域账号
1. 只能在linux环境获取
MyWebSecurityConfiguration 中需要修改下面这两行（服务主体名 SPN 和 keytab 文件路径；两者都是部署相关的配置，建议从配置文件读取而不是写死在代码里）：
java
// NOTE(review): this is the service principal (SPN) the keytab was issued for; for SPNEGO it is
// normally of the form HTTP/<host-fqdn>@<REALM> (realm usually upper-case) and must match an entry
// in the keytab exactly — "ends in COM" is not a sufficient description.
ticketValidator.setServicePrincipal("设置名字一般是COM结尾");
// NOTE(review): the keytab is a long-lived service credential. Keep it outside the source tree and
// image layers, readable only by the service account, and reference it by deployment config.
ticketValidator.setKeyTabLocation(new FileSystemResource("kerbtest05文件地址"));
2. DummyUserDetailsService.java
java
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
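/**
 * Minimal {@link UserDetailsService} for the Kerberos/SPNEGO demo. It performs no lookup at all:
 * it wraps whatever principal name the validated ticket (or form login) carried.
 *
 * <p>Security caveat: because nothing is looked up, every principal the KDC will issue a ticket
 * for — i.e. every account in the domain — becomes a valid user of this application. Authorities
 * granted here must therefore be minimal; anything privileged (an admin role) has to come from a
 * real directory / group lookup, not from this class.
 */
public class DummyUserDetailsService implements UserDetailsService {

    /**
     * Builds a {@link UserDetails} for an already-authenticated principal.
     *
     * @param username principal name handed over by the authentication provider
     * @return an enabled, non-locked, non-expired user holding {@code ROLE_USER} only; the
     *         password is a placeholder because Kerberos never checks one here
     * @throws UsernameNotFoundException if the name is null or blank, so a malformed principal
     *         cannot become an "authenticated" user with an empty identity
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        if (username == null || username.trim().isEmpty()) {
            throw new UsernameNotFoundException("empty principal name");
        }
        // ROLE_ADMIN is deliberately NOT granted: with no lookup behind this service every domain
        // account would otherwise be an administrator. Add an LDAP/group lookup if an admin role
        // is required.
        return new User(username, "notUsed", true, true, true, true,
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}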
3. MyWebSecurityConfiguration
java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
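@Configuration
@EnableWebSecurity
@Order(Ordered.HIGHEST_PRECEDENCE) // optional: only needed if another WebSecurityConfigurerAdapter in the app conflicts with this one
public class MyWebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    /** Service principal (SPN) the keytab was issued for, e.g. HTTP/host.example.com@EXAMPLE.COM. Required. */
    @Value("${kerberos.service-principal}")
    private String servicePrincipal;

    /** Filesystem path of the keytab. Required; keep the file outside the source tree and image layers. */
    @Value("${kerberos.keytab-location}")
    private String keytabLocation;

    /** JAAS/Kerberos debug output. Off by default: it prints ticket and principal details to stdout. */
    @Value("${kerberos.debug:false}")
    private boolean kerberosDebug;

    /**
     * HTTP rules: everything except the listed paths requires authentication; unauthenticated
     * requests get a 401 with {@code WWW-Authenticate: Negotiate} from {@link SpnegoEntryPoint},
     * and the SPNEGO filter runs ahead of basic auth so a presented ticket is consumed first.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // NOTE(review): Negotiate credentials are attached by the browser automatically, like cookies, so CSRF still applies with formLogin/sessions — re-enable or narrowly scope this before production
            .exceptionHandling()
                .authenticationEntryPoint(spnegoEntryPoint())
            .and()
            .headers().frameOptions().sameOrigin()
            .and()
            .authorizeRequests()
                .antMatchers("/resources/**", "/test2/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin() // fallback for clients that cannot present a Kerberos ticket
            .and()
            .logout().permitAll()
            .and()
            .addFilterBefore(spnegoAuthenticationProcessingFilter(), BasicAuthenticationFilter.class);
    }

    /** Registers both providers: form-login credentials and SPNEGO service tickets. */
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(kerberosAuthenticationProvider())
            .authenticationProvider(kerberosServiceAuthenticationProvider());
    }

    /** Form-login path: hands the username/password to {@link SunJaasKerberosClient}. */
    @Bean
    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        client.setDebug(kerberosDebug);
        KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
        provider.setKerberosClient(client);
        provider.setUserDetailsService(dummyUserDetailsService());
        return provider;
    }

    @Bean
    public SpnegoEntryPoint spnegoEntryPoint() {
        return new SpnegoEntryPoint();
    }

    /**
     * Filter that extracts the SPNEGO token from the {@code Authorization} header.
     * A missing AuthenticationManager is a configuration error and is reported at startup,
     * instead of being swallowed and surfacing as a NullPointerException on the first request.
     */
    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter() {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        try {
            filter.setAuthenticationManager(authenticationManagerBean());
        } catch (Exception e) {
            throw new IllegalStateException("could not obtain AuthenticationManager for the SPNEGO filter", e);
        }
        return filter;
    }

    /** SPNEGO path: validates the presented service ticket against the keytab. */
    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(dummyUserDetailsService());
        return provider;
    }

    /** Ticket validator bound to the configured SPN and keytab; both come from application properties. */
    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
        ticketValidator.setServicePrincipal(servicePrincipal);
        ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation));
        ticketValidator.setDebug(kerberosDebug);
        return ticketValidator;
    }

    @Bean
    public DummyUserDetailsService dummyUserDetailsService() {
        return new DummyUserDetailsService();
    }
}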
4. 获取域账号的方法
java
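/**
 * Resolves the short (domain-less) account name of the caller.
 *
 * <p>Resolution order: a value previously cached in the HTTP session attribute {@code "userId"},
 * otherwise the container principal from {@link HttpServletRequest#getRemoteUser()}, normalised by
 * {@link #stripDomain(String)} and then cached in the session for later calls.
 *
 * <p>Security caveats:
 * <ul>
 *   <li>The session attribute takes precedence over the authenticated principal and is never
 *       refreshed, so any other code that writes {@code "userId"} into the session effectively
 *       decides which identity this method reports. Read the principal directly if that matters.</li>
 *   <li>The domain / realm part is discarded, so {@code alice@CORP} and {@code alice@PARTNER}
 *       collapse to the same id. Acceptable only in a single-domain deployment.</li>
 * </ul>
 *
 * @param req current request; a session is created only when there is a principal to cache,
 *            so anonymous requests do not get a session as a side effect
 * @return the short account name, or {@code null} when the request carries no principal
 */
public static String getCurrentUserId(HttpServletRequest req) {
    // Do not create a session merely to look for the cached value.
    String cached = req.getSession(false) == null
            ? null
            : (String) req.getSession(false).getAttribute("userId");
    if (cached != null && !cached.isEmpty()) {
        return cached;
    }
    String userId = stripDomain(req.getRemoteUser());
    if (userId != null) {
        req.getSession().setAttribute("userId", userId);
    }
    return userId;
}

/**
 * Removes a Windows domain prefix ({@code DOMAIN\user}) or a Kerberos realm suffix
 * ({@code user@REALM}) from a principal name.
 *
 * @param principal raw principal name, may be {@code null}
 * @return the short name, trimmed when a separator was removed; a separator at position 0 is
 *         left untouched; {@code null} for {@code null} input
 */
private static String stripDomain(String principal) {
    if (principal == null) {
        return null;
    }
    int backslash = principal.indexOf('\\');
    if (backslash > 0) {
        return principal.substring(backslash + 1).trim();
    }
    int at = principal.indexOf('@');
    if (at > 0) {
        return principal.substring(0, at).trim();
    }
    return principal;
}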
5. 将 kerbtest05.keytab 打包到镜像中（安全提示：keytab 是长期有效的服务凭据，打进镜像层后任何能拉取该镜像的人都能拿到它；生产环境建议改为运行时以 secret/volume 方式挂载，并将文件权限限制为仅服务账号可读）
