IO /guides/ GS /a…
However, in the actual attempt, there are a lot of doubts, including:
- What is LDAP?
- What are the four new dependencies?
- How to Set a Password
- , etc.
So it took some time before writing this document to understand what it is and how to do it!
First, let’s take a look at the new dependencies the website has us load:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap-core</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
</dependency>
<dependency>
<groupId>com.unboundid</groupId>
<artifactId>unboundid-ldapsdk</artifactId>
</dependency>
Copy the code
We start with these four dependencies, to understand how this is one thing ~~~
1. Dependency: spring-boot-starter-security
In our previous demo, we created web applications that could retrieve data directly from the API, which were very insecure.
So what is safe?
Simply put, it is necessary to use, have security verification, from each link of access, as much as possible to prevent some risks.
For example, when we use API, we need to bring the user name and password, or need to bring the token that expires after login to access and so on.
Here’s a good article that illustrates the first dependency we’ll use: spring-boot-starter-security
# spring-boot-starter-security and application security
Just add the required Controller implementation to the current project, and a Web application with basic security is born. Spring-boot-starter-security provides a security defense policy based on HTTP Basic authentication by default. The default user name is user, and the access password is printed to the console when the current Web application is started.
The 13:57:00 2017-01-01. 17966-596 the INFO [ost startStop - 1] B.A.S.A u - thenticationManagerConfiguration: Using default security password: 560ff91b-0ae7-492c-ad16-603e1adec54cCopy the code
If you want to customize the HTTP Basic authentication user name and password, you can use the following configuration items:
Security.user. name={the user name you want to set}\Copy the code
Security.user. password={the access password that the individual wishes to use}Copy the code
That said, spring-boot-starter-Security provides a very basic level of security that allows you to access the current web application using either a default password or a custom username and password.
2. Dependencies: spring-ldap-core and spring-security-ldap
1. Meet the LDAP
Searching for both of these dependencies leads to the concept of LDAP, so this section needs to be clear about what LDAP is.
First look at the official note:
LDAP, Lightweight Directory Access Protocol
No doubt there are new questions about what directory access protocols are and what these are!
According to a large number of various blogs and materials on the Internet, the final summary is as follows:
- LDAP is a special server that stores data
- Data is stored in the form of a directory, or tree structure (layer upon layer)
- Stores users, user authentication information, user groups, and user members for user authentication and authorization
As you can see in the figure above, LDAP can create a tree structure of user data by setting the O/OU/CN flag bits. It can also store the company, organization, department, and users in the same department of the user.
In this way, it is easy to define user categories and user permissions, as well as facilitate user queries
2. The flag bit of LDAP is described as follows: Dependent: unboundid
In the previous section, we saw some o/ou/cn/ DN flag bits, or fields, so what does that mean?
First, we need to introduce the Maven dependency unboundid:
<dependency>
<groupId>com.unboundid</groupId>
<artifactId>unboundid-ldapsdk</artifactId>
</dependency>
Copy the code
Here’s the official explanation:
The UnboundID LDAP SDK provides a set of fast, powerful, user-friendly, and open source Java apis for interacting with LDAP directory servers. It offers better performance, easier use, and more functionality than other Java-based LDAP APIs. It is also the only SDK that continues to be actively developed and enhanced.
Official website: www.ldap.com/unboundid-l…
In a nutshell, this is an SDK that provides a more ldAP-friendly interactive configuration, known as the LDAP flag bit. By configuring these things, you can simply set up a set of LDAP directory data from a configuration file.
The general summary is as follows:
Identify a | English full name | English description |
---|---|---|
cn | common name | Common name |
ou | organization unit | Organizational units |
o | organization | Organization name |
uid | userid | The object id |
dc | domain component | Each element in DNS, such as com and cn, is a DC |
dn | distiguished name | It can be regarded as DNS, but each value of dn has its own attribute. For example, dn is dc=com,dc=cn. At the same time, DN can also represent a directory or an object in a directory, such as a user name |
Let’s understand the configuration information in the example on the official website :(a lot, but it helps to understand)
## This is the level 1 location of the LDAP directory
## DNS is springframework.org
## the current DNS element location is springframework
dn: dc=springframework,dc=org
objectclass: top
objectclass: domain
objectclass: extensibleObject
dc: springframework
Copy the code
## This is the LDAP level 2 location, under the directory above, resulting in an organization called Groups
# # the DNS is: groups.springframework.org
## Organization unit is: groups
dn: ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
Copy the code
## This is LDAP level 3, which is the subgroup of groups
# # the DNS is: subgroups.groups.springframework.org
## Organization unit: subgroups
dn: ou=subgroups,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: subgroups
Copy the code
The first level of directories has two subsets of organizations: people and groups
# # the DNS is: people.springframework.org
## Organizational unit: People
dn: ou=people,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: people
Copy the code
The first level of directories has three subsets: space cadets, people, and groups
# # the DNS is: the space at cadets.springframework.org
## Space cadets
dn: ou=space cadets,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: space cadets
Copy the code
\" letter of letter from 'letter' (letter of 'letter' from 'letter of' letter ') \" (letter of 'letter' from 'letter of' letter '(letter of' letter 'from' letter of 'letter') \" (letter of 'letter' from 'letter of' letter ') \" (letter of 'letter' from 'letter of' letter ') \" (letter of 'letter' from 'letter of' letter ') \
Letter of "letter from letter of letter" (letter of "letter from letter of letter")
"Letter of letter from letter of letter"
dn: ou=\"quoted people\",dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: "quoted people"
Copy the code
\"quoted people\", space cadets, people, and groups
# # the DNS is: otherpeople.springframework.org
## Organization unit: Otherpeople
dn: ou=otherpeople,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: otherpeople
Copy the code
It belongs to the organization people and has its own user name and password
# # the DNS is: ben.people.springframework.org
## Common name: Ben Alex
# # userid: Ben
# # password: $2 a $10 $98 hnr2mhioist36 c6bSeWPhg06xB1lvmaWNNe4NROmZiSpYhlocU/encryption (string)
dn: uid=ben,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Ben Alex
sn: Alex
uid: ben
userPassword: $2a$10$c6bSeWPhg06xB1lvmaWNNe4NROmZiSpYhlocU/98HNr2MhIOiSt36
Copy the code
It belongs to the organization people and has its own user name and password
# # the DNS is: bob.people.springframework.org
## Generic name: Bob Hamilton
# # userid: Bob
## Password: Bobspassword
dn: uid=bob,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Bob Hamilton
sn: Hamilton
uid: bob
userPassword: bobspassword
Copy the code
User information: belongs to the organization otherPeople, has its own user name and password
# # the DNS is: joe.otherpeople.springframework.org
## Generic name: Joe Smeth
# # userid: Joe
## JoesPassword
dn: uid=joe,ou=otherpeople,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Joe Smeth
sn: Smeth
uid: joe
userPassword: joespassword
Copy the code
In addition, there are several users of the same type, which we will not repeat:
Jerry, Slashguy, Quoteguy, Space CadetCopy the code
Finally, some user permissions in groups are listed
This is an organization affiliated to groups: Developers
# # the DNS is: developers.groups.springframework.org
## Organizational unit: Developer
## There are two unique users: Ben and Bob
dn: cn=developers,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: developers
ou: developer
uniqueMember: uid=ben,ou=people,dc=springframework,dc=org
uniqueMember: uid=bob,ou=people,dc=springframework,dc=org
Copy the code
## This is an organization of groups: Managers
# # the DNS is: managers.groups.springframework.org
## Organizational Units: Managers
## There are two unique users: Ben and Jerry
dn: cn=managers,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: managers
ou: manager
uniqueMember: uid=ben,ou=people,dc=springframework,dc=org
uniqueMember: cn=mouse, jerry,ou=people,dc=springframework,dc=org
Copy the code
## This is an organization belonging to subgroups: Submanagers
# # the DNS is: submanagers.subgroups.groups.springframework.org
## Organizational Units: Managers
## There is a single user: Ben
dn: cn=submanagers,ou=subgroups,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: submanagers
ou: submanager
uniqueMember: uid=ben,ou=people,dc=springframework,dc=org
Copy the code
Organization Chart:
To sum up, LDAP configuration allows you to create various organizational structures at a custom level, add various users, and set role permissions for them. It can be said that this basically implements the basic functions of a standard user role permissions and organizational architecture.
3. LDAP engineering practice
Now let’s add LDAP Settings to the RESTful application we created earlier:
1. Add dependencies
Start by adding maven dependencies to pom.xml and updating them
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap-core</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
</dependency>
<dependency>
<groupId>com.unboundid</groupId>
<artifactId>unboundid-ldapsdk</artifactId>
</dependency>
Copy the code
2. Create an LDAP role configuration file.test-server.ldif
Create a new file in resource and place the role permissions and organization configuration information in it
dn: dc=springframework,dc=org
objectclass: top
objectclass: domain
objectclass: extensibleObject
dc: springframework
dn: ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
dn: ou=subgroups,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: subgroups
dn: ou=people,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: people
dn: ou=space cadets,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: space cadets
dn: ou="quoted people",dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: "quoted people"
dn: ou=otherpeople,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: otherpeople
dn: uid=ben,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Ben Alex
sn: Alex
uid: ben
userPassword: $2a$10$c6bSeWPhg06xB1lvmaWNNe4NROmZiSpYhlocU/98HNr2MhIOiSt36
dn: uid=bob,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Bob Hamilton
sn: Hamilton
uid: bob
userPassword: bobspassword
dn: uid=joe,ou=otherpeople,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Joe Smeth
sn: Smeth
uid: joe
userPassword: joespassword
dn: cn=mouse, jerry,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Mouse, Jerry
sn: Mouse
uid: jerry
userPassword: jerryspassword
dn: cn=slash/guy,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: slash/guy
sn: Slash
uid: slashguy
userPassword: slashguyspassword
dn: cn=quote"guy,ou="quoted people",dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: quote"guy
sn: Quote
uid: quoteguy
userPassword: quoteguyspassword
dn: uid=space cadet,ou=space cadets,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Space Cadet
sn: Cadet
uid: space cadet
userPassword: spacecadetspassword
dn: cn=developers,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: developers
ou: developer
uniqueMember: uid=ben,ou=people,dc=springframework,dc=org
uniqueMember: uid=bob,ou=people,dc=springframework,dc=org
dn: cn=managers,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: managers
ou: manager
uniqueMember: uid=ben,ou=people,dc=springframework,dc=org
uniqueMember: cn=mouse, jerry,ou=people,dc=springframework,dc=org
dn: cn=submanagers,ou=subgroups,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: submanagers
ou: submanager
uniqueMember: uid=ben,ou=people,dc=springframework,dc=org
Copy the code
In 3.application.properties
Specifies that the LDAP server uses the above configuration file
- Ldif specifies the use of the test-server.ldif file contents
- Specify the root directory of the LDAP directory as springframework.org
- (Optional) Specify port 8388 for the LDAP server.
# Spring-LDAP user authentication
spring.ldap.embedded.ldif=classpath:test-server.ldif
spring.ldap.embedded.base-dn=dc=springframework,dc=org
spring.ldap.embedded.port=8388
Copy the code
4. Create a Java configuration file to use the LDAP service
package shenling.example.springbootJDBC.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().fullyAuthenticated()
.and()
.formLogin();
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.ldapAuthentication()
.userDnPatterns("uid={0},ou=people")
.groupSearchBase("ou=groups")
.contextSource()
.url("ldap://localhost:8388/dc=springframework,dc=org") // The LDAP server path is specified and the port number is 8388
.and()
.passwordCompare()
.passwordEncoder(new BCryptPasswordEncoder()) // The password version of the encrypted that can be used is specified here, which is related to our user information configuration
.passwordAttribute("userPassword"); }}Copy the code
4. Running result
After you enter localhost, the login page is displayed:
Enter the user name and password: Ben /benspassword. The login succeeds
5. Failed to log in using the non-encrypted password
We found that login failure occurred when using Bob and other users whose passwords are stored in plain text:
The console prompts that the password is not Encrypted’s
The 2021-12-14 11:01:54. 57415-879 WARN [nio - 8080 - exec - 3] O.S.S.C.B crypt. BCryptPasswordEncoder: Encoded password does not look like BCryptCopy the code
So, we commented out this line in the Java file about this password:
// .passwordEncoder(new BCryptPasswordEncoder())
Copy the code
Login successful
6. Extended Learning: Single sign-on
LDAP is actually a form of single sign-on (SSO or OAuth), of course, which is more common in enterprise applications, allowing you to log in to multiple external services from a single site.
So what are the main differences between LDAP and OAuth?
Describes the process and application of single sign-on (SSO), OAuth, LDAP and CAS
- OAuth protocol can be widely used in the Internet. Based on the huge number of users of large enterprises, it can reduce the registration and promotion cost of small websites and achieve more convenient resource sharing.
- Lightweight Directory Access Protocol (LDAP) is applicable to enterprise users and can be used to manage employee authorization and access between enterprise systems.
- CAS model, as a system developed by authoritative institutions, has good compatibility and security, and is widely used in universities and other large organizations. It can well complete the docking of a large number of systems and the use of a large number of personnel.
Reference 7.
- # LDAP website
- LDAP DN description
- What is cn, ou, o, dc, uid, DN in ldap? What is the role of each?
- # Introduction to LDAP(1)
- # Use of Spring LDAP
- # the LDAP entry
- # UnboundID
- The process and application of single sign-on (SSO), OAuth, LDAP and CAS are introduced