使用Apache Shiro进行身份认证-Active Directory认证

来源：互联网发布：安卓手机网络打印机编辑：程序博客网时间：2024/05/12 20:57

Apache Shiro 支持基于活动目录的用户认证。

其配置文件shiro.ini配置如下：

activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealmactiveDirectoryRealm.url = ldap://192.168.131.111:389activeDirectoryRealm.principalSuffix = @example.com

使用的认证类为ActiveDirectoryRealm。具体调研的方法是queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory)

这里需要一个ldapContextFactory类。系统在初始化时会默认创建一个缺省DefaultLdapContextFactory类。

具体调用是在AbstractLdapRealm中：

 protected void onInit() {        super.onInit();        ensureContextFactory();    }    private LdapContextFactory ensureContextFactory() {        if (this.ldapContextFactory == null) {            if (log.isDebugEnabled()) {                log.debug("No LdapContextFactory specified - creating a default instance.");            }            DefaultLdapContextFactory defaultFactory = new DefaultLdapContextFactory();            defaultFactory.setPrincipalSuffix(this.principalSuffix);            defaultFactory.setSearchBase(this.searchBase);            defaultFactory.setUrl(this.url);            defaultFactory.setSystemUsername(this.systemUsername);            defaultFactory.setSystemPassword(this.systemPassword);            this.ldapContextFactory = defaultFactory;        }        return this.ldapContextFactory;    }

用户的认证实现是在DefaultLdapContextFactory类中实现，这部分可以改进一下采用两次绑定会更好

public LdapContext getLdapContext(Object principal, Object credentials) throws NamingException {        if (url == null) {            throw new IllegalStateException("An LDAP URL must be specified of the form ldap://<hostname>:<port>");        }        Hashtable<String, Object> env = new Hashtable<String, Object>();        env.put(Context.SECURITY_AUTHENTICATION, authentication);        if (principal != null) {            env.put(Context.SECURITY_PRINCIPAL, principal);        }        if (credentials!= null) {            env.put(Context.SECURITY_CREDENTIALS, credentials);        }        env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactoryClassName);        env.put(Context.PROVIDER_URL, url);        env.put(Context.REFERRAL, referral);        // Only pool connections for system contexts        if (usePooling && principal != null && principal.equals(systemUsername)) {            // Enable connection pooling            env.put(SUN_CONNECTION_POOLING_PROPERTY, "true");        }        if (additionalEnvironment != null) {            env.putAll(additionalEnvironment);        }        if (log.isDebugEnabled()) {            log.debug("Initializing LDAP context using URL [" + url + "] and username [" + systemUsername + "] " +                    "with pooling [" + (usePooling ? "enabled" : "disabled") + "]");        }        return new InitialLdapContext(env, null);    }

基本上活动目录的认证方式同LDAP认证方式是一样的。因为ad(活动目录)本身就是基于ldap协议的一个微软产品。