更新时间:2022-10-23 14:20:08
So I got it working, and it really isn't that bad, but I wish I had seen @cantoni's example first. It would have made this really easy. My setup is a little more simple than his, so I'll add it here.
Install the Spring Security Core, CAS, and LDAP plugins. IMPORTANT: Until spring-security-cas:1.0.5
is updated, I wouldn't try to use the new spring-security-core:2.0-RC2
and spring-security-ldap:2.0-RC2
. The CAS plugin doesn't seem to work with them.
plugins {
....
//security
compile ":spring-security-core:1.2.7.3"
compile ":spring-security-cas:1.0.5"
compile ":spring-security-ldap:1.0.6"
...
}
You don't need to run the quickstart command if you're not also using daoAuthenticationProvider, which I am not.
Configure the core and cas plugins in Config.groovy
//Spring Security Core Config
grails.plugins.springsecurity.providerNames = ['casAuthenticationProvider']
grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
'/js/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/css/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/login/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/logout/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/**': ['hasAnyRole("ROLE_OPERATOR","ROLE_ADMIN")']
]
//Spring Security CAS Config
grails.plugins.springsecurity.cas.loginUri = '/login'
grails.plugins.springsecurity.cas.serviceUrl = 'http://server.company.com:8080/app-name/j_spring_cas_security_check'
grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://sso.company.com/cas'
grails.plugins.springsecurity.cas.proxyCallbackUrl = 'http://server.company.com:8080/app-name/secure/receptor'
grails.plugins.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
You can leave off rejectIfNoRule
, securityConfigType
, and interceptUrlMap
if you want to use annotations instead of the interceptor map.
Configure your userDetailsService to delegate to LDAP in resources.groovy
// load ldap roles from spring security
initialDirContextFactory(org.springframework.security.ldap.DefaultSpringSecurityContextSource,
"ldap://123.45.67.89:389"){
userDn = "myLdapUser"
password = "myLdapPwd"
}
ldapUserSearch(org.springframework.security.ldap.search.FilterBasedLdapUserSearch,
"DC=foo,DC=company,DC=com", "sAMAccountName={0}", initialDirContextFactory){
}
ldapAuthoritiesPopulator(org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator,
initialDirContextFactory,"OU=foo,DC=bar,DC=company,DC=com"){
groupRoleAttribute = "cn"
groupSearchFilter = "member={0}"
searchSubtree = true
rolePrefix = "ROLE_"
convertToUpperCase = true
ignorePartialResultException = true
}
userDetailsService(org.springframework.security.ldap.userdetails.LdapUserDetailsService,ldapUserSearch,ldapAuthoritiesPopulator){
}