
springboot 集成kerberos 用户认证 获取域账号

springboot 集成kerberos 用户认证 获取域账号

注意:域账号只能在 Linux 环境下获取。

MyWebSecurityConfiguration 中需要修改下面这两行代码:

        // Service principal the application validates tickets for. The literal is a placeholder
        // (it reads "set the name, usually ends in COM"); replace it with your own principal.
        ticketValidator.setServicePrincipal("设置名字一般是COM结尾");
        // Location of the service keytab. The literal is a placeholder for the path of the
        // kerbtest05 keytab file. The keytab holds the service's long-term key, so keep the file
        // readable only by the account that runs the application.
        ticketValidator.setKeyTabLocation(new FileSystemResource("kerbtest05文件地址"));

1.springboot 启动类上添加

// Excludes Spring Boot's SecurityAutoConfiguration, so request protection is expected to come
// only from the explicit @EnableWebSecurity class (MyWebSecurityConfiguration in step 3).
@SpringBootApplication(exclude = {SecurityAutoConfiguration.class})

2. DummyUserDetailsService.java

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
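import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Placeholder {@link UserDetailsService} for Kerberos logins.
 *
 * <p>It performs no lookup: whatever name it is given is accepted and wrapped in an enabled,
 * non-expired, non-locked {@link User}. Identity is expected to have been proven by the Kerberos
 * providers that call it, so the password field is a dummy value that is never compared.
 */
public class DummyUserDetailsService implements UserDetailsService {

    /**
     * Builds a {@link UserDetails} for the given name without consulting any user store.
     *
     * @param username name handed over by the authentication provider (presumably the validated
     *     Kerberos principal; confirm against the provider in use)
     * @return a user carrying only {@code ROLE_USER}
     * @throws UsernameNotFoundException declared by the interface; never thrown here
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Least privilege: the original also handed ROLE_ADMIN to every authenticated domain
        // account. Additional roles should come from a real lookup (directory groups, database)
        // keyed on the username, not from a blanket grant.
        return new User(username, "notUsed", true, true, true, true,
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}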

3. MyWebSecurityConfiguration


import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
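import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

/**
 * Spring Security configuration that authenticates requests with Kerberos.
 *
 * <p>Two authentication providers are registered: one backed by a Kerberos client (used with the
 * form login) and one that validates SPNEGO service tickets against the service keytab. Both
 * resolve the authenticated name through {@link DummyUserDetailsService}.
 *
 * <p>Before use, replace the two placeholder strings in {@link #sunJaasKerberosTicketValidator()}
 * (service principal and keytab path).
 */
@Configuration
@EnableWebSecurity
@Order(Ordered.HIGHEST_PRECEDENCE) // optional: keep or drop depending on whether your application reports an error
public class MyWebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * Defines the HTTP security rules: SPNEGO entry point, public paths, form login, logout and
     * the SPNEGO processing filter.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // NOTE(review): CSRF protection is switched off for the whole application, including
            // the form login and logout registered below. Re-enable it unless every
            // state-changing endpoint is protected some other way.
            .csrf().disable()
            .exceptionHandling()
                .authenticationEntryPoint(spnegoEntryPoint())
                // .accessDeniedPage("/login")
                .and()
            .headers().frameOptions().sameOrigin().and()
            .authorizeRequests()
                // These two path patterns are served without authentication; keep the list
                // limited to content that is meant to be public.
                .antMatchers("/resources/**", "/test2/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                // .loginPage("/login").permitAll()
                .and()
            .logout()
                .permitAll()
                .and()
            // Run SPNEGO ticket processing ahead of HTTP Basic handling.
            .addFilterBefore(spnegoAuthenticationProcessingFilter(), BasicAuthenticationFilter.class);
    }

    /**
     * Registers the Kerberos client provider and the Kerberos service-ticket provider.
     *
     * @param auth the authentication manager builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .authenticationProvider(kerberosAuthenticationProvider())
            .authenticationProvider(kerberosServiceAuthenticationProvider());
    }

    /**
     * Provider that authenticates through a {@link SunJaasKerberosClient}.
     *
     * @return the configured provider
     */
    @Bean
    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        // Debug output is for initial setup only; it can put principal and login details into
        // the logs, so switch it off once authentication works.
        client.setDebug(true);
        provider.setKerberosClient(client);
        provider.setUserDetailsService(dummyUserDetailsService());
        return provider;
    }

    /**
     * Entry point that starts SPNEGO negotiation for unauthenticated requests.
     *
     * @return a default {@link SpnegoEntryPoint}
     */
    @Bean
    public SpnegoEntryPoint spnegoEntryPoint() {
        return new SpnegoEntryPoint();
    }

    /**
     * Filter that hands SPNEGO tokens to the authentication manager.
     *
     * @return the configured filter
     * @throws IllegalStateException if the authentication manager cannot be obtained
     */
    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter() {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        try {
            filter.setAuthenticationManager(authenticationManagerBean());
        } catch (Exception e) {
            // The original swallowed this exception, which would leave the filter without an
            // AuthenticationManager and hide the reason. Fail at startup with the cause attached.
            throw new IllegalStateException(
                    "Cannot obtain the AuthenticationManager for the SPNEGO filter", e);
        }
        return filter;
    }

    /**
     * Provider that validates incoming service tickets with the keytab-backed validator.
     *
     * @return the configured provider
     */
    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(dummyUserDetailsService());
        return provider;
    }

    /**
     * Ticket validator bound to this service's principal and keytab.
     *
     * @return the configured validator
     */
    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
        // Placeholder (reads "set the name, usually ends in COM"): replace with the service
        // principal registered for this application.
        ticketValidator.setServicePrincipal("设置名字一般是COM结尾");
        // Placeholder for the path of the kerbtest05 keytab file. The keytab holds the service's
        // long-term key: keep it readable only by the account that runs the application.
        ticketValidator.setKeyTabLocation(new FileSystemResource("kerbtest05文件地址"));
        // Turn off once everything works properly; debug output does not belong in production logs.
        ticketValidator.setDebug(true);
        return ticketValidator;
    }

    /**
     * User details service shared by both providers.
     *
     * @return a new {@link DummyUserDetailsService}
     */
    @Bean
    public DummyUserDetailsService dummyUserDetailsService() {
        return new DummyUserDetailsService();
    }
}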

获取域账号 方法

    /**
     * Returns the short account name of the current user.
     *
     * <p>A non-empty {@code "userId"} session attribute wins. Otherwise the name comes from
     * {@link HttpServletRequest#getRemoteUser()}: for {@code DOMAIN\name} the part after the
     * backslash is kept, for {@code name@REALM} the part before the {@code @}. The result is then
     * stored in the session under {@code "userId"}.
     *
     * <p>NOTE(review): the domain/realm part is discarded, so accounts with the same short name
     * in different realms map to the same id; keep the full principal where trusts between realms
     * exist. The session attribute is trusted as-is, so no other code path should write
     * {@code "userId"} from request data.
     *
     * @param req the current request
     * @return the short account name, or {@code null} when the request has no remote user
     */
    public static String getCurrentUserId(HttpServletRequest req) {
        String cached = (String) req.getSession().getAttribute("userId");
        if (StringUtils.isNotEmpty(cached)) {
            return cached;
        }

        String account = req.getRemoteUser();
        if (account != null) {
            int backslash = account.indexOf("\\");
            int at = account.indexOf("@");
            if (backslash > 0) {
                // DOMAIN\name -> name
                account = account.substring(backslash + 1).trim();
            } else if (at > 0) {
                // name@REALM -> name
                account = account.substring(0, at).trim();
            }
        }

        req.getSession().setAttribute("userId", account);
        return account;
    }