From d5db028f57225a03da8c3e19f8c0415629f60e65 Mon Sep 17 00:00:00 2001
From: zengqiao
Date: Tue, 9 Mar 2021 15:13:55 +0800
Subject: [PATCH 1/2] optimize ldap
---
 .../manager/common/entity/ResultStatus.java | 2 +-
 .../component/ldap/LdapAuthentication.java | 74 ++++++++++--------
 .../component/sso/BaseSessionSignOn.java | 37 ++--------
 .../src/main/resources/application.yml | 23 +++--
 4 files changed, 56 insertions(+), 80 deletions(-)
 rename kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/utils/ldap/LDAPAuthentication.java => kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/ldap/LdapAuthentication.java (58%)
diff --git a/kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/entity/ResultStatus.java b/kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/entity/ResultStatus.java
index 8f0f229b..454a687f 100644
--- a/kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/entity/ResultStatus.java
+++ b/kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/entity/ResultStatus.java
@@ -106,7 +106,7 @@ public enum ResultStatus {
 STORAGE_UPLOAD_FILE_FAILED(8050, "upload file failed"),
 STORAGE_FILE_TYPE_NOT_SUPPORT(8051, "File type not support"),
 STORAGE_DOWNLOAD_FILE_FAILED(8052, "download file failed"),
- LDAP_AUTHENTICATION_FAILED(8053, "LDAP authentication failed"),
+ LDAP_AUTHENTICATION_FAILED(8053, "ldap authentication failed"),
 ;
diff --git a/kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/utils/ldap/LDAPAuthentication.java b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/ldap/LdapAuthentication.java
similarity index 58%
rename from kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/utils/ldap/LDAPAuthentication.java
rename to kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/ldap/LdapAuthentication.java
index eff3bc25..f456c916 100644
--- a/kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/utils/ldap/LDAPAuthentication.java
+++ b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/ldap/LdapAuthentication.java
@@ -1,6 +1,8 @@
-package com.xiaojukeji.kafka.manager.common.utils.ldap;
+package com.xiaojukeji.kafka.manager.account.component.ldap;
 import com.xiaojukeji.kafka.manager.common.utils.ValidateUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
@@ -15,33 +17,31 @@ import javax.naming.ldap.LdapContext;
 import java.util.Hashtable;
 @Component
-public class LDAPAuthentication {
+public class LdapAuthentication {
+ private static final Logger LOGGER = LoggerFactory.getLogger(LdapAuthentication.class);
- @Value(value = "${ldap.url}")
+ @Value(value = "${account.ldap.url:}")
 private String ldapUrl;
- @Value(value = "${ldap.basedn}")
+ @Value(value = "${account.ldap.basedn:}")
 private String ldapBasedn;
- @Value(value = "${ldap.factory}")
+ @Value(value = "${account.ldap.factory:}")
 private String ldapFactory;
- @Value(value = "${ldap.filter}")
- private String ldapfilter;
+ @Value(value = "${account.ldap.filter:}")
+ private String ldapFilter;
- @Value(value = "${ldap.auth-user-registration-role}")
- private String authUserRegistrationRole;
-
- @Value(value = "${ldap.security.authentication}")
+ @Value(value = "${account.ldap.security.authentication:}")
 private String securityAuthentication;
- @Value(value = "${ldap.security.principal}")
+ @Value(value = "${account.ldap.security.principal:}")
 private String securityPrincipal;
- @Value(value = "${ldap.security.credentials}")
+ @Value(value = "${account.ldap.security.credentials:}")
 private String securityCredentials;
- private LdapContext getConnect() {
+ private LdapContext getLdapContext() {
 Hashtable env = new Hashtable();
 env.put(Context.INITIAL_CONTEXT_FACTORY, ldapFactory);
 env.put(Context.PROVIDER_URL, ldapUrl + ldapBasedn);
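Review bot: Every `@Value` in this hunk now falls back to the empty string (`${account.ldap.url:}`, `${account.ldap.factory:}`, and so on), so a missing or misspelled property no longer fails the Spring context at startup; `getLdapContext()` instead builds `Context.PROVIDER_URL` from two empty strings and the misconfiguration most likely shows up only as a `NamingException` logged at ERROR on the first login that reaches LDAP, with every such login failing closed. Because the class is a Spring `@Component`, a `@PostConstruct` method that checks `ValidateUtils.isBlank(ldapUrl) || ValidateUtils.isBlank(ldapFactory)` and logs one clear warning (or throws, if LDAP is mandatory for the deployment) would surface this when the application starts. The `getLdapContext()` body continues past the end of this hunk.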
@@ -53,19 +53,19 @@ public class LDAPAuthentication {
 try {
 return new InitialLdapContext(env, null);
 } catch (AuthenticationException e) {
- e.printStackTrace();
+ LOGGER.warn("class=LdapAuthentication||method=getLdapContext||errMsg={}", e);
 } catch (Exception e) {
- e.printStackTrace();
+ LOGGER.error("class=LdapAuthentication||method=getLdapContext||errMsg={}", e);
 }
 return null;
 }
- private String getUserDN(String account,LdapContext ctx) {
+ private String getUserDN(String account, LdapContext ctx) {
 String userDN = "";
 try {
 SearchControls constraints = new SearchControls();
 constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
- String filter = "(&(objectClass=*)("+ldapfilter+"=" + account + "))";
+ String filter = "(&(objectClass=*)("+ldapFilter+"=" + account + "))";
 NamingEnumeration en = ctx.search("", filter, constraints);
 if (en == null || !en.hasMoreElements()) {
@@ -82,9 +82,8 @@ public class LDAPAuthentication {
 }
 }
 } catch (Exception e) {
- e.printStackTrace();
+ LOGGER.error("class=LdapAuthentication||method=getUserDN||account={}||errMsg={}", account, e);
 }
-
 return userDN;
 }
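Review bot: `account` is interpolated straight into the search filter on the renamed line `String filter = "(&(objectClass=*)("+ldapFilter+"=" + account + "))";`, and it is the login username supplied by the client, so characters such as `*`, `(`, `)` or `\` change the filter's meaning (RFC 4515 requires them to be escaped). JNDI can do the encoding for you: `NamingEnumeration en = ctx.search("", "(&(objectClass=*)(" + ldapFilter + "={0}))", new Object[]{account}, constraints);` passes the username as a filter argument instead of as filter text, so the `filter` local is no longer needed. Separately, the new `LOGGER.warn("...errMsg={}", e)` calls here and in `authenticate` pass the exception as the `{}` argument; depending on which SLF4J version is bound the placeholder is either filled with `e.toString()` and the stack trace dropped, or left literal in the message — `LOGGER.error("class=LdapAuthentication||method=getLdapContext||errMsg={}", e.getMessage(), e)` gives both the message and the trace. `getUserDN` spans both hunks on this line, and the lines between the two hunks are not shown.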
@@ -94,35 +93,38 @@ public class LDAPAuthentication {
 * @param password
 * @return
 */
- public boolean authenricate(String account, String password) {
- LdapContext ctx = getConnect();
-
- boolean valide = false;
+ public boolean authenticate(String account, String password) {
+ LdapContext ctx = getLdapContext();
+ if (ValidateUtils.isNull(ctx)) {
+ return false;
+ }
 try {
- String userDN = getUserDN(account,ctx);
+ String userDN = getUserDN(account, ctx);
 if(ValidateUtils.isBlank(userDN)){
- return valide;
+ return false;
 }
+
 ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN);
 ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
 ctx.reconnect(null);
- valide = true;
- } catch (AuthenticationException e) {
- System.out.println(e.toString());
+
+ return true;
+ } catch (AuthenticationException e) {
+ LOGGER.warn("class=LdapAuthentication||method=authenticate||account={}||errMsg={}", account, e);
 } catch (NamingException e) {
- e.printStackTrace();
-}finally {
- if(ctx!=null) {
+ LOGGER.warn("class=LdapAuthentication||method=authenticate||account={}||errMsg={}", account, e);
+ } catch (Exception e) {
+ LOGGER.error("class=LdapAuthentication||method=authenticate||account={}||errMsg={}", account, e);
+ } finally {
+ if(ctx != null) {
 try {
 ctx.close();
 } catch (NamingException e) {
- e.printStackTrace();
+ LOGGER.error("class=LdapAuthentication||method=authenticate||account={}||errMsg={}", account, e);
 }
 }
 }
-
- return valide;
+ return false;
 }
-
 }
diff --git a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/sso/BaseSessionSignOn.java b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/sso/BaseSessionSignOn.java
index c67cca08..f3206255 100644
--- a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/sso/BaseSessionSignOn.java
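Review bot: `authenticate` binds with whatever `password` it receives, and the only caller visible on this page rejects just a null password (`ValidateUtils.isNull(dto.getPassword())` in `BaseSessionSignOn`), so an empty string reaches `ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password)` followed by `ctx.reconnect(null)`. Directory servers that allow the unauthenticated authentication mechanism (RFC 4513 section 5.1.2) treat a DN with an empty password as an anonymous bind that succeeds, and this method would then return `true` for any existing user. Add `if (ValidateUtils.isBlank(password)) { return false; }` beside the new null check on `ctx` at the top of the method so the decision does not depend on server configuration. The Javadoc above the signature begins before this hunk.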
+++ b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/sso/BaseSessionSignOn.java
@@ -2,7 +2,6 @@ package com.xiaojukeji.kafka.manager.account.component.sso;
 import com.xiaojukeji.kafka.manager.account.AccountService;
 import com.xiaojukeji.kafka.manager.account.component.AbstractSingleSignOn;
-import com.xiaojukeji.kafka.manager.common.bizenum.AccountRoleEnum;
 import com.xiaojukeji.kafka.manager.common.constant.LoginConstant;
 import com.xiaojukeji.kafka.manager.common.entity.Result;
 import com.xiaojukeji.kafka.manager.common.entity.ResultStatus;
@@ -10,7 +9,7 @@ import com.xiaojukeji.kafka.manager.common.entity.dto.normal.LoginDTO;
 import com.xiaojukeji.kafka.manager.common.entity.pojo.AccountDO;
 import com.xiaojukeji.kafka.manager.common.utils.EncryptUtil;
 import com.xiaojukeji.kafka.manager.common.utils.ValidateUtils;
-import com.xiaojukeji.kafka.manager.common.utils.ldap.LDAPAuthentication;
+import com.xiaojukeji.kafka.manager.account.component.ldap.LdapAuthentication;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
@@ -28,19 +27,11 @@ public class BaseSessionSignOn extends AbstractSingleSignOn {
 private AccountService accountService;
 @Autowired
- private LDAPAuthentication ldapAuthentication;
+ private LdapAuthentication ldapAuthentication;
 //是否开启ldap验证
- @Value(value = "${ldap.enabled}")
- private boolean ldapEnabled;
-
- //ldap自动注册的默认角色。请注意:它通常来说都是低权限角色
- @Value(value = "${ldap.auth-user-registration-role}")
- private String authUserRegistrationRole;
-
- //ldap自动注册是否开启
- @Value(value = "${ldap.auth-user-registration}")
- private boolean authUserRegistration;
+ @Value(value = "${account.ldap.enabled:}")
+ private Boolean accountLdapEnabled;
 @Override
 public Result loginAndGetLdap(HttpServletRequest request, HttpServletResponse response, LoginDTO dto) {
@@ -50,27 +41,15 @@ public class BaseSessionSignOn extends AbstractSingleSignOn {
 Result accountResult = accountService.getAccountDO(dto.getUsername());
- //modifier limin
- //判断是否激活了LDAP验证。若激活并且数据库无此用户则自动注册
- if(ldapEnabled){
+ //判断是否激活了LDAP验证, 若激活则也可使用ldap进行认证
+ if(!ValidateUtils.isNull(accountLdapEnabled) && accountLdapEnabled){
 //去LDAP验证账密
- if(!ldapAuthentication.authenricate(dto.getUsername(),dto.getPassword())){
+ if(!ldapAuthentication.authenticate(dto.getUsername(),dto.getPassword())){
 return Result.buildFrom(ResultStatus.LDAP_AUTHENTICATION_FAILED);
 }
-
- if((ValidateUtils.isNull(accountResult) || ValidateUtils.isNull(accountResult.getData())) && authUserRegistration){
- //自动注册
- AccountDO accountDO = new AccountDO();
- accountDO.setUsername(dto.getUsername());
- accountDO.setRole(AccountRoleEnum.getUserRoleEnum(authUserRegistrationRole).getRole());
- accountDO.setPassword(EncryptUtil.md5(dto.getPassword()));
- accountService.createAccount(accountDO);
- }
-
 return Result.buildSuc(dto.getUsername());
-
 }
-
+
 if (ValidateUtils.isNull(accountResult) || accountResult.failed()) {
 return new Result<>(accountResult.getCode(), accountResult.getMessage());
 }
diff --git a/kafka-manager-web/src/main/resources/application.yml b/kafka-manager-web/src/main/resources/application.yml
index 89fca91c..9529dda1 100644
--- a/kafka-manager-web/src/main/resources/application.yml
+++ b/kafka-manager-web/src/main/resources/application.yml
@@ -11,7 +11,6 @@ spring:
 name: kafkamanager
 datasource:
 kafka-manager:
- jdbc-url: jdbc:mysql://127.0.0.1:3306/logi_kafka_manager?characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8
 username: admin
 password: admin
@@ -50,6 +49,15 @@ task:
 account:
 ldap:
+ enabled: false
+ url: ldap://127.0.0.1:389/
+ basedn: dc=tsign,dc=cn
+ factory: com.sun.jndi.ldap.LdapCtxFactory
+ filter: sAMAccountName
+ security:
+ authentication: simple
+ principal: cn=admin,dc=tsign,dc=cn
+ credentials: admin
 kcm:
 enabled: false
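Review bot: Once `ldapAuthentication.authenticate` succeeds the new branch returns `Result.buildSuc(dto.getUsername())` before the `accountResult` check that follows it, so a directory user with no local `AccountDO` row — the case the removed auto-registration block used to create — is now reported as logged in although the service holds no record, and in particular no role, for that username; how a session is built from the bare username is outside this hunk. If that is intended it deserves a comment on the `return`, e.g. `// LDAP-authenticated users need not exist locally; role assignment happens downstream`; if not, fall through to the `accountResult` check (or return `ResultStatus.LDAP_AUTHENTICATION_FAILED`) when `accountResult.getData()` is null. The second patch on this page re-adds registration, but only when `account.ldap.auth-user-registration` is true, so the same gap remains when it is false. `loginAndGetLdap` starts before this hunk and continues after it.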
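Review bot: The `jdbc-url:` entry under `spring.datasource.kafka-manager` is deleted while `username` and `password` stay, and nothing else in either patch supplies a replacement; unless a profile or environment override provides the URL, the datasource cannot be created and the application will not start. The deletion also has nothing to do with the "optimize ldap" subject, so it looks like a local edit that was committed by accident; if the intent is to stop shipping a concrete URL, an explicit `${...}` placeholder on the `jdbc-url` line would make that visible.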
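Review bot: The new `account.ldap.security` block puts the bind account's secret into the committed file as `credentials: admin` next to `principal: cn=admin,dc=tsign,dc=cn`; sample values like these are routinely left in place when `url` is pointed at a real directory. Read `credentials` from an environment variable or externalised property (Spring's `${...}` placeholder syntax works inside application.yml) and keep the literal out of the repository. With `enabled: false` the block is inert by default, which is the right default.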
@@ -83,16 +91,3 @@ notify:
 topic-name: didi-kafka-notify
 order:
 detail-url: http://127.0.0.1
-
-ldap:
- enabled: false
- url: ldap://127.0.0.1:389/
- basedn: dc=tsign,dc=cn
- factory: com.sun.jndi.ldap.LdapCtxFactory
- filter: sAMAccountName
- security:
- authentication: simple
- principal: cn=admin,dc=tsign,dc=cn
- credentials: admin
- auth-user-registration-role: normal
- auth-user-registration: true
From 67c37a098414c44008936924de59fe1b9355c072 Mon Sep 17 00:00:00 2001
From: zengqiao
Date: Wed, 10 Mar 2021 13:52:09 +0800
Subject: [PATCH 2/2] optimize ldap
---
 .../component/sso/BaseSessionSignOn.java | 19 +++++++++++++++++++
 .../src/main/resources/application.yml | 2 ++
 2 files changed, 21 insertions(+)
diff --git a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/sso/BaseSessionSignOn.java b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/sso/BaseSessionSignOn.java
index f3206255..1ff36964 100644
--- a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/sso/BaseSessionSignOn.java
+++ b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/sso/BaseSessionSignOn.java
@@ -2,6 +2,7 @@ package com.xiaojukeji.kafka.manager.account.component.sso;
 import com.xiaojukeji.kafka.manager.account.AccountService;
 import com.xiaojukeji.kafka.manager.account.component.AbstractSingleSignOn;
+import com.xiaojukeji.kafka.manager.common.bizenum.AccountRoleEnum;
 import com.xiaojukeji.kafka.manager.common.constant.LoginConstant;
 import com.xiaojukeji.kafka.manager.common.entity.Result;
 import com.xiaojukeji.kafka.manager.common.entity.ResultStatus;
@@ -33,6 +34,14 @@ public class BaseSessionSignOn extends AbstractSingleSignOn {
 @Value(value = "${account.ldap.enabled:}")
 private Boolean accountLdapEnabled;
+ //ldap自动注册的默认角色。请注意:它通常来说都是低权限角色
+ @Value(value = "${account.ldap.auth-user-registration-role:}")
+ private String authUserRegistrationRole;
+
+ //ldap自动注册是否开启
+ @Value(value = "${account.ldap.auth-user-registration:}")
+ private boolean authUserRegistration;
+
 @Override
 public Result loginAndGetLdap(HttpServletRequest request, HttpServletResponse response, LoginDTO dto) {
 if (ValidateUtils.isBlank(dto.getUsername()) || ValidateUtils.isNull(dto.getPassword())) {
@@ -47,6 +56,16 @@ public class BaseSessionSignOn extends AbstractSingleSignOn {
 if(!ldapAuthentication.authenticate(dto.getUsername(),dto.getPassword())){
 return Result.buildFrom(ResultStatus.LDAP_AUTHENTICATION_FAILED);
 }
+
+ if((ValidateUtils.isNull(accountResult) || ValidateUtils.isNull(accountResult.getData())) && authUserRegistration){
+ //自动注册
+ AccountDO accountDO = new AccountDO();
+ accountDO.setUsername(dto.getUsername());
+ accountDO.setRole(AccountRoleEnum.getUserRoleEnum(authUserRegistrationRole).getRole());
+ accountDO.setPassword(dto.getPassword());
+ accountService.createAccount(accountDO);
+ }
+
 return Result.buildSuc(dto.getUsername());
 }
diff --git a/kafka-manager-web/src/main/resources/application.yml b/kafka-manager-web/src/main/resources/application.yml
index 9529dda1..1c6614e2 100644
--- a/kafka-manager-web/src/main/resources/application.yml
+++ b/kafka-manager-web/src/main/resources/application.yml
@@ -58,6 +58,8 @@ account:
 authentication: simple
 principal: cn=admin,dc=tsign,dc=cn
 credentials: admin
+ auth-user-registration: true
+ auth-user-registration-role: normal
 kcm:
 enabled: false
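Review bot: `private boolean authUserRegistration` is a primitive bound with `${account.ldap.auth-user-registration:}`, whose fallback is the empty string; Spring converts an empty string to a null `Boolean`, which cannot be stored in a primitive field, so a deployment that omits the property most likely fails at startup rather than defaulting to off (the earlier patch used a boxed `Boolean accountLdapEnabled` with the same `:` fallback, presumably for this reason). Declare it `private Boolean authUserRegistration;` and test it with `Boolean.TRUE.equals(authUserRegistration)`, or give the property an explicit `:false` fallback, which is also the safer default for automatic account creation. The same applies to `authUserRegistrationRole`, whose empty fallback is passed to `AccountRoleEnum.getUserRoleEnum` in the next hunk; if that lookup returns null for an unknown name, the chained `.getRole()` throws.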
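Review bot: `accountDO.setPassword(dto.getPassword())` stores the LDAP password exactly as submitted; the registration block removed in the first patch wrote `EncryptUtil.md5(dto.getPassword())`, so unless `accountService.createAccount` hashes internally (not visible here) this now persists the user's directory password in clear text in the local account table, where it also remains usable as a local credential after the directory password changes. A record created for an LDAP user should carry either a proper hash of a randomly generated value or an explicit marker that local password login is disabled for it; bare MD5 is not adequate password storage either, but restoring the previous call is the minimum. Auto-creation only runs when `accountResult.getData()` is null, so existing local accounts are not modified. `loginAndGetLdap` starts before this hunk.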
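Review bot: `auth-user-registration: true` defaults automatic local account creation to on, so as soon as an operator flips `account.ldap.enabled` every directory user who can bind gets a local account with the `normal` role without any further opt-in. Defaulting this key to `false` keeps account creation an explicit decision; the `normal` role default is fine provided it is the lowest-privilege role, which the Java comment in the same patch says is the expectation.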