如何在 Spring LDAP 中添加 LDAP 缓存?


How to add LDAP cache in Spring LDAP?

我想在本地缓存 LDAP 用户数据以加快查询速度。 Spring LDAP 是否提供这样的功能?我该怎么做?

我正在使用 Spring Security 3.1 和 Spring LDAP 1.3.1 进行身份验证和授权。如果存在的话,使用内置机制为 LDAP 提供缓存会很好..

Spring LDAP 配置:

applicationContext-ldap.xml:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
<?xml  version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:jee="http://www.springframework.org/schema/jee"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/jee
        http://www.springframework.org/schema/jee/spring-jee.xsd
   ">

    <!-- Ldap -->
    <jee:jndi-lookup id="ldapUrl" jndi-name="appName/ldapUrl" expected-type="java.lang.String" />
    <jee:jndi-lookup id="ldapUser" jndi-name="appName/ldapUser" expected-type="java.lang.String" />
    <jee:jndi-lookup id="ldapPassword" jndi-name="appName/ldapPassword" expected-type="java.lang.String" />

    <!-- for authentication and search purpose -->
    <bean id="ldapContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="url" ref="ldapUrl" />
        <property name="userDn" ref="ldapUser" />
        <property name="password" ref="ldapPassword" />
        <property name="pooled" value="true" />
    </bean>

    <bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
        <property name="contextSource" ref="ldapContextSource" />
    </bean>

    <!-- for pagination search purpose  -->
    <bean id="dirContext" factory-bean="ldapContextSource" factory-method="getReadOnlyContext" scope="session"/>

    <bean id="singleLdapContextSource" class="org.springframework.ldap.core.support.SingleContextSource" scope="session">
        <constructor-arg ref="dirContext"/>
    </bean>

    <bean id="singleLdapTemplate" class="org.springframework.ldap.core.LdapTemplate" scope="session">
        <property name="contextSource" ref="singleLdapContextSource" />
    </bean>

</beans>

弹簧安全配置:

spring-security.xml:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- This is where we configure Spring-Security  -->
    <security:http
        auto-config="true"
        use-expressions="true"
        access-denied-page="/auth/denied"
    >
        <security:intercept-url pattern="/login" access="permitAll"/>
        <security:intercept-url pattern="/app/admin" access="permitAll"/>
        <security:intercept-url pattern="/app/common" access="hasRole('User')"/>
        <security:intercept-url pattern="/viol/home" access="permitAll"/>
        <security:intercept-url pattern="/app/users" access="permitAll"/>
        <security:intercept-url pattern="/admin/edit/*" access="hasRole('Administrator')"/>

        <security:form-login
                login-page="/auth/login"
                authentication-failure-url="/auth/loginFailure"
                default-target-url="/auth/authorize"/>

        <security:logout
                invalidate-session="true"
                logout-success-url="/auth/login"
                logout-url="/logout"/>
    </security:http>

    <security:authentication-manager>
        <security:ldap-authentication-provider
            server-ref="ldapContextSource"
            user-search-filter="(sAMAccountName={0})"
            user-search-base="dc=myDomain,dc=com"
         />
    </security:authentication-manager>
</beans>

非常感谢您的帮助!

如果您配置 EhCacheBasedUserCache 并使用 ldap-user-service 那么您可以将缓存用作:

1
2
3
4
    <ldap-user-service
       user-search-filter="(sAMAccountName={0})" user-search-base="dc=myDomain,dc=com" cache-ref="userCache" />
   </authentication-provider>
</authentication-manager>

我不认为 Spring 提供开箱即用的客户端 LDAP 缓存,因为在客户端缓存 LDAP 查询结果会带来安全风险。缓存肯定会在某个时候保存陈旧的数据,如果它是例如,这不是一个大问题。用户的电子邮件/家庭地址,但更糟糕的是,例如角色分配和其他身份验证/授权相关数据。通过扩展服务器端,您会变得更好,以便它能够处理负载。

也就是说,从 Spring 3.1 开始引入缓存非常容易,因为它为它提供了出色的支持。在您的情况下,使用自定义 LdapContextSource 就足够了,如下所示:

1
2
3
4
5
6
7
8
9
10
public class CachingLdapContextSource extends AbstractContextSource {

    @Override
    protected DirContext getDirContextInstance(Hashtable environment)
        throws NamingException
    {
        InitialLdapContext context = new InitialLdapContext(environment, null);
        return new CachingDirContextWrapper(context);
    }
}

package类只是将所有 DirContext 方法委托给底层实现,并用 @Cacheable 装饰要缓存的方法。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
class CachingDirContextWrapper implements DirContext {

    private final DirContext delegate;

    CachingDirContextWrapper(DirContext delegate) {
        this.delegate = delegate;
    }

    @Override
    @Cacheable(value ="search")
    public NamingEnumeration<SearchResult> search(...)
    {
        return delegate.search(name, matchingAttributes, attributesToReturn);
    }

    ...
}

参考官方文档,本教程详细介绍如何配置Spring使用的缓存存储。

但我认为,你最好不要这样做。