LDAP 域控控制

1 year ago · 7b88f578ff
8 changed files with 172 additions and 18 deletions
--- a/pom.xml
+++ b/pom.xml
@ -142,6 +142,11 @@
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-redis</artifactId>
        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-data-ldap</artifactId>
+            <version>2.2.4.RELEASE</version>
+        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-configuration-processor</artifactId>
--- a/src/main/java/com/spring/modules/sys/controller/SysLoginController.java
+++ b/src/main/java/com/spring/modules/sys/controller/SysLoginController.java
@ -11,10 +11,12 @@ import com.spring.modules.sys.form.SysLoginForm;
 import com.spring.modules.sys.service.SysCaptchaService;
 import com.spring.modules.sys.service.SysUserService;
 import com.spring.modules.sys.service.SysUserTokenService;
+import com.spring.modules.sys.utils.CustomerLdapUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.shiro.crypto.hash.Sha256Hash;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@ -43,6 +45,11 @@ public class SysLoginController extends AbstractController {
 	private SysUserTokenService sysUserTokenService;
 	@Autowired
 	private SysCaptchaService sysCaptchaService;
+	// OA接口控制
+	@Value("${ldap-control.control-flag}")
+	private Boolean ldapFlag;
+	@Autowired
+	private CustomerLdapUtils customerLdapUtils;

 	/**
 	 * 验证码
@ -66,29 +73,54 @@ public class SysLoginController extends AbstractController {
 	@PostMapping("/sys/login")
 	public Map<String, Object> login(@RequestBody SysLoginForm form , HttpServletRequest request)throws IOException {
 		HttpSession session = request.getSession();
-	/*	boolean captcha = sysCaptchaService.validate(form.getUuid(), form.getCaptcha());
-		if(!captcha){
-			return R.error("验证码不正确");
+		/*boolean captcha = sysCaptchaService.validate(form.getUuid(), form.getCaptcha());
+			if(!captcha){
+				return R.error("验证码不正确");
 		}*/

 		//用户信息
-		SysUserEntity user = sysUserService.queryByUserName(form.getUsername());
+		SysUserEntity user = null;

-		//账号不存在、密码错误
-		if(user == null || !user.getPassword().equals(new Sha256Hash(form.getPassword(), user.getSalt()).toHex())) {
-			return R.error(getLanguageMsg(SysMsgConstant.OBJECT_ID_200207));
-		}

-		//账号锁定
-		if(user.getStatus() == 0){
-			return R.error(getLanguageMsg(SysMsgConstant.OBJECT_ID_200208));
-		}
-		if(StringUtils.isEmpty(form.getType())) {
-			List<AccessSiteData> accessSiteDataList = sysUserService.checkAccessSite(form.getSite(), form.getUsername());
-			if (accessSiteDataList.size() == 0) {
-				return R.error("账号没有所选工厂的权限，请联系管理员！");
+		//是否启用域控账号登录
+		if(ldapFlag){
+			user = sysUserService.queryByDomainControlAccount(form.getUsername());
+			//判断账号是否存在
+			if(null == user){
+				return R.error(getLanguageMsg(SysMsgConstant.OBJECT_ID_200207));
+			}
+			//启用域控校验账号和密码
+			customerLdapUtils.CheckLdapAccountAndPassword(form.getUsername(), form.getPassword());
+			//账号锁定
+			if(user.getStatus() == 0){
+				return R.error(getLanguageMsg(SysMsgConstant.OBJECT_ID_200208));
+			}
+			if(StringUtils.isEmpty(form.getType())) {
+				List<AccessSiteData> accessSiteDataList = sysUserService.checkAccessSite(form.getSite(), user.getUsername());
+				if (accessSiteDataList.size() == 0) {
+					return R.error("账号没有所选工厂的权限，请联系管理员！");
+				}
+			}
+		}else{
+			user = sysUserService.queryByUserName(form.getUsername());
+			//账号不存在、密码错误
+			if(user == null || !user.getPassword().equals(new Sha256Hash(form.getPassword(), user.getSalt()).toHex())) {
+				return R.error(getLanguageMsg(SysMsgConstant.OBJECT_ID_200207));
+			}
+			//账号锁定
+			if(user.getStatus() == 0){
+				return R.error(getLanguageMsg(SysMsgConstant.OBJECT_ID_200208));
+			}
+			if(StringUtils.isEmpty(form.getType())) {
+				List<AccessSiteData> accessSiteDataList = sysUserService.checkAccessSite(form.getSite(), form.getUsername());
+				if (accessSiteDataList.size() == 0) {
+					return R.error("账号没有所选工厂的权限，请联系管理员！");
+				}
 			}
 		}
+
+
+
 		session.setAttribute("user", user);

 		//生成token，并保存到数据库
@ -97,6 +129,8 @@ public class SysLoginController extends AbstractController {
 		return r;
 	}

+
+
 	/**
 	 * 登录-token
 	 */
--- a/src/main/java/com/spring/modules/sys/dao/SysUserDao.java
+++ b/src/main/java/com/spring/modules/sys/dao/SysUserDao.java
@ -41,6 +41,14 @@ public interface SysUserDao extends BaseMapper<SysUserEntity> {
 	 */
 	SysUserEntity queryByUserName(String username);

+	/**
+	 * @description: 按照域控账号查询
+	 * @author LR
+	 * @date 2024/9/29 12:03
+	 * @version 1.0
+	 */
+	SysUserEntity queryByDomainControlAccount(String username);
+
 	/**
 	 * @Description 检查权限
 	 * @Title checkAccessSite
@ -91,4 +99,5 @@ public interface SysUserDao extends BaseMapper<SysUserEntity> {
 	List<OaUserData> selectOaIdByAccount(@Param("account") String account);

 	List<OaUserData> selectAccountByOaId(@Param("userId") String userid);
+
 }
--- a/src/main/java/com/spring/modules/sys/service/SysUserService.java
+++ b/src/main/java/com/spring/modules/sys/service/SysUserService.java
@ -86,4 +86,12 @@ public interface SysUserService extends IService<SysUserEntity> {
 	 * @throw
 	 */
 	List<AccessSiteData> checkAccessSite(String site, String username);
+
+	/**
+	* @description: 按照域控账号查询
+	* @author LR
+	* @date 2024/9/29 12:00
+	* @version 1.0
+	*/
+    SysUserEntity queryByDomainControlAccount(String username);
 }
--- a/src/main/java/com/spring/modules/sys/service/impl/SysUserServiceImpl.java
+++ b/src/main/java/com/spring/modules/sys/service/impl/SysUserServiceImpl.java
@ -98,7 +98,7 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserDao, SysUserEntity> i
 		this.save(user);
 		
 		//检查角色是否越权
-		checkRole(user);
+		//checkRole(user);
 		//添加工厂权限
 		List<AccessSiteData> checkList=baseMapper.checkAccessSite( user.getSite(),  user.getUsername());
 		if(checkList.isEmpty()){
@ -132,7 +132,7 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserDao, SysUserEntity> i
 		this.updateById(user);
 		
 		//检查角色是否越权
-		checkRole(user);
+		//checkRole(user);
 		
 		//保存用户与角色关系
 		sysUserRoleService.saveOrUpdate(user.getUserId(), user.getRoleIdList());
@ -217,4 +217,10 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserDao, SysUserEntity> i
 	public List<AccessSiteData> checkAccessSite(String site, String username){
 		return accessSiteMapper.checkAccessSite( site,  username);
 	}
+
+	@Override
+	public SysUserEntity queryByDomainControlAccount(String username) {
+		return baseMapper.queryByDomainControlAccount(username);
+	}
+
 }
--- a/src/main/java/com/spring/modules/sys/utils/CustomerLdapUtils.java
+++ b/src/main/java/com/spring/modules/sys/utils/CustomerLdapUtils.java
@ -0,0 +1,74 @@
+package com.spring.modules.sys.utils;
+
+import java.util.HashMap;
+import java.util.Hashtable;
+import java.util.List;
+import java.util.Map;
+
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.ldap.core.AttributesMapper;
+import org.springframework.ldap.core.LdapTemplate;
+import org.springframework.ldap.query.LdapQueryBuilder;
+import org.springframework.stereotype.Component;
+
+@Component
+public class CustomerLdapUtils {
+	
+	@Autowired
+	private LdapTemplate ldapTemplate;
+	
+	/**
+	 * 
+	 * @param ldapUrls
+	 * @param username
+	 * @param password
+	 * @return
+	 */
+	public Map<String, String> CheckLdapAccountAndPassword(String username, String password) {
+		//设置映射
+	    AttributesMapper<Map<String, String>> mapper = new AttributesMapper<Map<String, String>>() {
+
+			@Override
+			public Map<String, String> mapFromAttributes(Attributes attributes) throws NamingException {
+				Map<String, String> resultMap = new HashMap<>();
+                String username = attributes.get("sAMAccountName").get().toString();
+                resultMap.put("username", username);
+                // 打印所有属性及其值
+                NamingEnumeration<? extends Attribute> attrs = attributes.getAll();
+                while (attrs.hasMore()) {
+                    Attribute attr = attrs.next();
+                    String attrName = attr.getID();
+                    String attrValue = attr.get().toString();
+                    resultMap.put(attrName, attrValue);
+                }
+                // 添加其他你需要映射的属性
+                return resultMap;
+			}
+		};
+		
+		//查询用户信息
+		List<Map<String, String>> resultList = ldapTemplate.search(
+				LdapQueryBuilder.query().where("objectClass").isPresent()
+				.and("sAMAccountName").is(username),
+				mapper);
+		//判断用户是否能找到
+		if(resultList.size() > 0) {
+			try {
+				ldapTemplate.authenticate(LdapQueryBuilder.query().where("objectClass").isPresent()
+						.and("sAMAccountName").is(username),  password);
+			} catch (Exception e) {
+				e.printStackTrace();
+				throw new RuntimeException("账号或者密码有误!");
+			}
+		}else {
+			throw new RuntimeException("查无此账号!");
+		}
+		return resultList.get(0);
+	}
+
+}
--- a/src/main/resources/application-dev.yml
+++ b/src/main/resources/application-dev.yml
@ -40,6 +40,15 @@ spring:
        url-pattern: /*
        exclusions: "*.js,*.gif,*.jpg,*.bmp,*.png,*.css,*.ico,/druid/*"
        session-stat-enable: true
+ #ldap的配置参数
+  ldap:
+    urls: ldap://172.19.1.5:389
+    base: OU=China,OU=Asia,DC=worldmark,DC=local  # 根据实际的域控制器基础DN进行调整
+    username: Worldmark1\PLM_LDAP  # 使用UPN格式
+    password: P@ssw0rd99
+    base-environment:
+      java.naming.factory.initial: com.sun.jndi.ldap.LdapCtxFactory
+      java.naming.security.authentication: simple

 #文件的存放的路径
 sys-file:
@ -61,6 +70,10 @@ oa-api:
 oa-control:
  control-flag: false

+#是否启用域控登录
+ldap-control:
+  control-flag: false
+
 # 消息来源（OA）
 oa-code:
  code: "553"
--- a/src/main/resources/mapper/sys/SysUserDao.xml
+++ b/src/main/resources/mapper/sys/SysUserDao.xml
@ -21,6 +21,11 @@
 		select * from sys_user where username = #{username}
 	</select>

+	<!--按照域控账号查询-->
+	<select id="queryByDomainControlAccount" resultType="com.spring.modules.sys.entity.SysUserEntity">
+		select * from sys_user where domain_control_account = #{username}
+	</select>
+
 	<select id="checkAccessSite" resultType="com.spring.modules.base.entity.AccessSiteData">
        select Site,userID from AccessSite where site=#{site} and userID=#{username}
    </select>