With reference to class org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider, used to perform Active Directory authentication in all of our web applications, I have been asked the following question by our customer, which poses me a doubt:
What is the security protocol used during authentication - LDAP SSL / NTLM / KERBEROS? If you are just using LDAP and not LDAPS (secure LDAP), then this would be a problem, because we would be transmitting cleartext credentials between the web server and Active Directory.
Example configuration:
<b:bean id="adAuthenticationProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<b:constructor-arg value="${ldap.domain}" />
<b:constructor-arg value="${ldap.url}" />
<b:property name="userDetailsContextMapper" ref="adUserDetailsContextMapper" />
<b:property name="convertSubErrorCodesToExceptions" value="false" />
</b:bean>
Now that I think about it, none of us in my development team ever cared about the security of the AD password (most of our customers don't even enforce SSL).
I can't find a reference in the Spring documentation. The Spring Security LDAP version is 3.2.5.
Does somebody know if and how Spring LDAP protects the password when authenticating against Active Directory?
Solution: Wireshark said the password is sent in plaintext with those settings.
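An added example, not part of the original question or answer: a Python audit that finds `ActiveDirectoryLdapAuthenticationProvider` beans in a Spring XML file and flags every resolved URL argument that does not use the `ldaps://` scheme, which is the case the customer's question is about. The `<b:beans>` wrapper, the host names and the property values are constructed for illustration, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

BEANS_NS = "{http://www.springframework.org/schema/beans}"
AD_PROVIDER = ("org.springframework.security.ldap.authentication.ad."
               "ActiveDirectoryLdapAuthenticationProvider")

# Constructed sample: the bean from the question wrapped in a <b:beans> root.
SAMPLE_XML = """<b:beans xmlns:b="http://www.springframework.org/schema/beans">
  <b:bean id="adAuthenticationProvider"
          class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <b:constructor-arg value="${ldap.domain}" />
    <b:constructor-arg value="${ldap.url}" />
  </b:bean>
</b:beans>"""

def resolve(value, props):
    """Expand ${key} placeholders from props; unknown keys are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def audit_ad_providers(xml_text, props):
    """Return (bean id, url) for every AD provider URL that is not ldaps://."""
    findings = []
    root = ET.fromstring(xml_text)
    for bean in root.iter(BEANS_NS + "bean"):
        if bean.get("class") != AD_PROVIDER:
            continue
        args = [a.get("value", "") for a in bean.findall(BEANS_NS + "constructor-arg")]
        if len(args) < 2:
            continue  # the URL is the second constructor argument (domain, url)
        # Assumption: the value may hold several space-separated URLs; check each.
        # An unresolved ${...} placeholder is also reported, so the audit fails closed.
        for url in resolve(args[1], props).split():
            if not url.lower().startswith("ldaps://"):
                findings.append((bean.get("id"), url))
    return findings

if __name__ == "__main__":
    # Constructed property sets: the weak setting beside the corrected one.
    weak = {"ldap.domain": "corp.example", "ldap.url": "ldap://dc1.corp.example:389/"}
    fixed = {"ldap.domain": "corp.example", "ldap.url": "ldaps://dc1.corp.example:636/"}
    print("ldap://  ->", audit_ad_providers(SAMPLE_XML, weak))
    print("ldaps:// ->", audit_ad_providers(SAMPLE_XML, fixed))
```

With an `ldaps://` URL the JVM running the web application must also trust the certificate presented by the domain controller, otherwise the connection fails instead of falling back to cleartext.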