[英]Unable to authenticate LDAP account using Spring 3.1 with correct credentials
I am trying to configure spring security with LDAP. 我正在尝试使用LDAP配置Spring安全性。 It works fine with the default user-service but I am unable to authenticate user when I configure LDAP in security context. 在默认的用户服务下,它可以正常工作,但是在安全上下文中配置LDAP时,我无法对用户进行身份验证。 Following is my security configiration: 以下是我的安全配置:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<beans:bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://authserver:389/dc=mydomain,dc=net"/>
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="ldapContextSource"/>
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>uid={0},ou=people</beans:value>
</beans:list>
</beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="ldapContextSource"/>
<beans:constructor-arg value="ou=Groups"/>
<beans:property name="groupRoleAttribute" value="cn"/>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<authentication-manager>
<authentication-provider ref="ldapAuthProvider" />
</authentication-manager>
<http use-expressions="true">
<intercept-url pattern="/index" access="permitAll" />
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/loginfailed" access="permitAll" />
<intercept-url pattern ="/failure" access="permitAll"/>
<intercept-url pattern="/home" access="permitAll"/>
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')" />
<intercept-url pattern="/secure/**" access="isAuthenticated()" />
<!-- intercept-url pattern="/**" access="denyAll" / -->
<form-login login-page="/login" default-target-url="/secure"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/index" />
</http>
</beans:beans>
When I provide the username and password using the login form, I see following lines in the log: 当我使用登录表单提供用户名和密码时,我在日志中看到以下几行:
07:37:47 [http-bio-8181-exec-57] FilterChainProxy - /j_spring_security_check at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
07:37:47 [http-bio-8181-exec-57] HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
07:37:47 [http-bio-8181-exec-57] HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@d3b8dae. A new one will be created.
07:37:47 [http-bio-8181-exec-57] FilterChainProxy - /j_spring_security_check at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
07:37:47 [http-bio-8181-exec-57] FilterChainProxy - /j_spring_security_check at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
07:37:47 [http-bio-8181-exec-57] UsernamePasswordAuthenticationFilter - Request is to process authentication
07:37:47 [http-bio-8181-exec-57] ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
07:37:47 [http-bio-8181-exec-57] LdapAuthenticationProvider - Processing authentication request for user: testuser
07:37:47 [http-bio-8181-exec-57] BindAuthenticator - Attempting to bind as uid=testuser,ou=people,dc=mydomain
07:37:47 [http-bio-8181-exec-57] DefaultSpringSecurityContextSource - Removing pooling flag for user uid=testuser,ou=people,dc=mydomain
07:37:48 [http-bio-8181-exec-57] BindAuthenticator - Failed to bind as uid=testuser,ou=people: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
07:37:48 [http-bio-8181-exec-57] UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
07:37:48 [http-bio-8181-exec-57] UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
07:37:48 [http-bio-8181-exec-57] UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@23ec84dc
07:37:48 [http-bio-8181-exec-57] SimpleUrlAuthenticationFailureHandler - Redirecting to /loginfailed
07:37:48 [http-bio-8181-exec-57] DefaultRedirectStrategy - Redirecting to '/skweb/loginfailed'
I have tried various combinations after using earch on this and othe sites but obviously I am missing something very basic. 在此站点和其他站点上使用earch之后,我尝试了各种组合,但是显然我缺少一些非常基本的东西。
**** Update I tried using a simple java program using UnboundID sdk to try and authenticate to the same ldap server and it connected on first attempt. ****更新我尝试使用一个简单的Java程序,使用UnboundID sdk尝试对同一ldap服务器进行身份验证,并在首次尝试时将其连接。
This simply indicates that there is something incorrect in my Spring configuration but I am unable to find it. 这只是表明我的Spring配置中有不正确的地方,但是我找不到它。 I have tried with BindAuthenticator as well as Password comparison method. 我尝试使用BindAuthenticator以及密码比较方法。 Is there some configuration in spring security which might cause password to be encrypted in a different scheme than our ldap server? Spring Security中是否有一些配置可能会导致密码以与ldap服务器不同的方案进行加密?
static boolean authenticate(String username, String password) throws LDAPException {
LDAPConnection ldap = new LDAPConnection("authserver", 389);
SearchResult sr = ldap.search("ou=people,dc=mydomain,dc=net", SearchScope.SUB, "(uid=" + username + ")");
if (sr.getEntryCount() == 0)
return false;
String dn = sr.getSearchEntries().get(0).getDN();
try {
ldap = new LDAPConnection("authserver", 389, dn, password);
return true;
}
catch (LDAPException e) {
if (e.getResultCode() == ResultCode.INVALID_CREDENTIALS)
return false;
throw e;
}
}
Solution by OP. 由OP解决。
I was able to resolve this after changing the security context as follows: 如下更改安全上下文后,我能够解决此问题:
<authentication-manager>
<ldap-authentication-provider user-search-filter="(uid={0})"
user-search-base="ou=people"
group-role-attribute="cn"
group-search-base="ou=group"
group-search-filter="(memberUid={1})"/>
</authentication-manager>
The user-search-filter was the missing piece. 用户搜索过滤器是缺少的部分。 The previous entry (uid={0},ou=people) caused incorrect look up in ldap because it used uid instead of cn in format. 上一个条目(uid = {0},ou = people)在ldap中导致错误查找,因为它使用uid而不是cn格式。 The search filter explicitly uses the uid for searching the id in ou=people. 搜索过滤器显式使用uid来搜索ou = people中的id。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.