Spring Security authentication using Active Directory failed

I've been working on a Spring web application project in our company. It used to authenticate users using a database, but recently we decided to use our Active Directory server as the authentication party. So, we changed spring-security.xml to the code below:

<http auto-config="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <intercept-url pattern="/Content/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/Desktop/New_Them/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/App/Index" access="ROLE_USER" />
    <intercept-url pattern="/App/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/rest/clc/ClcLogPhon/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />
    <logout logout-success-url="/App/Login" />
    <remember-me key="myAppKey" />
    <session-management session-authentication-strategy-ref="sas">
    </session-management>
    <csrf />
    <headers>
        <xss-protection />
    </headers>
</http>

<beans:bean id="contextSource"
    class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://192.168.1.199:389/DC=myDomain,DC=org" />
    <beans:property name="userDn" value="CN=myUsername,CN=Users,DC=myDomain,DC=org" />
    <beans:property name="password" value="myPassword" />
</beans:bean>

<beans:bean id="ldapAuthProvider"
    class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <beans:constructor-arg ref="contextSource" />
            <beans:property name="userDnPatterns">
                <beans:list>
                    <beans:value>uid={0},ou=users</beans:value>
                </beans:list>
            </beans:property>
        </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <beans:constructor-arg ref="contextSource" />
            <beans:constructor-arg value="ou=groups" />
            <beans:property name="groupRoleAttribute" value="ou" />
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>

<authentication-manager>
    <authentication-provider ref="ldapAuthProvider"/>
</authentication-manager>

And the web application starts up fine. But when I want to log in with users that were declared before in the Active Directory, the error below occurs:

DEBUG UsernamePasswordAuthenticationFilter - Request is to process authentication
DEBUG ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
DEBUG LdapAuthenticationProvider - Processing authentication request for user: m.fazel
DEBUG BindAuthenticator - Attempting to bind as uid=m.fazel,ou=users,dc=myDomain,dc=org
DEBUG DefaultSpringSecurityContextSource - Removing pooling flag for user uid=m.fazel,ou=users,dc=myDomain,dc=org
DEBUG BindAuthenticator - Failed to bind as uid=m.fazel,ou=users: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1];
DEBUG DefaultListableBeanFactory - Returning cached instance of singleton bean 'sessionRegistry'
DEBUG DefaultListableBeanFactory - Returning cached instance of singleton bean 'logoutSuccessHandler'
DEBUG UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
DEBUG UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@560d9ba6
DEBUG TokenBasedRememberMeServices - Interactive login attempt was unsuccessful.
DEBUG TokenBasedRememberMeServices - Cancelling cookie
DEBUG SimpleUrlAuthenticationFailureHandler - Redirecting to /spring_security_login?login_error
DEBUG DefaultRedirectStrategy - Redirecting to '/hafizApps/spring_security_login?login_error'

As you can see in the debug output above, it is caused by an LDAP error:

LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

However, I have already connected to the server with JXplorer. There is no other error in the LDAP connection settings. And also the test user I am trying to connect with (iemfazel) is already declared in LDAP, as you can see in the figure below:

(Figure: JXplorer, LDAP user)

After @jeemster's edit:

However, uid was exactly what was written in the Spring Security LDAP authentication. I changed spring-security.xml just as jeemster said and put cn={0},ou=test instead of uid={0},ou=users. The bean with id="ldapAuthProvider" was changed to the bean shown below:

<beans:bean id="ldapAuthProvider"
    class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <beans:constructor-arg ref="contextSource" />
            <beans:property name="userDnPatterns">
                <beans:list>
                    <beans:value>CN={0},OU=test</beans:value>
                </beans:list>
            </beans:property>
        </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <beans:constructor-arg ref="contextSource" />
            <beans:constructor-arg value="ou=groups" />
            <beans:property name="groupRoleAttribute" value="ou" />
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>

Also, I created a new user in the test group and named it alialavi. The new user created in LDAP is shown in the figure below.


As demonstrated in the figure above, captured from JXplorer, the distinguished name of the new user is:

cn=alialavi,ou=test,dc=hafiz-co,dc=org

But after the web application starts up, I see this error again on the login page:

DEBUG UsernamePasswordAuthenticationFilter - Request is to process authentication
DEBUG ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
DEBUG LdapAuthenticationProvider - Processing authentication request for user: alialavi
DEBUG BindAuthenticator - Attempting to bind as cn=alialavi,ou=test,dc=hafiz-co,dc=org
DEBUG DefaultSpringSecurityContextSource - Removing pooling flag for user cn=alialavi,ou=test,dc=hafiz-co,dc=org
DEBUG BindAuthenticator - Failed to bind as CN=alialavi,OU=test: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
DEBUG UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
DEBUG UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@4481f947
DEBUG TokenBasedRememberMeServices - Interactive login attempt was unsuccessful.

Again it caused an error with the new distinguishedName:

cn=alialavi,ou=test,dc=hafiz-co,dc=org

Although both distinguishedNames are the same, the error occurred.

I would first try changing:

uid={0},ou=users

to

cn={0},ou=users

Normally, uid is not a value within Microsoft Active Directory.

However, the error:

data 52e

is returned, AFAIK, when the username is valid but the password/credential is invalid.

Finally, it appears from what is posted that

m.fazel

is the samAccountName and not the cn or uid of the user. The LDAP DN being used for the bind appears to be:

uid=m.fazel,ou=users,dc=myDomain,dc=org

Does this user appear in the directory?

-jim
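The answer's observation that m.fazel is a logon name (samAccountName) rather than a cn or uid suggests looking the user up by that attribute and binding as the DN the directory returns, instead of building the bind DN from a fixed pattern. The ldapAuthProvider bean below is an added example, not code from the question or the answer; it reuses the contextSource bean from the question, and the empty search base, the (sAMAccountName={0}) filter and the group settings are assumptions to adapt to the directory.

```xml
<beans:bean id="userSearch"
    class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <!-- search base relative to the context source root; "" searches from DC=myDomain,DC=org -->
    <beans:constructor-arg index="0" value="" />
    <!-- AD logon name attribute (assumed); {0} is the name typed into the login form -->
    <beans:constructor-arg index="1" value="(sAMAccountName={0})" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <!-- users live in several OUs, so search the whole subtree, not one level -->
    <beans:property name="searchSubtree" value="true" />
</beans:bean>

<beans:bean id="ldapAuthProvider"
    class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <beans:constructor-arg ref="contextSource" />
            <!-- userSearch replaces userDnPatterns: the search runs as the service account
                 (userDn of contextSource), then the bind is attempted as the returned DN -->
            <beans:property name="userSearch" ref="userSearch" />
        </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <beans:constructor-arg ref="contextSource" />
            <!-- group search base (assumed): "" plus subtree search covers all OUs -->
            <beans:constructor-arg value="" />
            <beans:property name="searchSubtree" value="true" />
            <!-- AD groups list their members in the member attribute; {0} is the user's DN -->
            <beans:property name="groupSearchFilter" value="(member={0})" />
            <!-- role name taken from the group's cn, e.g. cn=test -> ROLE_TEST -->
            <beans:property name="groupRoleAttribute" value="cn" />
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>
```

With a search-based bind, the "Attempting to bind as ..." DEBUG line shows the DN the directory actually returned, so a user that cannot be found fails at the search step and is distinguishable from a wrong password, which still shows up as data 52e.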
