[英]No AuthenticationProvider found using spring security
我一直在尝试使用他们的x509证书通过LDAP验证用户,但似乎无法使其正常工作。 我已经声明了一个身份验证提供程序,但是仍然提示我没有提供程序,但仍然出现错误。
这是我的调试输出:
INFO: Initiating Jersey application, version 'Jersey: 1.12 02/15/2012 04:51 PM'
DEBUG: o.s.security.web.FilterChainProxy - /x509 at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG: o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
DEBUG: o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG: o.s.security.web.FilterChainProxy - /x509 at position 2 of 8 in additional filter chain; firing Filter: 'customX509AuthenticationFilter'
DEBUG: m.d.CustomX509AuthenticationFilter - Checking secure context token: null
DEBUG: m.d.CustomX509AuthenticationFilter - X.509 client authentication certificate: [removed to save space]
DEBUG: m.d.CustomX509PrincipalExtractor - Subject DN is 'CN=Last.First.M.1234567890, OU=GROUP1, O=ORG, C=US'
DEBUG: m.d.CustomX509PrincipalExtractor - Extracted Principal name is '1234567890'
DEBUG: m.d.CustomX509AuthenticationFilter - X.509 client authentication certificate: [removed to save space]
DEBUG: m.d.CustomX509AuthenticationFilter - preAuthenticatedPrincipal = 1234567890, trying to authenticate
DEBUG: m.d.CustomX509AuthenticationFilter - Cleared security context due to exception
org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:196) ~[spring-security-core-3.1.1.RELEASE.jar:3.1.1.RELEASE]
at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:115) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:85) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:184) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:155) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) [spring-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:205) [cors-filter-1.3.2.jar:na]
at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:266) [cors-filter-1.3.2.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:6.0.29]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.29]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.29]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.29]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.29]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.29]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) [tomcat-coyote.jar:6.0.29]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) [tomcat-coyote.jar:6.0.29]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.29]
at java.lang.Thread.run(Thread.java:679) [na:1.6.0_22]
DEBUG: o.s.security.web.FilterChainProxy - /x509 at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG: o.s.security.web.FilterChainProxy - /x509 at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG: o.s.security.web.FilterChainProxy - /x509 at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG: o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG: o.s.security.web.FilterChainProxy - /x509 at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG: o.s.s.w.s.SessionManagementFilter - Requested session ID E34E30E0411B02EFA37B41BCBA282041 is invalid.
DEBUG: o.s.security.web.FilterChainProxy - /x509 at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG: o.s.security.web.FilterChainProxy - /x509 at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG: o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /x509; Attributes: [hasRole('user')]
DEBUG: o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG: o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6b207925, returned: -1
DEBUG: o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-3.1.1.RELEASE.jar:3.1.1.RELEASE]
...
DEBUG: o.s.s.w.s.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[https://192.168.56.67/cert/x509]
DEBUG: o.s.s.w.a.ExceptionTranslationFilter - Calling Authentication entry point.
DEBUG: o.s.s.w.a.Http403ForbiddenEntryPoint - Pre-authenticated entry point called. Rejecting access
DEBUG: o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
DEBUG: o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
这是我的spring-security.xml:
<http entry-point-ref="http403" use-expressions="true">
<intercept-url pattern="/**" access="hasRole('user')" />
<custom-filter position="PRE_AUTH_FILTER" ref="x509Filter" />
</http>
<global-method-security secured-annotations="enabled" />
<authentication-manager alias="authManager">
<authentication-provider ref="daoAuthenticationProvider" />
</authentication-manager>
<beans:bean id="http403" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<beans:bean id="x509Filter" class="CustomX509AuthenticationFilter">
<beans:property name="authenticationManager" ref="authManager" />
<beans:property name="principalExtractor">
<beans:bean class="CustomX509PrincipalExtractor" />
</beans:property>
</beans:bean>
<beans:bean id="daoAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:ref bean="authenticator" />
</beans:constructor-arg>
<beans:constructor-arg>
<beans:ref local="populator" />
</beans:constructor-arg>
<beans:property name="hideUserNotFoundExceptions" value="false" />
</beans:bean>
<beans:bean id="authenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg>
<beans:ref local="contextSource" />
</beans:constructor-arg>
<beans:property name="userSearch">
<beans:ref local="userSearch" />
</beans:property>
</beans:bean>
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://localhost:389/dc=my,dc=domain" />
<beans:property name="userDn" value="cn=manager,dc=my,dc=domain" />
<beans:property name="password" value="password" />
</beans:bean>
<beans:bean id="populator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg index="0">
<beans:ref local="contextSource" />
</beans:constructor-arg>
<beans:constructor-arg index="1" value="ou=roles" />
<beans:property name="groupRoleAttribute" value="cn" />
<beans:property name="groupSearchFilter" value="(member={0})" />
<beans:property name="rolePrefix" value="none" />
<beans:property name="convertToUpperCase" value="false" />
<beans:property name="searchSubtree" value="false" />
</beans:bean>
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="ou=people" />
<beans:constructor-arg index="1" value="(uid={0})" />
<beans:constructor-arg index="2">
<beans:ref local="contextSource" />
</beans:constructor-arg>
</beans:bean>
<beans:bean id="userDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<beans:constructor-arg>
<beans:ref local="userSearch" />
</beans:constructor-arg>
<beans:constructor-arg>
<beans:ref local="populator" />
</beans:constructor-arg>
</beans:bean>
我无法弄清楚为什么会引发该错误,并且已经进行了大量研究以试图找出问题的根源。 任何帮助将不胜感激。
谢谢,詹姆斯
从技术上讲,问题在于身份验证筛选器与身份验证提供程序不兼容: CustomX509AuthenticationFilter创建一个PreAuthenticatedAuthenticationToken ,并将其发送到已配置的LdapAuthenticationProvider进行处理,但是该提供程序仅支持UsernamePasswordAuthenticationToken 。
您也许可以通过使CustomX509AuthenticationFilter创建一个UsernamePasswordAuthenticationToken来解决问题,但是我想这里似乎存在一些概念上的问题。
如果客户端提供了有效的x509证书,您是否应该不经过进一步LDAP身份验证就信任它? 即使您希望执行此附加步骤,您从何处获取LDAP绑定操作的密码? 您是否从证书中提取出来? 如果是这样,这将不会为您提供任何额外的安全性,因为如果某人拥有证书,无论使用或不使用LDAP,无论如何他们都将获得身份验证。
詹姆斯评论后更新:
看来,LDAP所需的只是证书所标识用户的角色信息,在这种情况下,您无需根据LDAP对其进行身份验证。 您只需要使用contextSource已配置的LDAP管理器帐户来加载用户详细信息。 请尝试以下操作:
LdapUserDetailsService在UserDetailsByNameServiceWrapper LdapAuthenticationProvider配置一个PreAuthenticatedAuthenticationProvider ,它将能够处理CustomX509AuthenticationFilter发出的PreAuthenticatedAuthenticationToken 。 LdapUserDetailsService注入PreAuthenticatedAuthenticationProvider 。 这将确保使用来自LDAP的所有可用信息填充Authentication对象。 然后,后续的过滤器可以基于用户的授予权限(LDAP中定义的组成员身份)来授权请求。
Spring Security AuthenticationProvider-扩展身份验证
[英]Spring Security AuthenticationProvider - extends Authentication
Spring security 5/spring boot 2.2: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken
[英]Spring security 5/spring boot 2.2: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken
Spring Security自定义在AuthenticationManager中注入AuthenticationProvider
[英]spring security custom inject AuthenticationProvider inside AuthenticationManager
如何在Spring-Security中创建条件AuthenticationProvider?
[英]How to create conditional AuthenticationProvider in Spring-Security?
Spring 安全性 - 自定义 AuthenticationProvider 不起作用 - Java Config
[英]Spring security - Custom AuthenticationProvider not working - Java Config
Spring Security:AuthenticationProvider和UserDetailsService无法按预期工作
[英]Spring Security: AuthenticationProvider and UserDetailsService not working as expected
spring security自定义AuthenticationProvider被调用两次并失败
[英]spring security custom AuthenticationProvider is called twice and fails
Spring Security默认使用AuthenticationProvider和UserDetailsService
[英]AuthenticationProvider and UserDetailsService used by default by Spring Security
Spring Security自定义身份验证 - AuthenticationProvider与UserDetailsService
[英]Spring Security Custom Authentication - AuthenticationProvider vs UserDetailsService
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.