Spring Security 4.0.0 + ActiveDirectoryLdapAuthenticationProvider + BadCredentialsException PartialResultException
问题内容:
我已经在stackoverflow上阅读了有关Spring / Security /
Ldap和ActiveDirectory的几乎所有内容。即使我找到了有用的提示和提示,也无法解决我的问题。
就是这样:我确实使用用户服务和自定义登录页面配置了Spring
Security,并且一切正常。然后,我尝试切换到恰好是ActiveDirectory的最终身份验证提供程序。
这是我的security-
applicationContext.xml(我提醒您,此设置可以与作为身份验证提供程序的用户服务一起正常使用,因此,该文件实际上已导入,等等):
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/security/oauth http://www.springframework.org/schema/security/spring-security-oauth.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<!-- Définitions globales de sécurité -->
<global-method-security pre-post-annotations="enabled" />
<!-- Configuration de l'accès et du formulaire -->
<!-- Permettre l'accès libre aux feuilles de style, polices et images -->
<http pattern='/resources/css/**' security="none" />
<http pattern='/resources/fonts/**' security="none" />
<http pattern='/resources/images/**' security="none" />
<http use-expressions="true" access-denied-page="/403" disable-url-rewriting="true">
<!-- Limitation à une seule session utilisateur concurrente -->
<session-management invalid-session-url="/identite?time=1">
<concurrency-control max-sessions="1" expired-url="/identite?time=1" />
</session-management>
<!-- Définitions pour le formulaire de la page JSP d'identification -->
<form-login login-page="/identite" login-processing-url="/identite.proc" default-target-url="/" always-use-default-target="true" authentication-failure-url="/identite?err=1" username-parameter="username" password-parameter="password" />
<logout logout-url="/logout" logout-success-url="/identite?out=1" delete-cookies="JSESSIONID" invalidate-session="true" />
<!-- Utiliser un canal chiffré pour les échanges -->
<intercept-url requires-channel="https" pattern="/identite*" access="permitAll()" />
<intercept-url requires-channel="https" pattern="/**" access="isAuthenticated()" />
</http>
<!-- Fournisseurs d'identité pour le formulaire (au final, LDAP) -->
<authentication-manager erase-credentials="true">
<ldap-authentication-provider ref="myADProvider" />
<!-- This is the user-service authentication provider that is working fine
<authentication-provider>
<user-service>
<user name="Toto" authorities="ROLE_USER, ROLE_ADMIN" password="totototo" />
</user-service>
</authentication-provider>
-->
</authentication-manager>
<b:bean id="myADProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<b:constructor-arg value="fsappsuni" />
<b:constructor-arg value="ldap://fsapps.company.uni:389/" />
<b:property name="convertSubErrorCodesToExceptions" value="true" />
<b:property name="useAuthenticationRequestCredentials" value="true" />
</b:bean>
在bean
myADProvider中,即使我将第一个构造函数参数更改为fsapps.company.uni或company.uni或其他任何内容,它也不会更改以下错误。该问题似乎是由于以下事实造成的:绑定后,使用错误的过滤器执行搜索,查找的内容类似于(&(userPrincipalName
= {0})(objectClass = user)),而不是(&(sAMAccountName = {0})(objectClass
=用户))。由于当您可以使用LDAP提供程序进行操作时,由于无法弄清如何更改此设置,因此我切换到LDAP提供程序,尝试使其无法成功运行,也未在同一地点遇到问题。我还将Spring
Framework从3.1.2升级到4.1.6.RELEASE,并将Spring Security从3.1.2升级到4.0.0。
这是我的LDAP安装程序的配置,试图使身份验证与Active Directory一起使用:
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth"
xsi:schemaLocation="http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/security/oauth
http://www.springframework.org/schema/security/spring-security-oauth.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
<!-- Définitions globales de sécurité -->
<global-method-security pre-post-annotations="enabled" />
<!-- Configuration de l'accès et du formulaire -->
<!-- Permettre l'accès libre aux feuilles de style, polices et images -->
<http pattern='/resources/css/**' security="none" />
<http pattern='/resources/fonts/**' security="none" />
<http pattern='/resources/images/**' security="none" />
<http use-expressions="true" disable-url-rewriting="true">
<!-- Limitation à une seule session utilisateur concurrente -->
<session-management invalid-session-url="/identite?time=1">
<concurrency-control max-sessions="1" expired-url="/identite?time=1" />
</session-management>
<!-- Définitions pour le formulaire de la page JSP d'identification -->
<form-login login-page="/identite" login-processing-url="/identite.proc" default-target-url="/" always-use-default-target="true" authentication-failure-url="/identite?err=1" username-parameter="username" password-parameter="password" />
<csrf disabled="true" />
<logout logout-url="/logout" logout-success-url="/identite?out=1" delete-cookies="JSESSIONID" invalidate-session="true" />
<!-- Utiliser un canal chiffré pour les échanges -->
<intercept-url requires-channel="https" pattern="/identite*" access="permitAll()" />
<intercept-url requires-channel="https" pattern="/**" access="isAuthenticated()" />
</http>
<!-- Fournisseurs d'identité pour le formulaire (au final, LDAP) -->
<ldap-server url="ldap://fsapps.company.uni/dc=fsapps,dc=company,dc=uni" port="389" />
<authentication-manager erase-credentials="true">
<ldap-authentication-provider role-prefix="none"
user-search-filter="(&(sAMAccountName={0})(objectClass=user))"
group-search-filter="(&(member={0})(objectClass=group))"
user-search-base="dc=fsapps,dc=company,dc=uni">
</ldap-authentication-provider>
<!-- <authentication-provider ref="myADProvider" ></authentication-provider> -->
</authentication-manager>
<!--
<b:bean id="myADProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<b:constructor-arg value="fsapps.company.uni" />
<b:constructor-arg value="ldap://fsapps.company.uni:389/" />
<b:property name="convertSubErrorCodesToExceptions" value="true" />
<!- -
<b:property name="useAuthenticationRequestCredentials" value="true" />
- ->
</b:bean>
<b:bean id="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"></b:bean>
-->
</b:beans>
这次,我将Bean配置部分留给了AD提供程序以供参考。这也不起作用。
因此,如何将用户和组搜索路径传递给AD提供程序?或者,如何配置LDAP提供程序以使用AD并完成身份验证?
这是我在使用LDAP设置的日志中收到的消息,上面对AD设置进行了说明(错误的凭证主要是由于搜索路径错误):
2015-04-15 16:19:13,252 DEBUG (o.s.s.a.ProviderManager.authenticate) [http-8443-1] Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider MDC{}
2015-04-15 16:19:13,252 DEBUG (o.s.s.l.a.AbstractLdapAuthenticationProvider.authenticate) [http-8443-1] Processing authentication request for user: ba5glag MDC{}
2015-04-15 16:19:13,252 DEBUG (o.s.s.l.s.FilterBasedLdapUserSearch.searchForUser) [http-8443-1] Searching for user 'myuser', with user search [ searchFilter: '(&(sAMAccountName={0})(objectClass=user))', searchBase: 'dc=fsapps,dc=company,dc=uni', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ] MDC{}
2015-04-15 16:19:13,299 DEBUG (o.s.s.a.DefaultAuthenticationEventPublisher.publishAuthenticationFailure) [http-8443-1] No event was found for the exception org.springframework.security.authentication.InternalAuthenticationServiceException MDC{}
2015-04-15 16:19:13,299 ERROR (o.s.s.w.a.AbstractAuthenticationProcessingFilter.doFilter) [http-8443-1] An internal error occurred while trying to authenticate the user. MDC{}
org.springframework.security.authentication.InternalAuthenticationServiceException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece(unprintable character here)]; remaining name 'dc=fsapps,dc=company,dc=uni'
at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:207) ~[spring-security-ldap-4.0.0.RELEASE.jar:?]
at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:82) ~[spring-security-ldap-4.0.0.RELEASE.jar:?]
我希望我为某人提供所有必需的信息,以提供一些提示和指导来解决此配置问题。
更新2015-04-16〜10:20
我想出了如何使用ActiveDirectoryLdapAuthenticationProvider添加搜索过滤器。我还通过Wireshark观看了我的应用程序服务器和AD服务器之间的交换,以查看实际完成的工作。这是我的发现,我相信我距离解决问题还很遥远。由于我现在专注于使ActiveDirectoryLdapAuthenticationProvider能够正常工作,因此我更新了security-
applicationContext.xml,并丢弃了ldap服务器的内容。因此,现在这是一个更干净的配置:
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth"
xsi:schemaLocation="http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/security/oauth
http://www.springframework.org/schema/security/spring-security-oauth.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
<!-- Définitions globales de sécurité -->
<global-method-security pre-post-annotations="enabled" />
<!-- Configuration de l'accès et du formulaire -->
<!-- Permettre l'accès libre aux feuilles de style, polices et images -->
<http pattern='/resources/css/**' security="none" />
<http pattern='/resources/fonts/**' security="none" />
<http pattern='/resources/images/**' security="none" />
<http pattern='/resources/js/**' security="none" />
<http use-expressions="true" disable-url-rewriting="true">
<!-- Limitation à une seule session utilisateur concurrente -->
<session-management invalid-session-url="/identite?expiree=1">
<concurrency-control max-sessions="1" expired-url="/identite?expiree=1" />
</session-management>
<!-- Définitions pour le formulaire de la page JSP d'identification -->
<form-login login-page="/identite" login-processing-url="/identite.proc" default-target-url="/" always-use-default-target="true" authentication-failure-url="/identite?err=1" username-parameter="username" password-parameter="password" />
<csrf disabled="true" />
<logout logout-url="/logout" logout-success-url="/identite?termine=1" delete-cookies="JSESSIONID" invalidate-session="true" />
<!-- Utiliser un canal chiffré pour les échanges -->
<intercept-url requires-channel="https" pattern="/identite*" access="permitAll()" />
<intercept-url requires-channel="https" pattern="/**" access="isAuthenticated()" />
<access-denied-handler error-page="/erreur403" />
</http>
<!-- Fournisseurs d'identité pour le formulaire (au final, LDAP) -->
<authentication-manager erase-credentials="true">
<authentication-provider ref="myADProvider" />
</authentication-manager>
<b:bean id="myADProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<b:constructor-arg value="fsapps.company.uni" />
<b:constructor-arg value="ldap://fsapps.company.uni:389/" />
<b:property name="searchFilter" value="(&(sAMAccountName={0})(objectClass=user))" />
<b:property name="convertSubErrorCodesToExceptions" value="true" />
<b:property name="useAuthenticationRequestCredentials" value="true" />
</b:bean>
<b:bean id="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />
</b:beans>
关于配置的评论很少。在myADProvider
bean定义中,构造函数的第一个参数fsapps.company.uni用于创建形式为username@fsapps.company.uni的主体,并使用以下形式的baseObject构建用于搜索请求的baseObject:dc
= fsapps, dc = company,dc = uni。
第二个构造函数的参数用于建立通信。属性类型的下一个名为name =“
searchFilter”的元素将调用ActiveDirectoryLdapAuthenticationProvider类的setSearchFilter()方法来设置搜索过滤器(这是我最初寻求取得一些进展的东西)。因此,现在将其设置为搜索(&(sAMAccountName
= {0})(objectClass = user))。
通过此设置,我可以在WireShark中看到LDAP对话,并且绑定成功。绑定响应是成功的。接下来,搜索请求也成功,但不返回任何结果。因此,我仍然在日志中得到以下内容:
2015-04-16 10:30:28,201 DEBUG (o.s.s.a.ProviderManager.authenticate) [http-8443-2] Authentication attempt using org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider MDC{}
2015-04-16 10:30:28,201 DEBUG (o.s.s.l.a.AbstractLdapAuthenticationProvider.authenticate) [http-8443-2] Processing authentication request for user: myusername MDC{}
2015-04-16 10:30:28,294 DEBUG (o.s.s.l.SpringSecurityLdapTemplate.searchForSingleEntryInternal) [http-8443-2] Searching for entry under DN '', base = 'dc=fsapps,dc=company,dc=uni', filter = '(&(sAMAccountName={0})(objectClass=user))' MDC{}
2015-04-16 10:30:28,294 INFO (o.s.s.l.SpringSecurityLdapTemplate.searchForSingleEntryInternal) [http-8443-2] Ignoring PartialResultException MDC{}
2015-04-16 10:30:28,310 DEBUG (o.s.s.w.a.AbstractAuthenticationProcessingFilter.unsuccessfulAuthentication) [http-8443-2] Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials MDC{}
2015-04-16 10:30:28,310 DEBUG (o.s.s.w.a.AbstractAuthenticationProcessingFilter.unsuccessfulAuthentication) [http-8443-2] Updated SecurityContextHolder to contain null Authentication MDC{}
2015-04-16 10:30:28,310 DEBUG (o.s.s.w.a.AbstractAuthenticationProcessingFilter.unsuccessfulAuthentication) [http-8443-2] Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@2876b359 MDC{}
我相信我快到了,但是如果有人可以提供帮助,仍然可以使用一点帮助。经过仔细检查,似乎第一个构造函数的参数用于构造baseObject,而userPrincipalName是我的问题。在我们的设置中,userPrincipalName使用的域名不是LDAP
URL中的域名(即Campus.company.com)。到目前为止,到目前为止,我可以更改参数以匹配用于构造用户主体的域名。现在,问题在于这将更改必须与LDAP
URL的架构(即fsapps.company.uni)匹配的baseObject。
根据文档,只有一种方法可以设置搜索过滤器,但是构造函数可以使用一个,两个或三个参数。第三个参数是提供baseObject值。
然后,通过以下配置解决了我的问题,在该配置中,我必须使用所有可用的setter和构造函数的参数来使其工作。myADProvider bean定义如下:
<b:bean id="myADProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<b:constructor-arg value="campus.company.com" />
<b:constructor-arg value="ldap://fsapps.company.uni:389/" />
<b:constructor-arg value="dc=fsapps,dc=company,dc=uni" />
<b:property name="searchFilter" value="(&(userPrincipalName={0})(objectClass=user))" />
<b:property name="convertSubErrorCodesToExceptions" value="true" />
</b:bean>
就我而言,自从我使用默认值后,现在可以省略searchFilter属性。尽管对我的设置和问题进行了很长的描述。我希望其他人可以从中受益。
- 这是ActiveDirectorLdapAuthenticationProvider类文档的链接:[http]( http://docs.spring.io/autorepo/docs/spring-
- security/4.0.0.RELEASE/apidocs/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.html)
-
//docs.spring.io/autorepo/docs/spring-
security/4.0.0.RELEASE/apidocs/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider。
html
我发现WireShark对查看应用程序服务器和AD服务器之间发生的情况以调试此问题非常有帮助。
问题答案:
我无法使用Context.REFERRAL =“
follow”解决此问题,实际上问题出在ActiveDirectoryLdapProvider类的方法searchForUser()的代码中。在此方法中,使用bindPrincipal调用SpringSecurityLdapTemplate.searchForSingleEntryInternal()方法,该方法实际上是由在第一个参数中传递给构造函数的参数和用户名组成的userPrincipalName。因此,即使您将搜索过滤器设置为除userPrincipalName之外的任何其他内容,它都将作为参数0传递给userPrincipalName。因此,具有sAMAccountName的过滤器将不适用于UPN并引发异常。
应该修改或扩充searchForUser()以检测到searchFilter需要用户名而不是UPN,或者提供了额外的设置器来使用searchFilter的模式设置参数。
但是,如果不修改代码,就无法使此类在这种情况下正常工作。那就是我最终所做的。我编写了自己的类,基本上是原始ActiveDirectoryLdapAUthenticationProvider的复本,其中对searchForUser()进行了一次简单修改,将用户名而不是bindPrincipal传递给searchForSingleEntryInternal()。
您可以输入所需的任何搜索过滤器,但被迫仅使用单个参数(实际上是userPrincipalName),而别无其他,这有点废话。
