本文介绍了使用Active Directory Spring Security认证失败的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我一直对我们公司这个春天Web应用程序项目。它用于验证使用数据库用户,但最近我们决定使用我们的活动目录服务器的身份验证方的一种手段。所以,我们改变了弹簧的security.xml到低于code:

I've been working on a spring web application project in our company. It used to authenticate users using database, but recently we decided to use our active directory server as a means of authentication party. So, we changed the spring-security.xml to the code below:

<http auto-config="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
        <intercept-url pattern="/Content/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/Desktop/New_Them/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/App/Index" access="ROLE_USER" />
        <intercept-url pattern="/App/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/rest/clc/ClcLogPhon/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/**" access="ROLE_USER" />
        <custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />
        <logout logout-success-url="/App/Login" />
        <remember-me key="myAppKey" />
        <session-management
            session-authentication-strategy-ref="sas">
        </session-management>
        <csrf />
        <headers>
            <xss-protection />
        </headers>
    </http>
<beans:bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg
            value="ldap://192.168.1.199:389/DC=myDomain,DC=org" />
        <beans:property name="userDn"
            value="CN=myUsername,CN=Users,DC=myDomain,DC=org" />
        <beans:property name="password" value="myPassword" />
    </beans:bean>

    <beans:bean id="ldapAuthProvider"
        class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource" />
                <beans:property name="userDnPatterns">
                    <beans:list>
                        <beans:value>uid={0},ou=users</beans:value>
                    </beans:list>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource" />
                <beans:constructor-arg value="ou=groups" />
                <beans:property name="groupRoleAttribute" value="ou" />
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>

    <authentication-manager>
        <authentication-provider ref="ldapAuthProvider"/>
    </authentication-manager>

和Web应用程序的启动很好。但是,当我想登录与之前在活动目录中,下面的错误是发生的声明用户:

And the web application starts up well. But when I want to login with users which declared before in the active directory, the error below is occurred:

DEBUG UsernamePasswordAuthenticationFilter - Request is to process authentication
DEBUG ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
DEBUG LdapAuthenticationProvider - Processing authentication request for user: m.fazel
DEBUG BindAuthenticator - Attempting to bind as uid=m.fazel,ou=users,dc=myDomain,dc=org
DEBUG DefaultSpringSecurityContextSource - Removing pooling flag for user uid=m.fazel,ou=users,dc=myDomain,dc=org
DEBUG BindAuthenticator - Failed to bind as uid=m.fazel,ou=users: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1];
DEBUG DefaultListableBeanFactory - Returning cached instance of singleton bean 'sessionRegistry'
DEBUG DefaultListableBeanFactory - Returning cached instance of singleton bean 'logoutSuccessHandler'
DEBUG UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
DEBUG UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@560d9ba6
DEBUG TokenBasedRememberMeServices - Interactive login attempt was unsuccessful.
DEBUG TokenBasedRememberMeServices - Cancelling cookie
DEBUG SimpleUrlAuthenticationFailureHandler - Redirecting to /spring_security_login?login_error
DEBUG DefaultRedirectStrategy - Redirecting to '/hafizApps/spring_security_login?login_error'

正如你可以看到上面的调试结果,就引起了由于LDAP错误:

As you can see debug result above, it caused due to Ldap error:

LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

不过,我已经连接到服务器, JXplorer 。有一个在LDAP连接设置无可奈何错误。而且还测试用户,我试图用(iemfazel)连接,在LDAP已经被声明为你可以在下面的图中看到:

However, I have already connected to the server with JXplorer. There is no alternative error in ldap connection settings. And also the test user which I trying to connect with (i.e. m.fazel), is already declared in ldap as you can see in the figure below:

@jeemster修改后:

不过,UID正是写于的。我改变弹簧的security.xml就像jeemster说,一边CN = {0},OU =测试,而不是UID = {0},OU =用户。 id为ldapAuthProvider这个bean更改为下面展示了豆:

However, uid was exactly what was written in spring security ldap authentication.I change the spring-security.xml just like jeemster said and put cn={0},ou=test instead of uid={0},ou=users. The bean with id="ldapAuthProvider" is changed to the bean demonstrated below:

<beans:bean id="ldapAuthProvider"
        class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource" />
                <beans:property name="userDnPatterns">
                    <beans:list>
                        <beans:value>CN={0},OU=test</beans:value>
                    </beans:list>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource" />
                <beans:constructor-arg value="ou=groups" />
                <beans:property name="groupRoleAttribute" value="ou" />
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>

另外,我创建了测试组的新用户,并把它命名为alialavi。在LDAP创造了新的用户表现出如下图。

Also, I create a new user in the test group and named it alialavi. The new user which created in the ldap was shown in the figure below.

这表现在上图中,从JXplorer捕捉,新用户的专有名称为:

As demonstrated in the above figure that capture from JXplorer, the distinguished name for the new user is:

cn=alialavi,ou=test,dc=hafiz-co,dc=org

但在Web应用程序启动时,我在登录页面再次看到此错误:

But after the web application starts up, I see this error again in login page:

DEBUG UsernamePasswordAuthenticationFilter - Request is to process authentication
DEBUG ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
DEBUG LdapAuthenticationProvider - Processing authentication request for user: alialavi
DEBUG BindAuthenticator - Attempting to bind as cn=alialavi,ou=test,dc=hafiz-co,dc=org
DEBUG DefaultSpringSecurityContextSource - Removing pooling flag for user cn=alialavi,ou=test,dc=hafiz-co,dc=org
DEBUG BindAuthenticator - Failed to bind as CN=alialavi,OU=test: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
DEBUG UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
DEBUG UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@4481f947
DEBUG TokenBasedRememberMeServices - Interactive login attempt was unsuccessful.

这又造成新的distinguishedName错误:

Again it caused error with the new distinguishedName:

cn=alialavi,ou=test,dc=hafiz-co,dc=org

虽然两者的distinguishedName是相同的,发生的错误。

Although both distinguishedName is the same, the error occurred.

推荐答案

我会先尝试改变:

uid={0},ou=users

cn={0},ou=users

通常情况下,uid是不是在Microsoft Active Directory中的值。

Normally, uid is not a value within Microsoft Active Directory.

但是,错误:

data 52e

返回AFIK,当用户名是有效的,但密码/凭据是无效的。

Returns AFIK, when username is valid but password/credential is invalid.

最后,它似乎从什么张贴,即

Finally, it appears from what is posted, that

m.fazel

是对的samAccountName而不是用户的cn或流体。的DN被用于绑定在LDAP似乎是:

Is the samAccountName and not the cn or uid of the user. The LDAP DN being used for the bind appears to be:

uid=m.fazel,ou=users,dc=myDomain,dc=org

该用户是否出现在目录?

Does this user appears in the directory?

-Jim

这篇关于使用Active Directory Spring Security认证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-17 04:22
查看更多