使用Spring Security 3.2,Spring Ldap 2.0和JavaConfig进行Active Directory身份validation
我正在编写一个要求用户登录的Web应用程序。 我的公司有一个Active Directory服务器,我想为此目的使用它。 但是,我在使用Springvalidation用户凭据时遇到问题。
我正在使用Spring Security 3.2.2,Spring Ldap 2.0.1和Java 1.7。
Web应用程序启动良好,针对InMemory-Authentication的身份validation也运行良好,因此我的应用程序的其余部分似乎配置正确。
这是我的配置:
@Configuration @EnableWebSecurity public class LdapConfig extends WebSecurityConfigurerAdapter { @Bean public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() { val provider = new ActiveDirectoryLdapAuthenticationProvider("my.domain", "ldap://LDAP_ID:389/OU=A_GROUP,DC=domain,DC=tld"); provider.setConvertSubErrorCodesToExceptions(true); provider.setUseAuthenticationRequestCredentials(true); provider.setUseAuthenticationRequestCredentials(true); return provider; } @Bean public LoggerListener loggerListener() { return new LoggerListener(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider()); } @Override protected void configure(HttpSecurity http) throws Exception { // Configuration for Redirects, Login-Page and stuff } } 当我尝试使用MY_USERNAME和MY_PASSWORD登录时,我收到Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
完整Stacktrace:
14:59:00,508 DEBUG UsernamePasswordAuthenticationFilter:205 - Request is to process authentication 14:59:00,509 DEBUG ProviderManager:152 - Authentication attempt using org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider 14:59:00,509 DEBUG ActiveDirectoryLdapAuthenticationProvider:65 - Processing authentication request for user: USERNAME 14:59:00,563 ERROR ActiveDirectoryLdapAuthenticationProvider:133 - Failed to locate directory entry for authenticated user: USERNAME javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=A_GROUP,DC=domain,DC=tld' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source) at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source) at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source) at javax.naming.directory.InitialDirContext.search(Unknown Source) at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:208) at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.searchForUser(ActiveDirectoryLdapAuthenticationProvider.java:285) at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.doAuthentication(ActiveDirectoryLdapAuthenticationProvider.java:130) at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:80) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177) at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110) ... a few more 14:59:00,597 WARN LoggerListener:60 - Authentication event AuthenticationFailureBadCredentialsEvent: USERNAME; details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddUSERNAME: 0:0:0:0:0:0:0:1; SessionId: 1E9401031886F0155F0ACE881CC50A4B; exception: Bad credentials 14:59:00,597 DEBUG UsernamePasswordAuthenticationFilter:348 - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials 14:59:00,597 DEBUG UsernamePasswordAuthenticationFilter:349 - Updated SecurityContextHolder to contain null Authentication 14:59:00,597 DEBUG UsernamePasswordAuthenticationFilter:350 - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@3d876453
当我使用Ldap-Explorer浏览AD并搜索(&(objectClass=user)(userPrincipalName=MY_USERNAME)) ,Spring在ActiveDirectoryLdapAuthenticationProvider:searchForUser(…)中执行此操作时,它返回正确的用户。
输入无效密码时,Spring返回ActiveDirectoryLdapAuthenticationProvider:200 - Active Directory authentication failed: Supplied password was invalid 。 这似乎没问题。
是否缺少配置的一部分?
是否有任何有关如何使用JavaConfig为AD配置Spring Ldap的工作示例? 官方的Spring Guide只描述了XML-Way http://docs.spring.io/spring-security/site/docs/3.1.5.RELEASE/reference/ldap.html#ldap-active-directory
更新:刚刚将我的AuthenticationProvider更新为以下内容:
@Bean public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() { val provider = new ActiveDirectoryLdapAuthenticationProvider("company.tld", "ldap://LDAP_URL:389"); provider.setConvertSubErrorCodesToExceptions(true); provider.setUseAuthenticationRequestCredentials(true); provider.setAuthoritiesMapper(myAuthoritiesMapper()); // see http://comdynamics.net/blog/544/spring-security-3-integration-with-active-directory-ldap/ provider.setUseAuthenticationRequestCredentials(true); return provider; }
它很好,感谢guido!
注意:Spring声明忽略了PartialResultException。 文件说
某些Active Directory(AD)服务器无法自动跟踪引用,这通常会导致在搜索中抛出PartialResultException。 您可以通过将ignorePartialResultException属性设置为true来指定要忽略PartialResultException。
也许有一种方法可以通过JavaConfig设置这个属性。 我忽略了它。
- 对于PartialResultException您应该在您的上下文源上将参数引用设置为“跟随”。
例如: https : //stackoverflow.com/a/26872236/2718510
- 如何在JBoss中配置SQL Server数据源以使用特定的Active Directory用户进行连接?
- 在尝试使用unboundid LDAP SDK更改scala中的密码时,如何解决“WILL_NOT_PERFORM”MS AD回复?
- 安全Java SOAP Web服务 – Active Directory身份validation信任
- 检测使用Java登录计算机的用户
- 在ssl(ldaps)的支持下连接活动目录
- 带有Active Directory的JNDI PartialResultException
- 将Ldap用户与使用Java的组关联
- 用户解锁后,Windows机器上的Kerberos缓存票证无法重新生成
- Java SimpleDateFormat总是返回1月份的月份