没有使用Spring安全性找到AuthenticationProvider
我一直在尝试使用他们的x509证书通过LDAP对用户进行身份validation,但似乎无法使用它。 我声明了一个身份validation提供程序,但我仍然收到一个错误,说没有提供程序。
这是我的调试输出:
INFO: Initiating Jersey application, version 'Jersey: 1.12 02/15/2012 04:51 PM' DEBUG: ossecurity.web.FilterChainProxy - /x509 at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' DEBUG: osswcHttpSessionSecurityContextRepository - No HttpSession currently exists DEBUG: osswcHttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created. DEBUG: ossecurity.web.FilterChainProxy - /x509 at position 2 of 8 in additional filter chain; firing Filter: 'customX509AuthenticationFilter' DEBUG: mdCustomX509AuthenticationFilter - Checking secure context token: null DEBUG: mdCustomX509AuthenticationFilter - X.509 client authentication certificate: [removed to save space] DEBUG: mdCustomX509PrincipalExtractor - Subject DN is 'CN=Last.First.M.1234567890, OU=GROUP1, O=ORG, C=US' DEBUG: mdCustomX509PrincipalExtractor - Extracted Principal name is '1234567890' DEBUG: mdCustomX509AuthenticationFilter - X.509 client authentication certificate: [removed to save space] DEBUG: mdCustomX509AuthenticationFilter - preAuthenticatedPrincipal = 1234567890, trying to authenticate DEBUG: mdCustomX509AuthenticationFilter - Cleared security context due to exception org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:196) ~[spring-security-core-3.1.1.RELEASE.jar:3.1.1.RELEASE] at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:115) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE] at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:85) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE] at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE] at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:184) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE] at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:155) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE] at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-3.1.1.RELEASE.jar:3.1.1.RELEASE] at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) [spring-web-3.1.1.RELEASE.jar:3.1.1.RELEASE] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29] at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:205) [cors-filter-1.3.2.jar:na] at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:266) [cors-filter-1.3.2.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:6.0.29] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.29] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.29] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.29] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.29] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.29] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) [tomcat-coyote.jar:6.0.29] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) [tomcat-coyote.jar:6.0.29] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.29] at java.lang.Thread.run(Thread.java:679) [na:1.6.0_22] DEBUG: ossecurity.web.FilterChainProxy - /x509 at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' DEBUG: ossecurity.web.FilterChainProxy - /x509 at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' DEBUG: ossecurity.web.FilterChainProxy - /x509 at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' DEBUG: osswaAnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' DEBUG: ossecurity.web.FilterChainProxy - /x509 at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter' DEBUG: osswsSessionManagementFilter - Requested session ID E34E30E0411B02EFA37B41BCBA282041 is invalid. DEBUG: ossecurity.web.FilterChainProxy - /x509 at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' DEBUG: ossecurity.web.FilterChainProxy - /x509 at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' DEBUG: osswaiFilterSecurityInterceptor - Secure object: FilterInvocation: URL: /x509; Attributes: [hasRole('user')] DEBUG: osswaiFilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS DEBUG: ossaccess.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6b207925, returned: -1 DEBUG: osswaExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-3.1.1.RELEASE.jar:3.1.1.RELEASE] ... DEBUG: osswsHttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[https://192.168.56.67/cert/x509] DEBUG: osswaExceptionTranslationFilter - Calling Authentication entry point. DEBUG: osswaHttp403ForbiddenEntryPoint - Pre-authenticated entry point called. Rejecting access DEBUG: osswcHttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. DEBUG: osswcSecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed 这是我的spring-security.xml:
我无法弄清楚为什么会抛出错误并且已经做了很多研究试图找到问题的根源。 任何帮助将不胜感激。
谢谢,詹姆斯
在技术层面,问题是您的身份validationfilter与您的身份validation提供程序不兼容:您的CustomX509AuthenticationFilter创建PreAuthenticatedAuthenticationToken ,并将其发送到要处理的已配置的LdapAuthenticationProvider ,但该提供程序仅支持UsernamePasswordAuthenticationToken 。
您可以通过使CustomX509AuthenticationFilter创建UsernamePasswordAuthenticationToken来解决问题,但我想这里似乎存在一些概念性问题。
如果客户端提供有效的x509证书,您是否应该在没有进一步LDAP身份validation的情况下信任它? 即使您想要这个额外的步骤,您在哪里获得LDAP绑定操作的密码? 你从证书中提取出来的吗? 如果是这样,这将不会给您任何额外的安全性,因为如果有人拥有证书,无论是否有LDAP,他们都将获得身份validation。
詹姆斯发表评论后更新:
看来您从LDAP获得的所有内容都是由证书标识的用户的角色信息,在这种情况下,您无需针对LDAP对其进行身份validation。 您只需使用已在contextSource配置的LDAP管理员帐户加载用户详细信息。 请尝试以下方法:
- 将
LdapUserDetailsService包装在UserDetailsByNameServiceWrapper - 而不是
LdapAuthenticationProvider配置PreAuthenticatedAuthenticationProvider,它将能够处理CustomX509AuthenticationFilter发出的PreAuthenticatedAuthenticationToken。 - 将包装的
LdapUserDetailsService注入PreAuthenticatedAuthenticationProvider。
这将确保使用LDAP中提供的所有信息填充Authentication对象。 然后,后续filter可以根据用户授予的权限(LDAP中定义的组成员身份)授权请求。