I have been trying to configure Spring Security to use LDAP, with little success.
I have the following configuration beans:
```java
@Bean
public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
    ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("go.com.mt", "LDAP://CORPORATE.INTRA");
    provider.setConvertSubErrorCodesToExceptions(true);
    provider.setUseAuthenticationRequestCredentials(true);
    provider.setUserDetailsContextMapper(userDetailsContextMapper());
    return provider;
}

@Bean
public UserDetailsContextMapper userDetailsContextMapper() {
    UserDetailsContextMapper contextMapper = new AttributesLDAPUserDetailsContextMapper();
    return contextMapper;
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
}
```
As suggested by many Stack Overflow answers, I tried creating a custom mapper that sets every authority to ROLE_USER:
```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

public class AttributesLDAPUserDetailsContextMapper implements UserDetailsContextMapper {
    @Override
    public UserDetails mapUserFromContext(DirContextOperations dirContextOperations, String username, Collection<? extends GrantedAuthority> authority) {
        List<GrantedAuthority> mappedAuthorities = new ArrayList<GrantedAuthority>();
        for (GrantedAuthority granted : authority) {
            // Deliberately always true for now: every AD group is mapped to ROLE_USER
            if (true) {
                mappedAuthorities.add(() -> "ROLE_USER");
            } else if (granted.getAuthority().equalsIgnoreCase("MY ADMIN GROUP")) {
                mappedAuthorities.add(() -> "ROLE_ADMIN");
            }
        }
        return new User(username, "", mappedAuthorities);
    }

    @Override
    public void mapUserToContext(UserDetails userDetails, DirContextAdapter dirContextAdapter) {
    }
}
```
When I try to authenticate as an existing user with a wrong password, I get the following message:

```
[apr-8080-exec-6] ctiveDirectoryLdapAuthenticationProvider : Active Directory authentication failed: Supplied password was invalid
[apr-8080-exec-6] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Thu Aug 20 07:31:59 CEST 2015, principal=samantha.catania, type=AUTHENTICATION_FAILURE, data={type=org.springframework.security.authentication.BadCredentialsException, message=Bad credentials}]
```

which means Active Directory is working, but when I try to authenticate with the correct credentials I get this instead:

```
[pr-8080-exec-10] o.s.s.ldap.SpringSecurityLdapTemplate : Ignoring PartialResultException
[pr-8080-exec-10] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Thu Aug 20 07:32:05 CEST 2015, principal=samantha.catania, type=AUTHENTICATION_FAILURE, data={type=org.springframework.security.authentication.BadCredentialsException, message=Bad credentials}]
```

Any ideas how to solve this?
Answer 0 (score: 2)
The problem seemed to be that the ActiveDirectoryLdapAuthenticationProvider was using the domain to "guess" the DN. Updating spring-security-ldap to the latest version provides a new constructor with 3 parameters, the last of which lets you specify the DN. After that, the mapper started being called successfully and authentication passed.
I want to thank everyone who contributed :)
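The three-argument constructor the accepted answer refers to, shown together with a mapper that grants roles by AD group. This is an added example, not the asker's or the project's code; the domain, URL and root DN are constructed placeholders and the admin group name is hypothetical.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
@Configuration
public class AdProviderConfig {
    // Placeholder values: substitute your own domain, server URL and root DN.
    static final String DOMAIN = "example.com";
    static final String URL = "ldap://ad.example.com:389";
    static final String ROOT_DN = "dc=corp,dc=example,dc=com";
    // Hypothetical AD group; only its members receive ROLE_ADMIN.
    static final String ADMIN_GROUP = "App Admins";
    @Bean
    public ActiveDirectoryLdapAuthenticationProvider adProvider() {
        // The third argument fixes the search base instead of deriving it from the domain.
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(DOMAIN, URL, ROOT_DN);
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUserDetailsContextMapper(new GroupRoleMapper());
        return provider;
    }
    // Maps the memberOf groups the provider loads into application roles:
    // every authenticated user gets ROLE_USER; the admin group also gets ROLE_ADMIN.
    static class GroupRoleMapper implements UserDetailsContextMapper {
        @Override
        public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                Collection<? extends GrantedAuthority> groups) {
            List<GrantedAuthority> roles = new ArrayList<>();
            roles.add(new SimpleGrantedAuthority("ROLE_USER"));
            for (GrantedAuthority g : groups) {
                if (ADMIN_GROUP.equalsIgnoreCase(g.getAuthority())) {
                    roles.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                }
            }
            return new User(username, "", roles);
        }
        @Override
        public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
            // Authentication is read-only against AD; nothing is written back.
        }
    }
}
```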
Answer 1 (score: 0)
Try setting the Java environment property "java.naming.referral" to "follow" (in code at startup, or via the JVM argument -Djava.naming.referral=follow).
Do you get a stack trace, or can you print the BadCredentialsException?
This is very similar to an issue encountered with AD, where the problem is how AD handles referrals, which produces an error during data retrieval.
Based on what you posted, I would expect the exception to be generated at ActiveDirectoryLdapAuthenticationProvider.java line 323, which leads to the same problem.