能够为外部数据库权限执行自定义ldap身份验证。但是,当我尝试测试错误的密码时,身份验证失败的URL没有显示,而是我的浏览器打印了异常详细信息.Below是我的securitycontext.xml并且给出了异常:
<http auto-config="false" access-decision-manager-ref="accessDecisionManager" access-denied-page="/accessDenied.jsp">
<!-- Restrict access to ALL other pages -->
<intercept-url pattern="/index.jsp" filters="none" />
<!-- Don't set any role restrictions on login.jsp -->
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/service/**" access="PRIV_Report User, PRIV_305" />
<logout logout-success-url="/index.jsp" />
<form-login authentication-failure-url="/index.jsp?error=1" default-target-url="/home.jsp" />
<anonymous/>
</http>
<b:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
<b:property name="decisionVoters">
<b:list>
<b:ref bean="roleVoter" />
<b:ref bean="authenticatedVoter" />
</b:list>
</b:property>
</b:bean>
<b:bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
<b:property name="rolePrefix" value="PRIV_" />
</b:bean>
<b:bean id="authenticatedVoter" class="org.springframework.security.vote.AuthenticatedVoter">
</b:bean>
<b:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<b:constructor-arg value="ldap://mydomain:389" />
</b:bean>
<b:bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<b:constructor-arg ref="contextSource" />
</b:bean>
<b:bean id="ldapAuthenticationProvider"
class="com.zo.sas.gwt.security.login.server.SASLdapAuthenticationProvider">
<b:property name="authenticator" ref="ldapAuthenticator" />
<custom-authentication-provider />
</b:bean>
<b:bean id="ldapAuthenticator"
class="com.zo.sas.gwt.security.login.server.SASAuthenticator">
<b:property name="contextSource" ref="contextSource" />
<b:property name="userDnPatterns">
<b:value>uid={0},OU=People</b:value>
</b:property>
</b:bean>
我的异常日志:
org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:180)
org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:266)
org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:106)
com.zo.sas.gwt.security.login.server.SASAuthenticator.authenticate(SASAuthenticator.java:55)
com.zo.sas.gwt.security.login.server.SASLdapAuthenticationProvider.authenticate(SASLdapAuthenticationProvider.java:45)
org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:188)
org.springframework.security.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:46)
org.springframework.security.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:82)
org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:258)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:183)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
这是我的index.jsp
<html>
<script type="text/javascript" language="javascript">
var dictionary = {
loginErr: "${SPRING_SECURITY_LAST_EXCEPTION.message}",
error: "${param.error}"
};
</script>
<head>
</head>
<body >
<iframe src="javascript:''" id="__gwt_historyFrame" style="width:0;height:0;border:0"></iframe>
<script type="text/javascript" language="javascript" src="com.zo.sas.gwt.sasworkflow.home.Home.nocache.js"></script>
</body>
</html>
答案 0 :(得分:1)
该日志并没有多说。您应该 org.springframework 登录 DEBUG 级别,看看发生了什么。
查找以下消息:“更新SecurityContextHolder以包含空身份验证”和“身份验证请求失败:”,之后必须重定向到index.jsp。
index.jsp的代码是什么?
答案 1 :(得分:0)
这是正确的错误消息,LDAP:错误代码49 - 凭据无效,可能不是您想要的格式。
LDAP服务器应该传递子代码,原因是,Active Directory有一个列表:
对于错误的DN,AD LDAP 49 codes和eDirectory通常会为错误密码601发送669错误。虽然我认为在最近几个版本中发生了变化,但它们在eDirectory上都显示为669个错误,以免帮助攻击者确定真实的用户名。