ActiveDirectoryLdapAuthenticationProvider on JBOSS

Time: 2015-02-16 02:32:30

Tags: java jboss spring-security-ldap

I am trying to implement Active Directory authentication with ActiveDirectoryLdapAuthenticationProvider on JBOSS EAP 6.3.

If the user ID being authenticated is locked/expired, I get an unexpected exception.

org.springframework.ldap.UncategorizedLdapException:
Uncategorized exception occured during LDAP processing;
nested exception is javax.naming.NamingException:
JBAS011843: Classloader ModuleClassLoader for Module
"deployment.multildap.war:main" from Service Module Loader
failed to instanciate InitialContextFactory 
com.sun.jndi.ldap.LdapCtxFactory [Root exception is
javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9,
    comment: AcceptSecurityContext error, data 533, v1db1 ]]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217) [spring-ldap-core-1.3.2.RELEASE.jar:1.3.2.RELEASE]
at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:187) [spring-security-ldap-3.2.5.RELEASE.jar:3.2.5.RELEASE]
...

My configuration is as follows; it works with Tomcat 8.

<authentication-manager alias="authenticationManager">
    <authentication-provider ref="adAuthenticationProvider" />
</authentication-manager>

<beans:bean id="adAuthenticationProvider"
    class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <beans:constructor-arg value="DOMAIN_NAME.COM" />
    <beans:constructor-arg value="ldap://my-comain-controller/" />
</beans:bean>

I dug into the ActiveDirectoryLdapAuthenticationProvider source code; the method bindAsUser has the following part:

try {
    return contextFactory.createContext(env);
} catch (NamingException e) {
    if ((e instanceof AuthenticationException) || (e instanceof OperationNotSupportedException)) {
        handleBindException(bindPrincipal, e);
        throw badCredentials(e);
    } else {
        throw LdapUtils.convertLdapException(e);
    }
}

But in JBOSS, it seems the NamingException that is thrown is not an instance of AuthenticationException or OperationNotSupportedException. Those are wrapped as the root cause, and the exception itself is just a NamingException.

A quick and dirty solution might be to add some extra lines in the else part, like this:

Throwable rootCause = e.getRootCause();
if ((rootCause instanceof AuthenticationException) || (rootCause instanceof OperationNotSupportedException)) {
    handleBindException(bindPrincipal, (NamingException) rootCause);
    throw badCredentials(rootCause);
} else {
    throw LdapUtils.convertLdapException(e);
}

Has anyone had a similar problem and/or has a better solution?
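As an added example (not the original post's code and not Spring Security's own implementation), the class below does the root-cause walk the quick fix above describes as a stand-alone Java program: it searches the NamingException cause chain for the bind failure that the container wrapped, extracts the AD sub-error from the diagnostic message, and maps it to a reason for the server-side log. The class name, the regex, the bounded walk, and the constructed exception chain in main are assumptions; the sub-error table is the documented set of AD AcceptSecurityContext codes (only 533 appears in the question). Keeping the specific reason in the log while returning a uniform bad-credentials result to the caller means the login form does not reveal whether an account is disabled, expired or locked.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import javax.naming.OperationNotSupportedException;

/**
 * Added example, not Spring Security code: unwrap the JNDI bind failure that
 * JBoss wraps inside a generic NamingException, and classify the AD sub-error
 * for logging while the caller still reports a uniform "bad credentials".
 */
public class BindFailureUnwrapper {

    // AD places the sub-error after "data " in the diagnostic text, e.g. "data 533".
    private static final Pattern SUB_ERROR = Pattern.compile("data ([0-9a-fA-F]{3})");

    /** Returns the first AuthenticationException/OperationNotSupportedException in the cause chain, or null. */
    static NamingException findBindFailure(NamingException e) {
        Throwable t = e;
        for (int depth = 0; t != null && depth < 16; depth++) { // bounded walk in case the chain is long
            if (t instanceof AuthenticationException || t instanceof OperationNotSupportedException) {
                return (NamingException) t;
            }
            // NamingException keeps its cause in rootCause; fall back to getCause() for other Throwables
            t = (t instanceof NamingException) ? ((NamingException) t).getRootCause() : t.getCause();
        }
        return null;
    }

    /** Extracts the three-hex-digit AD sub-error (e.g. "533") from the exception message, or null. */
    static String subErrorCode(NamingException e) {
        String msg = e.getMessage();
        if (msg == null) return null;
        Matcher m = SUB_ERROR.matcher(msg);
        return m.find() ? m.group(1).toLowerCase() : null;
    }

    /** Reason for the server-side log only; the client response stays a generic bad-credentials failure. */
    static String describe(String code) {
        if (code == null) return "bind rejected (no AD sub-error in message)";
        switch (code) {
            case "525": return "user not found";
            case "52e": return "invalid credentials";
            case "530": return "logon not permitted at this time";
            case "531": return "logon not permitted at this workstation";
            case "532": return "password expired";
            case "533": return "account disabled";
            case "701": return "account expired";
            case "773": return "user must reset password";
            case "775": return "account locked out";
            default:    return "unknown AD sub-error " + code;
        }
    }

    public static void main(String[] args) {
        // Constructed exception chain mirroring the shape seen on JBoss in the question:
        // a container NamingException on the outside, the AuthenticationException as root cause.
        AuthenticationException root = new AuthenticationException(
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
            + "comment: AcceptSecurityContext error, data 533, v1db1 ]");
        NamingException wrapper = new NamingException(
            "JBAS011843: Classloader failed to instanciate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory");
        wrapper.setRootCause(root);

        NamingException bindFailure = findBindFailure(wrapper);
        if (bindFailure != null) {
            // Detail goes to the log; the user-facing result should be the same for every sub-error.
            System.out.println("bind failed: " + describe(subErrorCode(bindFailure)));
        } else {
            System.out.println("not a bind failure; treat as an LDAP infrastructure error");
        }
    }
}
```

Inside a provider this is the branch the question's else block is missing: when findBindFailure returns non-null, handle it as a bad-credentials case (with the sub-error logged) instead of converting it to an UncategorizedLdapException, and only fall through to LdapUtils.convertLdapException when no bind failure is found in the chain.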

0 answers:

No answers