我有一个针对ApacheDS配置正常工作的Spring-LDAP实例。
漂亮的安全上下文:
<authentication-manager alias="authenticationManager">
<ldap-authentication-provider
user-context-mapper-ref="detailsMapper"
user-dn-pattern="uid={0},ou=people" user-search-filter="(uid={0})"
group-search-base="ou=groups" group-search-filter="member={0}">
</ldap-authentication-provider>
</authentication-manager>
当帐户被锁定时,我会在调试中看到确认锁定的位置:
DEBUG: org.springframework.security.ldap.authentication.BindAuthenticator - Failed to bind as uid=lorin,ou=people: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: account will remain locked till Sun Jun 07 22:17:01 EDT 2015]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: account will remain locked till Sun Jun 07 22:17:01 EDT 2015]
DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Login credentials not found
DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@521758c5
DEBUG: org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
但是当异常使它返回到我的失败处理程序时,异常严格来说就是BadCredentialsException,只有我配置的消息语句。
public abstract class AbstractLockDetectingAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
private final static Logger logger = LoggerFactory .getLogger(AbstractLockDetectingAuthenticationFailureHandler.class);
final protected static Locale locale = Locale.getDefault();
@Resource(name="messageSource")
private ReloadableResourceBundleMessageSource messages;
@Override
public void onAuthenticationFailure(final HttpServletRequest request,
final HttpServletResponse response, final AuthenticationException exception)
throws IOException, ServletException {
exception.printStackTrace();
super.onAuthenticationFailure(request, response, exception);
}
如何在不必自定义课程的情况下报告锁定帐户与错误密码,然后将自己投入到单个邮件的配置地狱中?
(是的,我知道报告锁定的密码不好,因为它泄漏了安全性......坚持不懈的客户)
答案 0 :(得分:0)
您可能希望使用以下代码覆盖BindAuthenticator中的方法“ handleBindException”以引发特定的异常:
protected void handleBindException(String userDn, String username, Throwable cause) {
super.handleBindException(userDn, username, cause);
//handle account locked
if (cause.getMessage().contains("account was permanently locked"))
{
throw new LockedException(messages.getMessage(
"LdapAuthenticationProvider.locked", "User account is locked"), cause);
}
//second example: handle password lifetime reached
if (cause.getMessage().contains("password end time reached"))
{
throw new AccountExpiredException(messages.getMessage(
"LdapAuthenticationProvider.expired", "User account has expired"),
cause);
}
}
如何覆盖BindAuthenticator的方法主要取决于您的Spring版本以及是否使用spring-boot。您的代码看起来像您在使用香草弹簧。
由于定义您自己的身份验证提供程序而不是使用xml ldap-authentication-provider-Tag bean可能很麻烦(因为所有子bean都需要手动定义,然后)我建议调用LdapAuthenticationProvider.setAuthenticator( ),以覆盖身份验证器。