使用活动目录的Spring安全认证失败
我一直在我们公司的一个弹簧网络应用项目上工作。它用于使用数据库对用户进行身份验证,但最近我们决定使用我们的活动目录服务器作为身份验证方。因此,我们将spring-security.xml更改为以下代码:
<http auto-config="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
<intercept-url pattern="/Content/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/Desktop/New_Them/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/App/Index" access="ROLE_USER" />
<intercept-url pattern="/App/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/rest/clc/ClcLogPhon/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_USER" />
<custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />
<logout logout-success-url="/App/Login" />
<remember-me key="myAppKey" />
<session-management
session-authentication-strategy-ref="sas">
</session-management>
<csrf />
<headers>
<xss-protection />
</headers>
</http>
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg
value="ldap://192.168.1.199:389/DC=myDomain,DC=org" />
<beans:property name="userDn"
value="CN=myUsername,CN=Users,DC=myDomain,DC=org" />
<beans:property name="password" value="myPassword" />
</beans:bean>
<beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>uid={0},ou=users</beans:value>
</beans:list>
</beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource" />
<beans:constructor-arg value="ou=groups" />
<beans:property name="groupRoleAttribute" value="ou" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<authentication-manager>
<authentication-provider ref="ldapAuthProvider"/>
</authentication-manager>
Web应用程序启动良好。但是当我想要在活动目录中使用之前声明的用户登录时,会发生以下错误:
DEBUG UsernamePasswordAuthenticationFilter - Request is to process authentication
DEBUG ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
DEBUG LdapAuthenticationProvider - Processing authentication request for user: m.fazel
DEBUG BindAuthenticator - Attempting to bind as uid=m.fazel,ou=users,dc=myDomain,dc=org
DEBUG DefaultSpringSecurityContextSource - Removing pooling flag for user uid=m.fazel,ou=users,dc=myDomain,dc=org
DEBUG BindAuthenticator - Failed to bind as uid=m.fazel,ou=users: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1];
DEBUG DefaultListableBeanFactory - Returning cached instance of singleton bean 'sessionRegistry'
DEBUG DefaultListableBeanFactory - Returning cached instance of singleton bean 'logoutSuccessHandler'
DEBUG UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
DEBUG UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@560d9ba6
DEBUG TokenBasedRememberMeServices - Interactive login attempt was unsuccessful.
DEBUG TokenBasedRememberMeServices - Cancelling cookie
DEBUG SimpleUrlAuthenticationFailureHandler - Redirecting to /spring_security_login?login_error
DEBUG DefaultRedirectStrategy - Redirecting to '/hafizApps/spring_security_login?login_error'
正如您可以看到上面的调试结果,它是由于Ldap错误引起的:
LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
但是,我已使用JXplorer连接到服务器。 ldap连接设置中没有替代错误。而且我尝试连接的测试用户(即m.fazel)已经在ldap中声明,如下图所示:
@jeemster编辑后:
然而,uid正是在spring security ldap authentication中写的。我改变了spring-security.xml,就像jeemster所说的那样,把cn = {0},ou = test而不是uid = {0},ou =用户。 id =“ldapAuthProvider”的bean更改为下面演示的bean:
<beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>CN={0},OU=test</beans:value>
</beans:list>
</beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource" />
<beans:constructor-arg value="ou=groups" />
<beans:property name="groupRoleAttribute" value="ou" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
此外,我在测试组中创建了一个新用户,并将其命名为alialavi。在ldap中创建的新用户如下图所示。
如上图所示,从JXplorer捕获,新用户的专有名称是:
cn=alialavi,ou=test,dc=hafiz-co,dc=org
但是在Web应用程序启动后,我在登录页面中再次看到此错误:
DEBUG UsernamePasswordAuthenticationFilter - Request is to process authentication
DEBUG ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
DEBUG LdapAuthenticationProvider - Processing authentication request for user: alialavi
DEBUG BindAuthenticator - Attempting to bind as cn=alialavi,ou=test,dc=hafiz-co,dc=org
DEBUG DefaultSpringSecurityContextSource - Removing pooling flag for user cn=alialavi,ou=test,dc=hafiz-co,dc=org
DEBUG BindAuthenticator - Failed to bind as CN=alialavi,OU=test: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
DEBUG UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
DEBUG UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@4481f947
DEBUG TokenBasedRememberMeServices - Interactive login attempt was unsuccessful.
同样,它引起了新的distinguishedName错误:
cn=alialavi,ou=test,dc=hafiz-co,dc=org
虽然distinguishedName都相同,但是发生了错误。
1 个答案:
答案 0 :(得分:2)
我会先尝试改变:
uid={0},ou=users
到
cn={0},ou=users
通常,uid不是Microsoft Active Directory中的值。
然而,错误:
data 52e
当用户名有效但密码/凭证无效时,返回AFIK。
最后,从发布的内容看来,
m.fazel
是samAccountName而不是用户的cn或uid。用于绑定的LDAP DN似乎是:
uid=m.fazel,ou=users,dc=myDomain,dc=org
此用户是否出现在目录中?
-Jim
相关问题
- Spring Security 2.0.6使用Active Directory进行身份验证
- Spring Security 3 Active Directory身份验证,数据库授权
- Spring Security 3.1 Active Directory身份验证
- Spring Security 3.1使用Active Directory
- 使用用户组的Grails Spring Security 2.0 Active Directory身份验证
- 使用spring-security进行活动目录身份验证
- 使用活动目录的Spring安全认证失败
- 使用&#34; proxy&#34;进行Spring Active Directory身份验证用户
- Spring启动 - 验证config中存在的活动目录用户列表
- 使用spirng引导的Active Directory LDAP认证
最新问题
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?