我一直在我们公司从事 Spring Web 应用程序项目。它过去使用数据库对用户进行身份验证,但最近我们决定使用我们的 Activity 目录服务器作为身份验证方的手段。因此,我们将 spring-security.xml 更改为以下代码:
<http auto-config="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
<intercept-url pattern="/Content/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/Desktop/New_Them/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/App/Index" access="ROLE_USER" />
<intercept-url pattern="/App/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/rest/clc/ClcLogPhon/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_USER" />
<custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />
<logout logout-success-url="/App/Login" />
<remember-me key="myAppKey" />
<session-management
session-authentication-strategy-ref="sas">
</session-management>
<csrf />
<headers>
<xss-protection />
</headers>
</http>
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg
value="ldap://192.168.1.199:389/DC=myDomain,DC=org" />
<beans:property name="userDn"
value="CN=myUsername,CN=Users,DC=myDomain,DC=org" />
<beans:property name="password" value="myPassword" />
</beans:bean>
<beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>uid={0},ou=users</beans:value>
</beans:list>
</beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource" />
<beans:constructor-arg value="ou=groups" />
<beans:property name="groupRoleAttribute" value="ou" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<authentication-manager>
<authentication-provider ref="ldapAuthProvider"/>
</authentication-manager>
网络应用程序启动良好。但是当我想使用之前在 Activity 目录中声明的用户登录时,会出现以下错误:
DEBUG UsernamePasswordAuthenticationFilter - Request is to process authentication
DEBUG ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
DEBUG LdapAuthenticationProvider - Processing authentication request for user: m.fazel
DEBUG BindAuthenticator - Attempting to bind as uid=m.fazel,ou=users,dc=myDomain,dc=org
DEBUG DefaultSpringSecurityContextSource - Removing pooling flag for user uid=m.fazel,ou=users,dc=myDomain,dc=org
DEBUG BindAuthenticator - Failed to bind as uid=m.fazel,ou=users: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1];
DEBUG DefaultListableBeanFactory - Returning cached instance of singleton bean 'sessionRegistry'
DEBUG DefaultListableBeanFactory - Returning cached instance of singleton bean 'logoutSuccessHandler'
DEBUG UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
DEBUG UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@560d9ba6
DEBUG TokenBasedRememberMeServices - Interactive login attempt was unsuccessful.
DEBUG TokenBasedRememberMeServices - Cancelling cookie
DEBUG SimpleUrlAuthenticationFailureHandler - Redirecting to /spring_security_login?login_error
DEBUG DefaultRedirectStrategy - Redirecting to '/hafizApps/spring_security_login?login_error'
正如您在上面看到的调试结果,这是由于 Ldap 错误引起的:
LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
但是,我已经通过 JXplorer 连接到服务器。 LDAP 连接设置中没有其他错误。我尝试连接的测试用户(即 m.fazel)已经在 ldap 中声明,如下图所示:
@jeemster 编辑后:
然而,uid正是spring security ldap authentication中所写的。 .我像jeemster所说的那样更改了spring-security.xml并放置了cn={0},ou=test而不是uid={0},ou=users。 id="ldapAuthProvider"的 bean 更改为下面演示的 bean:
<beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>CN={0},OU=test</beans:value>
</beans:list>
</beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource" />
<beans:constructor-arg value="ou=groups" />
<beans:property name="groupRoleAttribute" value="ou" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
此外,我在测试组中创建了一个新用户并将其命名为 alialavi。在ldap中创建的新用户如下图所示。
如上图所示,从 JXplorer 捕获,新用户的可分辨名称是:
cn=alialavi,ou=test,dc=hafiz-co,dc=org
但是在 Web 应用程序启动后,我在登录页面中再次看到此错误:
DEBUG UsernamePasswordAuthenticationFilter - Request is to process authentication
DEBUG ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
DEBUG LdapAuthenticationProvider - Processing authentication request for user: alialavi
DEBUG BindAuthenticator - Attempting to bind as cn=alialavi,ou=test,dc=hafiz-co,dc=org
DEBUG DefaultSpringSecurityContextSource - Removing pooling flag for user cn=alialavi,ou=test,dc=hafiz-co,dc=org
DEBUG BindAuthenticator - Failed to bind as CN=alialavi,OU=test: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
DEBUG UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
DEBUG UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@4481f947
DEBUG TokenBasedRememberMeServices - Interactive login attempt was unsuccessful.
它再次导致新的 DistinguishedName 出现错误:
cn=alialavi,ou=test,dc=hafiz-co,dc=org
虽然两个distinguishedName相同,但还是发生了错误。
最佳答案
我首先尝试改变:
uid={0},ou=users
到
cn={0},ou=users
通常,uid 不是 Microsoft Active Directory 中的值。
但是,错误:
data 52e
当用户名有效但密码/凭据无效时,返回 AFIK。
最后,从发布的内容来看,
m.fazel
是 samAccountName,而不是用户的 cn 或 uid。用于绑定(bind)的 LDAP DN 似乎是:
uid=m.fazel,ou=users,dc=myDomain,dc=org
该用户是否出现在目录中?
-吉姆
关于java - 使用 Activity 目录的 Spring Security 身份验证失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/32166646/