Spring Security 2.0.6 Authentication with Active Directory
Question
I have tried to set up authentication with LDAP (Active Directory) and Spring Security 2.0.6, but I don't know why the authentication doesn't pass...
Here you can see the console:
> INFO [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 30s:118ms
>
> INFO [STDOUT] [WARN] Authentication event AuthenticationFailureBadCredentialsEvent: secretariauno1; details: org.springframework.security.ui.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 1D1DEAD28D4AE44AF67277654889D73E; exception: User secretariauno1 not found in directory.
>
> INFO [STDOUT] [WARN] Authentication event AuthenticationFailureBadCredentialsEvent: secretariauno; details: org.springframework.security.ui.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 1D1DEAD28D4AE44AF67277654889D73E; exception: Bad credentials; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0
>
> INFO [STDOUT] [INFO] The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
>
> INFO [STDOUT] [WARN] Authentication event AuthenticationFailureServiceExceptionEvent: secretariauno; details: org.springframework.security.ui.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 1D1DEAD28D4AE44AF67277654889D73E; exception: Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''; nested exception is org.springframework.ldap.PartialResultException: Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''
There are three [WARN] entries: in the first, secretariauno1 is not in LDAP; in the second, the password is bad; but the third is good and it doesn't pass. It returns to the login page. I have looked for "returnObjFlag" and "remaining name" without results...
Please, if anyone can help me..., THANK YOU!!!
Here you can see the applicationContext-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <bean id="loggerListener"
          class="org.springframework.security.event.authentication.LoggerListener" />

    <security:http>
        <security:intercept-url pattern="/**" access="ROLE_USUARIO_AUTENTICADO" />
        <security:intercept-url pattern="/login.jsp" filters="none"/>
        <security:intercept-url pattern="/css/*" filters="none"/>
        <security:form-login
            login-processing-url="/j_security_check"
            login-page="/login.jsp"
            default-target-url="/index.jsp"
            always-use-default-target="true"
            authentication-failure-url="/login.jsp" />
        <security:anonymous/>
        <security:http-basic/>
        <security:logout/>
    </security:http>

    <security:ldap-server id="ldapServer"
        url="ldap://bibredc05.preadm.com:389/dc=preadm,dc=com"
        manager-dn="cn=desLector,ou=Users,dc=preminjus,dc=es"
        manager-password="pwd123"/>

    <security:ldap-authentication-provider user-search-filter="(sAMAccountName={0})"
        user-search-base="ou=Users"/>

    <security:ldap-user-service server-ref="ldapServer"
        user-search-filter="sAMAccountName={0}"
        user-search-base="ou=Users"/>

</beans>
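An added example, not part of the question and not Spring Security code, that reads LoggerListener lines like the three in the console output above and classifies them. The Active Directory-specific detail is the `data 52e` inside the `error code 49` comment: AD puts the real reason for a bind failure in that sub-code, so a wrong password (52e) can be told apart from a disabled (533) or locked-out (775) account even though Spring reports all of them as "Bad credentials". The third event, the PartialResultException, is classified as a configuration problem (a referral AD returned that the client did not follow), not as an authentication failure. The sample lines are constructed from the events in the post, joined onto single lines as LoggerListener writes them; the regular expressions assume that line shape.

```python
import re
from collections import defaultdict

# Sub-codes Active Directory appends ("data NNN") to the comment of an
# LDAP result code 49 (invalidCredentials) bind response.  Spring reports
# every one of these as "Bad credentials"; only the sub-code says why.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password for an existing account)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of a LoggerListener line as printed in the question (one line per event).
EVENT_RE = re.compile(
    r"Authentication event (?P<event>\w+): (?P<user>[^;]+); details: .*?"
    r"RemoteIpAddress: (?P<ip>[^;]+); SessionId: (?P<session>[^;]+); "
    r"exception: (?P<exc>.*)$"
)
SUBCODE_RE = re.compile(
    r"error code 49 .*?AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+)"
)


def classify(line):
    """Return a dict describing one LoggerListener line, or None if it is not one."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    exc = m.group("exc")
    rec = {k: m.group(k) for k in ("event", "user", "ip", "session")}
    sub = SUBCODE_RE.search(exc)
    if sub:
        code = sub.group("code").lower()
        rec["category"] = "credential_failure"
        rec["ad_subcode"] = code
        rec["reason"] = AD_BIND_SUBCODES.get(code, "unrecognised AD sub-code " + code)
    elif "Unprocessed Continuation Reference" in exc or "PartialResultException" in exc:
        # AD answered a search with a referral that JNDI did not follow.  The bind
        # itself may have succeeded; this is a search-scope/referral configuration
        # problem, not evidence of a bad password.
        rec["category"] = "config_error"
        rec["reason"] = "unfollowed LDAP referral (continuation reference)"
    elif "not found in directory" in exc:
        rec["category"] = "credential_failure"
        rec["reason"] = "user search returned no entry"
    else:
        rec["category"] = "other"
        rec["reason"] = exc
    return rec


def summarize(lines):
    """Per-user tally of credential failures versus configuration errors."""
    tally = defaultdict(lambda: {"credential_failure": 0, "config_error": 0, "other": 0})
    for line in lines:
        rec = classify(line)
        if rec:
            tally[rec["user"]][rec["category"]] += 1
    return dict(tally)


# Constructed sample: the three events from the question, joined onto single lines.
SAMPLE = [
    "INFO [STDOUT] [WARN] Authentication event AuthenticationFailureBadCredentialsEvent: "
    "secretariauno1; details: org.springframework.security.ui.WebAuthenticationDetails@255f8: "
    "RemoteIpAddress: 127.0.0.1; SessionId: 1D1DEAD28D4AE44AF67277654889D73E; "
    "exception: User secretariauno1 not found in directory.",
    "INFO [STDOUT] [WARN] Authentication event AuthenticationFailureBadCredentialsEvent: "
    "secretariauno; details: org.springframework.security.ui.WebAuthenticationDetails@255f8: "
    "RemoteIpAddress: 127.0.0.1; SessionId: 1D1DEAD28D4AE44AF67277654889D73E; "
    "exception: Bad credentials; nested exception is org.springframework.ldap.AuthenticationException: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, "
    "data 52e, v1db0",
    "INFO [STDOUT] [WARN] Authentication event AuthenticationFailureServiceExceptionEvent: "
    "secretariauno; details: org.springframework.security.ui.WebAuthenticationDetails@255f8: "
    "RemoteIpAddress: 127.0.0.1; SessionId: 1D1DEAD28D4AE44AF67277654889D73E; "
    "exception: Unprocessed Continuation Reference(s); nested exception is "
    "javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''",
]

if __name__ == "__main__":
    for line in SAMPLE:
        r = classify(line)
        print(r["event"], r["user"], r["category"], r["reason"])
    print(summarize(SAMPLE))
```

Only the credential_failure category should feed a lockout or brute-force counter; a run of config_error events for a user who just typed a correct password is the symptom in this question and points at the search base and referral handling, not at the account.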
Resolved
Well, finally I have migrated to Spring Security 3.0.4. The problem was that you have to use the bean definitions, because Active Directory needs the Populator bean.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <bean id="loggerListener"
          class="org.springframework.security.authentication.event.LoggerListener" />

    <security:http>
        <security:session-management>
            <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
        </security:session-management>
        <security:intercept-url pattern="/css/*" filters="none"/>
        <security:intercept-url pattern="/login.jsp" filters="none"/>
        <security:intercept-url pattern="/**" access="ROLE_USER_AUTENTICADO" />
        <security:form-login
            login-processing-url="/j_spring_security_check"
            login-page="/login.jsp"
            default-target-url="/index.jsp"
            always-use-default-target="true"
            authentication-failure-url="/login.jsp" />
        <security:anonymous/>
        <security:http-basic/>
        <security:logout/>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider ref='ldapAuthProvider' />
    </security:authentication-manager>

    <!--
      * The second constructor argument of the DefaultLdapAuthoritiesPopulator class is the
        parameter that is included in LDAP as memberOf; for example, if it has value="ou=Users",
        the users without this group don't have access.
      * It gives the authenticated user ROLE_USUARIO_AUTENTICADO; I use this in the interceptor.
        But, for example, if in the LDAP the user has in the memberOf attribute
        "CN=Preadm,OU=Applications,OU=Users,DC=preadm,DC=com", the user should have authority for
        OU=Users, but it will work if the interceptor has "ROLE_PREADM": "ROLE_" is the default
        prefix, "PREADM" is for CN=Preadm in the memberOf.
    -->
    <bean id="ldapAuthProvider"
          class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <constructor-arg>
            <bean id="bindAuthenticator"
                  class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <constructor-arg ref="contextSource" />
                <property name="userSearch" ref="userSearch"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <constructor-arg ref="contextSource"/>
                <constructor-arg value="ou=Users"/>
                <property name="defaultRole" value="ROLE_USER_AUTENTICADO"/>
                <property name="searchSubtree" value="true" />
                <property name="ignorePartialResultException" value="true"/>
            </bean>
        </constructor-arg>
    </bean>

    <bean id="userSearch"
          class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value="ou=Users"/>
        <constructor-arg index="1" value="(sAMAccountName={0})"/>
        <constructor-arg index="2" ref="contextSource" />
        <property name="searchSubtree" value="true"/>
    </bean>

    <bean id="contextSource"
          class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="ldap://bibredc05.preadm.com:389/dc=preadm,dc=com"/>
        <property name="userDn" value="cn=desReader,ou=Users,dc=preadm,dc=com"/>
        <property name="password" value="pwd123"/>
    </bean>

</beans>
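An added example, not part of the answer and not Spring Security code, that models what the populator bean in the configuration above does with group membership and what the `<intercept-url>` rules then decide for a request. It assumes the 3.0 defaults of DefaultLdapAuthoritiesPopulator (role attribute `cn`, upper-cased, prefix `ROLE_`), that the group DNs fed in are the user's memberOf values (the populator actually searches groups with `(member=<userDn>)` under the search base, which in AD yields the same DNs), and the first-matching-rule semantics of intercept-url. It shows why the interceptor has to say ROLE_PREADM for a group whose cn is Preadm, and that because defaultRole is added to every successfully bound account, the `/**` rule as written admits any domain account that can bind, not only members of some group; an area that should be limited to a group needs its own rule declared before the catch-all. The sample users and the RULES_WITH_ADMIN rule set are constructed for the example.

```python
import re

# Defaults of DefaultLdapAuthoritiesPopulator in Spring Security 3.0:
# role = rolePrefix + value of groupRoleAttribute (cn), upper-cased.
ROLE_PREFIX = "ROLE_"
GROUP_ROLE_ATTRIBUTE = "cn"


def split_rdns(dn):
    """Split a DN on unescaped commas, resolving backslash escapes (e.g. 'CN=Doe\\, Jane')."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def group_role(group_dn, attribute=GROUP_ROLE_ATTRIBUTE, prefix=ROLE_PREFIX):
    """ROLE_ + upper-cased cn of the group, or None if the leading RDN is not a cn."""
    attr, _, value = split_rdns(group_dn)[0].partition("=")
    if attr.strip().lower() != attribute:
        return None
    return prefix + value.upper()


def granted_authorities(group_dns, default_role="ROLE_USER_AUTENTICADO"):
    """Roles the populator hands to an authenticated user.

    group_dns stands in for the groups found with (member=<userDn>); in AD these
    are the user's memberOf values.  defaultRole is added for every authenticated
    user on top of whatever group roles were found.
    """
    roles = {r for r in (group_role(dn) for dn in group_dns) if r}
    if default_role:
        roles.add(default_role)
    return roles


def ant_to_regex(pattern):
    """Minimal Ant-style pattern: '**' spans segments, '*' and '?' stay within one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def decide(path, roles, rules):
    """First matching <intercept-url> wins, as in Spring Security.

    rules: list of (ant_pattern, required_roles); required_roles None stands for
    filters="none".  Access is granted if the user holds any one of the required
    roles (RoleVoter semantics).  A path no rule matches is left unprotected.
    """
    for pattern, required in rules:
        if ant_to_regex(pattern).match(path):
            if required is None:
                return "unprotected"
            return "allow" if roles & set(required) else "deny"
    return "unprotected"


# The rules from the answer's <security:http>, in declaration order.
RULES_FROM_ANSWER = [
    ("/css/*", None),
    ("/login.jsp", None),
    ("/**", ["ROLE_USER_AUTENTICADO"]),
]

# Constructed variant: an admin area restricted to the Preadm group, declared
# before "/**" so the catch-all does not shadow it.
RULES_WITH_ADMIN = [
    ("/css/*", None),
    ("/login.jsp", None),
    ("/admin/**", ["ROLE_PREADM"]),
    ("/**", ["ROLE_USER_AUTENTICADO"]),
]

# Constructed sample users: one in the Preadm group, one in no group at all.
PREADM_MEMBER = ["CN=Preadm,OU=Applications,OU=Users,DC=preadm,DC=com"]
PLAIN_USER = []

if __name__ == "__main__":
    for name, groups in (("preadm member", PREADM_MEMBER), ("plain user", PLAIN_USER)):
        roles = granted_authorities(groups)
        print(name, sorted(roles),
              "/index.jsp:", decide("/index.jsp", roles, RULES_FROM_ANSWER),
              "/admin/users:", decide("/admin/users", roles, RULES_WITH_ADMIN))
```

Two things to check against a real directory before trusting the role names: the cn of the group as stored (the role is derived from the group entry's cn, so "CN=Preadm" becomes ROLE_PREADM regardless of how the memberOf value is cased), and that the group search base passed to the populator actually contains the groups; a group outside "ou=Users" is never found, and such a user is left with only the default role.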