【问题标题】:Ldap invalid credentials not loading authentication failure urlLdap 无效凭据未加载身份验证失败 url
【发布时间】:2010-11-15 10:58:36
【问题描述】:

能够为外部数据库权限进行自定义 ldap 身份验证。但是当我尝试测试错误的密码时,身份验证失败的 URL 没有显示,而是我的浏览器打印了异常详细信息。下面是我的 securitycontext.xml 和给出的异常:

<http auto-config="false" access-decision-manager-ref="accessDecisionManager" access-denied-page="/accessDenied.jsp">
    <!-- Restrict access to ALL other pages -->
    <intercept-url pattern="/index.jsp" filters="none" />
    <!-- Don't set any role restrictions on login.jsp -->
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/service/**" access="PRIV_Report User, PRIV_305" />

    <logout logout-success-url="/index.jsp" />
    <form-login authentication-failure-url="/index.jsp?error=1" default-target-url="/home.jsp" />
    <anonymous/>
</http>

<b:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <b:property name="decisionVoters">
        <b:list>
            <b:ref bean="roleVoter" />
            <b:ref bean="authenticatedVoter" />
        </b:list>
    </b:property>
</b:bean>

<b:bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
    <b:property name="rolePrefix" value="PRIV_" />
</b:bean>
<b:bean id="authenticatedVoter" class="org.springframework.security.vote.AuthenticatedVoter">
</b:bean>

<b:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <b:constructor-arg value="ldap://mydomain:389" />
</b:bean>
<b:bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <b:constructor-arg ref="contextSource" />
</b:bean>

<b:bean id="ldapAuthenticationProvider"
        class="com.zo.sas.gwt.security.login.server.SASLdapAuthenticationProvider">
        <b:property name="authenticator" ref="ldapAuthenticator" />
        <custom-authentication-provider />
</b:bean>

<b:bean id="ldapAuthenticator"
        class="com.zo.sas.gwt.security.login.server.SASAuthenticator">
        <b:property name="contextSource" ref="contextSource" />
        <b:property name="userDnPatterns">
            <b:value>uid={0},OU=People</b:value>
        </b:property>
</b:bean> 

还有我的异常日志:

org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials];嵌套异常是 javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials] org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:180) org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:266) org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:106) com.zo.sas.gwt.security.login.server.SASAuthenticator.authenticate(SASAuthenticator.java:55) com.zo.sas.gwt.security.login.server.SASLdapAuthenticationProvider.authenticate(SASLdapAuthenticationProvider.java:45) org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:188) org.springframework.security.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:46) org.springframework.security.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:82) org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:258) org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53) org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89) org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53) org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235) org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53) org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175) org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:183) org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)

这是我的 index.jsp

<html>
<script type="text/javascript" language="javascript">
    var dictionary = {
            loginErr: "${SPRING_SECURITY_LAST_EXCEPTION.message}",
            error: "${param.error}"
            };
</script>

    <head>
    </head>
    <body >
       <iframe src="javascript:''" id="__gwt_historyFrame" style="width:0;height:0;border:0"></iframe>

        <script type="text/javascript" language="javascript" src="com.zo.sas.gwt.sasworkflow.home.Home.nocache.js"></script>
    </body>
</html>

【问题讨论】:

    标签: ldap spring-security


    【解决方案1】:

    该日志并没有说太多。你应该把 org.springframework 放在 DEBUG 级别登录,看看发生了什么。
    查找以下消息:“更新 SecurityContextHolder 以包含空身份验证”“身份验证请求失败:”,之后必须重定向到 index.jsp。
    index.jsp的代码是什么?

    【讨论】:

    • 感谢您的回复,但我没有收到这些消息。如果失败,我的 url 将是 localhost/sas/j_spring_security_check,它显示 http 状态 500 和包含我之前粘贴的错误日志。
    【解决方案2】:

    这是正确的错误消息,LDAP:错误代码 49 - Invalid Credentials,但可能不是您想要的格式。

    LDAP 服务器应该传递一个子代码,因为 Active Directory 有一个列表:
    AD LDAP 49 codes,并且 eDirectory 通常会发送 669 错误密码错误 601 错误 DN。虽然我认为在最近的几个版本中发生了变化,并且它们在 eDirectory 上都显示为 669 错误,以免帮助攻击者确定真实的用户名。

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 2018-01-15
      • 2019-09-11
      • 2016-08-20
      • 2020-04-14
      • 2015-04-19
      • 2016-02-05
      • 1970-01-01
      相关资源
      最近更新 更多