LDAP authentication with Spring Security 3

2012-11-30 172 views
2

I am trying to secure some parts of my Spring 3 MVC web application by authenticating against my organization's LDAP server. I am new to LDAP, so I am learning as I go. I have been following the documentation here and the example here, but I can't seem to get it right.

Here is my security-context.xml:

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:s="http://www.springframework.org/schema/security" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd 
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd"> 

    <!-- Security Configuration --> 
    <s:http> 
     <s:intercept-url pattern="/page/tosecure/*" access="ROLE_USER" /> 
     <s:http-basic /> 
    </s:http> 

    <s:ldap-server root="dc=ldap,dc=sub,dc=myorg,dc=org" url="ldap.sub.myorg.org" port="636" /> 

    <s:authentication-manager> 
     <s:ldap-authentication-provider user-dn-pattern="uid={0},cn=users" /> 
     <s:authentication-provider ref="ldapAuthProvider" /> 
    </s:authentication-manager> 

    <bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> 
     <constructor-arg value="ldaps://ldap.sub.myorg.org:636/dc=ldap,dc=sub,dc=myorg,dc=org" /> 
    </bean> 

    <bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> 
     <constructor-arg> 
      <bean class="org.springframework.security.ldap.authentication.BindAuthenticator"> 
       <constructor-arg ref="contextSource" /> 
       <property name="userDnPatterns"> 
        <list> 
         <value>uid={0},cn=users</value> 
        </list> 
       </property> 
      </bean> 
     </constructor-arg> 
     <constructor-arg> 
      <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator"> 
       <constructor-arg ref="contextSource" /> 
       <constructor-arg value="cn=groups" /> 
       <property name="groupRoleAttribute" value="cn" /> 
      </bean> 
     </constructor-arg> 
    </bean> 

</beans> 

Here is the error I get (the last few causes listed in the stack trace):

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.securityContextSource': Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "." (46), after : "" 
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:288) 
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1035) 
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:939) 
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485) 
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456) 
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294) 
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225) 
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291) 
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193) 
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:323) 
    ... 106 more 
Caused by: org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "." (46), after : "" 
    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:162) 
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:121) 
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:280) 
    ... 115 more 
Caused by: org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "." (46), after : "" 
    at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:224) 
    at org.springframework.ldap.core.DistinguishedName.<init>(DistinguishedName.java:174) 
    at org.springframework.ldap.core.support.AbstractContextSource.setBase(AbstractContextSource.java:207) 
    at org.springframework.security.ldap.DefaultSpringSecurityContextSource.<init>(DefaultSpringSecurityContextSource.java:67) 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39) 
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27) 
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513) 
    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:147) 
    ... 117 more 
Caused by: org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "." (46), after : "" 
    at org.springframework.ldap.core.DnParserImplTokenManager.getNextToken(DnParserImplTokenManager.java:678) 
    at org.springframework.ldap.core.DnParserImpl.jj_consume_token(DnParserImpl.java:231) 
    at org.springframework.ldap.core.DnParserImpl.SpacedEquals(DnParserImpl.java:114) 
    at org.springframework.ldap.core.DnParserImpl.attributeTypeAndValue(DnParserImpl.java:94) 
    at org.springframework.ldap.core.DnParserImpl.rdn(DnParserImpl.java:58) 
    at org.springframework.ldap.core.DnParserImpl.dn(DnParserImpl.java:23) 
    at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:218) 

It seems it doesn't like the URL listed in the constructor-arg of the contextSource bean, although I don't know why.

Also, I have a suspicion that other parts of the configuration are incorrect. For example, I have the LDAP server URL defined both in the ldap-server tag and in the contextSource bean. That seems like unnecessary duplication, but it is how it is done in the example. Could someone take a close look at the configuration to make sure it is sane?

Also, in case it is necessary, I'll describe our LDAP server layout, since it seems a bit non-standard. User DNs are built as uid={the_user_name},cn=users,dc=ldap,dc=sub,dc=myorg,dc=org. Group DNs are cn={group_name},cn=groups,dc=ldap,dc=sub,dc=myorg,dc=org, and group membership is defined by the memberUid attribute. I say this is non-standard because, from what I have read, the organization should be defined by ou. But hopefully Spring Security can handle this setup. Will this configuration be able to correctly fetch the roles (groups) the user belongs to?

Answer

1

Have you tried removing the ldap-server element? You shouldn't need it, and you haven't configured it with a correct URL (it should probably start with ldap:// or ldaps://).

The example you linked to uses an embedded server and illustrates the same thing in both namespace and bean configuration.

The group attribute defaults to cn, so that should be correct for your setup. The Javadoc for DefaultLdapAuthoritiesPopulator gives a fairly good description.

+0

With your help, my configuration has been simplified to this: `<s:authentication-manager>` – Eddie

+0

However, I'd like to be able to restrict access to specific groups. In the intercept-url I changed the access to ROLE_GROUPNAME and added group-search-filter="memberUid={0}" to s:ldap-authentication-provider, but I am always denied access. The documentation says the group search filter substitutes the full DN, not just the username as my LDAP server uses. How do I configure it to match my LDAP server? – Eddie

+0

Ah, I see. Instead of group-search-filter="memberUid={0}", I should have group-search-filter="memberUid={1}" if the groups contain only usernames rather than full DNs. – Eddie
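Pulling the thread's conclusions together into one working namespace configuration, as an added example that is not part of the original question, answer or comments. It assumes the directory layout the question describes (users under cn=users, groups under cn=groups with membership held in memberUid) and an LDAP group named admins, which is a constructed name used only to show the ROLE_ mapping; the host, port and base DN are the ones from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:s="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

    <s:http>
        <!-- Only members of the LDAP group "admins" (a constructed name) may reach this path.
             DefaultLdapAuthoritiesPopulator prefixes the group's cn with ROLE_ and
             upper-cases it by default, so cn=admins becomes ROLE_ADMINS. -->
        <s:intercept-url pattern="/page/tosecure/*" access="ROLE_ADMINS" />
        <s:http-basic />
    </s:http>

    <!-- A single server definition, with the scheme the URL parser needs. The DN after the
         host becomes the search base and the port travels in the URL, so the separate
         root/port attributes and the duplicate contextSource bean are no longer needed.
         The bare host name in the question ("ldap.sub.myorg.org") ended up in the DN parser,
         which is consistent with the reported Lexical error at column 5, the first ".". -->
    <s:ldap-server url="ldaps://ldap.sub.myorg.org:636/dc=ldap,dc=sub,dc=myorg,dc=org" />

    <s:authentication-manager>
        <!-- Bind authentication: the user's DN is built from the pattern and the password the
             user supplied is used to bind to the directory, so the application never compares
             or stores a password itself. group-search-base is relative to the base DN in the
             URL. In group-search-filter, {0} is the full user DN and {1} is the bare login
             name; memberUid holds login names, so {1} is the placeholder that matches. -->
        <s:ldap-authentication-provider
            user-dn-pattern="uid={0},cn=users"
            group-search-base="cn=groups"
            group-search-filter="(memberUid={1})"
            group-role-attribute="cn" />
    </s:authentication-manager>

</beans>
```

Two practical checks before relying on this. The group lookup is performed through the context source, which here has no manager credentials and therefore searches anonymously; if the directory refuses anonymous reads of cn=groups, every user will be denied the role even though the bind succeeded, and the fix is to add manager-dn and manager-password to the ldap-server element with a low-privilege read-only account. Using ldaps:// keeps the bind password off the wire in clear text, but the JVM must trust the server's certificate (its CA in the trust store), otherwise the connection fails during the TLS handshake before any authentication happens.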
