LDAP fails authentication ONLY first time
  • LDAP fails authentication ONLY first time

    Hi all,

    I am using spring security just for authentication. Roles will be retrieved via db.

    The first time I try to authenticate a user it fails returning:

    Code:
    2012-10-05 14:35:01,245 [qtp14301726-22] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch - Searching for user 'dolbert', with user search [ searchFilter: '(uid={0})', searchBase: 'ou=users,ou=Internal,o=company', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
    2012-10-05 14:35:01,861 [qtp14301726-22] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
    2012-10-05 14:35:01,861 [qtp14301726-22] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
    2012-10-05 14:35:01,861 [qtp14301726-22] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@20c6a5
    Then the second login goes ok, showing:

    Code:
    2012-10-05 14:38:27,397 [qtp14301726-26] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch - Searching for user 'dolbert', with user search [ searchFilter: '(uid={0})', searchBase: 'ou=users,ou=Internal,o=company', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
    2012-10-05 14:38:27,514 [qtp14301726-26] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Searching for entry in under DN '', base = 'ou=users,ou=Internal,o=company', filter = '(uid={0})'
    2012-10-05 14:38:27,576 [qtp14301726-26] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Found DN: uid=dolbert,ou=users,ou=Internal,o=company
    2012-10-05 14:38:27,596 [qtp14301726-26] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Found DN: uid=dolbert,ou=users,ou=Internal,o=company
    2012-10-05 14:38:27,613 [qtp14301726-26] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Found DN: uid=dolbert,ou=users,ou=Internal,o=company
    2012-10-05 14:38:27,626 [qtp14301726-26] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Attempting to bind as uid=dolbert,ou=users,ou=Internal,o=company
    2012-10-05 14:38:27,626 [qtp14301726-26] DEBUG org.springframework.security.ldap.DefaultSpringSecurityContextSource - Removing pooling flag for user uid=dolbert,ou=users,ou=Internal,o=company
    2012-10-05 14:38:28,157 [qtp14301726-26] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user uid=dolbert,ou=users,ou=Internal,o=company
    2012-10-05 14:38:28,157 [qtp14301726-26] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'dolbert', DN = 'uid=dolbert,ou=users,ou=Internal,o=company', with filter (uniqueMember={0}) in search base ''
    2012-10-05 14:38:28,158 [qtp14301726-26] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Using filter: (uniqueMember=uid=dolbert,ou=users,ou=Internal,o=company)
    2012-10-05 14:38:28,274 [qtp14301726-26] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Roles from search: [EP_ESS_01_A_MUS]
    My spring-security.xml

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans 
    	   		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    			http://www.springframework.org/schema/security 
    			http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    
    	<security:http auto-config="true"
    		access-denied-page="/flows/login/accessDenied.xhtml" create-session="never">
    		<security:http-basic />
    		<security:intercept-url pattern="/flows/admin/**"
    			access="ROLE_ADMIN" />
    		<security:intercept-url pattern="/flows/csrHandler/**"
    			access="ROLE_USER" />
    		<security:intercept-url pattern="/*"
    			access="IS_AUTHENTICATED_ANONYMOUSLY" />
    
    		<security:form-login login-processing-url="/j_spring_security_check"
    			login-page="/flows/login/login.xhtml" default-target-url="/flows/index.xhtml"
    			authentication-failure-url="/flows/login/login.xhtml?error='true'"
    			always-use-default-target='true' />
    		<security:logout logout-url="/flows/logout/logout.xhtml"
    			logout-success-url="/" />
    
    	</security:http>
    	<bean id="customUserContextMapper" class="com.company.boat.login.service.CustomUserDetailsMapper" />
    	<security:authentication-manager>
    		<security:ldap-authentication-provider
    			user-search-base="ou=users,ou=Internal,o=company"
    			user-search-filter="(uid={0})" user-context-mapper-ref="customUserContextMapper" />
    
    	</security:authentication-manager>
    	<security:ldap-server url="ldap://ecd.company.se"
    		manager-dn="uid=Uname,ou=Users,ou=Internal,o=company"
    		manager-password="PWD" />
    </beans>
    I am using spring security 3.0.5.RELEASE

    I tried adding create-session="never" and <security:http-basic /> to the <security:http> element in the spring-security.xml, but the error is still there.

    Any ideas?

    Thanks in advance!

  • #2
    Maybe an admin can move the thread to spring-security.

    I am back with this error as it is one of the last issues to sort out.

    I tried updating to spring-security 3.1.3.RELEASE and spring to 3.0.6.RELEASE, but the error is still there. Now at least I have a stack trace.

    First login attempt with error:

    Code:
    2012-12-07 10:44:29,598 [qtp6825008-24] DEBUG org.springframework.security.ldap.DefaultSpringSecurityContextSource - Removing pooling flag for user uid=efedrep,ou=users,ou=Internal,o=company
    2012-12-07 10:44:30,006 [qtp6825008-24] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Retrieving attributes...
    2012-12-07 10:44:30,192 [qtp6825008-24] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user uid=efedrep,ou=users,ou=Internal,o=company
    2012-12-07 10:44:30,192 [qtp6825008-24] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'efedrep', DN = 'uid=efedrep,ou=users,ou=Internal,o=company', with filter (uniqueMember={0}) in search base ''
    2012-12-07 10:44:30,193 [qtp6825008-24] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Using filter: (uniqueMember=uid=efedrep,ou=users,ou=Internal,o=company)
    2012-12-07 10:44:30,200 [qtp6825008-24] INFO  org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
    2012-12-07 10:44:30,358 [qtp6825008-24] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    2012-12-07 10:44:30,359 [qtp6825008-24] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
    2012-12-07 10:44:30.359:WARN:oejs.ServletHandler:/boat2/j_spring_security_check
    org.springframework.ldap.AuthenticationException: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
    	at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:182)
    	at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:266)
    	at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:106)
    	at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:125)
    	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:287)
    	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
    	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
    	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:524)
    	at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:173)
    	at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:215)
    	at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGrantedAuthorities(DefaultLdapAuthoritiesPopulator.java:185)
    	at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.loadUserAuthorities(LdapAuthenticationProvider.java:197)
    	at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:63)
    	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    	at 
    ...
    Caused by: 
    javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
    	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:290)
    	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
    	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
    Second attempt goes fine:

    Code:
    2012-12-06 17:09:52,845 [qtp17518647-22] DEBUG org.springframework.security.ldap.DefaultSpringSecurityContextSource - Removing pooling flag for user uid=efedrep,ou=users,ou=Internal,o=company
    2012-12-06 17:09:53,251 [qtp17518647-22] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Retrieving attributes...
    2012-12-06 17:09:53,341 [qtp17518647-22] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user uid=efedrep,ou=users,ou=Internal,o=company
    2012-12-06 17:09:53,342 [qtp17518647-22] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'efedrep', DN = 'uid=efedrep,ou=users,ou=Internal,o=company', with filter (uniqueMember={0}) in search base ''
    2012-12-06 17:09:53,342 [qtp17518647-22] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Using filter: (uniqueMember=uid=efedrep,ou=users,ou=Internal,o=company)
    2012-12-06 17:09:53,343 [qtp17518647-22] INFO  org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
    2012-12-06 17:09:53,465 [qtp17518647-22] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Roles from search: [EP_ESS_01_A_MUS]
    2012-12-06 17:09:53,469 [qtp17518647-22] DEBUG org.springframework.security.ldap.userdetails.LdapUserDetailsMapper - Mapping user details from context with DN: uid=efedrep,ou=users,ou=Internal,o=company
    Haven't modified much of the spring security but here it is:

    Code:
    <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    	xsi:schemaLocation="
               http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
               http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
    
    	<security:http create-session="never" auto-config="false">
    
    		<security:intercept-url pattern="/spring/main/**" access="ROLE_ADMIN, ROLE_MANAGER, ROLE_TEAMLEADER" />
    		<security:access-denied-handler error-page="/spring/denied" /> 
    	
    		<security:form-login authentication-failure-url="/spring/login?login_error=1" default-target-url="/spring/main"
    			login-processing-url="/j_spring_security_check" login-page="/spring/login" />
    		<security:logout logout-success-url="/spring/logoutSuccess" logout-url="/spring/logout" />
    		<security:http-basic />
    	</security:http>
    
    
    	<bean class="com.company.boat.login.service.CustomUserDetailsMapper" id="customUserContextMapper" />
    	
    	<security:authentication-manager>
    		<security:ldap-authentication-provider user-context-mapper-ref="customUserContextMapper" user-dn-pattern="uid={0},ou=users,ou=Internal,o=company" />
    	</security:authentication-manager>
    
    
    	<security:ldap-server manager-password="PWD" manager-dn="uid=Uname,ou=Users,ou=Internal,o=company" url="ldap://egd.company.es" />
    </beans>
    What catches my attention is why the first time it logs

    Code:
    org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
    and the second one

    Code:
    org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Roles from search: [EP_ESS_01_A_MUS]
    org.springframework.security.ldap.userdetails.LdapUserDetailsMapper - Mapping user details from context with DN: uid=efedrep,ou=users,ou=Internal,o=company
    Any help would be very appreciated!



    • #3
      I quit trying to make it work, so I created a CustomLdapAuthenticationProvider that extends AbstractUserDetailsAuthenticationProvider and authenticates against the ldap server

      Code:
      	<bean class="com.company.boat.login.service.CustomLdapAuthenticationProvider" id="customLdapAuthenticationProvider" />
      
      
      	<security:authentication-manager>
      		<security:authentication-provider ref="customLdapAuthenticationProvider"/>
      	</security:authentication-manager>
      Code:
      import java.text.MessageFormat;
      import java.util.Hashtable;
      import java.util.Properties;
      import javax.naming.Context;
      import javax.naming.ldap.InitialLdapContext;
      import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
      import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
      import org.springframework.security.core.AuthenticationException;
      import org.springframework.security.core.userdetails.UserDetails;
      
      public class CustomLdapAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
      
      	// ldap.server / ldap.principal come from an injected Properties object (wiring not shown in the post)
      	private Properties props;
      
      	@Override
      	protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
      			throws AuthenticationException {
      		// JNDI environment for a simple bind as the user's own DN
      		final Hashtable<String, String> env = new Hashtable<String, String>();
      		env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
      		env.put(Context.PROVIDER_URL, props.getProperty("ldap.server", "ldap://ldap.server"));
      		String ldapPrincipal = props.getProperty("ldap.principal", "uid={0},ou=users,ou=internal,o=company");
      		env.put(Context.SECURITY_PRINCIPAL, MessageFormat.format(ldapPrincipal, username));
      		env.put(Context.SECURITY_CREDENTIALS, (String)authentication.getCredentials());
      		try {
      			// the bind itself is the authentication check; close the context right away
      			new InitialLdapContext(env, null).close();
                     .... (if no exception is thrown search for authorities and add them) ...

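      As an added example (not the poster's code, and not part of this thread's project), here is the JNDI environment construction from the custom provider above with the two input checks a bind-based authenticator needs: an empty password is refused, because a simple bind with a DN and no password is an "unauthenticated" bind (RFC 4513 §5.1.2) that many directories accept and the stock BindAuthenticator rejects for exactly this reason, and the username is DN-escaped (RFC 4514) before it is substituted into the uid={0} pattern, so a value like "dolbert,ou=admins" cannot alter the DN being bound. The URL is a placeholder and nothing is contacted; only the environment is built.

```java
import java.text.MessageFormat;
import java.util.Hashtable;
import javax.naming.Context;

public class SafeBindEnv {
    // Escape one RDN attribute value per RFC 4514 §2.4: the special characters,
    // a leading space or '#', a trailing space, and NUL (hex-escaped).
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\0') { sb.append("\\00"); continue; }
            boolean edge = (i == 0 && (c == ' ' || c == '#')) || (i == value.length() - 1 && c == ' ');
            if (edge || ",+\"\\<>;=".indexOf(c) >= 0) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    // Same environment the custom provider builds, plus the two checks.
    static Hashtable<String, String> buildBindEnv(String url, String dnPattern, String username, String password) {
        if (username == null || username.trim().isEmpty()) throw new IllegalArgumentException("empty username");
        if (password == null || password.isEmpty())
            throw new IllegalArgumentException("empty password: would become an unauthenticated bind");
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, MessageFormat.format(dnPattern, escapeDnValue(username)));
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    public static void main(String[] args) {
        String pattern = "uid={0},ou=users,ou=Internal,o=company"; // user-dn-pattern from the thread
        String url = "ldap://ldap.example.invalid";                // placeholder, never contacted
        // normal case: uid=dolbert,ou=users,ou=Internal,o=company
        System.out.println(buildBindEnv(url, pattern, "dolbert", "s3cret").get(Context.SECURITY_PRINCIPAL));
        // constructed hostile username: the comma is escaped, so the uid RDN stays intact
        System.out.println(buildBindEnv(url, pattern, "dolbert,ou=admins", "s3cret").get(Context.SECURITY_PRINCIPAL));
        try {
            buildBindEnv(url, pattern, "dolbert", "");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      In the provider itself the IllegalArgumentException would be replaced by Spring's BadCredentialsException so the failure handler treats it like any other bad login.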
