Announcement Announcement Module
No announcement yet.
Spring LDAP cache of credentials Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring LDAP cache of credentials

    It seems that Spring Security is caching the login credentials, and I'm not sure how to prevent it. Here are the steps I take:

    1. login with user/pass
    2. change password to pass1
    3. logout
    4. login with user/pass (this shouldn't work but still does)
    5. logout
    6. logout with user/pass1 (this should work and does)

    Notice that now the user can login with the old and new password. If I redeploy my application, then it is corrected - the old password doesn't work and the new one does.

    I am using standalone ApacheDS for LDAP and Tomcat for my application.

  • #2
    I am getting exactly the same behaviour from the Ldap authentication, have you found a solution for this yet?


    • #3
      Ok so I updated to spring-security-2.0.4 and this sees to fix the issue for me, I was using 2.0.0.


      • #4
        I am still getting this behavior with OpenLDAP using Spring Security 2.0.4. If I restart Tomcat it seems to work fine. Is anyone else seeing this?


        • #5
          You will have better chances of getting an answer if you post this in the Spring Serucity forum.


          • #6
            Were you able to find the solution to this? I'm having the same problem using OpenDS and spring security 2.0.4.



            • #7
              This might help - I had a similar issue relating to caching of creds and was able to get around it by specifying the following :

              LdapContextSource ldapcontextsource = (LdapContextSource)ldapTemplateSUN3.getContextSour ce();
              //ensure credentials are not cached
              ldapcontextsource.setCacheEnvironmentProperties(fa lse);

              detail from AbstractContectSource

              public void setCacheEnvironmentProperties(boolean cacheEnvironmentProperties)

              Set whether environment properties should be cached between requsts for anonymous environment. Default is true; setting this property to false causes the environment Hashmap to be rebuilt from the current property settings of this instance between each request for an anonymous environment.

              cacheEnvironmentProperties - true causes that the anonymous environment properties should be cached, false causes the Hashmap to be rebuilt for each request.


              • #8
                I'm getting the same behaviour with:
                - Spring LDAP 1.3.0.RELEASE
                - ApacheDS 1.0.2

                Setting the Cache Environment to false (contextSource.setCacheEnvironmentProperties(false )) did not change the behaviour.

                Any further ideas?


                • #9
                  you might try



                  • #10
                    I honestly don't think Spring LDAP has anything to do with this problem. When authenticating (in effect: creating a new LDAP connection) Spring LDAP will always use the current credentials, regardless of whether the rest of the environment properties are cached or not.


                    • #11
                      if you set pooled to false I think it would create a new connection each time (end hence not cache the creds) - I could be wrong though however

                              LdapContextSource ldapcontextsource = (LdapContextSource)ldapTemplateSUN3.getContextSource();
                              //ensure credentials are not cached
                      worked for me


                      • #12
                        Pooling is set to false per default ...

                        Could this be a problem of Apache Directory Server?

                        I use ApacheDS in in-memory mode for unit testing. When attaching a debugger and waiting at a breakpoint for a while (I don't know how long exactly), then I do not have the problem. Sounds like the password change is not "committed" immediately. Also on our buildserver (Hudson), I don't have the problem. Maybe because the server is so slow ...

                        Additional information: Connected to the Apache Directory Server with Apache Directory Studio, I see, that the password change is done immediately.
                        Last edited by bsantschi; Feb 6th, 2009, 06:13 AM. Reason: Additional information:


                        • #13
                          Setup LdapAuthenticationProvider manually to set pooled to "false"


                          to set "pooled=false" you cannot use the security namespace configuration. Setup the bean graph youself!

                          This examples works for us. Try also the PasswordComparisionAuthenticator instead of BindAuthenticator.

                            <security:authentication-manager alias="authenticationManager">
                              <security:authentication-provider ref="ldapAuthenticationProvider"/>
                            <bean id="ldapAuthenticationProvider" class="">
                                <bean class="">
                                    <bean class="" id="contextSource">
                                      <property name="url" value="ldap://"/>
                                      <property name="base" value="ou=people,dc=xxx,dc=de"/>
                                      <property name="pooled" value="false"/>
                                  <property name="userDnPatterns" value="cn={0},ou=people,dc=xxx,dc=de"/>
                          Best Regards,

                          Joerg and Timmo