  • Wrong GrantedAuthority in LdapAuthoritiesPopulator

    Hi!

    I am using ACEGI v1.0.7 to authenticate my Java website against a Windows AD. The LDAP part of the equation is working fine. The server talks to the AD, does a Bind, searches for the user, gets the group membership etc.

    However, the group membership being returned from the LdapAuthoritiesPopulator is wrong - it is returning the authenticated user's DN, instead of the 'name' attribute of the group he belongs to.

    Here is the exception I am getting:

    2009-07-16 16:14:34,061 WARN [org.acegisecurity.event.authorization.LoggerListener] Security authorization failed due to: org.acegisecurity.AccessDeniedException: Access is denied; authenticated principal: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@1f52c80e: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@7548c; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: dlicuqvilt4d; Granted Authorities: ROLE_CN=ROLE_IMPORTER,OU=DEVELOPMENT,OU=SERVICE ACCOUNTS,OU=ACMESEA,DC=ACME,DC=LOCAL; secure object: FilterInvocation: URL: /import?type=DEFAULT; configuration attributes: [ROLE_IMPORTER_GROUP]
    2009-07-16 16:14:34,077 DEBUG [org.acegisecurity.ui.ExceptionTranslationFilter] Access is denied (user is not anonymous); delegating to AccessDeniedHandler
    org.acegisecurity.AccessDeniedException: Access is denied
    at org.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:68)
    at org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:323)
    at org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:104)
    at org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:275)
    at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:124)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:275)
    at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:275)
    at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:275)
    at org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:275)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)


    ------

    As you can see from above, the GrantedAuthority for this principal is "ROLE_CN=ROLE_IMPORTER,OU=DEVELOPMENT,OU=SERVICE ACCOUNTS,OU=ACMESEA,DC=ACME,DC=LOCAL". However, this is wrong: this is the DN of the authenticated user, as can be seen from the output of ldp.exe:

    Expanding base 'CN=ROLE_IMPORTER,OU=Development,OU=Service Accounts,OU=ACMESEA,DC=ACME,DC=LOCAL'...
    Result <0>: (null)
    Matched DNs:
    Getting 1 entries:
    >> Dn: CN=ROLE_IMPORTER,OU=Development,OU=Service Accounts,OU=ACMESEA,DC=ACME,DC=LOCAL
    4> objectClass: top; person; organizationalPerson; user;
    1> cn: ROLE_IMPORTER;
    1> givenName: ROLE_IMPORTER;
    1> distinguishedName: CN=ROLE_IMPORTER,OU=Development,OU=Service Accounts,OU=ACMESEA,DC=ACME,DC=LOCAL;


    Here is my filterInvocationInterceptor:

    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="accessDecisionManager">
        <bean class="org.acegisecurity.vote.AffirmativeBased">
          <property name="allowIfAllAbstainDecisions" value="false"/>
          <property name="decisionVoters">
            <list>
              <bean class="org.acegisecurity.vote.RoleVoter"/>
              <bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
            </list>
          </property>
        </bean>
      </property>
      <property name="objectDefinitionSource">
        <value><![CDATA[
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /tasks=ROLE_IMPORTER
    /import=ROLE_IMPORTER
    /bvt=ROLE_IMPORTER
    /process=ROLE_IMPORTER_GROUP
    /workflow=ROLE_IMPORTER_GROUP
    /listauditlog=ROLE_IMPORTER_GROUP
    /editpropertytransaction=ROLE_PROPERTY_TRANSACTION_
        ]]></value>
      </property>
    </bean>


    ------

    Here is my LDAP conf:

    <bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
      <constructor-arg>
        <!-- bind authenticator uses the details of the LDAP server bean, and the userSearch bean -->
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
          <constructor-arg>
            <ref local="initialDirContextFactory"/>
          </constructor-arg>
          <property name="userSearch" ref="userSearch"/>
        </bean>
      </constructor-arg>
      <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
          <constructor-arg>
            <ref local="initialDirContextFactory"/>
          </constructor-arg>
          <constructor-arg>
            <value>OU=Development,OU=Security Groups,OU=ACMESEA,DC=ACME,DC=LOCAL</value>
          </constructor-arg>
          <property name="groupRoleAttribute">
            <value>member</value>
          </property>
          <!-- the following properties are shown with their default values -->
          <property name="searchSubtree"><value>false</value></property>
          <property name="rolePrefix"><value>ROLE_</value></property>
          <property name="convertToUpperCase"><value>true</value></property>
        </bean>
      </constructor-arg>
    </bean>


    ------

    As you can see, there is a group with that name that has the user as its member:

    -------

    Expanding base 'CN=ROLE_IMPORTER_GROUP,OU=Development,OU=Security Groups,OU=ACMESEA,DC=ACME,DC=LOCAL'...
    Result <0>: (null)
    Matched DNs:
    Getting 1 entries:
    >> Dn: CN=ROLE_IMPORTER_GROUP,OU=Development,OU=Security Groups,OU=ACMESEA,DC=ACME,DC=LOCAL
    2> objectClass: top; group;
    1> cn: ROLE_IMPORTER_GROUP;
    1> member: CN=ROLE_IMPORTER,OU=Development,OU=Service Accounts,OU=ACMESEA,DC=ACME,DC=LOCAL;
    1> distinguishedName: CN=ROLE_IMPORTER_GROUP,OU=Development,OU=Security Groups,OU=ACMESEA,DC=ACME,DC=LOCAL;


    -----

    To summarize:

    Expecting Granted authority = ROLE_IMPORTER_GROUP (of type group)
    Received Granted Authority = ROLE_IMPORTER (of type person)

    Any idea what I am doing wrong?

    Thanks

    feroze.

  • #2
    Try the Spring Security forum.
