  • Error using LDAP Authentication with Microsoft ADAM

    Hi,

    I have spent quite some time trying to figure out what I'm doing wrong, but I can't seem to get it. I'm trying to access a protected URL. I am using Spring Security 3.0.5. When I used the simple user name and password, I was getting prompted and then was able to access the page. However, with LDAP configuration, I'm unable to get it to work. I'm using Microsoft's ADAM for the LDAP side. To start with, here is my configuration:
    HTML Code:
        <http auto-config="true">
            <http-basic/>
            <intercept-url pattern="/app/tutorials/list" access="ROLE_Administrators"></intercept-url>
        </http>

        <authentication-manager>
            <authentication-provider>
                <password-encoder hash="{sha}"/>
                <ldap-user-service server-ref="ldapServer"
                    user-search-filter="(userPrincipalName={0})" user-search-base="ou=people"
                    group-search-filter="(member={0})" group-search-base="ou=groups" role-prefix="ROLE_"/>
            </authentication-provider>
        </authentication-manager>

        <ldap-server id="ldapServer"
            url="ldap://server.myDomain.com:50000/dc=myDomain,dc=com"
            manager-dn="cn=admin,ou=people,dc=myDomain,dc=com" manager-password="password"/>

    Next, here is the output in the log:
    HTML Code:
    2011-06-06 12:53:20,215 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:195)  - Converted URL to lowercase, from: '/app/tutorials/list'; to: '/app/tutorials/list'
    2011-06-06 12:53:20,277 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:202)  - Candidate is: '/app/tutorials/list'; pattern is /**; matched=true
    2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:375)  - /app/tutorials/list at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository(HttpSessionSecurityContextRepository.java:130)  - No HttpSession currently exists
    2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository(HttpSessionSecurityContextRepository.java:88)  - No SecurityContext was available from the HttpSession: null. A new one will be created.
    2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:375)  - /app/tutorials/list at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
    2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:375)  - /app/tutorials/list at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:375)  - /app/tutorials/list at position 4 of 11 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
    2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:375)  - /app/tutorials/list at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
    2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.authentication.www.BasicAuthenticationFilter(BasicAuthenticationFilter.java:131)  - Basic Authentication Authorization header found for user 'jsmith'
    2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.authentication.ProviderManager(ProviderManager.java:127)  - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
    2011-06-06 12:53:20,308 [http-8080-6] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch(FilterBasedLdapUserSearch.java:107)  - Searching for user 'jsmith', with user search [ searchFilter: '(userPrincipalName={0})', searchBase: 'ou=people', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
    2011-06-06 12:53:20,371 [http-8080-6] DEBUG org.springframework.ldap.core.support.AbstractContextSource(AbstractContextSource.java:259)  - Got Ldap context on server 'ldap://server.myDomain.com:50000/dc=myDomain,dc=com'
    2011-06-06 12:53:20,371 [http-8080-6] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate(SpringSecurityLdapTemplate.java:200)  - Searching for entry in under DN 'dc=myDomain,dc=com', base = 'ou=people', filter = '(userPrincipalName={0})'
    2011-06-06 12:53:20,371 [http-8080-6] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate(SpringSecurityLdapTemplate.java:216)  - Found DN: cn=John Smith,ou=people
    2011-06-06 12:53:20,387 [http-8080-6] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator(DefaultLdapAuthoritiesPopulator.java:179)  - Getting authorities for user cn=John Smith,ou=people,dc=myDomain,dc=com
    2011-06-06 12:53:20,387 [http-8080-6] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator(DefaultLdapAuthoritiesPopulator.java:208)  - Searching for roles for user 'jsmith', DN = 'cn=John Smith,ou=people,dc=myDomain,dc=com', with filter (member={0}) in search base 'ou=groups'
    2011-06-06 12:53:20,387 [http-8080-6] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate(SpringSecurityLdapTemplate.java:151)  - Using filter: (member=cn=John Smith,ou=people,dc=myDomain,dc=com)
    2011-06-06 12:53:20,387 [http-8080-6] INFO  org.springframework.ldap.core.LdapTemplate(LdapTemplate.java:1262)  - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
    2011-06-06 12:53:20,387 [http-8080-6] DEBUG org.springframework.ldap.core.support.AbstractContextSource(AbstractContextSource.java:259)  - Got Ldap context on server 'ldap://server.myDomain.com:50000/dc=myDomain,dc=com'
    2011-06-06 12:53:20,433 [http-8080-6] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator(DefaultLdapAuthoritiesPopulator.java:216)  - Roles from search: [New users for site Demo Site, Administrators, admin]
    2011-06-06 12:53:20,433 [http-8080-6] DEBUG org.springframework.security.ldap.userdetails.LdapUserDetailsMapper(LdapUserDetailsMapper.java:51)  - Mapping user details from context with DN: cn=John Smith,ou=people,dc=myDomain,dc=com
    2011-06-06 12:53:20,449 [http-8080-6] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository(HttpSessionSecurityContextRepository.java:338)  - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
    2011-06-06 12:53:20,449 [http-8080-6] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter(SecurityContextPersistenceFilter.java:89)  - SecurityContextHolder now cleared, as request processing completed
    Finally, here is the error that appears on the web page:
    HTML Code:
    HTTP Status 500 -
    
    type Exception report
    
    message
    
    description The server encountered an internal error () that prevented it from fulfilling this request.
    
    exception
    
    java.lang.NullPointerException
    	org.springframework.security.authentication.encoding.LdapShaPasswordEncoder.extractPrefix(LdapShaPasswordEncoder.java:155)
    	org.springframework.security.authentication.encoding.LdapShaPasswordEncoder.isPasswordValid(LdapShaPasswordEncoder.java:129)
    	org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:68)
    	org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:146)
    	org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)
    	org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
    	org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:148)
    	org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
    	org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:142)
    	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:91)
    	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
    I was initially thinking that it was a problem with the mapping of the Role to the Group, but now it just seems like the 'SecurityContext is empty' is the cause of the problem. I'm not quite sure, though. Can anyone offer some ideas?

    Thanks,
    Eric

  • #2
    It's unlikely you can treat ADAM as a UserDetailsService, since (assuming it behaves like AD), you can't read the password from the directory. You'll probably need to use proper LDAP bind authentication.



    • #3
      That works

      Luke,

      Thanks! That worked. The only caveat is that I'm not able to log in with my selected attribute. For me, it's not a big deal because this is a development environment. Anyway, here's the updated config. Oh, I also had to uppercase the role name in the access attribute.

      Regards,
      Eric

      HTML Code:
      <http auto-config="true">
          <http-basic/>
          <!-- DefaultLdapAuthoritiesPopulator upper-cases group names by default, hence ROLE_ADMINISTRATORS -->
          <intercept-url pattern="/app/tutorials/list" access="ROLE_ADMINISTRATORS"></intercept-url>
      </http>

      <authentication-manager>
          <authentication-provider ref="ldapAuthProvider"/>
      </authentication-manager>

      <!-- Connection to ADAM; the manager account is used for the group search, not for checking the user's password -->
      <beans:bean id="contextSource"
          class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
          <beans:constructor-arg value="ldap://server.myDomain.com:50000/dc=myDomain,dc=com"/>
          <beans:property name="userDn" value="cn=admin,ou=people,dc=myDomain,dc=com"/>
          <beans:property name="password" value="password"/>
      </beans:bean>

      <beans:bean id="ldapAuthProvider"
          class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
          <!-- Bind as the user instead of reading a password attribute the directory will not return -->
          <beans:constructor-arg>
              <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                  <beans:constructor-arg ref="contextSource"/>
                  <beans:property name="userDnPatterns">
                      <beans:list><beans:value>cn={0},ou=people</beans:value></beans:list>
                  </beans:property>
              </beans:bean>
          </beans:constructor-arg>
          <!-- Roles come from the cn of each group under ou=groups whose member attribute lists the user -->
          <beans:constructor-arg>
              <beans:bean
                  class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                  <beans:constructor-arg ref="contextSource"/>
                  <beans:constructor-arg value="ou=groups"/>
                  <beans:property name="groupRoleAttribute" value="cn"/>
              </beans:bean>
          </beans:constructor-arg>
      </beans:bean>

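The failure Luke describes in #2 and the upper-casing Eric mentions in #3, modelled side by side as an added example (this is not code from the thread or from Spring Security). The in-memory DIRECTORY, the server-side secret and all function names are constructed for illustration; the directory deliberately carries no password attribute, which is how an AD/ADAM entry looks to a search.

```python
import base64
import hashlib

# Constructed stand-in for the ADAM instance in the thread. Like AD, the
# directory never hands a password attribute back to a search, so the entry
# the manager account reads carries no 'userPassword' at all.
DIRECTORY = {
    "cn=John Smith,ou=people,dc=myDomain,dc=com": {
        "userPrincipalName": "jsmith",
        "memberOf": ["New users for site Demo Site", "Administrators", "admin"],
    }
}
# The credential exists only on the server side and is only checked by a bind (constructed).
_SERVER_SIDE_SECRETS = {"cn=John Smith,ou=people,dc=myDomain,dc=com": "s3cret"}

def ldap_sha_encode(raw):
    """RFC 2307 '{SHA}' form that LdapShaPasswordEncoder expects to find in the entry."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(raw.encode()).digest()).decode()

def ldap_sha_is_valid(stored, raw):
    """Mimics LdapShaPasswordEncoder.isPasswordValid for the '{SHA}' prefix only. It
    dereferences 'stored' first, which is where the thread's NullPointerException arose."""
    prefix = stored[: stored.index("}") + 1]  # AttributeError when stored is None
    if prefix.upper() != "{SHA}":
        raise ValueError("unsupported prefix " + prefix)
    return stored[len(prefix):] == ldap_sha_encode(raw)[len("{SHA}"):]

def dao_style_authenticate(dn, raw):
    """The <ldap-user-service> + <password-encoder> route from the first post:
    fetch the entry, then compare the stored hash inside the application."""
    return ldap_sha_is_valid(DIRECTORY[dn].get("userPassword"), raw)

def bind_style_authenticate(dn, raw):
    """The BindAuthenticator route from the fix: hand the credential to the
    directory and let it decide, so nothing secret has to be readable."""
    return dn in DIRECTORY and _SERVER_SIDE_SECRETS.get(dn) == raw

def roles_for(dn, prefix="ROLE_", upper=True):
    """DefaultLdapAuthoritiesPopulator-style mapping of group cn values; with its default
    upper-casing, 'Administrators' becomes ROLE_ADMINISTRATORS (hence the access change in #3)."""
    return sorted(prefix + (g.upper() if upper else g) for g in DIRECTORY[dn]["memberOf"])

def compare_routes(dn, raw):
    """Run both routes against the same directory and report what each does."""
    try:
        dao = dao_style_authenticate(dn, raw)
    except AttributeError:  # Python's analogue of the Java NPE on a null stored hash
        dao = "error: no stored hash to compare"
    return {"dao": dao, "bind": bind_style_authenticate(dn, raw), "roles": roles_for(dn)}
```

Against a directory that does expose a `{SHA}` hash the DAO route works, which is why the same configuration passes on OpenLDAP-style servers and fails on ADAM.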