ActiveDirectory Authorization fails

    Hi,

    I am absolutely new to Active Directory and LDAP in general. What I want to achieve is to secure my Spring web app. I have a machine running Windows Server 2003 with AD set up. (domain name is "vmware.domain" I guess :o ).

    What I have done so far, is to have Acegi put me to the login page if I want to access a secured site. But Acegi does not authorize me but redirects me to login_failed instead. I tried the admin account and some newly generated user account. Both fail!

    I guess my config file for acegi has errors! What makes it even worse is my small amount of knowledge about Active Directory. So please have a look at the screens I took (attached). I hope it helps you to figure out some of the attributes I have to specify in my acegi config.

    You will probably see something if you compare it to my config:

    Code:
    <beans>
    	<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    		<constructor-arg value="ldap://adserver:389/dc=vmware,dc=domain"/>
    			<property name="managerDn">
    				<value>[email protected]</value>
    			</property>
    			<property name="managerPassword">
    				<value>admin</value>
    			</property>
    	</bean>
    	
    	<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    		<constructor-arg index="0">
    			<value>DC=vmware,DC=domain</value>
    		</constructor-arg>
    		<constructor-arg index="1">
    			<value>(sAMAccountName={0})</value>
    		</constructor-arg>
    		<constructor-arg index="2">
    			<ref local="initialDirContextFactory"/>
    		</constructor-arg>
    		<property name="searchSubtree">
    			<value>true</value>
    		</property>
    	</bean>
    	
    
    	<bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider" abstract="false" singleton="true" lazy-init="default" dependency-check="default" autowire="default">
    		<constructor-arg>
    			<bean class="org.acegisecurity.providers.ldap.authenticator.PasswordComparisonAuthenticator">
    				<constructor-arg>
    					<ref local="initialDirContextFactory"/>
    				</constructor-arg>
    				<property name="userDnPatterns">
    					<list>
    						<value>sAMAccountName={0}</value>
    					</list>
    				</property>
    			</bean>
    		</constructor-arg>
    		<constructor-arg>
    			<bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
    				<constructor-arg>
    					<ref local="initialDirContextFactory"/>
    				</constructor-arg>
    				<constructor-arg>
    					<value>DC=vmware,DC=domain</value>
    				</constructor-arg>
    				<property name="convertToUpperCase" value="true"/>
    				<property name="searchSubtree" value="true"/>
    				<property name="groupSearchFilter" value="member={0}"/>				
    				<property name="groupRoleAttribute" value="cn"/>				
    			</bean>	
    		</constructor-arg>
    	</bean>
    	
    	<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    		<property name="providers">
    			<list>
    				<ref local="ldapAuthProvider"/>
    			</list>
    		</property>
    	</bean>
    	
    	<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    		<property name="accessDecisionManager">
    			<bean class="org.acegisecurity.vote.AffirmativeBased">
    				<property name="allowIfAllAbstainDecisions" value="false"/>
    				<property name="decisionVoters">
    					<list>
    						<bean class="org.acegisecurity.vote.RoleVoter"></bean>
    						<bean class="org.acegisecurity.vote.AuthenticatedVoter"></bean>
    					</list>
    				</property>
    			</bean>
    		</property>
    		<property name="objectDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/*=IS_AUTHENTICATED_ANONYMOUSLY 
    				/secure/**=ROLE_ADGROUP
    			</value>
    		</property>
    	</bean>
    	
    	<bean id="formLoginAuthenticationEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    		<property name="loginFormUrl">
    			<value>/login.jsp</value>
    		</property>
    		<property name="forceHttps">
    			<value>false</value>
    		</property>
    	</bean>
    	
    	<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
    	</bean>
    	
    	<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    		<property name="authenticationEntryPoint">
    			<ref bean="formLoginAuthenticationEntryPoint" />
    		</property>
    	</bean>		
    	
    	<bean id="formAuthenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    		<property name="filterProcessesUrl">
    			<value>/secure/j_acegi_security_check</value>
    		</property>
    		<property name="authenticationFailureUrl">
    			<value>/login_failed.jsp</value>
    		</property>
    		<property name="defaultTargetUrl">
    			<value>/login.jsp</value>
    		</property>
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    	</bean>
    	
    	<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
    		<constructor-arg value="/index.jsp"/>
    		<constructor-arg>
    			<list>
    				<bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
    			</list>
    		</constructor-arg>
    	</bean>		
    	
    	<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    		<property name="filterInvocationDefinitionSource">
    			<value>	
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/secure/**=httpSessionContextIntegrationFilter,logoutFilter,formAuthenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
    			</value>
    		</property>
    	</bean>	
    </beans>

    (Pinging "adserver" works and gives me the correct IP address, too.)

    Please help!

#2
    Hi,

    I got log4j working now. After trying to log in with Acegi-Security I got the following log output. There is a "BadCredentialsException" although I know there's a user named "heinrich" with the same password. Neither "heinrich" nor "administrator" works with Acegi.

    This is the log:

    Code:
    2007-04-22 14:10:24,068 [http-8080-Processor24] DEBUG org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap - Converted URL to lowercase, from: '/secure/j_acegi_security_check'; to: '/secure/j_acegi_security_check'
    2007-04-22 14:10:24,068 [http-8080-Processor24] DEBUG org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap - Candidate is: '/secure/j_acegi_security_check'; pattern is /secure/**; matched=true
    2007-04-22 14:10:24,068 [http-8080-Processor24] DEBUG org.acegisecurity.util.FilterChainProxy - /secure/j_acegi_security_check at position 1 of 5 in additional filter chain; firing Filter: '[email protected]fbb3'
    2007-04-22 14:10:24,068 [http-8080-Processor24] DEBUG org.acegisecurity.context.HttpSessionContextIntegrationFilter - HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new SecurityContext instance associated with SecurityContextHolder
    2007-04-22 14:10:24,078 [http-8080-Processor24] DEBUG org.acegisecurity.util.FilterChainProxy - /secure/j_acegi_security_check at position 2 of 5 in additional filter chain; firing Filter: 'org.acegisecurity.ui.logout.LogoutFilter@c00025'
    2007-04-22 14:10:24,078 [http-8080-Processor24] DEBUG org.acegisecurity.util.FilterChainProxy - /secure/j_acegi_security_check at position 3 of 5 in additional filter chain; firing Filter: '[email protected]4'
    2007-04-22 14:10:24,078 [http-8080-Processor24] DEBUG org.acegisecurity.ui.webapp.AuthenticationProcessingFilter - Request is to process authentication
    2007-04-22 14:10:24,078 [http-8080-Processor24] DEBUG org.acegisecurity.providers.ProviderManager - Authentication attempt using org.acegisecurity.providers.ldap.LdapAuthenticationProvider
    2007-04-22 14:10:24,078 [http-8080-Processor24] DEBUG org.acegisecurity.providers.ldap.LdapAuthenticationProvider - Retrieving user heinrich
    2007-04-22 14:10:24,078 [http-8080-Processor24] DEBUG org.acegisecurity.ldap.DefaultInitialDirContextFactory - Creating InitialDirContext with environment {java.naming.provider.url=ldap://adserver:389/dc=vmware,dc=domain, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=[email protected], com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.security.credentials=******}
    2007-04-22 14:10:24,128 [http-8080-Processor24] DEBUG org.acegisecurity.ui.webapp.AuthenticationProcessingFilter - Updated SecurityContextHolder to contain null Authentication
    2007-04-22 14:10:24,128 [http-8080-Processor24] DEBUG org.acegisecurity.ui.webapp.AuthenticationProcessingFilter - Authentication request failed: org.acegisecurity.BadCredentialsException: Bad credentials
    2007-04-22 14:10:24,128 [http-8080-Processor24] DEBUG org.acegisecurity.context.HttpSessionContextIntegrationFilter - SecurityContextHolder set to new context, as request processing completed
    2007-04-22 14:10:24,148 [http-8080-Processor24] DEBUG org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap - Converted URL to lowercase, from: '/login_failed.jsp'; to: '/login_failed.jsp'
    2007-04-22 14:10:24,148 [http-8080-Processor24] DEBUG org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap - Candidate is: '/login_failed.jsp'; pattern is /secure/**; matched=false
    2007-04-22 14:10:24,148 [http-8080-Processor24] DEBUG org.acegisecurity.util.FilterChainProxy - /login_failed.jsp has no matching filters

    What's wrong with my acegi-config?
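For comparison, here is an Acegi configuration of the kind usually used against Active Directory. It is an added example written for this page, not code from the posters, the Spring forum or the Acegi project. It reuses the host "adserver" and the base DN dc=vmware,dc=domain from the thread; the service account, its password and the protected group name are placeholders. Two points it illustrates: Active Directory never lets a client read or compare the stored password attribute, so authentication against it is done by binding as the user (BindAuthenticator) rather than by password comparison; and in Acegi the search bases handed to FilterBasedLdapUserSearch and DefaultLdapAuthoritiesPopulator are relative to the base DN already present in the provider URL, so repeating the full DC=... base there would be searched as a sub-entry of itself.

```xml
<beans>
    <!-- Added example (not from the forum thread or the Acegi project).
         Assumptions: Acegi 1.0.x on Spring 2.0; AD host "adserver" and base DN
         dc=vmware,dc=domain as in the thread; REPLACE_ME values are placeholders. -->

    <bean id="initialDirContextFactory"
          class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
        <!-- Plain ldap:// sends simple-bind passwords in clear text on the wire;
             use ldaps://adserver:636 (with the AD CA trusted by the JVM) outside a lab. -->
        <constructor-arg value="ldap://adserver:389/dc=vmware,dc=domain"/>
        <!-- AD refuses anonymous searches by default, so a read-only service account
             is needed to look the user up. AD accepts the UPN form for a simple bind. -->
        <property name="managerDn" value="REPLACE_ME_svc-ldap@vmware.domain"/>
        <property name="managerPassword" value="REPLACE_ME"/>
    </bean>

    <!-- Locate the user's entry by sAMAccountName; {0} is the name typed into the form.
         The search base is relative to the base DN in the URL, hence the empty string. -->
    <bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value=""/>
        <constructor-arg index="1" value="(sAMAccountName={0})"/>
        <constructor-arg index="2" ref="initialDirContextFactory"/>
        <property name="searchSubtree" value="true"/>
    </bean>

    <bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg>
            <!-- BindAuthenticator finds the user's DN via userSearch, then binds to AD
                 as that DN with the submitted password. AD verifies the password itself;
                 nothing is read or compared locally, so no password attribute is needed. -->
            <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                <constructor-arg ref="initialDirContextFactory"/>
                <property name="userSearch" ref="userSearch"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <!-- Group lookup: groups whose "member" attribute holds the user's full DN ({0}).
                 Each group's cn becomes a role: with the default "ROLE_" prefix and
                 convertToUpperCase, an AD group "adgroup" yields ROLE_ADGROUP. -->
            <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
                <constructor-arg ref="initialDirContextFactory"/>
                <constructor-arg value=""/>
                <property name="groupSearchFilter" value="(member={0})"/>
                <property name="groupRoleAttribute" value="cn"/>
                <property name="searchSubtree" value="true"/>
                <property name="convertToUpperCase" value="true"/>
            </bean>
        </constructor-arg>
    </bean>

    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="ldapAuthProvider"/>
            </list>
        </property>
    </bean>
</beans>
```

When testing a configuration like this, the Acegi DEBUG log shown above is the first place to look: a successful bind is logged by BindAuthenticator under the user's DN, while a failed bind still surfaces as BadCredentialsException, so a wrong service-account password or a search base that matches nothing looks identical to a wrong user password from the login page. Checking the service account's search with a standalone LDAP client against the same base DN separates the two cases.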
