  • LDAP authentication working but Bad credentials sometimes

    I am using Spring Security 2.0.3.
    I've set up an LDAP authentication which is working well on localhost with Windows XP. When I deploy it on my Linux server (Debian), it's working most of the time, but I sometimes get a BadCredentials exception. I've checked my login and password. What could be the reason?

    [EDIT]
    Here is the error logged:
    Code:
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.intercept.AbstractSecurityInterceptor  - Secure object: FilterInvocation: URL: /logon.html?erreur=1; ConfigAttributes: [ROLE_LECTEUR, ROLE_COL, ROLE_CE, ROLE_CE_DIR, ROLE_ADMIN]
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.ui.ExceptionTranslationFilter  - Authentication exception occurred; redirecting to authentication entry point
    org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    	at org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)
    	at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
    	at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    	at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
    	at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
    	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
    	at org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:271)
    	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
    	at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
    	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
    	at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:174)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:183)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    	at org.jstripe.tomcat.probe.Tomcat55AgentValve.invoke(Tomcat55AgentValve.java:20)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
    	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    	at java.lang.Thread.run(Thread.java:595)
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.ui.ExceptionTranslationFilter  - Authentication entry point being called; SavedRequest added to Session: SavedRequest[http://172.XX.X.XX:8081/extranet-0.02/logon.html?erreur=1]
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.context.HttpSessionContextIntegrationFilter  - HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.context.HttpSessionContextIntegrationFilter  - SecurityContextHolder now cleared, as request processing completed
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.util.FilterChainProxy  - Converted URL to lowercase, from: '/logon.html'; to: '/logon.html'
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.util.FilterChainProxy  - Candidate is: '/logon.html'; pattern is /logon.html; matched=true
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.util.FilterChainProxy  -  has an empty filter list
    [/EDIT]

    Here is a sample of my applicationContext-security.xml:

    Code:
    <bean id="contextSource"
          class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="ldap://VS-DC01.mydomain.fr:389/DC=mydomain,DC=fr" />
        <property name="userDn"
                  value="CN=adsearch,OU=Compte de service,OU=MyOU,DC=mydomain,DC=fr" />
        <property name="password" value="adsearch" />
        <property name="baseEnvironmentProperties">
            <map>
                <entry key="java.naming.referral">
                    <value>follow</value>
                </entry>
            </map>
        </property>
    </bean>
    Any help would be appreciated. Thank you!
    Last edited by aukebefo; Aug 19th, 2010, 04:53 AM.

  • #2
    It's going to be impossible for us to help diagnose without logs illustrating the type of error you're seeing. Please attach logs on DEBUG showing one of these errors.


    • #3
      Are you using bind authentication or password compare authentication in Spring Security?


      • #4
        I edited the first message, giving the error logs.
        Last edited by aukebefo; Aug 19th, 2010, 11:04 AM.


        • #5
          I use bindAuthenticator

          Code:
          <bean id="bindAuthenticator"
          	class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
          	<constructor-arg ref="contextSource" />
          	<!-- For authentication -->
          	<property name="userSearch">
          		<bean id="userSearch"
          			class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
          			<constructor-arg index="0" value="" />
          			<constructor-arg index="1" value="sAMAccountName={0}" />
          			<constructor-arg index="2" ref="contextSource" />
          		</bean>
          	</property>
          </bean>


          • #6
            Originally posted by aukebefo:
            I edited the first message, giving the error logs.
            That isn't an error - check the FAQ.

            You need to show the error from your LDAP server. Write a test case which only attempts to authenticate (i.e. without running in a web application). Until you get that working it is just complicating matters and slowing down the debug process if you try to run a full application.


            • #7
              Until you get that working it is just complicating matters and slowing down the debug process if you try to run a full application.
              I already got it working perfectly @ localhost. It's working well on my server as well, but sometimes, if I try to reconnect after my session expired, I get a bad credentials error. It's not every time and it's working perfectly when there is previous activity. I don't know where it's coming from.


              • #8
                If it's an LDAP login failure then the information should be in the debug log file.


                • #9
                  It seems the LDAP is not giving an answer fast enough, so the daoAuthenticator takes over.

                  Here is the sample debug when the authentication is working with LDAP:
                  Code:
                  [...]
                  DEBUG - org.springframework.security.providers.ProviderManager  - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
                   DEBUG - org.springframework.security.ldap.search.FilterBasedLdapUserSearch  - Searching for user 'jodo', with user search [ searchFilter: 'sAMAccountName={0}', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
                   DEBUG - org.springframework.ldap.core.support.AbstractContextSource  - Principal: 'CN=adsearch,OU=Compte de service,OU=Domain,DC=Domain,DC=fr'
                   DEBUG - org.springframework.ldap.core.support.AbstractContextSource  - Got Ldap context on server 'ldap://VS-DC01.Domain.fr:389/dc=Domain,dc=fr'
                   DEBUG - org.springframework.security.ldap.DefaultSpringSecurityContextSource  - Creating context with principal: 'cn=John Doe, ou=Utilisateurs, ou=Domain_Nantes, dc=domain, dc=fr'
                   DEBUG - org.springframework.ldap.core.support.AbstractContextSource  - Got Ldap context on server 'ldap://VS-DC01.Domain.fr:389/dc=Domain,dc=fr'
                   DEBUG - org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator  - Getting authorities for user cn=John Doe, ou=Utilisateurs, ou=Domain_Nantes, dc=Domain, dc=fr
                  [...]
                  Here is the sample when daoAuthenticator takes over:

                  Code:
                  [...]
                  DEBUG - org.springframework.security.providers.ProviderManager  - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
                  DEBUG - org.springframework.security.ldap.search.FilterBasedLdapUserSearch  - Searching for user 'auke', with user search [ searchFilter: 'sAMAccountName={0}', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
                  DEBUG - org.springframework.ldap.core.support.AbstractContextSource  - Principal: 'CN=adsearch,OU=Compte de service,OU=Domain,DC=Domain,DC=fr'
                  DEBUG - org.springframework.ldap.core.support.AbstractContextSource  - Got Ldap context on server 'ldap://VS-DC01.Domain.fr:389/dc=Domain,dc=fr'
                  DEBUG - org.springframework.security.providers.ProviderManager  - Authentication attempt using org.springframework.security.providers.dao.DaoAuthenticationProvider
                  DEBUG - org.springframework.jdbc.core.JdbcTemplate  - Executing prepared SQL query
                  DEBUG - org.springframework.jdbc.core.JdbcTemplate  - Executing prepared SQL statement [SELECT LOG_COL as username, PAS_COL as password, ACT_COL as enabled
                  				FROM COLLABORATEUR
                  				WHERE LOG_COL=?
                  				]
                  [...]
                  Is there something I can do to make the LdapAuthenticationProvider wait longer? Or am I looking the wrong way?
                  Last edited by aukebefo; Aug 20th, 2010, 10:30 AM.
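
The stand-alone test suggested in #6, aimed at the intermittent failure described in #7 and #9, as an added example that is not part of the thread or of Spring Security's own code. It reuses the URL, DNs and search filter posted above with the Spring Security 2.0.x classes named in the posted configuration; the class name `LdapBindProbe`, the environment variable names, the attempt count and the idle-gap argument are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.providers.ldap.authenticator.BindAuthenticator;

// Added example (hypothetical class name): authenticates outside the web application.
public class LdapBindProbe {
    public static void main(String[] args) throws Exception {
        // Assumed inputs: credentials come from the environment, not from source.
        String user = System.getenv("PROBE_USER");
        String userPassword = System.getenv("PROBE_PASSWORD");
        String searchPassword = System.getenv("SEARCH_PASSWORD");
        if (user == null || userPassword == null || searchPassword == null) {
            throw new IllegalStateException("set PROBE_USER, PROBE_PASSWORD, SEARCH_PASSWORD");
        }
        // Optional first argument: seconds to stay idle between attempts.
        long idleSeconds = args.length > 0 ? Long.parseLong(args[0]) : 0L;

        // Same settings as the contextSource bean posted in the thread.
        DefaultSpringSecurityContextSource cs = new DefaultSpringSecurityContextSource(
                "ldap://VS-DC01.mydomain.fr:389/DC=mydomain,DC=fr");
        cs.setUserDn("CN=adsearch,OU=Compte de service,OU=MyOU,DC=mydomain,DC=fr");
        cs.setPassword(searchPassword);
        Map<String, Object> env = new HashMap<String, Object>();
        env.put("java.naming.referral", "follow");
        cs.setBaseEnvironmentProperties(env);
        cs.afterPropertiesSet();

        // Same settings as the bindAuthenticator bean; the posted log shows subtree scope.
        FilterBasedLdapUserSearch search =
                new FilterBasedLdapUserSearch("", "sAMAccountName={0}", cs);
        search.setSearchSubtree(true);
        BindAuthenticator authenticator = new BindAuthenticator(cs);
        authenticator.setUserSearch(search);
        authenticator.afterPropertiesSet();

        for (int attempt = 1; attempt <= 5; attempt++) { // attempt count is arbitrary
            long start = System.currentTimeMillis();
            try {
                DirContextOperations entry = authenticator.authenticate(
                        new UsernamePasswordAuthenticationToken(user, userPassword));
                System.out.println(attempt + " OK " + entry.getDn()
                        + " in " + (System.currentTimeMillis() - start) + " ms");
            } catch (RuntimeException e) {
                // Print the real exception and its cause instead of a generic login failure.
                System.out.println(attempt + " FAILED after "
                        + (System.currentTimeMillis() - start) + " ms: "
                        + e.getClass().getName() + ": " + e.getMessage()
                        + " / cause: " + e.getCause());
            }
            Thread.sleep(idleSeconds * 1000L);
        }
    }
}
```

Run from the server where the failures occur, with an idle gap comparable to the session timeout, the output shows whether a failed attempt comes from the user search or from the bind, and how long it took.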
