1. 首页
  2. 问答
  3. 使用Spring Security进行LDAP身份验证3

使用Spring Security进行LDAP身份验证3

2012-11-30 171 views
2

我试图通过对组织的LDAP服务器进行身份验证来保护我的Spring 3 MVC Web应用程序的某些部分。我是LDAP新手,所以我正在学习。我一直在遵循文档here和示例here,但我似乎无法做到正确。使用Spring Security进行LDAP身份验证3

这里是我的安全context.xml的

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:s="http://www.springframework.org/schema/security" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd 
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd"> 

    <!-- Security Configuration --> 
    <s:http> 
     <s:intercept-url pattern="/page/tosecure/*" access="ROLE_USER" /> 
     <s:http-basic /> 
    </s:http> 

    <s:ldap-server root="dc=ldap,dc=sub,dc=myorg,dc=org" url="ldap.sub.myorg.org" port="636" /> 

    <s:authentication-manager> 
     <s:ldap-authentication-provider user-dn-pattern="uid={0},cn=users" /> 
     <s:authentication-provider ref="ldapAuthProvider" /> 
    </s:authentication-manager> 

    <bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> 
     <constructor-arg value="ldaps://ldap.sub.myorg.org:636/dc=ldap,dc=sub,dc=myorg,dc=org" /> 
    </bean> 

    <bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> 
     <constructor-arg> 
      <bean class="org.springframework.security.ldap.authentication.BindAuthenticator"> 
       <constructor-arg ref="contextSource" /> 
       <property name="userDnPatterns"> 
        <list> 
         <value>uid={0},cn=users</value> 
        </list> 
       </property> 
      </bean> 
     </constructor-arg> 
     <constructor-arg> 
      <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator"> 
       <constructor-arg ref="contextSource" /> 
       <constructor-arg value="cn=groups" /> 
       <property name="groupRoleAttribute" value="cn" /> 
      </bean> 
     </constructor-arg> 
    </bean> 

</beans>

这里是我得到的错误(堆栈跟踪中列出的最后几个原因)

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.securityContextSource': Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "." (46), after : "" 
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:288) 
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1035) 
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:939) 
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485) 
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456) 
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294) 
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225) 
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291) 
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193) 
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:323) 
    ... 106 more 
Caused by: org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "." (46), after : "" 
    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:162) 
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:121) 
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:280) 
    ... 115 more 
Caused by: org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "." (46), after : "" 
    at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:224) 
    at org.springframework.ldap.core.DistinguishedName.<init>(DistinguishedName.java:174) 
    at org.springframework.ldap.core.support.AbstractContextSource.setBase(AbstractContextSource.java:207) 
    at org.springframework.security.ldap.DefaultSpringSecurityContextSource.<init>(DefaultSpringSecurityContextSource.java:67) 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39) 
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27) 
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513) 
    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:147) 
    ... 117 more 
Caused by: org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "." (46), after : "" 
    at org.springframework.ldap.core.DnParserImplTokenManager.getNextToken(DnParserImplTokenManager.java:678) 
    at org.springframework.ldap.core.DnParserImpl.jj_consume_token(DnParserImpl.java:231) 
    at org.springframework.ldap.core.DnParserImpl.SpacedEquals(DnParserImpl.java:114) 
    at org.springframework.ldap.core.DnParserImpl.attributeTypeAndValue(DnParserImpl.java:94) 
    at org.springframework.ldap.core.DnParserImpl.rdn(DnParserImpl.java:58) 
    at org.springframework.ldap.core.DnParserImpl.dn(DnParserImpl.java:23) 
    at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:218)

看来,它不不喜欢在contextSource bean的constructor-arg中列出的URL,尽管我不知道为什么。

另外,我有一个怀疑,该配置的其它部分是不正确的。例如,我有在ldap-server标记和contextSource bean中定义的ldap服务器URL。这似乎是不必要的重复,但它是如何在示例中完成的。有人可以仔细看看配置,以确保它是理智的?

另外,如果有必要,我将谈一下我们的LDAP服务器布局,因为它似乎是有点不标准。用户的DN由uid = {the_user_name},cn = users,dc = ldap,dc = sub,dc = myorg,dc = org构建。组DN是cn = {group_name},cn = groups,dc = ldap,dc = sub,dc = myorg,dc = org,组的成员由memberUid属性定义。我说这是非标准的,因为从我读过的内容来看,组织应该由ou来定义。但希望春季安全可以处理这个设置。此配置是否能够正确获取用户所属的角色(组)?

来源

2012-11-30 Eddie

回答

1

你有没有试图消除ldap-server元素?您不应该需要它,并且您没有使用正确的URL配置它(它应该可能从ldap://ldaps://开始)。

你链接到该示例使用嵌入式服务器,并说明了同样的事情,都命名空间和豆配置。

组属性默认为cn,所以应该适合你的设置是正确的。 Javadoc为DefaultLdapAuthoritiesPopulator给出了相当好的描述。

来源

2012-11-30 16:45:05

+0

有了您的帮助,我的配置简化到这个 ' < S:认证管理器> ' – Eddie

+0

然而,我想能够限制对特定组的访问。在intercept-url中,我更改了对ROLE_GROUPNAME的访问权限,并向s:ldap-authentication-provider添加了'group-search-filter =“memberUid = {0}”',但我总是被拒绝访问。该文档表示,组搜索过滤器将替代完整的DN,而不仅仅是像我的LDAP服务器那样的用户名。我如何配置它以匹配我的LDAP服务器? – Eddie

+0

啊,我明白了。而不是group-search-filter =“memberUid = {0}”,如果组只包含用户名而不是完整的DN,我应该有group-search-filter =“memberUid = {1}”。 – Eddie

相关问题

 相关问题