LDAP Authentication with Spring Security 3

I'm trying to secure parts of my Spring 3 MVC web application by authenticating against my organization's LDAP server. I'm new to LDAP so I'm learning as I go. I've been following the documentation here and the example here but I can't seem to get it right.

Here is my security-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:s="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
                           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

    <!-- Security Configuration -->
    <s:http>
        <s:intercept-url pattern="/page/tosecure/*" access="ROLE_USER" />
        <s:http-basic />
    </s:http>

    <s:ldap-server root="dc=ldap,dc=sub,dc=myorg,dc=org" url="ldap.sub.myorg.org" port="636" />

    <s:authentication-manager>
        <s:ldap-authentication-provider user-dn-pattern="uid={0},cn=users" />
        <s:authentication-provider ref="ldapAuthProvider" />
    </s:authentication-manager>

    <bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="ldaps://ldap.sub.myorg.org:636/dc=ldap,dc=sub,dc=myorg,dc=org" />
    </bean>

    <bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <constructor-arg ref="contextSource" />
                <property name="userDnPatterns">
                    <list>
                        <value>uid={0},cn=users</value>
                    </list>
                </property>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <constructor-arg ref="contextSource" />
                <constructor-arg value="cn=groups" />
                <property name="groupRoleAttribute" value="cn" />
            </bean>
        </constructor-arg>
    </bean>
</beans>

And here is the error I am getting (the last few causes listed in the stack trace)

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.securityContextSource': Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "." (46), after : ""
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:288)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1035)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:939)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:323)
    ... 106 more
Caused by: org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "." (46), after : ""
    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:162)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:121)
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:280)
    ... 115 more
Caused by: org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "." (46), after : ""
    at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:224)
    at org.springframework.ldap.core.DistinguishedName.<init>(DistinguishedName.java:174)
    at org.springframework.ldap.core.support.AbstractContextSource.setBase(AbstractContextSource.java:207)
    at org.springframework.security.ldap.DefaultSpringSecurityContextSource.<init>(DefaultSpringSecurityContextSource.java:67)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:147)
    ... 117 more
Caused by: org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "." (46), after : ""
    at org.springframework.ldap.core.DnParserImplTokenManager.getNextToken(DnParserImplTokenManager.java:678)
    at org.springframework.ldap.core.DnParserImpl.jj_consume_token(DnParserImpl.java:231)
    at org.springframework.ldap.core.DnParserImpl.SpacedEquals(DnParserImpl.java:114)
    at org.springframework.ldap.core.DnParserImpl.attributeTypeAndValue(DnParserImpl.java:94)
    at org.springframework.ldap.core.DnParserImpl.rdn(DnParserImpl.java:58)
    at org.springframework.ldap.core.DnParserImpl.dn(DnParserImpl.java:23)
    at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:218)

It appears that it doesn't like the URL that is listed in the constructor-arg for the contextSource bean although I'm not sure why.

Also, I have a suspicion that other parts of this configuration are incorrect. For instance, I have the ldap server URL defined in the ldap-server tag and in the contextSource bean. That seems like unneeded duplication but it's how it is done in the examples. Could someone take a good look at the configuration to make sure it is sane?

In addition, in case it's necessary, I'll talk a little about our LDAP server layout since it seems to be a little non-standard. A user's DN is constructed by uid={the_user_name},cn=users,dc=ldap,dc=sub,dc=myorg,dc=org. Group DNs are cn={group_name},cn=groups,dc=ldap,dc=sub,dc=myorg,dc=org and the members of a group are defined by a memberUid attribute. I say this is non-standard because, from what I've read, groups should be defined by an ou instead. But hopefully spring security can handle this setup. Does this configuration properly fetch the roles (groups) a user belongs to?

Accepted answer

Have you tried removing the ldap-server element? You shouldn't need it and you haven't configured it with a proper URL (it should probably start with ldap:// or ldaps://).

The example you've linked to uses an embedded server and is illustrating both namespace and bean configurations for the same thing.

The group attribute defaults to cn, so that should be correct for your setup. The Javadoc for DefaultLdapAuthoritiesPopulator gives quite a good description of how it works.
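A corrected security-context.xml along the lines of the answer, added here as an illustration and not taken from the original post or from Spring's own samples. It assumes the directory layout the question describes (users under cn=users, groups under cn=groups with members listed by uid in memberUid), so the group search filter is changed from the default (member={0}), which matches on the full user DN, to (memberUid={1}), which matches on the username:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:s="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
                           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

    <s:http>
        <s:intercept-url pattern="/page/tosecure/*" access="ROLE_USER" />
        <s:http-basic />
    </s:http>

    <!-- Single context source; the <s:ldap-server> element is dropped. The URL carries
         scheme, host, port and base DN, so setBase() receives a DN rather than a hostname. -->
    <bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="ldaps://ldap.sub.myorg.org:636/dc=ldap,dc=sub,dc=myorg,dc=org" />
    </bean>

    <!-- Only the bean-based provider; the duplicate <s:ldap-authentication-provider> is dropped. -->
    <s:authentication-manager>
        <s:authentication-provider ref="ldapAuthProvider" />
    </s:authentication-manager>

    <bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <constructor-arg>
            <!-- Bind as the user; the DN pattern is relative to the base DN in the URL. -->
            <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <constructor-arg ref="contextSource" />
                <property name="userDnPatterns">
                    <list>
                        <value>uid={0},cn=users</value>
                    </list>
                </property>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <constructor-arg ref="contextSource" />
                <constructor-arg value="cn=groups" />
                <!-- Assumed layout: memberUid holds the uid, so match on {1} (username)
                     instead of the default (member={0}), which expects the user's full DN. -->
                <property name="groupSearchFilter" value="(memberUid={1})" />
                <!-- Each matching group's cn becomes ROLE_ + upper-cased cn (the defaults),
                     so a group's cn must map to ROLE_USER for the intercept-url above to pass. -->
                <property name="groupRoleAttribute" value="cn" />
            </bean>
        </constructor-arg>
    </bean>
</beans>
```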

Published: 2023-08-07 09:10:00
Source: https://www.elefans.com/category/jswz/34/1463311.html