Spring Security DefaultLdapAuthoritiesPopulator does not grant authorities


I am setting up Spring Security to use LDAP. The problem I am running into is that when Spring's org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator tries to fetch the user's authorities, I get an "invalid DN" error. I have gone through many other posts on this site and others, but nothing has helped. I assume I am overlooking something, but I don't know what.

This is the error:

org.springframework.dao.DataAccessResourceFailureException: Failed to borrow DirContext from pool.; nested exception is org.springframework.ldap.InvalidNameException: [LDAP: error code 34 - invalid DN]; nested exception is javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]
at org.springframework.ldap.pool.factory.PoolingContextSource.getContext(PoolingContextSource.java:425)
at org.springframework.ldap.pool.factory.PoolingContextSource.getReadWriteContext(PoolingContextSource.java:408)
at org.springframework.ldap.transaction.compensating.manager.TransactionAwareContextSourceProxy.getReadWriteContext(TransactionAwareContextSourceProxy.java:94)
at org.springframework.ldap.transaction.compensating.manager.TransactionAwareContextSourceProxy.getReadOnlyContext(TransactionAwareContextSourceProxy.java:65)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:287)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:524)
at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:173)
at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:215)
at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGrantedAuthorities(DefaultLdapAuthoritiesPopulator.java:185)
at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.loadUserAuthorities(LdapAuthenticationProvider.java:197)
at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:63)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:324)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:843)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:648)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)
Caused by: org.springframework.ldap.InvalidNameException: [LDAP: error code 34 - invalid DN]; nested exception is javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:128)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:266)
at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:106)
at org.springframework.ldap.core.support.AbstractContextSource.getReadWriteContext(AbstractContextSource.java:138)
at org.springframework.ldap.pool.factory.DirContextPoolableObjectFactory.makeObject(DirContextPoolableObjectFactory.java:127)
at org.apache.commons.pool.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:797)
at org.springframework.ldap.pool.factory.PoolingContextSource.getContext(PoolingContextSource.java:422)
... 41 more
Caused by: javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3008)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2815)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2729)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:43)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:254)
... 46 more
My LDAP server version is OpenLDAP slapd 2.4.23. The Spring version I am using is 3.1.4. These are the security/LDAP dependencies in my pom.xml:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-ldap</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.ldap</groupId>
    <artifactId>spring-ldap-core</artifactId>
    <version>1.3.1.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.ldap</groupId>
    <artifactId>spring-ldap-core-tiger</artifactId>
    <version>1.3.1.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.ldap</groupId>
    <artifactId>spring-ldap-odm</artifactId>
    <version>1.3.1.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.ldap</groupId>
    <artifactId>spring-ldap-ldif-core</artifactId>
    <version>1.3.1.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.ldap</groupId>
    <artifactId>spring-ldap-ldif-batch</artifactId>
    <version>1.3.1.RELEASE</version>
</dependency>
When I run this search on the command line:

/usr/bin/ldapsearch -x -b "ou=user,dc=company,dc=com" -D "cn=Manager,dc=company,dc=com" -w xxxxxxxxx "(&(member=cn=LucyVanPelt,ou=user,dc=company,dc=com))"
I get this result:

# ACME_ADMIN, user, company.com
dn: cn=ACME_ADMIN,ou=user,dc=company,dc=com
cn: ACME_ADMIN
objectClass: groupOfNames
objectClass: top
ou: ACME_ADMIN
member: cn=LucyVanPelt,ou=user,dc=company,dc=com
Here is some debug output from the log file:
2013-12-06 10:57:43,831 [btpool0-0] DEBUG AntPathRequestMatcher - Checking match of request : '/login/process'; against '/admin_portal/css/**'
2013-12-06 10:57:43,832 [btpool0-0] DEBUG AntPathRequestMatcher - Checking match of request : '/login/process'; against '/admin_portal/images/**'
2013-12-06 10:57:43,833 [btpool0-0] DEBUG FilterChainProxy - /login/process at position 1 of 9 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
2013-12-06 10:57:43,833 [btpool0-0] DEBUG AntPathRequestMatcher - Checking match of request : '/login/process'; against '/login.html*'
2013-12-06 10:57:43,834 [btpool0-0] DEBUG AntPathRequestMatcher - Checking match of request : '/login/process'; against '/login/process'
2013-12-06 10:57:43,834 [btpool0-0] DEBUG ChannelProcessingFilter - Request: FilterInvocation: URL: /login/process; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
2013-12-06 10:57:43,836 [btpool0-0] DEBUG FilterChainProxy - /login/process at position 2 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2013-12-06 10:57:43,836 [btpool0-0] DEBUG HttpSessionSecurityContextRepository - No HttpSession currently exists
2013-12-06 10:57:43,836 [btpool0-0] DEBUG HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
2013-12-06 10:57:43,839 [btpool0-0] DEBUG FilterChainProxy - /login/process at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2013-12-06 10:57:43,839 [btpool0-0] DEBUG UsernamePasswordAuthenticationFilter - Request is to process authentication
2013-12-06 10:57:43,846 [btpool0-0] DEBUG ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
2013-12-06 10:57:43,853 [btpool0-0] DEBUG LdapAuthenticationProvider - Processing authentication request for user: LucyVanPelt
2013-12-06 10:57:43,861 [btpool0-0] DEBUG BindAuthenticator - Attempting to bind as cn=LucyVanPelt,ou=user,dc=company,dc=com
2013-12-06 10:57:44,149 [btpool0-0] DEBUG AbstractContextSource - Got Ldap context on server 'ldap://m1devldap01.mm3.company.com:389/dc=company,dc=com'
2013-12-06 10:57:44,153 [btpool0-0] DEBUG BindAuthenticator - Retrieving attributes...
2013-12-06 10:57:44,265 [btpool0-0] DEBUG DefaultLdapAuthoritiesPopulator - Getting authorities for user cn=LucyVanPelt,ou=user,dc=company,dc=com
2013-12-06 10:57:44,265 [btpool0-0] DEBUG DefaultLdapAuthoritiesPopulator - Searching for roles for user 'LucyVanPelt', DN = 'cn=LucyVanPelt,ou=user,dc=company,dc=com', with filter (&(member={0})) in search base 'ou=user,dc=company,dc=com'
2013-12-06 10:57:44,266 [btpool0-0] DEBUG SpringSecurityLdapTemplate - Using filter: (&(member=cn=LucyVanPelt,ou=user,dc=company,dc=com))
2013-12-06 10:57:44,266 [btpool0-0] INFO LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2013-12-06 10:57:44,273 [btpool0-0] DEBUG DirContextPoolableObjectFactory - Creating a new read-write DirContext

It looks like Spring is using the same filter and search base that I use with the ldapsearch tool on the command line, and it works with the tool. Not sure what I am missing. Any help is much appreciated.

Thanks
Snow

In my configuration file I had extra quotes around the admin user DN I was using, which made it invalid. Strangely, BindAuthenticator had no problem with that.

The BindAuthenticator in my configuration above uses contextSource rather than contextSourceTarget.
# user, company.com
dn: ou=user,dc=company,dc=com
ou: user
objectClass: organizationalUnit

# ACME_ADMIN, user, company.com
dn: cn=ACME_ADMIN,ou=user,dc=company,dc=com
cn: ACME_ADMIN
objectClass: groupOfNames
objectClass: top
ou: ACME_ADMIN
member: cn=LucyVanPelt,ou=user,dc=company,dc=com

# LucyVanPelt, user, company.com
dn: cn=LucyVanPelt,ou=user,dc=company,dc=com
givenName: Lucy
sn: VanPelt
userPassword:: MTIzNDU=
uidNumber: 1002
gidNumber: 500
homeDirectory: /home/users/lvanpelt
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: LucyVanPelt
ou: ACME_ADMIN
uid: LucyVanPelt
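The failure pattern above (the user's own bind succeeds, but the group search run with the manager credentials fails with "error code 34 - invalid DN" because that DN was wrapped in quotes) comes down to two things: whether the configured DN is a well-formed RFC 4514 string before it is ever sent to the server, and how DefaultLdapAuthoritiesPopulator turns a `(&(member={0}))` hit into a `ROLE_` authority. The Python stand-in below is added here as an illustration and is not Spring's code: it validates the DN shape and replays the group search over an in-memory copy of the question's LDIF; `DIRECTORY`, `check_dn`, `split_unescaped` and `group_roles` are constructed names.

```python
import re

# Constructed in-memory stand-in for the question's LDIF entries (not a live server).
DIRECTORY = [
    {"dn": "cn=ACME_ADMIN,ou=user,dc=company,dc=com", "cn": ["ACME_ADMIN"],
     "member": ["cn=LucyVanPelt,ou=user,dc=company,dc=com"]},
    {"dn": "cn=LucyVanPelt,ou=user,dc=company,dc=com", "cn": ["LucyVanPelt"]},
]
# One RDN: type=value (+ more type=value pairs); values use backslash escapes only.
_VALUE = r'(?:[^,"\\+]|\\.)+'
_RDN_RE = re.compile(rf'^[A-Za-z][A-Za-z0-9-]*={_VALUE}(?:\+[A-Za-z][A-Za-z0-9-]*={_VALUE})*$')

def split_unescaped(text, sep):
    """Split on sep while honouring backslash escapes (e.g. 'cn=Van Pelt\\, Lucy')."""
    parts, current, escaped = [], "", False
    for ch in text:
        current += ch
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == sep:
            parts.append(current[:-1])
            current = ""
    parts.append(current)
    return parts

def check_dn(dn):
    """None when dn is a well-formed RFC 4514 string DN, else the reason. Quotes around
    the whole DN (the accepted answer's bug) are what the server rejects as error 34."""
    if dn != dn.strip():
        return "leading or trailing whitespace"
    if dn[:1] in ('"', "'") or dn[-1:] in ('"', "'"):
        return "DN is wrapped in quotes"
    for rdn in split_unescaped(dn, ","):
        if not _RDN_RE.match(rdn):
            return f"malformed RDN: {rdn!r}"
    return None

def group_roles(user_dn, search_base, group_role_attr="cn", prefix="ROLE_"):
    """DefaultLdapAuthoritiesPopulator defaults: one-level search under search_base
    with filter (&(member={0})), {0} = user DN; cn values become ROLE_ + UPPERCASE."""
    roles = set()
    for entry in DIRECTORY:
        parent = ",".join(split_unescaped(entry["dn"], ",")[1:])
        if parent.lower() != search_base.lower():
            continue  # outside the one-level search scope
        if user_dn.lower() in (m.lower() for m in entry.get("member", [])):
            roles.update(prefix + v.upper() for v in entry[group_role_attr])
    return roles
```

Running `check_dn` on the manager DN at startup surfaces the quoted-DN mistake as a configuration error instead of a pooled-context failure deep inside the authorities lookup.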