
ActiveDirectory Authorization fails



Rapthor
Apr 16th, 2007, 09:26 AM
Hi,

I am absolutely new to Active Directory and LDAP in general. What I want to achieve is to secure my Spring web app. I have a machine running Windows Server 2003 with AD set up. (The domain name is "vmware.domain", I guess :o .)

What I have done so far is to have Acegi send me to the login page when I try to access a secured page. But Acegi does not authorize me and redirects me to login_failed instead. I tried the admin account and a newly created user account. Both fail!

I guess my config file for Acegi has errors! What makes it even worse is my limited knowledge of Active Directory. So please have a look at the screenshots I took (attached). I hope they help you figure out some of the attributes I have to specify in my Acegi config.

You will probably spot something if you compare them to my config:


<beans>
  <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <!-- plain ldap:// on port 389 with simple authentication: the manager password crosses the wire in clear text -->
    <constructor-arg value="ldap://adserver:389/dc=vmware,dc=domain"/>
    <property name="managerDn">
      <value>administrator@vmware.domain</value>
    </property>
    <property name="managerPassword">
      <value>admin</value>
    </property>
  </bean>

  <!-- defined here but never referenced by the authenticator below, so this search is not used -->
  <bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0">
      <value>DC=vmware,DC=domain</value>
    </constructor-arg>
    <constructor-arg index="1">
      <value>(sAMAccountName={0})</value>
    </constructor-arg>
    <constructor-arg index="2">
      <ref local="initialDirContextFactory"/>
    </constructor-arg>
    <property name="searchSubtree">
      <value>true</value>
    </property>
  </bean>

  <bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
      <!-- password comparison reads the user's password attribute from the directory and compares it locally;
           AD does not return that attribute. The DN pattern below also yields
           "sAMAccountName=<user>,dc=vmware,dc=domain", which is not how AD names user objects. -->
      <bean class="org.acegisecurity.providers.ldap.authenticator.PasswordComparisonAuthenticator">
        <constructor-arg>
          <ref local="initialDirContextFactory"/>
        </constructor-arg>
        <property name="userDnPatterns">
          <list>
            <value>sAMAccountName={0}</value>
          </list>
        </property>
      </bean>
    </constructor-arg>
    <constructor-arg>
      <!-- roles are taken from groups whose "member" attribute contains the user's DN ({0}) -->
      <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
        <constructor-arg>
          <ref local="initialDirContextFactory"/>
        </constructor-arg>
        <constructor-arg>
          <value>DC=vmware,DC=domain</value>
        </constructor-arg>
        <property name="convertToUpperCase" value="true"/>
        <property name="searchSubtree" value="true"/>
        <property name="groupSearchFilter" value="member={0}"/>
        <property name="groupRoleAttribute" value="cn"/>
      </bean>
    </constructor-arg>
  </bean>

  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref local="ldapAuthProvider"/>
      </list>
    </property>
  </bean>

  <bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager">
      <ref bean="authenticationManager"/>
    </property>
    <property name="accessDecisionManager">
      <bean class="org.acegisecurity.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false"/>
        <property name="decisionVoters">
          <list>
            <bean class="org.acegisecurity.vote.RoleVoter"/>
            <bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
          </list>
        </property>
      </bean>
    </property>
    <property name="objectDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /*=IS_AUTHENTICATED_ANONYMOUSLY
        /secure/**=ROLE_ADGROUP
      </value>
    </property>
  </bean>

  <bean id="formLoginAuthenticationEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl">
      <value>/login.jsp</value>
    </property>
    <property name="forceHttps">
      <value>false</value>
    </property>
  </bean>

  <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

  <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
      <ref bean="formLoginAuthenticationEntryPoint"/>
    </property>
  </bean>

  <bean id="formAuthenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="filterProcessesUrl">
      <value>/secure/j_acegi_security_check</value>
    </property>
    <property name="authenticationFailureUrl">
      <value>/login_failed.jsp</value>
    </property>
    <!-- after a successful login the user is sent back to the login page -->
    <property name="defaultTargetUrl">
      <value>/login.jsp</value>
    </property>
    <property name="authenticationManager">
      <ref bean="authenticationManager"/>
    </property>
  </bean>

  <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
    <constructor-arg value="/index.jsp"/>
    <constructor-arg>
      <list>
        <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
      </list>
    </constructor-arg>
  </bean>

  <!-- only /secure/** passes through the Acegi filters; everything else is served unfiltered -->
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /secure/**=httpSessionContextIntegrationFilter,logoutFilter,formAuthenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
      </value>
    </property>
  </bean>
</beans>

(Pinging "adserver" works and gives me the correct IP address, too.)

Please help!

Rapthor
Apr 22nd, 2007, 07:25 AM
Hi,

I have log4j working now. After trying to log in with Acegi Security I got the following log output. There is a "BadCredentialsException", although I know there is a user named "heinrich" with that password. Neither "heinrich" nor "administrator" works with Acegi.

This is the log:


2007-04-22 14:10:24,068 [http-8080-Processor24] DEBUG org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap - Converted URL to lowercase, from: '/secure/j_acegi_security_check'; to: '/secure/j_acegi_security_check'
2007-04-22 14:10:24,068 [http-8080-Processor24] DEBUG org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap - Candidate is: '/secure/j_acegi_security_check'; pattern is /secure/**; matched=true
2007-04-22 14:10:24,068 [http-8080-Processor24] DEBUG org.acegisecurity.util.FilterChainProxy - /secure/j_acegi_security_check at position 1 of 5 in additional filter chain; firing Filter: 'org.acegisecurity.context.HttpSessionContextIntegrationFilter@1d6fbb3'
2007-04-22 14:10:24,068 [http-8080-Processor24] DEBUG org.acegisecurity.context.HttpSessionContextIntegrationFilter - HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new SecurityContext instance associated with SecurityContextHolder
2007-04-22 14:10:24,078 [http-8080-Processor24] DEBUG org.acegisecurity.util.FilterChainProxy - /secure/j_acegi_security_check at position 2 of 5 in additional filter chain; firing Filter: 'org.acegisecurity.ui.logout.LogoutFilter@c00025'
2007-04-22 14:10:24,078 [http-8080-Processor24] DEBUG org.acegisecurity.util.FilterChainProxy - /secure/j_acegi_security_check at position 3 of 5 in additional filter chain; firing Filter: 'org.acegisecurity.ui.webapp.AuthenticationProcessingFilter@149a794'
2007-04-22 14:10:24,078 [http-8080-Processor24] DEBUG org.acegisecurity.ui.webapp.AuthenticationProcessingFilter - Request is to process authentication
2007-04-22 14:10:24,078 [http-8080-Processor24] DEBUG org.acegisecurity.providers.ProviderManager - Authentication attempt using org.acegisecurity.providers.ldap.LdapAuthenticationProvider
2007-04-22 14:10:24,078 [http-8080-Processor24] DEBUG org.acegisecurity.providers.ldap.LdapAuthenticationProvider - Retrieving user heinrich
2007-04-22 14:10:24,078 [http-8080-Processor24] DEBUG org.acegisecurity.ldap.DefaultInitialDirContextFactory - Creating InitialDirContext with environment {java.naming.provider.url=ldap://adserver:389/dc=vmware,dc=domain, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=administrator@vmware.domain, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.security.credentials=******}
2007-04-22 14:10:24,128 [http-8080-Processor24] DEBUG org.acegisecurity.ui.webapp.AuthenticationProcessingFilter - Updated SecurityContextHolder to contain null Authentication
2007-04-22 14:10:24,128 [http-8080-Processor24] DEBUG org.acegisecurity.ui.webapp.AuthenticationProcessingFilter - Authentication request failed: org.acegisecurity.BadCredentialsException: Bad credentials
2007-04-22 14:10:24,128 [http-8080-Processor24] DEBUG org.acegisecurity.context.HttpSessionContextIntegrationFilter - SecurityContextHolder set to new context, as request processing completed
2007-04-22 14:10:24,148 [http-8080-Processor24] DEBUG org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap - Converted URL to lowercase, from: '/login_failed.jsp'; to: '/login_failed.jsp'
2007-04-22 14:10:24,148 [http-8080-Processor24] DEBUG org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap - Candidate is: '/login_failed.jsp'; pattern is /secure/**; matched=false
2007-04-22 14:10:24,148 [http-8080-Processor24] DEBUG org.acegisecurity.util.FilterChainProxy - /login_failed.jsp has no matching filters


What's wrong with my Acegi config?
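Editor's note, added to this archived thread and not part of either post: the LDAP part of the configuration in the first post cannot succeed against Active Directory for any password, which is consistent with the BadCredentialsException in the second post appearing right after the manager context is created. PasswordComparisonAuthenticator reads the user's password attribute out of the directory and compares it in the JVM, and AD never returns that attribute; in addition the DN pattern "sAMAccountName={0}" produces a DN of the form sAMAccountName=heinrich,dc=vmware,dc=domain, which is not how AD names user objects. The userSearch bean that would have found the real DN is defined but never wired in. The corrected fragment below is an added example for the Acegi 1.0 API used on this page, not the poster's code. It assumes three things that the thread does not confirm: that LDAPS is available on adserver:636 (a server certificate on the DC, trusted by the JVM), that a dedicated read-only service account svc-acegi@vmware.domain exists, and that an AD group with cn "ADGroup" exists under the domain root so that the /secure/**=ROLE_ADGROUP rule has something to match.

```xml
<beans>
  <!-- Connection to the domain controller. ldaps://adserver:636 is an assumption: it needs a
       server certificate on the DC and the issuing CA in the JVM truststore. With plain
       ldap://adserver:389 and simple authentication, as in the original config and log, the
       manager password and every user's password travel in clear text. -->
  <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldaps://adserver:636/dc=vmware,dc=domain"/>
    <!-- svc-acegi is a hypothetical unprivileged account: it only has to read user and group
         objects, so the domain Administrator password does not belong in this file -->
    <property name="managerDn" value="svc-acegi@vmware.domain"/>
    <property name="managerPassword" value="change-me"/>
  </bean>

  <!-- Look the user up by sAMAccountName anywhere below the domain root. The search returns
       the object's real DN (typically CN=<name>,CN=Users,DC=vmware,DC=domain), so no DN
       pattern has to guess where AD keeps the account. -->
  <bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="DC=vmware,DC=domain"/>
    <constructor-arg index="1" value="(sAMAccountName={0})"/>
    <constructor-arg index="2" ref="initialDirContextFactory"/>
    <property name="searchSubtree" value="true"/>
  </bean>

  <bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <!-- BindAuthenticator binds to AD as the DN found by userSearch using the password the
         user typed, so the DC verifies the password. PasswordComparisonAuthenticator cannot
         work here because AD does not return the password attribute it would compare. -->
    <constructor-arg>
      <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg ref="initialDirContextFactory"/>
        <property name="userSearch" ref="userSearch"/>
      </bean>
    </constructor-arg>
    <!-- Roles come from groups whose "member" attribute contains the user's DN; {0} is the
         full DN returned by userSearch. With convertToUpperCase and the default "ROLE_"
         prefix a group with cn "ADGroup" (assumed to exist) becomes ROLE_ADGROUP. -->
    <constructor-arg>
      <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
        <constructor-arg ref="initialDirContextFactory"/>
        <constructor-arg value="DC=vmware,DC=domain"/>
        <property name="groupSearchFilter" value="(member={0})"/>
        <property name="groupRoleAttribute" value="cn"/>
        <property name="searchSubtree" value="true"/>
        <property name="convertToUpperCase" value="true"/>
      </bean>
    </constructor-arg>
  </bean>

  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref local="ldapAuthProvider"/>
      </list>
    </property>
  </bean>

  <!-- filterSecurityInterceptor, entry point, exception translation, login and logout filters
       and filterChainProxy stay as in the first post -->
</beans>
```

With this wiring a wrong password shows up in the log as the bind for the user's DN being refused by the DC, and a missing account shows up as userSearch finding no entry; both are still reported to the browser as "Bad credentials", which is the right behaviour, so the DEBUG log is where to tell them apart. If the LDAPS assumption does not hold, the URL can stay ldap://adserver:389, but then the service account's password and every login cross the network unencrypted.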