
View Full Version : AuthenticationException: [LDAP: errorcode 49



Albert PLK
May 21st, 2007, 10:24 PM
Hi,

I am configuring acegi-security with LDAP authentication.
I cannot log in successfully; authentication fails with bad credentials. I have this user:

dn: cn=Member,ou=groups,dc=plk,dc=hk
uniqueMember: cn=peter,ou=people,dc=plk,dc=hk

What is wrong with my applicationContext-acegi-security.xml settings?

[DEBUG,LdapAuthenticationProvider,http-8080-Processor25] Retrieving user
peter
[DEBUG,DefaultInitialDirContextFactory,http-8080-Processor25] Creating
InitialDirContext with environment
{java.naming.provider.url=ldap://plk.hk:389/dc=plk,dc=hk,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.security.principal=cn=peter,ou=people,dc=plk,dc=hk,
java.naming.security.authentication=simple,
java.naming.security.credentials=******}
[DEBUG,BindAuthenticator,http-8080-Processor25] Failed to bind as
cn=peter,ou=people,dc=plk,dc=hk: javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment:
AcceptSecurityContext error, data 525, v893^@]


Here is my applicationContext-acegi-security.xml :


<!-- ======================== FILTER CHAIN ======================= -->

<!-- Role-based voter; httpRequestAccessDecisionManager lists it under decisionVoters. -->
<bean id="roleVoter"
      class="org.acegisecurity.vote.RoleVoter"/>

<!-- if you wish to use channel security, add "channelProcessingFilter,"
in front
of "httpSessionContextIntegrationFilter" in the list below -->
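<!-- Filter chain applied to every request path (Ant pattern /**); filters run
     in the order listed. Each name on the right must match a bean id in this
     file exactly. The pasted listing had stray spaces and a line break inside
     the names ("logoutFilte r", "authenticationProcessin gFilter",
     "filterInvocatio nInterceptor"), which would stop them from resolving;
     they are rejoined here. -->
<bean id="filterChainProxy"
      class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT

      /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    </value>
  </property>
</bean>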



<!-- ======================== AUTHENTICATION ======================= -->

<!-- Authentication entry point for the filters: delegates to the providers
     listed below. Only the LDAP provider is configured, so there is no
     fallback user store. -->
<bean id="authenticationManager"
      class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="ldapAuthenticationProvider"/>
    </list>
  </property>
</bean>

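<!-- Creates the JNDI directory contexts used for manager searches and for
     user binds. The class name is rejoined here; the pasted listing had a
     space inside it ("DefaultInitialDirContextFac tory").

     The URL path /dc=plk,dc=hk is the root DN; DNs configured in other beans
     are resolved relative to it.

     NOTE(review): the URL uses ldap:// on port 389 and the DEBUG log in the
     post shows java.naming.security.authentication=simple, so the manager and
     user passwords are sent to the directory unencrypted. Prefer an ldaps://
     URL (or StartTLS) if the server offers it.

     NOTE(review): managerPassword is a literal in this file. Load it from a
     properties file with restricted permissions instead, and keep the real
     value out of source control and forum posts. -->
<bean id="initialDirContextFactory"
      class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg value="ldap://plk.hk:389/dc=plk,dc=hk"/>
  <property name="managerDn"><value>cn=Manager,dc=plk,dc=hk</value></property>
  <property name="managerPassword"><value>secret</value></property>
</bean>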

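<!-- Looks up the groups an authenticated user belongs to and turns them into
     granted authorities: the value of groupRoleAttribute is upper-cased and
     prefixed with ROLE_. The class name is rejoined here; the pasted listing
     split it with a space and a line break
     ("Default LdapAuthoritiesPopu lator").

     NOTE(review): the provider URL already ends in /dc=plk,dc=hk and the DN
     pattern in ldapAuthenticationProvider is written relative to it
     (cn={0},ou=people). This search base repeats dc=plk,dc=hk; verify whether
     it should be just ou=groups.

     NOTE(review): groupRoleAttribute is "ou", but the group entry quoted in
     the post shows only the DN cn=Member,... and a uniqueMember value. If the
     entry carries no ou attribute, no role is derived from it; "cn" would
     give ROLE_MEMBER. Confirm against the directory.

     NOTE(review): groupSearchFilter is commented out, so the class default
     applies (believed to be (member={0}); confirm). The quoted group uses
     uniqueMember, so the filter probably needs to be (uniqueMember={0}).

     The roles produced here must match the ones required by
     filterInvocationInterceptor (ROLE_SUPERVISOR, ROLE_TELLER) for any
     authenticated user to reach /secure/. -->
<bean id="ldapPopulator"
      class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
  <constructor-arg index="0" ref="initialDirContextFactory" />
  <constructor-arg index="1" value="ou=groups,dc=plk,dc=hk" />
  <property name="groupRoleAttribute" value="ou" />
  <property name="rolePrefix" value="ROLE_" />
  <property name="convertToUpperCase" value="true" />
  <property name="searchSubtree" value="true" />
  <!-- <property name="groupSearchFilter" value="(Member={0})" /> -->
</bean>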


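<!-- Locates a user entry by searching for (cn=<login name>) below the given
     base, using contexts from initialDirContextFactory. The class name is
     rejoined here; the pasted listing had a space inside it
     ("FilterBasedLdapUserS earch").

     NOTE(review): in this listing the only bean that references userSearch is
     an id-less BindAuthenticator that nothing else refers to, so this search
     does not take part in authentication as configured.

     NOTE(review): the provider URL already ends in /dc=plk,dc=hk; this search
     base repeats dc=plk,dc=hk. Verify whether it should be just ou=people. -->
<bean id="userSearch"
      class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
  <constructor-arg index="0">
    <value>ou=people,dc=plk,dc=hk</value>
  </constructor-arg>
  <constructor-arg index="1">
    <value>(cn={0})</value>
  </constructor-arg>
  <constructor-arg index="2">
    <ref local="initialDirContextFactory"/>
  </constructor-arg>
  <property name="searchSubtree">
    <value>true</value>
  </property>
</bean>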

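<!-- Stand-alone BindAuthenticator wired to userSearch. The class name is
     rejoined here; the pasted listing had a space inside it
     ("Bin dAuthenticator").

     NOTE(review): this bean has no id and no other bean in the listing
     refers to it. ldapAuthenticationProvider declares its own inner
     BindAuthenticator, so this one is created but never used to authenticate
     anyone. Either remove it or move the userSearch property onto the
     authenticator inside ldapAuthenticationProvider. -->
<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
  <constructor-arg>
    <ref local="initialDirContextFactory"/>
  </constructor-arg>
  <property name="userSearch" ref="userSearch"/>
</bean>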


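<!-- LDAP authentication provider: the first constructor argument
     authenticates by binding as the user, the second (ldapPopulator) loads
     the user's roles. The inner class name is rejoined here; the pasted
     listing had a space inside it ("Bin dAuthenticator").

     The bind DN is built from userDnPatterns relative to the root DN of the
     provider URL, so cn={0},ou=people becomes cn=peter,ou=people,dc=plk,dc=hk
     for the login "peter"; the DEBUG log in the post shows exactly that DN.

     NOTE(review): the log reports LDAP error 49 with "data 525". The
     LdapErr/DSID message format is the one Active Directory emits, and its
     sub-code 525 is documented as "user not found" (52e is the
     wrong-password code). The DN built from this pattern therefore probably
     does not exist on the server; check the account's real DN in the
     directory before suspecting the password.

     NOTE(review): this authenticator has no userSearch property, so the
     userSearch bean defined in this file is never consulted. If a
     search-based lookup is intended as a fallback, add
     <property name="userSearch" ref="userSearch"/> to the inner bean. -->
<bean id="ldapAuthenticationProvider"
      class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
      <property name="userDnPatterns">
        <list>
          <value>cn={0},ou=people</value>
        </list>
      </property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <ref local="ldapPopulator"/>
  </constructor-arg>
</bean>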

<!-- An access decision manager used by the business objects -->
<!-- Access decision manager used by filterInvocationInterceptor. The only
     voter is roleVoter; allowIfAllAbstainDecisions=false means a request is
     denied when every voter abstains. -->
<bean id="httpRequestAccessDecisionManager"
      class="org.acegisecurity.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions">
    <value>false</value>
  </property>
  <property name="decisionVoters">
    <list>
      <ref bean="roleVoter"/>
    </list>
  </property>
</bean>

<!-- Automatically receives AuthenticationEvent messages -->
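<!-- Listener for authentication events. The class name is rejoined here; the
     pasted listing had a space inside it ("LoggerListe ner"). -->
<bean id="loggerListener"
      class="org.acegisecurity.event.authentication.LoggerListener"/>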

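<!-- First filter in the filterChainProxy list; keeps the security context in
     the HTTP session between requests. The class name is rejoined here; the
     pasted listing had a space inside it
     ("HttpSessionContextIntegr ationFilter"). -->
<bean id="httpSessionContextIntegrationFilter"
      class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>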

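<!-- Logout handling: runs the handlers in the list, then redirects to
     /index.jsp. The handler class name is rejoined here; the pasted listing
     had a space inside it ("SecurityContextLogoutH andler"). -->
<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
  <constructor-arg value="/index.jsp"/> <!-- URL redirected to after logout -->
  <constructor-arg>
    <list>
      <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
    </list>
  </constructor-arg>
</bean>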

<!-- ===================== HTTP REQUEST SECURITY ==================== -->

<!-- Hands security exceptions raised further down the chain to the
     configured entry point, which sends the browser to the login form. -->
<bean id="exceptionTranslationFilter"
      class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint">
    <ref local="authenticationProcessingFilterEntryPoint"/>
  </property>
</bean>

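<!-- Processes the login form submitted to /j_acegi_security_check and passes
     the credentials to authenticationManager. A failed login redirects to
     /acegilogin.jsp?login_error=1, a successful one to "/". The class name is
     rejoined here; the pasted listing had a space inside it
     ("AuthenticationProcessi ngFilter"). -->
<bean id="authenticationProcessingFilter"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property>
  <property name="defaultTargetUrl"><value>/</value></property>
  <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
</bean>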

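<!-- Entry point that sends unauthenticated users to the login form at
     /acegilogin.jsp. The class name is rejoined here; the pasted listing had
     a space inside it ("AuthenticationProcessi ngFilterEntryPoint").

     NOTE(review): forceHttps is false and the filter chain has no
     channelProcessingFilter, so nothing in this file requires the login form
     or its submission to use HTTPS. Outside a local test setup, serve the
     login over TLS so the password is not sent in clear text. -->
<bean id="authenticationProcessingFilterEntryPoint"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
  <property name="forceHttps"><value>false</value></property>
</bean>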


<!-- Note the order that entries are placed against the
objectDefinitionSource is critical.
The FilterSecurityInterceptor will work from the top of the list down
to the FIRST pattern that matches the request URL.
Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions
first, with LEAST SPECIFIC (ie a/.*) expressions last -->
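<!-- URL authorization: the first pattern matching the lower-cased request
     URL decides which roles are required. There is no PATTERN_TYPE_APACHE_ANT
     directive here, so the \A...\Z entries are regular expressions. The class
     name is rejoined here; the pasted listing had a space inside it
     ("FilterSecurityInte rceptor").

     /secure/super* requires ROLE_WE_DONT_HAVE, which by its name is meant to
     be held by nobody; everything else under /secure/ requires
     ROLE_SUPERVISOR or ROLE_TELLER.

     NOTE(review): these role names must match what ldapPopulator produces
     (ROLE_ plus the upper-cased group attribute), otherwise a user who binds
     successfully is still denied.

     NOTE(review): URLs that match no pattern carry no role requirement;
     confirm that leaving everything outside /secure/ unprotected is
     intended. -->
<bean id="filterInvocationInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager"><ref local="authenticationManager"/></property>
  <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      \A/secure/super.*\Z=ROLE_WE_DONT_HAVE
      \A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
    </value>
  </property>
</bean>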

</beans>


Thanks.
PLKAlbert

ulsa
May 22nd, 2007, 02:19 AM
First of all, it will be a lot easier to read your code and configuration if you use the [code]your code here[/code] tag.

Second, you're more likely to get an answer if you post your question to the Acegi Security forum (http://forum.springframework.org/forumdisplay.php?f=33). Acegi Security is not using Spring LDAP for its LDAP integration.