Error using LDAP Authentication with Microsoft ADAM

**eborisow** · Jun 6th, 2011, 08:20 AM

Hi,

I have spent quite some time trying to figure out what I'm doing wrong, but I can't seem to get it. I'm trying to access a protected URL. I am using Spring Security 3.0.5. When I used the simple user name and password, I was getting prompted and then was able to access the page. However, with LDAP configuration, I'm unable to get it to work. I'm using Microsoft's ADAM for the LDAP side. To start with, here is my configuration:

HTML Code:

    <http auto-config="true">
    	<http-basic/>
    	<intercept-url pattern="/app/tutorials/list" access="ROLE_Administrators"></intercept-url>
    </http>
    
    <authentication-manager>
    	<authentication-provider>
    		<password-encoder hash="{sha}"/>
    		<ldap-user-service server-ref="ldapServer"
    		user-search-filter="(userPrincipalName={0})" user-search-base="ou=people"
    		group-search-filter="(member={0})" group-search-base="ou=groups" role-prefix="ROLE_"/>
    	</authentication-provider>
    </authentication-manager>
    
    <ldap-server id="ldapServer"
    url="ldap://server.myDomain.com:50000/dc=myDomain,dc=com"
    manager-dn="cn=admin,ou=people,dc=myDomain,dc=com" manager-password="password"/>

Next, here is the output in the log:

HTML Code:

2011-06-06 12:53:20,215 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:195)  - Converted URL to lowercase, from: '/app/tutorials/list'; to: '/app/tutorials/list'
2011-06-06 12:53:20,277 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:202)  - Candidate is: '/app/tutorials/list'; pattern is /**; matched=true
2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:375)  - /app/tutorials/list at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository(HttpSessionSecurityContextRepository.java:130)  - No HttpSession currently exists
2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository(HttpSessionSecurityContextRepository.java:88)  - No SecurityContext was available from the HttpSession: null. A new one will be created.
2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:375)  - /app/tutorials/list at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:375)  - /app/tutorials/list at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:375)  - /app/tutorials/list at position 4 of 11 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.FilterChainProxy(FilterChainProxy.java:375)  - /app/tutorials/list at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.web.authentication.[url]www.BasicAuthenticationFilter(BasicAuthenticationFilter.java:131[/url])  - Basic Authentication Authorization header found for user 'jsmith'
2011-06-06 12:53:20,293 [http-8080-6] DEBUG org.springframework.security.authentication.ProviderManager(ProviderManager.java:127)  - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2011-06-06 12:53:20,308 [http-8080-6] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch(FilterBasedLdapUserSearch.java:107)  - Searching for user 'jsmith', with user search [ searchFilter: '(userPrincipalName={0})', searchBase: 'ou=people', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2011-06-06 12:53:20,371 [http-8080-6] DEBUG org.springframework.ldap.core.support.AbstractContextSource(AbstractContextSource.java:259)  - Got Ldap context on server 'ldap://server.myDomain.com:50000/dc=myDomain,dc=com'
2011-06-06 12:53:20,371 [http-8080-6] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate(SpringSecurityLdapTemplate.java:200)  - Searching for entry in under DN 'dc=myDomain,dc=com', base = 'ou=people', filter = '(userPrincipalName={0})'
2011-06-06 12:53:20,371 [http-8080-6] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate(SpringSecurityLdapTemplate.java:216)  - Found DN: cn=John Smith,ou=people
2011-06-06 12:53:20,387 [http-8080-6] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator(DefaultLdapAuthoritiesPopulator.java:179)  - Getting authorities for user cn=John Smith,ou=people,dc=myDomain,dc=com
2011-06-06 12:53:20,387 [http-8080-6] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator(DefaultLdapAuthoritiesPopulator.java:208)  - Searching for roles for user 'jsmith', DN = 'cn=John Smith,ou=people,dc=myDomain,dc=com', with filter (member={0}) in search base 'ou=groups'
2011-06-06 12:53:20,387 [http-8080-6] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate(SpringSecurityLdapTemplate.java:151)  - Using filter: (member=cn=John Smith,ou=people,dc=myDomain,dc=com)
2011-06-06 12:53:20,387 [http-8080-6] INFO  org.springframework.ldap.core.LdapTemplate(LdapTemplate.java:1262)  - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2011-06-06 12:53:20,387 [http-8080-6] DEBUG org.springframework.ldap.core.support.AbstractContextSource(AbstractContextSource.java:259)  - Got Ldap context on server 'ldap://server.myDomain.com:50000/dc=myDomain,dc=com'
2011-06-06 12:53:20,433 [http-8080-6] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator(DefaultLdapAuthoritiesPopulator.java:216)  - Roles from search: [New users for site Demo Site, Administrators, admin]
2011-06-06 12:53:20,433 [http-8080-6] DEBUG org.springframework.security.ldap.userdetails.LdapUserDetailsMapper(LdapUserDetailsMapper.java:51)  - Mapping user details from context with DN: cn=John Smith,ou=people,dc=myDomain,dc=com
2011-06-06 12:53:20,449 [http-8080-6] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository(HttpSessionSecurityContextRepository.java:338)  - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
2011-06-06 12:53:20,449 [http-8080-6] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter(SecurityContextPersistenceFilter.java:89)  - SecurityContextHolder now cleared, as request processing completed

Finally, here is the error that appears on the web page:

HTML Code:

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

java.lang.NullPointerException
	org.springframework.security.authentication.encoding.LdapShaPasswordEncoder.extractPrefix(LdapShaPasswordEncoder.java:155)
	org.springframework.security.authentication.encoding.LdapShaPasswordEncoder.isPasswordValid(LdapShaPasswordEncoder.java:129)
	org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:68)
	org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:146)
	org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)
	org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
	org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:148)
	org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
	org.springframework.security.web.authentication.[url]www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:142[/url])
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
	org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:91)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
	org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
	org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
	org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)

I was initially thinking that it was a problem with the mapping of the Role to the Group, but now it just seems like the 'SecurityContext is empty' is the cause of the problem, but I'm not quite sure. Can anyone offer some ideas?

Thanks,
Eric

**Luke Taylor** · Jun 6th, 2011, 09:18 AM

It's unlikely you can treat ADAM as a UserDetailsService, since (assuming it behaves like AD), you can't read the password from the directory. You'll probably need to use proper LDAP bind authentication.

**eborisow** · Jun 6th, 2011, 10:38 AM

Luke,

Thanks! That worked. The only caveat is that I'm not able to login with my selected attribute. For me, it's not a big deal because this is a development environment. Anyway, here's the updated config. Oh, I also had to uppercase the role name in the access attribute.

Regards,
Eric

HTML Code:

<http auto-config="true">
	<http-basic/>
	<intercept-url pattern="/app/tutorials/list" access="ROLE_ADMINISTRATORS"></intercept-url>
</http>

<authentication-manager>
	<authentication-provider ref="ldapAuthProvider"/>
</authentication-manager>
 
<beans:bean id="contextSource"
		class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://server.myDomain.com:50000/dc=myDomain,dc=com"/>
  <beans:property name="userDn" value="cn=admin,ou=people,dc=myDomain,dc=com"/>
  <beans:property name="password" value="password"/>
</beans:bean>

<beans:bean id="ldapAuthProvider"
	class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
 <beans:constructor-arg>
   <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
	 <beans:constructor-arg ref="contextSource"/>
	 <beans:property name="userDnPatterns">
	   <beans:list><beans:value>cn={0},ou=people</beans:value></beans:list>
	 </beans:property>
   </beans:bean>
 </beans:constructor-arg>
 <beans:constructor-arg>
   <beans:bean
	 class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
	 <beans:constructor-arg ref="contextSource"/>
	 <beans:constructor-arg value="ou=groups"/>
	 <beans:property name="groupRoleAttribute" value="cn"/>
   </beans:bean>
 </beans:constructor-arg>
</beans:bean>

Thread: Error using LDAP Authentication with Microsoft ADAM

Thread Tools

Display

Error using LDAP Authentication with Microsoft ADAM

That works

Tags for this Thread

Posting Permissions