Maybe an admin can move the thread to spring-security.
I am back with this error as it is one of the last issues to sort out.
I tried updating spring-security to 3.1.3.RELEASE and spring to 3.0.6.RELEASE, but the error is still there. Now at least I have a stack trace.
First login attempt with error:
Code:
2012-12-07 10:44:29,598 [qtp6825008-24] DEBUG org.springframework.security.ldap.DefaultSpringSecurityContextSource - Removing pooling flag for user uid=efedrep,ou=users,ou=Internal,o=company
2012-12-07 10:44:30,006 [qtp6825008-24] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Retrieving attributes...
2012-12-07 10:44:30,192 [qtp6825008-24] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user uid=efedrep,ou=users,ou=Internal,o=company
2012-12-07 10:44:30,192 [qtp6825008-24] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'efedrep', DN = 'uid=efedrep,ou=users,ou=Internal,o=company', with filter (uniqueMember={0}) in search base ''
2012-12-07 10:44:30,193 [qtp6825008-24] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Using filter: (uniqueMember=uid=efedrep,ou=users,ou=Internal,o=company)
2012-12-07 10:44:30,200 [qtp6825008-24] INFO org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2012-12-07 10:44:30,358 [qtp6825008-24] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2012-12-07 10:44:30,359 [qtp6825008-24] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2012-12-07 10:44:30.359:WARN:oejs.ServletHandler:/boat2/j_spring_security_check
org.springframework.ldap.AuthenticationException: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:182)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:266)
at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:106)
at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:125)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:287)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:524)
at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:173)
at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:215)
at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGrantedAuthorities(DefaultLdapAuthoritiesPopulator.java:185)
at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.loadUserAuthorities(LdapAuthenticationProvider.java:197)
at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:63)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
at
...
Caused by:
javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:290)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
Second attempt goes fine:
Code:
2012-12-06 17:09:52,845 [qtp17518647-22] DEBUG org.springframework.security.ldap.DefaultSpringSecurityContextSource - Removing pooling flag for user uid=efedrep,ou=users,ou=Internal,o=company
2012-12-06 17:09:53,251 [qtp17518647-22] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Retrieving attributes...
2012-12-06 17:09:53,341 [qtp17518647-22] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user uid=efedrep,ou=users,ou=Internal,o=company
2012-12-06 17:09:53,342 [qtp17518647-22] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'efedrep', DN = 'uid=efedrep,ou=users,ou=Internal,o=company', with filter (uniqueMember={0}) in search base ''
2012-12-06 17:09:53,342 [qtp17518647-22] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Using filter: (uniqueMember=uid=efedrep,ou=users,ou=Internal,o=company)
2012-12-06 17:09:53,343 [qtp17518647-22] INFO org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2012-12-06 17:09:53,465 [qtp17518647-22] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Roles from search: [EP_ESS_01_A_MUS]
2012-12-06 17:09:53,469 [qtp17518647-22] DEBUG org.springframework.security.ldap.userdetails.LdapUserDetailsMapper - Mapping user details from context with DN: uid=efedrep,ou=users,ou=Internal,o=company
I haven't modified much of the spring security, but here it is:
Code:
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:http create-session="never" auto-config="false">
        <security:intercept-url pattern="/spring/main/**" access="ROLE_ADMIN, ROLE_MANAGER, ROLE_TEAMLEADER" />
        <security:access-denied-handler error-page="/spring/denied" />
        <security:form-login authentication-failure-url="/spring/login?login_error=1" default-target-url="/spring/main"
            login-processing-url="/j_spring_security_check" login-page="/spring/login" />
        <security:logout logout-success-url="/spring/logoutSuccess" logout-url="/spring/logout" />
        <security:http-basic />
    </security:http>

    <bean class="com.company.boat.login.service.CustomUserDetailsMapper" id="customUserContextMapper" />

    <security:authentication-manager>
        <security:ldap-authentication-provider user-context-mapper-ref="customUserContextMapper" user-dn-pattern="uid={0},ou=users,ou=Internal,o=company" />
    </security:authentication-manager>

    <security:ldap-server manager-password="PWD" manager-dn="uid=Uname,ou=Users,ou=Internal,o=company" url="ldap://egd.company.es" />
</beans>
What catches my attention is why the first time it logs
Code:
org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
and the second one
Code:
org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Roles from search: [EP_ESS_01_A_MUS]
org.springframework.security.ldap.userdetails.LdapUserDetailsMapper - Mapping user details from context with DN: uid=efedrep,ou=users,ou=Internal,o=company
Any help would be much appreciated!