Hi!
I am using ACEGI v1.0.7 to authenticate my java website against a Windows AD. The LDAP part of the equation is working fine. The server talks to the AD, does a Bind, searches for the user, gets the group membership etc.
However, the group membership being returned from the LdapAuthoritiesPopulator is wrong - it is returning the authenticated user's DN, instead of the 'name' attribute of the group he belongs to.
Here is the exception I am getting:
2009-07-16 16:14:34,061 WARN [org.acegisecurity.event.authorization.LoggerListener] Security authorization failed due to: org.acegisecurity.AccessDeniedException: Access is denied; authenticated principal: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@1f52c80e: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@7548c; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: dlicuqvilt4d; Granted Authorities: ROLE_CN=ROLE_IMPORTER,OU=DEVELOPMENT,OU=SERVICE ACCOUNTS,OU=ACMESEA,DC=ACME,DC=LOCAL; secure object: FilterInvocation: URL: /import?type=DEFAULT; configuration attributes: [ROLE_IMPORTER_GROUP]
2009-07-16 16:14:34,077 DEBUG [org.acegisecurity.ui.ExceptionTranslationFilter] Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.acegisecurity.AccessDeniedException: Access is denied
at org.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:68)
at org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:323)
at org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:104)
at org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:275)
at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:124)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:275)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:275)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:275)
at org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:275)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
------
As you can see from above, the GrantedAuthority for this principal is "ROLE_CN=ROLE_IMPORTER,OU=DEVELOPMENT,OU=SERVICE ACCOUNTS,OU=ACMESEA,DC=ACME,DC=LOCAL". However, this is wrong: this is the DN of the authenticated user, as can be seen from the output of ldp.exe:
Expanding base 'CN=ROLE_IMPORTER,OU=Development,OU=Service Accounts,OU=ACMESEA,DC=ACME,DC=LOCAL'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=ROLE_IMPORTER,OU=Development,OU=Service Accounts,OU=ACMESEA,DC=ACME,DC=LOCAL
4> objectClass: top; person; organizationalPerson; user;
1> cn: ROLE_IMPORTER;
1> givenName: ROLE_IMPORTER;
1> distinguishedName: CN=ROLE_IMPORTER,OU=Development,OU=Service Accounts,OU=ACMESEA,DC=ACME,DC=LOCAL;
Here is my filterInvocationInterceptor:
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager">
    <bean class="org.acegisecurity.vote.AffirmativeBased">
      <property name="allowIfAllAbstainDecisions" value="false"/>
      <property name="decisionVoters">
        <list>
          <bean class="org.acegisecurity.vote.RoleVoter"/>
          <bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
        </list>
      </property>
    </bean>
  </property>
  <property name="objectDefinitionSource">
    <value><![CDATA[
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/tasks=ROLE_IMPORTER
/import=ROLE_IMPORTER
/bvt=ROLE_IMPORTER
/process=ROLE_IMPORTER_GROUP
/workflow=ROLE_IMPORTER_GROUP
/listauditlog=ROLE_IMPORTER_GROUP
/editpropertytransaction=ROLE_PROPERTY_TRANSACTION_
    ]]></value>
  </property>
</bean>
------
Here is my LDAP conf:
<bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <!-- bind authenticator uses the details of the LDAP server bean, and the userSearch bean -->
    <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg>
        <ref local="initialDirContextFactory"/>
      </constructor-arg>
      <property name="userSearch" ref="userSearch"/>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg>
        <ref local="initialDirContextFactory"/>
      </constructor-arg>
      <constructor-arg>
        <value>OU=Development,OU=Security Groups,OU=ACMESEA,DC=ACME,DC=LOCAL</value>
      </constructor-arg>
      <property name="groupRoleAttribute">
        <value>member</value>
      </property>
      <!-- the following properties are shown with their default values -->
      <property name="searchSubtree"><value>false</value></property>
      <property name="rolePrefix"><value>ROLE_</value></property>
      <property name="convertToUpperCase"><value>true</value></property>
    </bean>
  </constructor-arg>
</bean>
------
As you can see, there is a group with that name that has the user as its member:
-------
Expanding base 'CN=ROLE_IMPORTER_GROUP,OU=Development,OU=Security Groups,OU=ACMESEA,DC=ACME,DC=LOCAL'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=ROLE_IMPORTER_GROUP,OU=Development,OU=Security Groups,OU=ACMESEA,DC=ACME,DC=LOCAL
2> objectClass: top; group;
1> cn: ROLE_IMPORTER_GROUP;
1> member: CN=ROLE_IMPORTER,OU=Development,OU=Service Accounts,OU=ACMESEA,DC=ACME,DC=LOCAL;
1> distinguishedName: CN=ROLE_IMPORTER_GROUP,OU=Development,OU=Security Groups,OU=ACMESEA,DC=ACME,DC=LOCAL;
-----
To summarize:
Expecting Granted authority = ROLE_IMPORTER_GROUP (of type group)
Received Granted Authority = ROLE_IMPORTER (of type person)
Any idea what I am doing wrong?
Thanks
feroze.
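Editor's note with an added configuration example; this is not part of feroze's post and is not code from the Acegi project. DefaultLdapAuthoritiesPopulator searches the group base with its groupSearchFilter (default `(member={0})`, `{0}` being the authenticated user's DN), then reads the attribute named by groupRoleAttribute from each matching group entry, upper-cases it and prepends rolePrefix. With groupRoleAttribute set to `member`, the value read from the group is the member's DN, which is exactly the `ROLE_CN=ROLE_IMPORTER,OU=DEVELOPMENT,...` authority in the log above. The populator bean below uses the bean id and group search base from the posted configuration, with the role attribute switched to `cn`:

```xml
<!-- Added example: DefaultLdapAuthoritiesPopulator returning each group's cn as the
     role name. initialDirContextFactory and the search base are taken from the
     posted configuration; everything else is explained inline. -->
<bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
  <constructor-arg>
    <ref local="initialDirContextFactory"/>
  </constructor-arg>
  <constructor-arg>
    <value>OU=Development,OU=Security Groups,OU=ACMESEA,DC=ACME,DC=LOCAL</value>
  </constructor-arg>
  <!-- Default filter, shown explicitly: {0} is the user's DN, so this selects the
       groups the user is a member of. It is the filter, not groupRoleAttribute,
       that ties the user to the group. -->
  <property name="groupSearchFilter" value="(member={0})"/>
  <!-- The role name is taken from THIS attribute of each matching group entry.
       "member" (as posted) yields the user's own DN; "cn" yields the group name. -->
  <property name="groupRoleAttribute" value="cn"/>
  <!-- rolePrefix is prepended unconditionally (the log shows ROLE_ glued onto a DN).
       The group cn already starts with ROLE_, so an empty prefix gives
       ROLE_IMPORTER_GROUP; the default "ROLE_" would give ROLE_ROLE_IMPORTER_GROUP,
       which the objectDefinitionSource would never match. -->
  <property name="rolePrefix" value=""/>
  <property name="convertToUpperCase" value="true"/>
  <!-- false is enough here because the group sits directly under the search base;
       set it to true if groups live in nested OUs below the base. -->
  <property name="searchSubtree" value="false"/>
</bean>
```

Two checks worth doing after the change. First, the RoleVoter in the posted interceptor only votes on configuration attributes that start with `ROLE_`, so keeping the group names (or an explicit prefix) in that form is what makes `/process`, `/workflow` and `/listauditlog` decidable. Second, `/tasks`, `/import` and `/bvt` are mapped to `ROLE_IMPORTER`; once roles come from group cn values, that authority is only granted if a group with cn `ROLE_IMPORTER` exists in the search base, since the service account's own cn is never turned into a role.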