Thread: LDAP authentication working but Bad credentials sometimes

  1. #1
    Join Date
    Aug 2010
    Posts
    9

    Question LDAP authentication working but Bad credentials sometimes

    I am using Spring Security 2.0.3.
    I've set up an LDAP authentication which is working well on localhost with Windows XP. When I deploy it on my Linux server (Debian), it's working most of the time, but I sometimes get a BadCredentials exception. I've checked my login and password. What could be the reason?

    [EDIT]
    Here is the error logged:
    Code:
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.intercept.AbstractSecurityInterceptor  - Secure object: FilterInvocation: URL: /logon.html?erreur=1; ConfigAttributes: [ROLE_LECTEUR, ROLE_COL, ROLE_CE, ROLE_CE_DIR, ROLE_ADMIN]
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.ui.ExceptionTranslationFilter  - Authentication exception occurred; redirecting to authentication entry point
    org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    	at org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)
    	at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
    	at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    	at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
    	at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
    	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
    	at org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:271)
    	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
    	at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
    	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
    	at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:174)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:183)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    	at org.jstripe.tomcat.probe.Tomcat55AgentValve.invoke(Tomcat55AgentValve.java:20)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
    	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    	at java.lang.Thread.run(Thread.java:595)
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.ui.ExceptionTranslationFilter  - Authentication entry point being called; SavedRequest added to Session: SavedRequest[http://172.XX.X.XX:8081/extranet-0.02/logon.html?erreur=1]
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.context.HttpSessionContextIntegrationFilter  - HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.context.HttpSessionContextIntegrationFilter  - SecurityContextHolder now cleared, as request processing completed
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.util.FilterChainProxy  - Converted URL to lowercase, from: '/logon.html'; to: '/logon.html'
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.util.FilterChainProxy  - Candidate is: '/logon.html'; pattern is /logon.html; matched=true
    19/08/2010 09:42:50 [Thread-0] DEBUG - org.springframework.security.util.FilterChainProxy  -  has an empty filter list
    [/EDIT]

    Here is a sample of my applicationContext-security.xml:

    Code:
    <bean id="contextSource"
    		class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    		<constructor-arg value="ldap://VS-DC01.mydomain.fr:389/DC=mydomain,DC=fr" />
    		<property name="userDn"
    			value="CN=adsearch,OU=Compte de service,OU=MyOU,DC=mydomain,DC=fr" />
    		<property name="password" value="adsearch" />
    		<property name="baseEnvironmentProperties">
    			<map>
    				<entry key="java.naming.referral">
    					<value>follow</value>
    				</entry>
    			</map>
    		</property>
    	</bean>
    Any help would be appreciated. Thank you!
    Last edited by aukebefo; Aug 19th, 2010 at 03:53 AM.

  2. #2
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    It's going to be impossible for us to help diagnose without logs illustrating the type of error you're seeing. Please attach logs on DEBUG showing one of these errors.
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  3. #3
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    Are you using bind authentication or password compare authentication in Spring Security?


  4. #4
    Join Date
    Aug 2010
    Posts
    9

    I edited the first message, giving the error logs.
    Last edited by aukebefo; Aug 19th, 2010 at 10:04 AM.

  5. #5
    Join Date
    Aug 2010
    Posts
    9

    I use bindAuthenticator

    Code:
    <bean id="bindAuthenticator"
    	class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
    	<constructor-arg ref="contextSource" />
    	<!-- For authentication -->
    	<property name="userSearch">
    		<bean id="userSearch"
    			class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    			<constructor-arg index="0" value="" />
    			<constructor-arg index="1" value="sAMAccountName={0}" />
    			<constructor-arg index="2" ref="contextSource" />
    		</bean>
    	</property>
    </bean>

  6. #6
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Quote: Originally posted by aukebefo
    I edited the first message, giving the error logs.
    That isn't an error - check the FAQ.

    You need to show the error from your LDAP server. Write a test case which only attempts to authenticate (i.e without running in a web application). Until you get that working it is just complicating matters and slowing down the debug process if you try to run a full application.
    Spring - by Pivotal
    twitter @tekul

  7. #7
    Join Date
    Aug 2010
    Posts
    9

    Quote: Until you get that working it is just complicating matters and slowing down the debug process if you try to run a full application.
    I already got it working perfectly @ localhost. It's working well on my server as well, but sometimes, if I try to reconnect after my session expired, I get a bad credentials error. It's not every time and it's working perfectly when there is previous activity. I don't know where it's coming from.

  8. #8
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    If it's an LDAP login failure then the information should be in the debug log file.

  9. #9
    Join Date
    Aug 2010
    Posts
    9

    It seems the LDAP is not giving an answer fast enough, so the daoAuthenticator takes over.

    Here is the sample debug when the authentication is working with LDAP:
    Code:
    [...]
    DEBUG - org.springframework.security.providers.ProviderManager  - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
     DEBUG - org.springframework.security.ldap.search.FilterBasedLdapUserSearch  - Searching for user 'jodo', with user search [ searchFilter: 'sAMAccountName={0}', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
     DEBUG - org.springframework.ldap.core.support.AbstractContextSource  - Principal: 'CN=adsearch,OU=Compte de service,OU=Domain,DC=Domain,DC=fr'
     DEBUG - org.springframework.ldap.core.support.AbstractContextSource  - Got Ldap context on server 'ldap://VS-DC01.Domain.fr:389/dc=Domain,dc=fr'
     DEBUG - org.springframework.security.ldap.DefaultSpringSecurityContextSource  - Creating context with principal: 'cn=John Doe, ou=Utilisateurs, ou=Domain_Nantes, dc=domain, dc=fr'
     DEBUG - org.springframework.ldap.core.support.AbstractContextSource  - Got Ldap context on server 'ldap://VS-DC01.Domain.fr:389/dc=Domain,dc=fr'
     DEBUG - org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator  - Getting authorities for user cn=John Doe, ou=Utilisateurs, ou=Domain_Nantes, dc=Domain, dc=fr
    [...]
    Here is the sample when daoAuthenticator takes over:

    Code:
    [...]
    DEBUG - org.springframework.security.providers.ProviderManager  - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
    DEBUG - org.springframework.security.ldap.search.FilterBasedLdapUserSearch  - Searching for user 'auke', with user search [ searchFilter: 'sAMAccountName={0}', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
    DEBUG - org.springframework.ldap.core.support.AbstractContextSource  - Principal: 'CN=adsearch,OU=Compte de service,OU=Domain,DC=Domain,DC=fr'
    DEBUG - org.springframework.ldap.core.support.AbstractContextSource  - Got Ldap context on server 'ldap://VS-DC01.Domain.fr:389/dc=Domain,dc=fr'
    DEBUG - org.springframework.security.providers.ProviderManager  - Authentication attempt using org.springframework.security.providers.dao.DaoAuthenticationProvider
    DEBUG - org.springframework.jdbc.core.JdbcTemplate  - Executing prepared SQL query
    DEBUG - org.springframework.jdbc.core.JdbcTemplate  - Executing prepared SQL statement [SELECT LOG_COL as username, PAS_COL as password, ACT_COL as enabled
    				FROM COLLABORATEUR
    				WHERE LOG_COL=?
    				]
    [...]
    Is there something I can do to make the LdapAuthenticationProvider wait longer? Or am I looking the wrong way?
    Last edited by aukebefo; Aug 20th, 2010 at 09:30 AM.
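
Added example, not part of the original thread: a Python triage over Spring Security DEBUG output like the two excerpts in post #9, reporting for each login whether the LDAP stage got as far as binding as the user before ProviderManager moved on to another provider. The sample log is constructed (shortened from those excerpts), `triage` is an illustrative name, and the script assumes the log holds one login at a time (filter by thread first if it does not).

```python
import re

# Constructed sample, shortened from the two DEBUG excerpts in post #9.
SAMPLE_LOG = """\
DEBUG - org.springframework.security.providers.ProviderManager  - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
 DEBUG - org.springframework.security.ldap.search.FilterBasedLdapUserSearch  - Searching for user 'jodo', with user search [ searchFilter: 'sAMAccountName={0}', searchBase: '' ]
 DEBUG - org.springframework.ldap.core.support.AbstractContextSource  - Got Ldap context on server 'ldap://VS-DC01.Domain.fr:389/dc=Domain,dc=fr'
 DEBUG - org.springframework.security.ldap.DefaultSpringSecurityContextSource  - Creating context with principal: 'cn=John Doe, ou=Utilisateurs, ou=Domain_Nantes, dc=domain, dc=fr'
 DEBUG - org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator  - Getting authorities for user cn=John Doe, ou=Utilisateurs, ou=Domain_Nantes, dc=Domain, dc=fr
DEBUG - org.springframework.security.providers.ProviderManager  - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
DEBUG - org.springframework.security.ldap.search.FilterBasedLdapUserSearch  - Searching for user 'auke', with user search [ searchFilter: 'sAMAccountName={0}', searchBase: '' ]
DEBUG - org.springframework.ldap.core.support.AbstractContextSource  - Got Ldap context on server 'ldap://VS-DC01.Domain.fr:389/dc=Domain,dc=fr'
DEBUG - org.springframework.security.providers.ProviderManager  - Authentication attempt using org.springframework.security.providers.dao.DaoAuthenticationProvider
"""

LINE = re.compile(r"DEBUG - (\S+)\s+- (.*)$")  # tolerates a date/thread prefix
ATTEMPT = "Authentication attempt using "


def triage(log_text):
    """Return (user, reached_user_bind, providers_tried) per login that starts at LDAP."""
    logins, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # stack-trace lines, "[...]" markers, wrapped SQL
        logger, msg = m.group(1).rsplit(".", 1)[-1], m.group(2)
        if logger == "ProviderManager" and msg.startswith(ATTEMPT):
            provider = msg[len(ATTEMPT):].rsplit(".", 1)[-1]
            if provider == "LdapAuthenticationProvider":
                cur = {"user": None, "bind": False, "providers": [provider]}
                logins.append(cur)
            elif cur is not None:
                cur["providers"].append(provider)  # moved on to the next provider
        elif cur is None:
            continue
        elif logger == "FilterBasedLdapUserSearch":
            found = re.search(r"Searching for user '([^']*)'", msg)
            cur["user"] = found.group(1) if found else None
        elif logger == "DefaultSpringSecurityContextSource" and msg.startswith("Creating context with principal"):
            cur["bind"] = True  # in the working excerpt this line carries the user's DN
    return [(l["user"], l["bind"], l["providers"]) for l in logins]
```

For the failing excerpt the result shows the LDAP stage ending after the service-account search context and before any bind as the user, so the password itself was never presented to the directory in that attempt.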
