Spring Security Active Directory LDAP身份验证错误

时间:2019-12-15 08:34:51

标签: spring spring-security active-directory ldap spring-security-ldap

当我使用Spring Security Active Directory LDAP Authentication时,在对用户进行身份验证时,出现错误消息 PartialResultException 。我也创建了一个测试运行程序文件,在其中对用户进行身份验证而没有错误,但是在对活动目录进行身份验证时,我无法进行身份验证。感谢您的宝贵帮助。

测试Runner2.java文件 

package com.company.test;

import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;


public class Runner2 {

    private static String providerUrl = "ldap://ADHO.COMPANY.NET:389";

    private static String principle = "@company.ad";

    public static final String SEARCH_BY_SAM_ACCOUNT_NAME = "(sAMAccountName=%s)";

    public static boolean authenticateAD(String user , String password) throws Exception {

        InitialDirContext context=null;
        Hashtable<String, String> env = new Hashtable<String, String>();
        String securityPrinciple = user + principle;
        System.out.println("Security principal to search ->"+securityPrinciple);

        // Configure our directory context environment.
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_PRINCIPAL, securityPrinciple);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {

        context = new InitialDirContext(env);       
        return true;

        }catch(AuthenticationException e) {

         throw new AuthenticationException();

        }catch(Exception e) {

            throw new Exception();
        }
        finally { 
            try {
                if (context != null) {
                    context.close();
                }
            } catch (NamingException e) {

            } 
        } 

    }

    public static void main(String[] args) throws Exception {

        String r1 = "USRXXXX;
        String r2 = "Pass#word102";
        authenticateAD(r1,r2);
    }

}

ldap.properties文件 

ad.domain=company.ad
ad.url=ldap://ADHO.COMPANY.NET:389/

SpringSecurityConfig.java文件 

package com.company.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

import com.onezero.config.AuthenticationEntryPoint;

import java.util.Arrays;

@Configuration
@EnableWebSecurity
@PropertySource("classpath:ldap.properties")
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private Environment env;

    @Bean
    public AuthenticationEntryPoint customAuthenticationEntry() throws Exception {
      return new AuthenticationEntryPoint();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {


        http.authorizeRequests()
           .antMatchers("/welcome","/atm/**","/atm2/**","/**","/survey/**","/usrauth/**").authenticated()
           .and()
           .httpBasic()
           .authenticationEntryPoint(customAuthenticationEntry())
           .and()
           .exceptionHandling()
           .and()
           .csrf().disable()
           .sessionManagement()
           .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    }


    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
    }

    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
    ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(
    env.getProperty("ad.domain"), env.getProperty("ad.url"));

        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);




        return provider;

    }


}

1 个答案:

答案 0 :(得分:0)

服务器返回引荐时,可以引发PartialResultException。这就是服务器所说的“我不知道您在说什么,但我知道谁在说”。 this answer中对选项有很好的解释。一种是设置:

env.put(Context.REFERRAL, "follow");

这将告诉它将请求发送到服务器告诉我们去的任何地方。但是我认为这不是一个好的解决方案。当只有一个网络请求时,您将最终发出两个网络请求。更改配置以指向正确的位置是一个更好的选择。

找出其抱怨的一种方法是检查PartialResultException对象的resolvedName属性。那应该告诉您它将邮件发送到哪里,您可以更改配置以首先指向该位置。

我不是Java开发人员,所以有很多猜测,但是我知道AD的工作原理。仍然尝试一下。

相关问题
最新问题