通过 Spring security ldap 对用户进行身份验证时未授予任何权限错误

Posted 2023-02-27

【中文标题】通过 Spring security ldap 对用户进行身份验证时未授予任何权限错误

【英文标题】：Not granted any authorities error while authenticating user via Spring security ldap

【发布时间】：2020-03-27 00:45:47

【问题描述】：

我正在尝试使用我已成功配置 LDAP 的 Spring Boot 通过 LDAP 服务器对用户进行身份验证。现在，当我使用 authenticationManager() 验证用户凭据时，我收到了not granted any authorities 错误。 我已经尝试了几个代码，但没有找到任何合适的解决方案，或者我可能错过了整个身份验证过程的一些重要点。

控制器：

@RequestMapping(value = "/login", method = RequestMethod.POST)
//  public ResponseEntity<?> authenticateUser(@Valid @RequestBody LoginRequest loginRequest, BindingResult result)

    public ResponseEntity<?> authenticateUser(@Valid @ModelAttribute LoginRequest loginRequest, BindingResult result)
        ResponseEntity<?> errorMap = mapValidationErrorService.getMapValidationErrors(result);
        if(errorMap != null) return errorMap;
        String jwt = null;

        try 
                Authentication authentication = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword()) );
                System.out.println("test : "+authentication.toString());
                SecurityContextHolder.getContext().setAuthentication(authentication);
                jwt = TOKEN_PREFIX + tokenProvider.generateToken(authentication);
        catch (Exception e) 
                return new ResponseEntity<>("Not Authorized", HttpStatus.FORBIDDEN);
        

安全配置

public class SecurityConfig extends WebSecurityConfigurerAdapter 

    @Value("$ldap-url")
    private String url;

    @Value("$ldap-basedn")
    private String baseDn;

    @Value("$ldap-user-password")
    private String userPassword;

    @Value("$ldap-user-dnpattern")
    private String userDnPattern;

    @Value("$ldap.password")
    private String ldapPrincipalPassword;

    @Value("$ldap.username")
    private String ldapSecurityPrincipal;

    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedhandler;

    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    @Bean
    public JwtAuthenticationFilter jwtAuthenticationFilter()  return new JwtAuthenticationFilter();

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception 
        auth
        .ldapAuthentication()
            .userDnPatterns(userDnPattern)
            .contextSource()
                .url(url+baseDn)
                .managerDn(ldapSecurityPrincipal)
                .managerPassword(ldapPrincipalPassword)
                .and()
                .passwordCompare()
                .passwordEncoder(new LdapShaPasswordEncoder())
                .passwordAttribute("userPassword");


//      super.configure(auth);
//      auth.userDetailsService(customUserDetailsService).passwordEncoder(bCryptPasswordEncoder);
    


    @Override
    @Bean(BeanIds.AUTHENTICATION_MANAGER)
    protected AuthenticationManager authenticationManager() throws Exception 
        // TODO Auto-generated method stub
        return super.authenticationManager();
    

    @Override
    protected void configure(HttpSecurity http) throws Exception 

        http.cors();
        http.csrf().disable()
            .exceptionHandling().authenticationEntryPoint(null).and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .headers().frameOptions().sameOrigin()
            .and()
            .authorizeRequests()
            .antMatchers(
                    "/",
                    "favicon.ico",
                    "/**/*.png",
                    "/**/*.gif",
                    "/**/*.svg",
                    "/**/*.jpg",
                    "/**/*.html",
                    "/**/*.css",
                    "/**/*.js"
            ).permitAll()
            .antMatchers("/api/users/**").permitAll()
            .anyRequest().fullyAuthenticated();

//          .antMatchers(SIGN_UP_URLS).permitAll()
//          .anyRequest()
//          .authenticated();


            http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

        super.configure(http);
    

     @Bean
    public BCryptPasswordEncoder passwordEncoder() 
        BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
        return bCryptPasswordEncoder;
    

认证结果为：

test : org.springframework.security.authentication.UsernamePasswordAuthenticationToken@58d6c26a: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@a7293dae: Dn: mail=email@gmail.com,ou=projectName,o=companyName; Username: email@gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities

请帮我解决这个问题。如何避免未授予权限错误。 提前致谢！

【问题讨论】：

您能解决问题吗？我也面临同样的问题。

是的，我能够解决这个问题。我更改了安全配置，尝试使用 ldapAuthoritiesPopulator。

非常感谢

【参考方案1】：

更新安全配置类而不是第一个配置方法（AuthenticationManagerBuilder）使用：

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception 

             auth.ldapAuthentication()
             .userDnPatterns(userDnPattern)
                .contextSource()
                    .url(url+baseDn)
                    .managerDn(ldapSecurityPrincipal)
                    .managerPassword(ldapPrincipalPassword)
                    .and()
                    .ldapAuthoritiesPopulator(myAuthPopulator);
         

另外，自动装配 LdapAuthoritiesPopulator