Not granted any authorities error while authenticating user via Spring Security LDAP


Posted: 2020-03-27 00:45:47

Question:

I am trying to authenticate users against an LDAP server using Spring Boot, where I have already configured LDAP successfully. Now, when I validate the user's credentials with authenticationManager(), I get a "not granted any authorities" error. I have tried several pieces of code but have not found any suitable solution, or perhaps I have missed some important point in the whole authentication process.

Controller:

    @RequestMapping(value = "/login", method = RequestMethod.POST)
//  public ResponseEntity<?> authenticateUser(@Valid @RequestBody LoginRequest loginRequest, BindingResult result) {
    public ResponseEntity<?> authenticateUser(@Valid @ModelAttribute LoginRequest loginRequest, BindingResult result) {
        ResponseEntity<?> errorMap = mapValidationErrorService.getMapValidationErrors(result);
        if (errorMap != null) return errorMap;
        String jwt = null;

        try {
            Authentication authentication = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword()));
            System.out.println("test : " + authentication.toString());
            SecurityContextHolder.getContext().setAuthentication(authentication);
            jwt = TOKEN_PREFIX + tokenProvider.generateToken(authentication);
        } catch (Exception e) {
            return new ResponseEntity<>("Not Authorized", HttpStatus.FORBIDDEN);
        }
        // The posted snippet ends after the catch block; returning the token is an assumed completion.
        return ResponseEntity.ok(jwt);
    }

Security configuration:

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${ldap-url}")
    private String url;

    @Value("${ldap-basedn}")
    private String baseDn;

    @Value("${ldap-user-password}")
    private String userPassword;

    @Value("${ldap-user-dnpattern}")
    private String userDnPattern;

    @Value("${ldap.password}")
    private String ldapPrincipalPassword;

    @Value("${ldap.username}")
    private String ldapSecurityPrincipal;

    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedhandler;

    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    @Bean
    public JwtAuthenticationFilter jwtAuthenticationFilter() { return new JwtAuthenticationFilter(); }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
        .ldapAuthentication()
            .userDnPatterns(userDnPattern)
            .contextSource()
                .url(url + baseDn)
                .managerDn(ldapSecurityPrincipal)
                .managerPassword(ldapPrincipalPassword)
                .and()
            .passwordCompare()
                .passwordEncoder(new LdapShaPasswordEncoder())
                .passwordAttribute("userPassword");

//      super.configure(auth);
//      auth.userDetailsService(customUserDetailsService).passwordEncoder(bCryptPasswordEncoder);
    }

    @Override
    @Bean(BeanIds.AUTHENTICATION_MANAGER)
    protected AuthenticationManager authenticationManager() throws Exception {
        // TODO Auto-generated method stub
        return super.authenticationManager();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.cors();
        http.csrf().disable()
            .exceptionHandling().authenticationEntryPoint(null).and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .headers().frameOptions().sameOrigin()
            .and()
            .authorizeRequests()
            .antMatchers(
                    "/",
                    "favicon.ico",
                    "/**/*.png",
                    "/**/*.gif",
                    "/**/*.svg",
                    "/**/*.jpg",
                    "/**/*.html",
                    "/**/*.css",
                    "/**/*.js"
            ).permitAll()
            .antMatchers("/api/users/**").permitAll()
            .anyRequest().fullyAuthenticated();

//          .antMatchers(SIGN_UP_URLS).permitAll()
//          .anyRequest()
//          .authenticated();

        http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

        super.configure(http);
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
        return bCryptPasswordEncoder;
    }
}

The authentication result is:

test : org.springframework.security.authentication.UsernamePasswordAuthenticationToken@58d6c26a: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@a7293dae: Dn: mail=email@gmail.com,ou=projectName,o=companyName; Username: email@gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities

Please help me solve this problem. How can I avoid the "not granted any authorities" error? Thanks in advance!

Comments:

Were you able to solve the problem? I am facing the same issue.

Yes, I was able to solve it. I changed the security configuration and tried using ldapAuthoritiesPopulator.

Thank you very much.

Answer 1:

Update the security configuration class: instead of the first configure method (the one taking AuthenticationManagerBuilder), use:

    // As stated below, the populator is autowired into the configuration class.
    @Autowired
    private LdapAuthoritiesPopulator myAuthPopulator;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            .userDnPatterns(userDnPattern)
            .contextSource()
                .url(url + baseDn)
                .managerDn(ldapSecurityPrincipal)
                .managerPassword(ldapPrincipalPassword)
                .and()
            .ldapAuthoritiesPopulator(myAuthPopulator);
    }

Also, autowire the LdapAuthoritiesPopulator.
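The answer leaves open where the autowired LdapAuthoritiesPopulator comes from. The following is an added example, not code from the question or answer above: it defines the populator bean with Spring Security's DefaultLdapAuthoritiesPopulator, so that authorities are derived from the user's LDAP group memberships instead of the empty set that produced "Not granted any authorities". The group subtree ou=groups, the member attribute and the property names are assumptions; the property keys reuse those from the question.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.ContextSource;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

@Configuration
public class LdapAuthoritiesConfig {

    @Value("${ldap-url}")
    private String url;

    @Value("${ldap-basedn}")
    private String baseDn;

    @Value("${ldap.username}")
    private String managerDn;

    @Value("${ldap.password}")
    private String managerPassword;

    // Directory connection used for the group lookup. The manager account only
    // needs read access to the group subtree; it never sees user passwords.
    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        DefaultSpringSecurityContextSource cs = new DefaultSpringSecurityContextSource(url + baseDn);
        cs.setUserDn(managerDn);
        cs.setPassword(managerPassword);
        return cs;
    }

    // Maps group membership to authorities: a user who is "member" of
    // cn=admins,ou=groups,<baseDn> receives ROLE_ADMINS. A user in no group
    // gets no authorities, which is the intended fail-closed default; avoid
    // setDefaultRole() unless every authenticated user should hold that role.
    @Bean
    public LdapAuthoritiesPopulator ldapAuthoritiesPopulator(ContextSource contextSource) {
        // "ou=groups" is an assumed search base relative to baseDn
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups");
        populator.setGroupSearchFilter("(member={0})"); // {0} is the authenticated user's full DN
        populator.setGroupRoleAttribute("cn");          // group name becomes the role name
        populator.setRolePrefix("ROLE_");
        populator.setConvertToUpperCase(true);
        populator.setSearchSubtree(true);
        return populator;
    }
}
```

With this bean present, the `myAuthPopulator` field in the answer's configureGlobal is satisfied by injection, and the HttpSecurity rules can then use hasRole("ADMINS") rather than only fullyAuthenticated().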

