Shiro with LDAP


Posted: 2015-01-04 10:20:38

Question:

I am trying to authenticate users against LDAP, but the following setup (shiro.ini) does not work:

[main]
authc.loginUrl = /login.xhtml
authc.usernameParam = login.username
authc.passwordParam = login.password
authc.rememberMeParam = login.rememberMe

user = co.com.xxx.yyy.filters.FacesAjaxAwareUserFilter
user.loginUrl = /login.xhtml

builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $builtInCacheManager

ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=Users,ou=Accounts,dc=aaa,dc=ggg,dc=com,dc=co
ldapRealm.contextFactory.url = ldap://ldap_server:389
ldapRealm.contextFactory.environment[java.naming.security.credentials] = ldap_password

securityManager.realms = $ldapRealm
authcStrategy = org.apache.shiro.authc.pam.AllSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy

[urls]
/javax.faces.resource/** = anon
/login.xhtml = user
/** = user

Authentication call:

SecurityUtils.getSubject().login(new UsernamePasswordToken(username, password));

I get this error:

LDAP: error code 32 - No Such Object

Frameworks:

Shiro 1.2.3
Mojarra 2.1.7
Primefaces 5.1
JDK 1.7
JBoss 7.1.1

What is wrong?

08:49:45,489 ERROR [co.com.xxxxxxxx.secxxxxx.user.SecxxxxBB] (http-localhost-127.0.0.1-443-5) : org.apache.shiro.authc.AuthenticationException: LDAP naming error while attempting to authenticate user.
    at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:303) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) [shiro-core-1.2.3.jar:1.2.3]
    at co.com.xxxxxxxx.secxxxxx.user.SecxxxxBB.login(SecxxxxBB.java:109) [classes:]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45]
    at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45]
    at org.apache.el.parser.AstValue.invoke(AstValue.java:262) [jbossweb-7.0.13.Final.jar:]
    at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:278) [jbossweb-7.0.13.Final.jar:]
    at org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:39) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
    at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
    at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105) [jsf-impl-2.1.7-jbossorg-2.jar:]
    at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88) [jboss-jsf-api_2.1_spec-2.0.1.Final.jar:2.0.1.Final]
    at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) [jsf-impl-2.1.7-jbossorg-2.jar:]
    at net.bull.javamelody.JsfActionListener.processAction(JsfActionListener.java:65) [javamelody-core-1.46.0.jar:1.46.0]
    at javax.faces.component.UICommand.broadcast(UICommand.java:315) [jboss-jsf-api_2.1_spec-2.0.1.Final.jar:2.0.1.Final]
    at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:794) [jboss-jsf-api_2.1_spec-2.0.1.Final.jar:2.0.1.Final]
    at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1259) [jboss-jsf-api_2.1_spec-2.0.1.Final.jar:2.0.1.Final]
    at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81) [jsf-impl-2.1.7-jbossorg-2.jar:]
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [jsf-impl-2.1.7-jbossorg-2.jar:]
    at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118) [jsf-impl-2.1.7-jbossorg-2.jar:]
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:593) [jboss-jsf-api_2.1_spec-2.0.1.Final.jar:2.0.1.Final]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
    at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
    at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:165) [javamelody-core-1.46.0.jar:1.46.0]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61) [shiro-web-1.2.3.jar:1.2.3]
    at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) [shiro-web-1.2.3.jar:1.2.3]
    at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) [shiro-web-1.2.3.jar:1.2.3]
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.2.3.jar:1.2.3]
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) [shiro-web-1.2.3.jar:1.2.3]
    at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449) [shiro-web-1.2.3.jar:1.2.3]
    at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365) [shiro-web-1.2.3.jar:1.2.3]
    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362) [shiro-web-1.2.3.jar:1.2.3]
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.2.3.jar:1.2.3]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
    at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:208) [javamelody-core-1.46.0.jar:1.46.0]
    at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:181) [javamelody-core-1.46.0.jar:1.46.0]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:489) [jbossweb-7.0.13.Final.jar:]
    at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
    at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
Caused by: javax.naming.CommunicationException: ldap.forumsys.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:226) [rt.jar:1.7.0_45]
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:136) [rt.jar:1.7.0_45]
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1608) [rt.jar:1.7.0_45]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2698) [rt.jar:1.7.0_45]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) [rt.jar:1.7.0_45]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) [rt.jar:1.7.0_45]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) [rt.jar:1.7.0_45]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) [rt.jar:1.7.0_45]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) [rt.jar:1.7.0_45]
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.7.0_45]
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) [rt.jar:1.7.0_45]
    at javax.naming.InitialContext.init(InitialContext.java:242) [rt.jar:1.7.0_45]
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) [rt.jar:1.7.0_45]
    at org.apache.shiro.realm.ldap.JndiLdapContextFactory.createLdapContext(JndiLdapContextFactory.java:508) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.realm.ldap.JndiLdapContextFactory.getLdapContext(JndiLdapContextFactory.java:495) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.realm.ldap.JndiLdapRealm.queryForAuthenticationInfo(JndiLdapRealm.java:375) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:295) [shiro-core-1.2.3.jar:1.2.3]
    ... 64 more
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method) [rt.jar:1.7.0_45]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339) [rt.jar:1.7.0_45]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200) [rt.jar:1.7.0_45]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182) [rt.jar:1.7.0_45]
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) [rt.jar:1.7.0_45]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) [rt.jar:1.7.0_45]
    at java.net.Socket.connect(Socket.java:579) [rt.jar:1.7.0_45]
    at java.net.Socket.connect(Socket.java:528) [rt.jar:1.7.0_45]
    at java.net.Socket.<init>(Socket.java:425) [rt.jar:1.7.0_45]
    at java.net.Socket.<init>(Socket.java:208) [rt.jar:1.7.0_45]
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:368) [rt.jar:1.7.0_45]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) [rt.jar:1.7.0_45]
    ... 80 more

Comments:

Does "uid=,ou=Users,ou=Accounts,dc=aaa,dc=ggg,dc=com,dc=co" exist in your LDAP server? Can that same user read that LDAP entry?

I get the error when I enter the username instead of {0}.

So, does the LDAP entry exist? Can that user read it?

How can I test that? There is another application that uses a specific user and works fine, but it uses Spring; when I put that specific user into Shiro it shows me this error: javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]. If I enter an unknown user I get this error: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

Use an LDAP client, connect to the server with uid=...,ou=...,... and the password, and look up the entry uid=...,ou=...,...

Answer 1:

Sample Shiro configuration with an LDAP realm, as requested:

src/main/resources/shiro.ini:

ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = uid={0},dc=example,dc=com
ldapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
securityManager.realms = $ldapRealm

src/main/java/ShiroLdap.java:

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.util.Factory;

public class ShiroLdap {
    public static void main(String[] args) {
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
        SecurityManager securityManager = factory.getInstance();

        AuthenticationInfo authenticationInfo = securityManager.authenticate(new UsernamePasswordToken("riemann", "password"));

        System.out.println(authenticationInfo);
    }
}

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>sample</groupId>
    <artifactId>shiro-ldap-realm</artifactId>
    <version>0.0.1-SNAPSHOT</version>

    <dependencies>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>1.2.3</version>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>jcl-over-slf4j</artifactId>
            <version>1.7.7</version>
        </dependency>
        <dependency>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-classic</artifactId>
            <version>1.1.2</version>
        </dependency>
    </dependencies>
</project>

Comments:

I get the following error: org.apache.shiro.authc.AuthenticationException: LDAP naming error while attempting to authenticate user.

That is quite a surprise. Do you think you could provide the full console log or the whole stack trace? It is hard to help you without any clue about the actual error. You know what, I think you would benefit from reading How To Ask Questions The Smart Way.

The root exception is: javax.naming.CommunicationException: ldap.forumsys.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]

Are you behind a proxy or firewall that does not allow you to connect to port 389 of ldap.forumsys.com?

ldapRealm.contextFactory.url = ldap://ldap.forumsys.com:389 needs to be set to my LDAP server: ldap://:389

Great example! Just want to add that removing the userDnTemplate line from the ini file changes the principal from a distinguished name to a plain Principal; the username becomes a simple e-mail address.

Answer 2:

Looking at your error details, it seems the LDAP server is refusing the connection. Just to make sure there are no connectivity problems from your local development environment to the LDAP server, install JXplorer (an open-source LDAP browser) and try to connect with the credentials you have.

Comments:

Please see URL, it will help improve the quality of your content.
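Answer 2 suggests checking connectivity with an LDAP browser; the following is an added example (not from the page and not Shiro code) that does the same check from the command line with a raw LDAPv3 simple bind, which is the operation JndiLdapRealm performs with the DN built from userDnTemplate. It separates the three failures seen in this thread: a TCP ConnectionRefusedError (the CommunicationException in the stack trace above, meaning a wrong contextFactory.url or a firewall), resultCode 32 noSuchObject (the bind DN does not exist) and resultCode 49 invalidCredentials (the DN exists, the password is wrong). Host, port, DN and password on the command line are placeholders; the BER encoding follows RFC 4511 and X.690.

```python
"""Raw LDAPv3 simple-bind probe (added example; BER framing per RFC 4511 / X.690)."""
import socket
import sys

# LDAP result codes that matter for a Shiro bind failure (RFC 4511, Appendix A)
RESULT_CODES = {
    0: "success",
    32: "noSuchObject: the bind DN does not exist, check userDnTemplate",
    49: "invalidCredentials: the DN exists but the password is wrong",
}

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(tag: int, n: int) -> bytes:
    """Minimal two's-complement body for a non-negative INTEGER / ENUMERATED."""
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def build_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = tlv(0x60, ber_int(0x02, 3)
               + tlv(0x04, bind_dn.encode("utf-8"))
               + tlv(0x80, password.encode("utf-8")))
    return tlv(0x30, ber_int(0x02, message_id) + bind)

def build_bind_response(message_id: int, result_code: int, matched_dn: str = "", diagnostic: str = "") -> bytes:
    """BindResponse [APPLICATION 1] as a server sends it; used here to test the decoder offline."""
    body = (ber_int(0x0A, result_code) + tlv(0x04, matched_dn.encode("utf-8"))
            + tlv(0x04, diagnostic.encode("utf-8")))
    return tlv(0x30, ber_int(0x02, message_id) + tlv(0x61, body))

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindResponse; reject anything else."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(body, 0)
    _, matched, pos = _read_tlv(body, pos)
    _, diag, _ = _read_tlv(body, pos)
    result_code = int.from_bytes(code, "big", signed=True)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": result_code,
        "meaning": RESULT_CODES.get(result_code, "see RFC 4511 Appendix A"),
        "matched_dn": matched.decode("utf-8", "replace"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf

def _recv_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage, handling long-form lengths."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)

def probe_bind(host: str, port: int, bind_dn: str, password: str, timeout: float = 5.0) -> dict:
    """Send one simple bind and return the decoded BindResponse. Network failures
    surface as OSError; ConnectionRefusedError is the JNDI CommunicationException case."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, bind_dn, password))
        return parse_bind_response(_recv_message(sock))

if __name__ == "__main__":
    # usage: python ldap_bind_probe.py ldap_server 389 "uid=jdoe,ou=Users,dc=example,dc=com" secret
    host, port, dn, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    try:
        print(probe_bind(host, port, dn, pw))
    except OSError as exc:
        print("network-level failure (wrong url, firewall, server down):", exc)
```

Like the ldap:// URL in the question, this bind sends the password in clear text, so run it only against a test directory or over a network you trust, and treat it as one more reason to move the real configuration to ldaps:// or StartTLS. build_bind_response exists only so the decoder can be exercised without a server.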
