我使用以下配置設置了ldap身份驗證。我需要用戶使用LDAP數據存儲進行身份驗證,並且已將pwdMaxFailure設置爲2.Spring Security LDAP身份驗證錯誤 - 身份驗證異常而不是密碼鎖
但是,每次使用錯誤密碼登錄時,身份驗證都正常工作我收到以下異常而不是密碼鎖異常。我不認爲Spring LDAP在驗證用戶的同時檢查PwdPolicy(計數密碼嘗試)。
ne = (javax.naming.AuthenticationException) javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user cn=admin,ou=users,o=organisation]
我LDIF文件
dn: cn=admin,ou=users,o=organization objectClass: inetOrgPerson
objectClass: organizationalPerson objectClass: person objectClass: top cn: admin sn: Admin uid: admin userPassword:: e1NTSEF9bEtlTUNzLy9OK1JsV2hCWEM2U2ZZNDh0Lzd0OHBlbjFrdjkxN3c9P Q==
createTimestamp: 20141003000008.689Z creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system entryCSN: 20141020004319.002000Z#000000#001#000000 entryDN: cn=admin,ou=users,o=organization entryParentId: 8204b2df-ff5a-413a-a063-4ac30d35bee4 entryUUID:: N2I1MTFlNjYtMDhjZS00YjA3LWIxYzItNTkyOTI3ZGE3ZTBi modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system modifyTimestamp: 20141020004319.002Z pwdFailureTime: 20141020003207.120Z pwdHistory:: MjAxNDEwMDMwMDAwMDguNjgxWiMxLjMuNi4xLjQuMS4xNDY2LjExNS4xMjEuMS4
0MCM4I1lXUnRhVzQ9 pwdPolicySubentry: cn=default,ou=pwdPolicy,o=organizationdn: cn=default,ou=pwdPolicy,o=organization objectClass: device
objectClass: pwdPolicy objectClass: top cn: default
pwdAttribute: userPassword pwdExpireWarning: 3600 pwdGraceExpire: 1 pwdLockout: TRUE pwdLockoutDuration: 120 pwdMaxAge: 2592000
pwdMaxFailure: 2
和Spring配置文件如下
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="jdbcProviderManager" />
<authentication-provider ref="ldapProviderManager" />
</authentication-manager>
<bean id="jdbcProviderManager" class="au.com.spring.handler.DBLoginAuthentication">
<property name="userDetailsService" ref="daoAuthenticationProvider" />
</bean>
<bean id="ldapProviderManager" class="au.com.spring.handler.LDAPLoginAuthentication">
<property name="userDetailsService" ref="ldapAuthenticationProvider" />
</bean>
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="JdbcUserDetailsManager" />
<property name="passwordEncoder" ref="encoder" />
</bean>
<bean id="ldapAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource" />
<property name="userSearch" ref="ldapUserSearch" />
</bean>
</constructor-arg>
<constructor-arg>
<bean class="au.com.spring.handler.CustomLDAPAuthoritiesPopulator">
<constructor-arg ref="contextSource" />
<constructor-arg value="${group.search}" />
<property name="groupSearchFilter" value="${group.search.filter}" />
<property name="groupRoleAttribute" value="${group.role.att}" />
<property name="rolePrefix" value="ROLE_" />
<property name="searchSubtree" value="true" />
<property name="convertToUpperCase" value="true" />
</bean>
</constructor-arg>
<property name="hideUserNotFoundExceptions" value="false" />
<property name="useAuthenticationRequestCredentials" value="true" />
<property name="userDetailsContextMapper" ref="inetOrgPersonContextMapper" />
</bean>
<bean id="inetOrgPersonContextMapper" class="org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper" />
<bean id="defaultLdapUsernameToDnMapper" class="org.springframework.security.ldap.DefaultLdapUsernameToDnMapper">
<constructor-arg value="${users.search}" />
<constructor-arg value="${uid.att}" />
</bean>
<!--<bean id="authenticationSuccessListener" class="prpa.athos.security.listener.AuthenticationSuccessListener" />-->
<!--<bean id="contextSource" class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">-->
<bean id="contextSource" class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">
<constructor-arg value="ldap://localhost:10389/o=organization" />
<!--<property name=""/>-->
</bean>
感謝您的快速回復。 登錄無法創建上下文(使用錯誤的密碼)後,在類PasswordPolicyAwareContextSource 的catch塊中,它調用了PasswordControllerExtractor.extractControl,其中responseControl爲null。 如果不爲空,則檢查ctrl是否被鎖定。不知道我是否做得正確,有沒有辦法讓responseControl不爲空。 – Swathi 2014-10-20 06:01:56
我對Spring沒有什麼瞭解,但是在LDAP中,您必須在請求中附加'密碼策略請求控制'以獲得響應的'密碼策略響應控制'。 – EJP 2014-10-20 06:22:19