我的Web应用程序使用Spring Security进行身份验证和授权 . 身份验证通过公司SSO进行预身份验证 . 但是,作为后备,应用程序使用基于表单的登录进行身份验证 . 这也可以通过在部署描述符中配置身份验证提供程序列表来使用Spring Security实现 . 考虑如下序列所描述的典型场景 .
-
如果企业SSO预身份验证失败,则会向用户显示登录页面 .
-
输入的凭据已提交,并且由于SSOPreAuthentication Provider无法找到主体(假设SSO失败),请求将转发到下一个身份验证提供程序LdapAuthenticationProvider .
在这里,我偶然遇到的是使用BindAuthenticator的LdapAuthenticationProvider,即使密码部分正确,也会将用户名绑定到LDAP(只有密码的前8个字符匹配 . 其余的被忽略) .
以下是我的部署描述符中与讨论相关的配置
<?xml version="1.0" encoding="UTF-8"?>
<!-- DO NOT EDIT FILE GENERATED BY BUILD SCRIPT (edit the config template version) -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"><security:http auto-config="false" access-denied-page="/accessDenied.htm" access-decision-manager-ref="accessDecisionManager">
<security:form-login login-page="/login.htm" authentication-failure-url="/login.htm?error=true" />
<security:logout logout-success-url="/login.htm" />
<security:intercept-url pattern="/**/*" access="ROLE_DENIED" />
</security:http>
<bean id="preauthSSOFilter" class="MySSOProcessingFilter">
<security:custom-filter position="PRE_AUTH_FILTER" />
<property name="principalRequestHeader" value="XX1" />
<property name="credentialsRequestHeader" value="XX2" />
<property name="ldapUserIdRequestHeader" value="XX3" />
<property name="ldapDNRequestHeader" value="XX4" />
<property name="ldapAuthenticator" ref="ldapBindAuthenticator" />
<property name="anonymousUserIfPrincipalRequestHeaderMissing" value="[none]" />
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="ldapContextValidator" class="org.springframework.ldap.pool.validation.DefaultDirContextValidator" />
<bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://myLDAP.com:983/o=something.com"/>
</bean>
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<security:custom-authentication-provider />
<constructor-arg ref="ldapBindAuthenticator" />
<constructor-arg ref="ldapAuthoritiesPopulator" />
</bean>
<bean id="ldapBindAuthenticator" class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg ref="ldapContextSource"/>
<property name="userSearch" ref="ldapUserSearch" />
</bean>
<bean id="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value=""/>
<constructor-arg index="1" value="(uid={0})"/>
<constructor-arg index="2" ref="ldapContextSource" />
</bean>
<bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.populator.UserDetailsServiceLdapAuthoritiesPopulator">
<constructor-arg ref="userDetailsService" />
</bean>
以下是两种情况的日志跟踪:
- 当密码完全错误时(所有字符都错误)
18:34:13,599 DEBUG [FilterChainProxy] / j_spring_security_check位于第4位,共8个附加过滤链;触发过滤器:'org.springframework.security.ui.webapp.AuthenticationProcessingFilter [order = 700; ] '18:34:13,599 DEBUG [AuthenticationProcessingFilter]请求处理身份验证18:34:13,599 DEBUG [ProviderManager]使用org.springframework.security.providers.ldap.LdapAuthenticationProvider进行身份验证尝试18:34:13,599 DEBUG [FilterBasedLdapUserSearch]正在搜索user'@ username @',用户搜索[searchFilter:'(uid = {0})',searchBase:'',scope:subtree,searchTimeLimit:0,derefLinkFlag:false] 18:34:13,599 DEBUG [AbstractContextSource] Principal :''18:34:13,943 DEBUG [AbstractContextSource]在服务器上获得Ldap上下文'ldap://myLDAP.com:983 / o = something.com'18:34:14,130 DEBUG [DefaultSpringSecurityContextSource]使用principal创建上下文:'uid = @ username @,ou = people,l = AP,o = somthing.com'18:34:14,458 DEBUG [BindAuthenticator]无法绑定为uid = @ username @,ou = people,l = AP:org.springframework . ldap.AuthenticationException:[LDAP:错误代码49 - 证书无效];嵌套异常是javax.naming.AuthenticationException:[LDAP:错误代码49 - 无效的凭据]
- 当密码正确或部分(仅前8个字符匹配)正确时
18:30:11,849 DEBUG [FilterChainProxy] / j_spring_security_check位于第4位的8位额外过滤链;触发过滤器:'org.springframework.security.ui.webapp.AuthenticationProcessingFilter [order = 700; ] '18:30:11,849 DEBUG [AuthenticationProcessingFilter]请求处理身份验证18:30:11,849 DEBUG [ProviderManager]使用org.springframework.security.providers.ldap.LdapAuthenticationProvider验证尝试18:30:11,849 DEBUG [FilterBasedLdapUserSearch]正在搜索user'@ username @',用户搜索[searchFilter:'(uid = {0})',searchBase:'',scope:subtree,searchTimeLimit:0,derefLinkFlag:false] 18:30:11,849 DEBUG [AbstractContextSource] Principal :''18:30:12,193 DEBUG [AbstractContextSource]在服务器上获得Ldap上下文'ldap://myLDAP.com:983 / o = something.com'18:30:12,365 DEBUG [DefaultSpringSecurityContextSource]使用principal创建上下文:'uid = @ username @,ou = people,l = AP,o = something.com'18:30:12,708 DEBUG [AbstractContextSource]在服务器上获得Ldap上下文'ldap://myLDAP.com:983 / o = something.com'
有人可以解释这种神秘的行为吗?