I am using the below code:
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.ldapAuthentication()
.userDnPatterns("uid={0},OU=b")
.groupSearchBase("OU=Service Account")
.contextSource()
.url("ldaps://AD.b.com:636/DC=b,DC=com")
.and()
.passwordCompare()
.passwordEncoder(new BCryptPasswordEncoder())
.passwordAttribute("userPassword");
}
I am getting errors after inserting username and password which are provided by Admin.
Error log:
2022-04-11 10:05:09.086 ERROR 1969 --- [nio-8083-exec-9] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.
org.springframework.security.authentication.InternalAuthenticationServiceException: Connection or outbound has closed; nested exception is javax.naming.CommunicationException: Connection or outbound has closed [Root exception is java.net.SocketException: Connection or outbound has closed]; remaining name 'uid=test,OU=b'
Related
For some reason I'm getting a 403 Forbidden error from Spring Boot when I try to do anything with it. I currently have the following in my configure method of my SecurityConfiguration class:
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("/*", "/console").permitAll()
.antMatchers(HttpMethod.POST, "/login").permitAll()
.anyRequest().authenticated()
.and().addFilterBefore(new LoginFilter("/login", authenticationManager()),
UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(new AuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
I'm new to this part of Spring boot so not sure if this is what's causing it.
Turns out... I'm an idiot. This isn't caused by CSRF at all... It was caused by the fact I'm British and I spell what should be Authorization as Authorisation in my AuthenticationFilter which was choking up everything else.
Spring boot-2.3.10, Spring Cloud Gcp: 1.2.8
I'm trying to access specific image pattern **(/resources/images/specific_folder/****) from GC Storage. For that I wrote the resource handler as shown below:
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
log.info("Setting the resource location {}", gcStorageLocation);
registry.addResourceHandler("/resources/images/specific_folder/**").addResourceLocations("gs:bucket_name/storage/images/specific_folder/").setCachePeriod(3600).resourceChain(true)
.addResolver(new GcStorageResolver());
}
GcStorageResolver.java extends AbstractResourceResolver.java
#Override
protected Resource resolveResourceInternal(#Nullable HttpServletRequest request, String requestPath, List<? extends Resource> locations,
ResourceResolverChain chain) {
log.info("resolveResourceInternal called for request: {}, requestPath: {}", request.getRequestURL(), requestPath);
return getResource(requestPath, request, locations);
}
I verified that a valid GoogleStorageResource is being returned along with credential. But somewhere in the spring chain, I'm getting the below error:
2021-06-25 15:40:23.366 ERROR 4676 --- [nio-8080-exec-1]
o.a.c.c.C.[.[.[.[dispatcherServlet] 175 : Servlet.service() for
servlet [dispatcherServlet] in context with path [] threw exception
[Request processing failed; nested exception is
com.google.cloud.storage.StorageException: Error parsing token refresh
response. Expected value access_token not found.] with root cause
java.io.IOException: Error parsing token refresh response. Expected
value access_token not found. at
com.google.auth.oauth2.OAuth2Utils.validateString(OAuth2Utils.java:113)
~[google-auth-library-oauth2-http-0.22.1.jar:?] at
com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:449)
~[google-auth-library-oauth2-http-0.22.1.jar:?] at
com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:157)
~[google-auth-library-oauth2-http-0.22.1.jar:?] at
com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:145)
~[google-auth-library-oauth2-http-0.22.1.jar:?] at
com.google.auth.oauth2.ServiceAccountCredentials.getRequestMetadata(ServiceAccountCredentials.java:603)
~[google-auth-library-oauth2-http-0.22.1.jar:?] at
com.google.auth.http.HttpCredentialsAdapter.initialize(HttpCredentialsAdapter.java:91)
~[google-auth-library-oauth2-http-0.22.1.jar:?] at
com.google.cloud.http.HttpTransportOptions$1.initialize(HttpTransportOptions.java:159)
~[google-cloud-core-http-1.94.0.jar:1.94.0] at
com.google.cloud.http.CensusHttpModule$CensusHttpRequestInitializer.initialize(CensusHttpModule.java:109)
~[google-cloud-core-http-1.94.0.jar:1.94.0] at
com.google.api.client.http.HttpRequestFactory.buildRequest(HttpRequestFactory.java:88)
~[google-http-client-1.38.0.jar:1.38.0]
Not sure what's going on here. Any pointers?
I want to convert a normal Spring LDAP integration to Spring Security application. I have the application context as this.
<ldap:context-source
url="ldap://euro.mo.xyz.com:389"
base="ou=prod,dc=euro,dc=mo,dc=xyz,dc=com"
username="mydomain\mohan06"
password="hotStar56" />
When I used passwordCompare and userDn, then I got the following exception
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]
After seeing some advice online
I tried using managerDn like the following
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.ldapAuthentication()
.userDnPatterns("OU=prod,DC=euro,DC=mo,DC=xyz,DC=com")
.userSearchFilter("sAMAccountName={0}")
.userSearchBase("OU=prod,DC=euro,DC=mo,DC=xyz,DC=com")
.contextSource()
.url("ldap://ptklt.euro.mo.xyz.com:389")
.managerDn("CN=mydomain\\\\mohan06,OU=prod,DC=euro,DC=mo,DC=xyz,DC=com")
.managerPassword("hotStar56")
.root("OU=prod,DC=euro,DC=mo,DC=xyz,DC=com");
But now I get the following error, even though my credentials are fine.
AcceptSecurityContext error, data 52e, v1db1 ]; nested exception is javax.naming.AuthenticationException
Should I need to use different credentials for password compare and managerDn?
I'm new with Spring Security and trying to develop Spring Boot app with Google login using OAuth2 which runs under hostname:8080. This app is behind Apache reverse proxy server https://url.com.
Spring Boot version 2.1.0
Spring Security version 5.1.1
build.gradle:
dependencies {
implementation("org.springframework.boot:spring-boot-starter-web")
implementation("org.springframework.boot:spring-boot-starter-security")
implementation("org.springframework.security:spring-security-oauth2-client")
implementation("org.springframework.security:spring-security-oauth2-jose")
}
application.yml:
oauth2:
client:
registration:
google:
clientId: <clientId>
clientSecret: <clientSecret>
scope: profile, email, openid
server:
use-forward-headers: true
servlet:
session:
cookie:
http-only: false
Spring Security config:
#Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.oauth2Login();
}
}
I request https://url.com
Get redirected to https://accounts.google.com/signin/oauth/
When authenticated get redirected back to
https://url.com/login/oauth2/code/google?state={state}&code={code}&scope=openid+email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fplus.me&authuser=0&session_state={session_state}&prompt=none which timed out with error:
[invalid_token_response] An error occurred while attempting to
retrieve the OAuth 2.0 Access Token Response: I/O error on POST
request for "https://www.googleapis.com/oauth2/v4/token": Connection
timed out (Connection timed out); nested exception is
java.net.ConnectException: Connection timed out (Connection timed out)
Is this error caused by the proxy server settings or boot app? Thanks for help.
Solved. I had to set the JVM parameters:
https.proxyHost=[host]
https.proxyPort=[port]
http.proxyHost=[host]
http.proxyPort=[port]
I've managed to successfully use LDAP to retrieve users from an ActiveDirectory.
However, to do so I had to manually instantiate the BaseLdapPathContextSource like this:
Working Spring Security configuration:
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(ldapProperties.getServer());
contextSource.setUserDn(ldapProperties.getUserDN());
contextSource.setPassword(ldapProperties.getPassword());
contextSource.setBase(ldapProperties.getRootDN());
contextSource.afterPropertiesSet();
// #formatter:off
auth.ldapAuthentication()
.contextSource(contextSource)
.userDnPatterns(new String[]{ ldapProperties.getUserOU() })
.userSearchBase("")
.userSearchFilter("(sAMAccountName={0})")
.ldapAuthoritiesPopulator((userData, username) ->
Collections.singleton(new SimpleGrantedAuthority("CLIENT"))
);
// #formatter:on
}
If instead of this I use the methods provided by the builder, then every login attempt gets rejected.
Not working Spring Security configuration:
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.ldapAuthentication()
.contextSource()
.url(ldapProperties.getServer())
.managerDn(ldapProperties.getUserDN())
.managerPassword(ldapProperties.getPassword())
.root(ldapProperties.getRootDN())
.and()
.userDnPatterns(new String[]{ ldapProperties.getUserOU() })
.userSearchBase("")
.userSearchFilter("(sAMAccountName={0})")
.ldapAuthoritiesPopulator((userData, username) ->
Collections.singleton(new SimpleGrantedAuthority("CLIENT"))
);
}
I've debugged the ContextSourceBuilder, and it is building a DefaultSpringSecurityContextSource too, similarly of how I am doing it.
The only difference between the manually built context and the one provided by the builder seems to be that objectPostProcessors are applied to it after beign built. However, most of them just autowire beans.
Log provided on a failed authentication (that should have succeeded):
2018-09-25 15:45:25.679 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
2018-09-25 15:45:25.680 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.l.a.LdapAuthenticationProvider : Processing authentication request for user: mcurrao
2018-09-25 15:45:25.689 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.l.a.BindAuthenticator : Attempting to bind as ou=factory
2018-09-25 15:45:25.689 DEBUG 10784 --- [nio-8080-exec-3] s.s.l.DefaultSpringSecurityContextSource : Removing pooling flag for user ou=[my_ou]
2018-09-25 15:45:25.694 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.l.a.BindAuthenticator : Failed to bind as OU=[my_ou]: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1
Note: [my_ou] is actually being replaced as my own ou. But as I don't know how sensitive this is, better not risk it.
Note 2: This log is only provided by enabling Spring debug logging. No exception is thrown nor information is given on a login attempt if said debug is not enabled.
This error codes seem to be just "Couldn't find your user" errors.
TL;DR: LDAP authentication does not work if I use the provided contextSource() builder, forcing me to instantiate a context source.