I am using Spring Security and Active Directly for authentication. Below my configuration
registry
.ldapAuthentication()
.ldapAuthoritiesPopulator(customLdapAuthoritiesPopulator)
.userDnPatterns("cn={0},cn=Users")
.contextSource() .managerDn("cn=Administrator,cn=Users,cn=COMPANY,cn=COM,cn=TN")
.managerPassword("xxxxxxx")
.url("ldap://xxx.xxx.xxx.xxxx:389/cn=COMPANY,cn=COM,cn=TN") ;
When I am trying to connect with a valid user I've got this log:
23:30:49.321 [http-bio-8080-exec-8] DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
23:30:49.322 [http-bio-8080-exec-8] DEBUG o.s.s.l.a.LdapAuthenticationProvider - Processing authentication request for user: ben
23:30:49.344 [http-bio-8080-exec-8] DEBUG o.s.s.l.a.BindAuthenticator - Attempting to bind as cn=ben,cn=Users,cn=COMPANY,cn=COM,cn=TN
23:30:49.345 [http-bio-8080-exec-8] DEBUG o.s.s.l.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=ben,cn=Users,cn=COMPANY,cn=COM,cn=TN
23:30:52.371 [http-bio-8080-exec-8] DEBUG o.s.s.l.a.BindAuthenticator - Failed to bind as cn=ben,cn=Users: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580
Sorry, it was a stupid mistake: I used CN instead of DC.
Related
I'm trying to connect to an Azure DB via JDBC using authentication mode ActiveDirectoryServicePrincipal.
Connection string: jdbc:sqlserver://xxx.database.windows.net:1433;Database=abcd;Authentication=ActiveDirectoryServicePrincipal;
Used Java components:
mssql-jdbc-11.1.1.jre8-preview.jar
msal4j-1.11.3.jar
oauth2-oidc-sdk-9.22.1.jar
json-smart-2.4.7.jar
When trying to connect, the attempt fails with the following error:
2022-04-28 15:23:50 INFO - Connecting to Source Database jdbc:sqlserver://xxx.database.windows.net:1433;Database=abcd;Authentication=ActiveDirectoryServicePrincipal; ...
2022-04-28 15:23:50 INFO - Connecting to Source JDBC data source jdbc:sqlserver://xxx.database.windows.net:1433;Database=abcd;Authentication=ActiveDirectoryServicePrincipal; ...
2022-04-28 15:23:51 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:51 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:51 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:51 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:51 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:51 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:52 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:52 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:53 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:53 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:54 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:54 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:55 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:55 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:56 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:56 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:57 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:57 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:59 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:59 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:24:00 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:24:00 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:24:01 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:24:01 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:24:02 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:24:02 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:24:03 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:24:03 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:24:04 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:24:04 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:24:04 ERROR - Error establishing database connection to Source DB (URL: jdbc:sqlserver://xxx.database.windows.net:1433;Database=abcd;Authentication=ActiveDirectoryServicePrincipal;)
com.microsoft.sqlserver.jdbc.SQLServerException: Failed to authenticate the user yyy in Active Directory (Authentication=ActiveDirectoryServicePrincipal). com/nimbusds/common/contenttype/ContentType
at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:240)
at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getSqlFedAuthTokenPrincipal(SQLServerMSAL4JUtils.java:97)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.getFedAuthToken(SQLServerConnection.java:5440)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.onFedAuthInfo(SQLServerConnection.java:5388)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.processFedAuthInfo(SQLServerConnection.java:5275)
at com.microsoft.sqlserver.jdbc.TDSTokenHandler.onFedAuthInfo(tdsparser.java:305)
at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:128)
at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:37)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:6262)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:4880)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$100(SQLServerConnection.java:90)
at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:4818)
at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7601)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:3885)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3331)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2923)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2763)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1657)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1063)
at com.synabi.dqnconnect2jdbc.util.DriverShim.connect(DriverShim.java:19)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:208)
at com.synabi.dqnconnect2jdbc.Importer.run(Importer.java:484)
at com.synabi.dqnconnect.App.main(App.java:621)
Caused by: java.util.concurrent.ExecutionException: java.lang.RuntimeException: com/nimbusds/common/contenttype/ContentType
at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:238)
... 23 more
Caused by: java.lang.RuntimeException: com/nimbusds/common/contenttype/ContentType
at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:230)
... 23 more
However, when trying to connect using authentication mode SqlPassword, it's working without a problem (different user, of course, but with the same rights). Additionally, the username and password of the Service Principal user works as well when trying to connect using Powershell.
So there seems to be a problem with the JDBC components. Does anyone have any idea how to solve this?
Edit (for clarification): I've read the official documentation (https://learn.microsoft.com/en-us/sql/connect/jdbc/connecting-using-azure-active-directory-authentication) and followed the described steps to set up the connection.
Are you using simple Java or Spring framework for making the Microsoft SQL connection? In place of the JDBC string, set parameters in the com.microsoft.sqlserver.jdbc.SQLServerDataSource object.
I got a very similar error and in my case it was a missing jar.
Caused by: java.lang.RuntimeException: com/nimbusds/common/contenttype/ContentType
is SQLServerMSAL4JUtils.getCorrectedException's way of swallowing the true cause of the exception:
java.lang.NoClassDefFoundError: com/nimbusds/common/contenttype/ContentType
at com.nimbusds.oauth2.sdk.http.HTTPMessage.setContentType(HTTPMessage.java:98)
at com.nimbusds.oauth2.sdk.http.HTTPRequest.setContentType(HTTPRequest.java:73)
at com.microsoft.aad.msal4j.TokenRequestExecutor.createOauthHttpRequest(TokenRequestExecutor.java:41)
at com.microsoft.aad.msal4j.TokenRequestExecutor.executeTokenRequest(TokenRequestExecutor.java:31)
at com.microsoft.aad.msal4j.AbstractClientApplicationBase.acquireTokenCommon(AbstractClientApplicationBase.java:128)
at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.execute(AcquireTokenByAuthorizationGrantSupplier.java:63)
at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:71)
at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:20)
at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1604)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.ClassNotFoundException: com.nimbusds.common.contenttype.ContentType
at java.net.URLClassLoader.findClass(URLClassLoader.java:387)
at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
... 12 more
In this case the class can be found in: content-type-2.2.jar
which is a dependency of oauth2-oidc-sdk.
I ended up getting this log as a result of running my Spring Boot App with a jsp.
2017-12-29 13:30:52.412 WARN 12631 --- [nio-8080-exec-2]
o.s.web.servlet.PageNotFound No mapping found for HTTP
request with URI [/SpringBootTrial/] in DispatcherServlet with name
'dispatcherServlet'
2017-12-29 13:30:56.463 WARN 12631 --- [nio-8080-exec-3]
o.s.web.servlet.PageNotFound No mapping found for HTTP
request with URI [/SpringBootTrial/display] in DispatcherServlet with
name 'dispatcherServlet'
2017-12-29 13:30:56.464 ERROR 12631 --- [nio-8080-exec-3]
o.s.boot.web.support.ErrorPageFilter : Cannot forward to error
page for request [/welcome] as the response has already been
committed. As a result, the response may have the wrong status code.
If your application is running on WebSphere Application Server you may
be able to resolve this problem by setting
com.ibm.ws.webcontainer.invokeFlushAfterService to false
It's evident that in Spring Boot, manual configuration is not needed. So, how should I fix this error?
I am clueless how to fix. I configured the jsp resolver in application.properties.
spring.mvc.view.prefix=/WEB-INF/view/
spring.mvc.view.suffix=.jsp
I have tomcat-embedded-jasper in the pom.xml.
I am new to Spring boot and Spring oauth2 and somehow after googling got examples using spring boot 1.2.4 with mongodb. The following are the setup:
Spring boot 1.2.4 and Spring oauth2 2.0.7 for Authorization Server
Spring boot 1.5.4 and spring oauth2 2.0.7 for Resource Server
The controller code snippet for Resource Server is as below :
#RequestMapping("/hello")
#ResponseBody
#PreAuthorize("hasRole('Dev')")
//#PreAuthorize("hasRole('Dev')")
public String helloWorld() {
return "Hello World.";
}
When resource and authorization servers were spring boot 1.2.4 authorization were working FINE but with different versions it seems to be incompatible, as it throws an error :
{
"error": "access_denied",
"error_description": "Access is denied"
}
When i put the logging in 1.5.4 this is the log result :
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Secure object: ReflectiveMethodInvocation: public java.lang.String st.malike.auth.client.http.DemoController.helloWorld(); target is of class [st.malike.auth.client.http.DemoController]; Attributes: [[authorize: '#oauth2.throwOnError(hasRole('Dev'))', filter: 'null', filterTarget: 'null']]
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication#1c32aba2: Principal: null; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: Dev
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter#6d6b90, returned: -1
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter#1deeabb9, returned: 0
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter#1c3cd0b, returned: 0
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.w.s.m.m.a.ExceptionHandlerExceptionResolver - Resolving exception from handler [public java.lang.String st.malike.auth.client.http.DemoController.helloWorld()]: org.springframework.security.access.AccessDeniedException: Access is denied
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.w.s.m.a.ResponseStatusExceptionResolver - Resolving exception from handler [public java.lang.String st.malike.auth.client.http.DemoController.helloWorld()]: org.springframework.security.access.AccessDeniedException: Access is denied
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.w.s.m.s.DefaultHandlerExceptionResolver - Resolving exception from handler [public java.lang.String st.malike.auth.client.http.DemoController.helloWorld()]: org.springframework.security.access.AccessDeniedException: Access is denied
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.web.servlet.DispatcherServlet - Could not complete request
org.springframework.security.access.AccessDeniedException: Access is denied
Now I know the line is causing trouble in Spring-boot-1.5.3
o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter#6d6b90, returned: -1
Please help how to make authorizations with the above setups or how to make the authorization work.
I changed spring-security version to 3.2.10.RELEASE in Resource Server with spring-boot 1.5.3 , all working fine. It seems that spring-security logic in 4.x is changed and is not compatible.
I've configured grails ldap plugin as follows in application.yml and added dependencies of spring security core and ldap in build.gradle.
grails:
plugin:
springsecurity:
providerNames: ['ldapAuthProvider', 'anonymousAuthenticationProvider']
ldap:
context:
managerDn: "CN=ldapreader_website,CN=Users,DC=corp,DC=domain,DC=com"
managerPassword: '[secret]'
server: 'ldap://mydomain.com:389/'
authorities:
groupSearchBase: '[CN=Users,DC=corp,DC=domain,DC=com]'
groupSearchFilter: 'member={0}'
search:
base: '[CN=Users,DC=corp,DC=domain,DC=com]'
filter: '(&(objectCategory=user)(sAMAccountName={0}))'
But when I try to login getting error message as:
Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9,
comment: AcceptSecurityContext error, data 52e, v1d
eption is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9,
comment: AcceptSecurityContext error, data 52e, v1db1 ]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:191)
Can anyone help me in this issue.
Error code 49/52e seems to indicate invalid credentials, reference here
Indicates an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid. This is the AD equivalent of LDAP error code 49.
I have configured Shibboleth IdP 3 to authenticate against LDAP (AD).
When I access the following URL
https://FDQN-of-the-IdP/idp/status
I see the following page.
Logs from the IdP show
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:175] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2015-11-24 10:39:43,394 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:108] - Message Handler: No metadata returned for http://google.com/enterprise/gsa/xxxx in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:154] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler' on INBOUND message context
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:175] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer http://google.com/enterprise/gsa/xxxxx
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:284] - Resolving relying party configuration
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:290] - Profile request is unverified, returning configuration shibboleth.UnverifiedRelyingParty
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration shibboleth.UnverifiedRelyingParty for request
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] - Profile Action PopulateAuditContext: Adding 1 value for field 'IDP'
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] - Profile Action PopulateAuditContext: Adding 1 value for field 'SP'
2015-11-24 10:39:43,394 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty
2015-11-24 10:43:17,231 - INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategy:327] - Default key version has not changed, still secret1
Why can't I get access to the status page ?
Make sure that you have set your config\access-control.xml configuration correctly. The default access control is IP-based:
<entry key="AccessByIPAddress">
<bean parent="shibboleth.IPRangeAccessControl"
p:allowedRanges="#{ {'127.0.0.1/32', '192.0.0.0/32','::1/128', '192.168.120.148/32'} }" />
</entry>
make sure that you allow the IP to access the IDP, it has to be in CIDR format as well