
Spring Security LDAP Bind Authenticator Verifies Only First 8 Characters of a Password

My web application uses Spring Security for authentication and authorisation. Authentication is normally pre-authenticated via a corporate SSO; as a fallback, the application otherwise uses a form-based login. This too is achieved using Spring Security, by having a list of Authentication Providers configured in the deployment descriptor. Consider a typical scenario, described by the following sequence.

  1. If the corporate SSO pre-authentication fails, the login page is presented to the user.
  2. The entered credentials are submitted and since the SSOPreAuthentication Provider cannot find the principal (assuming SSO failure), the request is forwarded to the next Authentication Provider which is LdapAuthenticationProvider.

Here, what I have accidentally come across is that the LdapAuthenticationProvider that uses a BindAuthenticator binds a username to the LDAP even if the password is only partially correct (only the first 8 characters of the password are matched; the remaining ones are ignored).

Following is the configuration in my deployment descriptor relevant to the discussion:

<?xml version="1.0" encoding="UTF-8"?>
<!-- DO NOT EDIT FILE GENERATED BY BUILD SCRIPT (edit the config template version) -->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

<security:http auto-config="false" access-denied-page="/accessDenied.htm" access-decision-manager-ref="accessDecisionManager">
    <security:form-login login-page="/login.htm" authentication-failure-url="/login.htm?error=true" />
    <security:logout logout-success-url="/login.htm" />
    <security:intercept-url pattern="/**/*" access="ROLE_DENIED" />
</security:http>

<bean id="preauthSSOFilter" class="MySSOProcessingFilter">
    <security:custom-filter position="PRE_AUTH_FILTER" />
    <property name="principalRequestHeader" value="XX1" />
    <property name="credentialsRequestHeader" value="XX2" />
    <property name="ldapUserIdRequestHeader" value="XX3" />
    <property name="ldapDNRequestHeader" value="XX4" />
    <property name="ldapAuthenticator" ref="ldapBindAuthenticator" />
    <property name="anonymousUserIfPrincipalRequestHeaderMissing" value="[none]" />
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="ldapContextValidator" class="org.springframework.ldap.pool.validation.DefaultDirContextValidator" />

<bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://myLDAP.com:983/o=something.com"/>
</bean>

<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <security:custom-authentication-provider />
    <constructor-arg ref="ldapBindAuthenticator" />
    <constructor-arg ref="ldapAuthoritiesPopulator" />
</bean>

<bean id="ldapBindAuthenticator" class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
    <constructor-arg ref="ldapContextSource"/>
    <property name="userSearch" ref="ldapUserSearch" />
</bean>


<bean id="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value=""/>
    <constructor-arg index="1" value="(uid={0})"/>
    <constructor-arg index="2" ref="ldapContextSource" />
</bean>

<bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.populator.UserDetailsServiceLdapAuthoritiesPopulator">
    <constructor-arg ref="userDetailsService" />
</bean>

And here is a trace of the logs for two scenarios:

  1. When the password is completely wrong (all characters wrong)

18:34:13,599 DEBUG [FilterChainProxy] /j_spring_security_check at position 4 of 8 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
18:34:13,599 DEBUG [AuthenticationProcessingFilter] Request is to process authentication
18:34:13,599 DEBUG [ProviderManager] Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
18:34:13,599 DEBUG [FilterBasedLdapUserSearch] Searching for user '@username@', with user search [ searchFilter: '(uid={0})', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
18:34:13,599 DEBUG [AbstractContextSource] Principal: ''
18:34:13,943 DEBUG [AbstractContextSource] Got Ldap context on server 'ldap://myLDAP.com:983/o=something.com'
18:34:14,130 DEBUG [DefaultSpringSecurityContextSource] Creating context with principal: 'uid=@username@, ou=people, l=AP, o=somthing.com'
18:34:14,458 DEBUG [BindAuthenticator] Failed to bind as uid=@username@, ou=people, l=AP: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

  2. When the password is correct or partially correct (only the first 8 characters match)

18:30:11,849 DEBUG [FilterChainProxy] /j_spring_security_check at position 4 of 8 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
18:30:11,849 DEBUG [AuthenticationProcessingFilter] Request is to process authentication
18:30:11,849 DEBUG [ProviderManager] Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
18:30:11,849 DEBUG [FilterBasedLdapUserSearch] Searching for user '@username@', with user search [ searchFilter: '(uid={0})', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
18:30:11,849 DEBUG [AbstractContextSource] Principal: ''
18:30:12,193 DEBUG [AbstractContextSource] Got Ldap context on server 'ldap://myLDAP.com:983/o=something.com'
18:30:12,365 DEBUG [DefaultSpringSecurityContextSource] Creating context with principal: 'uid=@username@, ou=people, l=AP, o=something.com'
18:30:12,708 DEBUG [AbstractContextSource] Got Ldap context on server 'ldap://myLDAP.com:983/o=something.com'

Can someone explain this mysterious behavior?

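A point worth drawing out of the two traces above: BindAuthenticator never compares passwords itself. It performs an LDAP bind as the user's DN with the submitted password, and the directory decides. In the failing trace the server answers with error code 49 (Invalid Credentials); in the partial-match trace the bind succeeds and a context is returned. So the 8-character limit is a property of how the directory stores and checks passwords, not of Spring Security. One common cause of exactly that limit, as general background and not a diagnosis of this particular deployment, is a directory that stores password hashes in the traditional DES crypt(3) format, which uses only the first 8 characters of the password. The added example below (not code from the question or from Spring Security) is a small probe a defender can run with a test account they own to measure how many leading password characters a verifier actually checks. The LDAP bind is replaced by constructed in-memory back ends so the script runs offline; `make_backend`, `effective_password_length` and `accepts_trailing_characters` are names chosen here, and SHA-256 stands in for whatever hash the directory really uses.

```python
"""Probe an authentication back end for silent password truncation.

Added example, not code from the question or from Spring Security.
The real verifier in the question is an LDAP bind performed by
BindAuthenticator; here it is replaced by constructed in-memory back ends
(one that keeps only the first 8 password characters, one that checks
the whole password) so the probe runs offline.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict

# A verifier answers "do these credentials authenticate?" and nothing else,
# which is exactly the interface an LDAP simple bind gives the application.
Verifier = Callable[[str, str], bool]


def _digest(salt: bytes, password: str, keep: int) -> str:
    """Salted digest of the first `keep` characters of the password.

    SHA-256 stands in for the directory's real hash; the behaviour under
    study is the truncation to `keep` characters, not the hash algorithm.
    """
    return hashlib.sha256(salt + password[:keep].encode("utf-8")).hexdigest()


def make_backend(users: Dict[str, str], keep: int) -> Verifier:
    """Build a constructed verifier that checks only the first `keep`
    characters of each password (keep=8 mimics traditional DES crypt(3)
    storage; a large `keep` mimics a back end that checks everything)."""
    salt = os.urandom(8)
    stored = {user: _digest(salt, pw, keep) for user, pw in users.items()}

    def verify(username: str, password: str) -> bool:
        expected = stored.get(username)
        if expected is None:
            return False
        return hmac.compare_digest(expected, _digest(salt, password, keep))

    return verify


def _flip(ch: str) -> str:
    """Return a character that differs from `ch`."""
    return "a" if ch != "a" else "b"


def effective_password_length(verify: Verifier, username: str, password: str) -> int:
    """Return how many leading characters of `password` the back end checks.

    `password` must be a known-good credential longer than the suspected
    limit. Each character is altered in turn; the first position whose
    alteration is still accepted is ignored by the back end, so only the
    characters before it are checked. If every alteration is rejected the
    whole password is checked and len(password) is returned.
    """
    if not verify(username, password):
        raise ValueError("known-good credential was rejected; cannot probe")
    for i, ch in enumerate(password):
        altered = password[:i] + _flip(ch) + password[i + 1:]
        if verify(username, altered):
            return i
    return len(password)


def accepts_trailing_characters(verify: Verifier, username: str, password: str) -> bool:
    """Cheaper spot check: does appending characters to a correct password
    still authenticate? True means the tail of the password is ignored."""
    return verify(username, password) and verify(username, password + "!extra")


if __name__ == "__main__":
    # Constructed test account; no real directory is contacted.
    users = {"alice": "correcthorsebattery"}  # 19 characters
    backends = (("truncating", make_backend(users, keep=8)),
                ("full-length", make_backend(users, keep=1024)))
    for name, backend in backends:
        print(name, "checks", effective_password_length(backend, "alice", users["alice"]),
              "characters; trailing characters accepted:",
              accepts_trailing_characters(backend, "alice", users["alice"]))
```

Against a real deployment the `verify` callable would wrap a bind to the directory (the same operation BindAuthenticator performs) using a dedicated test account, and the probe password must be longer than the limit being checked for, otherwise every position looks significant. If the probe reports a limit, the remediation is on the directory side: check the password storage scheme configured for those entries, and have affected accounts re-set their passwords after the scheme is changed, since hashes stored under the truncating scheme cannot be upgraded in place.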