
Spring Security LDAPs authentication


I need help with Spring Security authentication against LDAP. I have tried a lot of things found online, but I'm going crazy over this. Basically, I need to pass a username and password to an LDAPS server.

This is the security-related part of my pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-test</artifactId>
    <scope>test</scope>
</dependency>
<dependency>
    <groupId>org.springframework.ldap</groupId>
    <artifactId>spring-ldap-core</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-ldap</artifactId>
</dependency>
<dependency>
    <groupId>com.unboundid</groupId>
    <artifactId>unboundid-ldapsdk</artifactId>
</dependency>

And this is my SecurityConfig.java:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

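/**
 * Web security configuration: every request must be authenticated, and users authenticate
 * with a form login whose credentials are checked against Active Directory over LDAPS.
 *
 * <p>The directory domain and server URL were previously hard-coded in this class; they are
 * now read from the {@code ldap.domain} and {@code ldap.url} properties and fall back to the
 * original values, so existing deployments keep working without any configuration change.
 *
 * <p>Note: {@link WebSecurityConfigurerAdapter} is deprecated since Spring Security 5.7; the
 * stack traces in this project show 5.7.7, so this still compiles but should eventually be
 * migrated to a {@code SecurityFilterChain} bean.
 */
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Active Directory domain passed to the authentication provider.
     * Overridable via the {@code ldap.domain} property; the default is the value that was
     * previously hard-coded here.
     *
     * NOTE(review): the provider's documented form of the domain is e.g. "mydomain.com"
     * without a leading '@'; with "@DOMAIN.it" the bind principal built for a bare user name
     * may carry a doubled '@' — confirm against the user names that are actually entered.
     */
    @Value("${ldap.domain:@DOMAIN.it}")
    private String ldapDomain;

    /**
     * LDAPS URL of the directory server, overridable via the {@code ldap.url} property.
     * Because the scheme is {@code ldaps}, the JVM must trust the server's TLS certificate
     * (it must be present in the truststore in use); a failed TLS handshake surfaces as a
     * {@code CommunicationException} / "Connection to LDAP server failed" rather than as bad
     * credentials.
     */
    @Value("${ldap.url:ldaps://NAME.DOMAIN.it:636/}")
    private String ldapUrl;

    /**
     * Requires authentication for every request, enables form login (the login page itself
     * is reachable by everyone) and enables logout.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .permitAll()
                .and()
            .logout();
    }

    /**
     * Authentication provider that binds to Active Directory as the user who is logging in,
     * so the directory itself verifies the password; no credentials are stored in this
     * application.
     *
     * @return the provider configured with {@link #ldapDomain} and {@link #ldapUrl}
     */
    @Bean
    ActiveDirectoryLdapAuthenticationProvider authenticationProvider() {
        return new ActiveDirectoryLdapAuthenticationProvider(ldapDomain, ldapUrl);
    }

}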

When I try to log in, I receive these errors:

mw.a.UsernamePasswordAuthenticationFilter: An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: Connection to LDAP server failed.
    at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.badLdapConnection(ActiveDirectoryLdapAuthenticationProvider.java:312) ~[spring-security-ldap-5.7.7.jar:5.7.7]
    at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.doAuthentication(ActiveDirectoryLdapAuthenticationProvider.java:171) ~[spring-security-ldap-5.7.7.jar:5.7.7]
    at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:79) ~[spring-security-ldap-5.7.7.jar:5.7.7]
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-5.7.7.jar:5.7.7]
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:201) ~[spring-security-core-5.7.7.jar:5.7.7]
    at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:85) ~[spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:132) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.26.jar:5.3.26]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.26.jar:5.3.26]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:112) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:82) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.26.jar:5.3.26]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.26.jar:5.3.26]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:221) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186) [spring-security-web-5.7.7.jar:5.7.7]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) [spring-web-5.3.26.jar:5.3.26]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) [spring-web-5.3.26.jar:5.3.26]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.3.26.jar:5.3.26]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.26.jar:5.3.26]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.3.26.jar:5.3.26]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.26.jar:5.3.26]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.3.26.jar:5.3.26]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.26.jar:5.3.26]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:389) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.73.jar:9.0.73]
    at java.lang.Thread.run(Unknown Source) [na:1.8.0_341]
Caused by: org.springframework.ldap.CommunicationException: simple bind failed: NAME.DOMAIN.it:636; nested exception is javax.naming.CommunicationException: simple bind failed: NAME.DOMAIN.it:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108) ~[spring-ldap-core-2.4.1.jar:2.4.1]
    at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:224) ~[spring-security-ldap-5.7.7.jar:5.7.7]
    at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.doAuthentication(ActiveDirectoryLdapAuthenticationProvider.java:167) ~[spring-security-ldap-5.7.7.jar:5.7.7]
    ... 60 common frames omitted
Caused by: javax.naming.CommunicationException: simple bind failed: NAME.DOMAIN.it:636
    at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source) ~[na:1.8.0_341]
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source) ~[na:1.8.0_341]
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source) ~[na:1.8.0_341]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(Unknown Source) ~[na:1.8.0_341]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source) ~[na:1.8.0_341]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source) ~[na:1.8.0_341]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source) ~[na:1.8.0_341]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source) ~[na:1.8.0_341]
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source) ~[na:1.8.0_341]
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source) ~[na:1.8.0_341]
    at javax.naming.InitialContext.init(Unknown Source) ~[na:1.8.0_341]
    at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source) ~[na:1.8.0_341]
    at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider$ContextFactory.createContext(ActiveDirectoryLdapAuthenticationProvider.java:416) ~[spring-security-ldap-5.7.7.jar:5.7.7]
    at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:217) ~[spring-security-ldap-5.7.7.jar:5.7.7]
    ... 61 common frames omitted
Caused by: java.net.SocketException: Connection or outbound has closed
    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(Unknown Source) ~[na:1.8.0_341]
    at java.io.BufferedOutputStream.flushBuffer(Unknown Source) ~[na:1.8.0_341]
    at java.io.BufferedOutputStream.flush(Unknown Source) ~[na:1.8.0_341]
    at com.sun.jndi.ldap.Connection.writeRequest(Unknown Source) ~[na:1.8.0_341]
    at com.sun.jndi.ldap.Connection.writeRequest(Unknown Source) ~[na:1.8.0_341]
    at com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source) ~[na:1.8.0_341]
    ... 75 common frames omitted

The LDAPS server works fine, because in a simple Java application I can check whether a user is authenticated or not with a simple boolean function.


Solution

  • Ok, the problem was that the certificate wasn't imported correctly. Thanks to importcert I recovered the correct certificate, and now I can authenticate a user. This helped me: https://javarevisited.blogspot.com/2018/07/ldap-authentication-active-directory-authentication-java-spring-security-example.html#axzz7zyBjZQeo

    EDIT: this also helped, because the certificate changes after a few months. With this approach the certificate is always trusted. Link: https://stackoverflow.com/a/17205582/21640328