Tags: spring-mvc, authentication, spring-security, active-directory, wildfly-8

Spring Security Active Directory bad credentials handling (error 49)


I have a problem with Active Directory authentication in a simple Spring web application. I'm using ActiveDirectoryLdapAuthenticationProvider and it seems to work fine for empty login fields and correct credentials. The problem is with invalid credentials (wrong login/pass or both). The application throws an exception (error 500) to the browser:

Error processing request
Context Path: /MYAPPNAME
Servlet Path: /login_check
Path Info: null
Query String: null
Stack Trace:
org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader ModuleClassLoader for Module "deployment.MYAPPNAME.war:main" from Service Module Loader [Root exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece]] (...)

The console root error is:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece]

If the credentials are incorrect, shouldn't Spring send the user to authentication-failure-url? I don't have any "manager" account to use for the LDAP BIND; I believe ActiveDirectoryLdapAuthenticationProvider is supposed to bind using the credentials from the login form. The Spring documentation doesn't have anything about binding to AD.

It can probably be solved using a custom authentication provider, but I was hoping there is an out-of-the-box solution. There are some similar questions, but none of them is very precise or has any useful answer.

How to approach this error?

Is there a way to configure it in XML? Perhaps to tell the AD provider to treat a binding error as a failed login attempt?

Is a custom authentication provider the only solution?


spring-security.xml

<!-- Empty rolePrefix so AD group names can be used directly in access="..." -->
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <property name="rolePrefix" value="" />
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <constructor-arg name="decisionVoters" ref="roleVoter" />
</bean>
<s:http authentication-manager-ref="ldap-auth" access-decision-manager-ref="accessDecisionManager" use-expressions="false">
    <s:intercept-url pattern="/list**" access="ADGROUP-XYZ" />
    <s:form-login
        login-page="/login"
        login-processing-url="/login_check"
        username-parameter="username"
        password-parameter="password"
        default-target-url="/list"
        authentication-failure-url="/login?fail" />
    <s:logout
        invalidate-session="true"
        logout-success-url="/login?logout"
        logout-url="/logout"
        delete-cookies="JSESSIONID" />
    <s:csrf />
</s:http>

<s:authentication-manager id="ldap-auth">
    <s:authentication-provider ref="adAuthenticationProvider" />
</s:authentication-manager>

<!-- Binds to AD with the credentials submitted on the login form; no manager account -->
<bean id="adAuthenticationProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <constructor-arg value="company.local" />
    <constructor-arg value="ldap://server.company.local:389/" />
    <property name="useAuthenticationRequestCredentials" value="true"/>
    <property name="convertSubErrorCodesToExceptions" value="true"/>
</bean>

EDIT: One ugly fix is to override ActiveDirectoryLdapAuthenticationProvider and change throw LdapUtils.convertLdapException(e); to throw badCredentials(e);.
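A less invasive variant of the override described in the EDIT, added here as an example (not code from the question or from Spring Security): a hypothetical decorating AuthenticationProvider that delegates to the unchanged ActiveDirectoryLdapAuthenticationProvider, walks the cause chain of the UncategorizedLdapException for the javax.naming.AuthenticationException (LDAP error 49) and rethrows it as BadCredentialsException, so form-login redirects to authentication-failure-url instead of producing a 500. The AD sub-code (the "data 52e" part) is kept in the server log only, so the login page gives the same answer for an unknown user and a wrong password.

```java
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import org.springframework.ldap.UncategorizedLdapException;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

/** Hypothetical decorator: delegates to the AD provider and turns a bind failure that
 *  the container wraps in a NamingException (LDAP error 49) into BadCredentialsException.
 *  findBindFailure walks the cause chain for javax.naming.AuthenticationException. */
public class AdBindFailureTranslatingProvider implements AuthenticationProvider {
    private static final Logger LOG = Logger.getLogger(AdBindFailureTranslatingProvider.class.getName());
    // AD appends the sub-error after "data" in the error-49 message, e.g. "data 52e"
    private static final Pattern SUB_CODE = Pattern.compile("data ([0-9a-fA-F]{3})");
    private final ActiveDirectoryLdapAuthenticationProvider delegate;

    public AdBindFailureTranslatingProvider(ActiveDirectoryLdapAuthenticationProvider delegate) {
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication authentication) {
        try {
            return delegate.authenticate(authentication);
        } catch (UncategorizedLdapException e) {
            AuthenticationException bind = findBindFailure(e);
            if (bind == null) throw e; // some other LDAP problem: let it surface as a server error
            // Sub-code (52e = bad password, 525 = no such user, 775 = locked out) stays in the
            // server log; the browser gets one generic failure for every rejected bind.
            LOG.warning("AD bind rejected, sub-code " + subErrorCode(bind.getMessage()));
            throw new BadCredentialsException("Bad credentials", e);
        }
    }

    static AuthenticationException findBindFailure(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof AuthenticationException) return (AuthenticationException) c;
        }
        return null;
    }

    /** Hex sub-code from the AD message, or "unknown" if the message has none. */
    static String subErrorCode(String message) {
        Matcher m = SUB_CODE.matcher(message == null ? "" : message);
        return m.find() ? m.group(1).toLowerCase() : "unknown";
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }
}
```

To wire it into the XML above, declare this class as a bean with a constructor-arg ref to adAuthenticationProvider and point the s:authentication-provider ref at the new bean instead.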


Solution

  • There is an issue with the JBoss EAP initial context. This has been fixed in the latest WildFly versions. Check the links below:

    https://jira.spring.io/browse/SEC-2754

    https://issues.jboss.org/browse/WFLY-4149