SEC-1938: Add ActiveDirectoryAuthenticationException as caused by for ActiveDirectoryAuthenticationProvider

Previously there was no way to extract the original exception or to easily
obtain details about the failure if Spring Security was not able to translate
the exception into a Spring Security AuthenticationException.

Now the caused by is an ActiveDirectoryAuthenticationException which contains
the original Active Directory error code.
This commit is contained in:
Rob Winch 2012-07-31 09:34:06 -05:00
parent 734188206d
commit 37aed0660d
3 changed files with 120 additions and 10 deletions

View File

@ -0,0 +1,48 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.ldap.authentication.ad;
import org.springframework.security.core.AuthenticationException;
/**
* <p>
* Thrown as a translation of an {@link javax.naming.AuthenticationException} when attempting to authenticate against
* Active Directory using {@link ActiveDirectoryLdapAuthenticationProvider}. Typically this error is wrapped by an
* {@link AuthenticationException} since it does not provide a user friendly message. When wrapped, the original
* Exception can be caught and {@link ActiveDirectoryAuthenticationException} can be accessed using
* {@link AuthenticationException#getCause()} for custom error handling.
* </p>
* <p>
* The {@link #getDataCode()} will return the error code associated with the data portion of the error message. For
* example, the following error message would return 773 for {@link #getDataCode()}.
* </p>
*
* <pre>
* javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece ]
* </pre>
*
* @author Rob Winch
*/
@SuppressWarnings("serial")
public final class ActiveDirectoryAuthenticationException extends AuthenticationException {
private final String dataCode;
ActiveDirectoryAuthenticationException(String dataCode, String message, Throwable cause) {
super(message, cause);
this.dataCode = dataCode;
}
public String getDataCode() {
return dataCode;
}
}

View File

@ -1,3 +1,15 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.ldap.authentication.ad; package org.springframework.security.ldap.authentication.ad;
import org.springframework.ldap.core.DirContextOperations; import org.springframework.ldap.core.DirContextOperations;
@ -61,6 +73,7 @@ import java.util.regex.Pattern;
* {@code true}, the codes will also be used to control the exception raised. * {@code true}, the codes will also be used to control the exception raised.
* *
* @author Luke Taylor * @author Luke Taylor
* @author Rob Winch
* @since 3.1 * @since 3.1
*/ */
public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLdapAuthenticationProvider { public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLdapAuthenticationProvider {
@ -115,7 +128,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
} catch (NamingException e) { } catch (NamingException e) {
logger.error("Failed to locate directory entry for authenticated user: " + username, e); logger.error("Failed to locate directory entry for authenticated user: " + username, e);
throw badCredentials(); throw badCredentials(e);
} finally { } finally {
LdapUtils.closeContext(ctx); LdapUtils.closeContext(ctx);
} }
@ -165,7 +178,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
} catch (NamingException e) { } catch (NamingException e) {
if ((e instanceof AuthenticationException) || (e instanceof OperationNotSupportedException)) { if ((e instanceof AuthenticationException) || (e instanceof OperationNotSupportedException)) {
handleBindException(bindPrincipal, e); handleBindException(bindPrincipal, e);
throw badCredentials(); throw badCredentials(e);
} else { } else {
throw LdapUtils.convertLdapException(e); throw LdapUtils.convertLdapException(e);
} }
@ -183,7 +196,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
logger.info("Active Directory authentication failed: " + subCodeToLogMessage(subErrorCode)); logger.info("Active Directory authentication failed: " + subCodeToLogMessage(subErrorCode));
if (convertSubErrorCodesToExceptions) { if (convertSubErrorCodesToExceptions) {
raiseExceptionForErrorCode(subErrorCode); raiseExceptionForErrorCode(subErrorCode, exception);
} }
} else { } else {
logger.debug("Failed to locate AD-specific sub-error code in message"); logger.debug("Failed to locate AD-specific sub-error code in message");
@ -200,20 +213,24 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
return -1; return -1;
} }
void raiseExceptionForErrorCode(int code) { void raiseExceptionForErrorCode(int code, NamingException exception) {
String hexString = Integer.toHexString(code);
Throwable cause = new ActiveDirectoryAuthenticationException(hexString, exception.getMessage(), exception);
switch (code) { switch (code) {
case PASSWORD_EXPIRED: case PASSWORD_EXPIRED:
throw new CredentialsExpiredException(messages.getMessage("LdapAuthenticationProvider.credentialsExpired", throw new CredentialsExpiredException(messages.getMessage("LdapAuthenticationProvider.credentialsExpired",
"User credentials have expired")); "User credentials have expired"), cause);
case ACCOUNT_DISABLED: case ACCOUNT_DISABLED:
throw new DisabledException(messages.getMessage("LdapAuthenticationProvider.disabled", throw new DisabledException(messages.getMessage("LdapAuthenticationProvider.disabled",
"User is disabled")); "User is disabled"), cause);
case ACCOUNT_EXPIRED: case ACCOUNT_EXPIRED:
throw new AccountExpiredException(messages.getMessage("LdapAuthenticationProvider.expired", throw new AccountExpiredException(messages.getMessage("LdapAuthenticationProvider.expired",
"User account has expired")); "User account has expired"), cause);
case ACCOUNT_LOCKED: case ACCOUNT_LOCKED:
throw new LockedException(messages.getMessage("LdapAuthenticationProvider.locked", throw new LockedException(messages.getMessage("LdapAuthenticationProvider.locked",
"User account is locked")); "User account is locked"), cause);
default:
throw badCredentials(cause);
} }
} }
@ -245,6 +262,10 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
"LdapAuthenticationProvider.badCredentials", "Bad credentials")); "LdapAuthenticationProvider.badCredentials", "Bad credentials"));
} }
private BadCredentialsException badCredentials(Throwable cause) {
return (BadCredentialsException) badCredentials().initCause(cause);
}
private DirContextOperations searchForUser(DirContext ctx, String username) throws NamingException { private DirContextOperations searchForUser(DirContext ctx, String username) throws NamingException {
SearchControls searchCtls = new SearchControls(); SearchControls searchCtls = new SearchControls();
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE); searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

View File

@ -1,10 +1,27 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.ldap.authentication.ad; package org.springframework.security.ldap.authentication.ad;
import static org.junit.Assert.*; import static org.junit.Assert.*;
import static org.mockito.Mockito.*; import static org.mockito.Mockito.*;
import static org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.ContextFactory; import static org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.ContextFactory;
import org.hamcrest.BaseMatcher;
import org.hamcrest.CoreMatchers;
import org.hamcrest.Description;
import org.hamcrest.Matcher;
import org.junit.*; import org.junit.*;
import org.junit.rules.ExpectedException;
import org.springframework.ldap.core.DirContextAdapter; import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DistinguishedName; import org.springframework.ldap.core.DistinguishedName;
import org.springframework.security.authentication.AccountExpiredException; import org.springframework.security.authentication.AccountExpiredException;
@ -29,8 +46,12 @@ import java.util.*;
/** /**
* @author Luke Taylor * @author Luke Taylor
* @author Rob Winch
*/ */
public class ActiveDirectoryLdapAuthenticationProviderTests { public class ActiveDirectoryLdapAuthenticationProviderTests {
@Rule
public ExpectedException thrown = ExpectedException.none();
ActiveDirectoryLdapAuthenticationProvider provider; ActiveDirectoryLdapAuthenticationProvider provider;
UsernamePasswordAuthenticationToken joe = new UsernamePasswordAuthenticationToken("joe", "password"); UsernamePasswordAuthenticationToken joe = new UsernamePasswordAuthenticationToken("joe", "password");
@ -127,10 +148,30 @@ public class ActiveDirectoryLdapAuthenticationProviderTests {
provider.authenticate(joe); provider.authenticate(joe);
} }
@Test(expected = BadCredentialsException.class) @Test
public void passwordNeedsResetIsCorrectlyMapped() { public void passwordNeedsResetIsCorrectlyMapped() {
provider.contextFactory = createContextFactoryThrowing(new AuthenticationException(msg + "773, xxxx]")); final String dataCode = "773";
provider.contextFactory = createContextFactoryThrowing(new AuthenticationException(msg + dataCode+", xxxx]"));
provider.setConvertSubErrorCodesToExceptions(true); provider.setConvertSubErrorCodesToExceptions(true);
thrown.expect(BadCredentialsException.class);
thrown.expect(new BaseMatcher<BadCredentialsException>() {
private Matcher<Object> causeInstance = CoreMatchers.instanceOf(ActiveDirectoryAuthenticationException.class);
private Matcher<String> causeDataCode = CoreMatchers.equalTo(dataCode);
public boolean matches(Object that) {
Throwable t = (Throwable) that;
ActiveDirectoryAuthenticationException cause = (ActiveDirectoryAuthenticationException) t.getCause();
return causeInstance.matches(cause) && causeDataCode.matches(cause.getDataCode());
}
public void describeTo(Description desc) {
desc.appendText("getCause() ");
causeInstance.describeTo(desc);
desc.appendText("getCause().getDataCode() ");
causeDataCode.describeTo(desc);
}
});
provider.authenticate(joe); provider.authenticate(joe);
} }