
LDAP bind failures due to invalid credentials don't cause AuthenticationFailure events to be fired #3834

Closed
shawmanz32na opened this issue Apr 21, 2016 · 1 comment
in: saml2 An issue in SAML2 modules type: enhancement A general enhancement

Summary

When configured to use LDAP authentication in its default setup (bind verification instead of password verification), attempting to log in with invalid credentials, such as a bad password, does not lead to an AuthenticationFailureEvent as one would expect.

I've traced this issue to its source, and you could also more technically summarize this problem by saying that BindAuthenticator#bindWithDn should consider javax.naming.AuthenticationException a BadCredentialsException.

Background

Spring Security's org.springframework.security.authentication.DefaultAuthenticationEventPublisher#publishAuthenticationFailure method is set up to fire AuthenticationFailureBadCredentialsEvents when BadCredentialsExceptions are thrown (similar behavior exists for other authentication-related exceptions) during the actual authentication process. However, when configured to use LDAP authentication, the BindAuthenticator doesn't appropriately handle LDAP exceptions, which means InternalAuthenticationServiceExceptions are thrown instead of an appropriate exception. As this incorrect exception bubbles up, the DefaultAuthenticationPublisher#publishAuthenticationFailure method ignores the exception and doesn't fire any events. What should happen is that the BindAuthenticator#bindWithDn method should catch and convert exceptions (in my case a javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]).

Actual Behavior

BindAuthenticator#bindWithDn does not catch/convert javax.naming.AuthenticationExceptions, so the thrown exception instead gets wrapped as an org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - Invalid Credentials], which does not cause DefaultAuthenticationPublisher#publishAuthenticationFailure to fire an AuthenticationFailureBadCredentialsEvent.

Expected Behavior

BindAuthenticator#bindWithDn should catch/convert javax.naming.AuthenticationExceptions, such that DefaultAuthenticationPublisher#publishAuthenticationFailure will know to fire the appropriate AuthenticationFailureEvent.

Configuration

    // Global authentication setup: LDAP bind authentication against the
    // configured context source; user DN pattern and group search settings
    // come from externalized properties.
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                .userDnPatterns(env.getProperty("com.acme.userDnPattern"))
                .groupSearchBase(env.getProperty("com.acme.groupSearchBase"))
                .groupSearchFilter(env.getProperty("com.acme.groupSearchFilter"))
                .contextSource(tlsSpringSecurityContextSource());
    }

    // HTTP setup: form login processed at /api/authentication with AJAX
    // success/failure handlers; the failure handler is what runs when the
    // bind fails, but no AuthenticationFailureEvent is published.
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .formLogin()
            .loginProcessingUrl("/api/authentication")
            .successHandler(ajaxAuthenticationSuccessHandler)
            .failureHandler(ajaxAuthenticationFailureHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()
        .and()
            .authorizeRequests()
            .antMatchers("/api/authenticate").permitAll();
        // @formatter:on
    }

Version

Running with Spring Boot v1.2.5.RELEASE, Spring v4.1.7.RELEASE, Spring Security 4.0.2.RELEASE

I've inspected the current code involved in this issue, and it hasn't changed, so this is still an issue.

Sample
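The following is an added illustration of the mechanism the issue describes, not code from Spring Security or from the reporter. It uses only JDK types: javax.naming.AuthenticationException is the real exception an LDAP bind raises on error code 49, while BadCredentialsException, InternalAuthenticationServiceException and the EventPublisher are minimal stand-ins (constructed for this example) for Spring Security's exception types and DefaultAuthenticationEventPublisher, which publishes an event only for exception types it has a mapping for. The directory, the DN and the credential pair are likewise constructed. The "untranslated" path reproduces the reported behaviour (a bind failure wrapped as an internal error, so no event fires, and failed-login monitoring or lockout logic that listens for bad-credentials events never sees the attempt); the "translated" path shows the requested behaviour, where only invalid credentials become a BadCredentialsException and other naming failures (for example an unreachable server) still surface as internal errors.

```java
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class BindFailureEventDemo {

    // Hypothetical stand-ins for Spring Security's exception hierarchy (not the real classes).
    static class AuthenticationFailedException extends RuntimeException {
        AuthenticationFailedException(String msg, Throwable cause) { super(msg, cause); }
    }
    static class BadCredentialsException extends AuthenticationFailedException {
        BadCredentialsException(String msg, Throwable cause) { super(msg, cause); }
    }
    static class InternalAuthenticationServiceException extends AuthenticationFailedException {
        InternalAuthenticationServiceException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Stand-in for DefaultAuthenticationEventPublisher: an event is fired only when the
    // exception's concrete type has a registered mapping; anything else is silently dropped.
    static class EventPublisher {
        final List<String> firedEvents = new ArrayList<>();
        private final Map<Class<?>, String> mappings = Map.of(
                BadCredentialsException.class, "AuthenticationFailureBadCredentialsEvent");

        void publishAuthenticationFailure(AuthenticationFailedException ex, String user) {
            String event = mappings.get(ex.getClass());
            if (event == null) {
                return; // unmapped exception type: no event, which is the gap the issue describes
            }
            firedEvents.add(event + "(" + user + ")");
        }
    }

    // Constructed stand-in for the directory: the bind succeeds only for one credential pair
    // and otherwise fails the way a real LDAP server does for invalid credentials.
    static void ldapBind(String dn, String password) throws NamingException {
        boolean valid = "uid=alice,ou=people,dc=example,dc=com".equals(dn)
                && "correct-horse".equals(password);
        if (!valid) {
            throw new AuthenticationException("[LDAP: error code 49 - Invalid Credentials]");
        }
    }

    // Reported behaviour: every naming failure is wrapped as an internal error.
    static void bindWithDnUntranslated(String dn, String password) {
        try {
            ldapBind(dn, password);
        } catch (NamingException e) {
            throw new InternalAuthenticationServiceException(e.getMessage(), e);
        }
    }

    // Requested behaviour: invalid credentials are translated to BadCredentialsException,
    // other naming failures (connectivity, misconfiguration) remain internal errors.
    static void bindWithDnTranslated(String dn, String password) {
        try {
            ldapBind(dn, password);
        } catch (AuthenticationException e) {
            throw new BadCredentialsException("Bad credentials", e);
        } catch (NamingException e) {
            throw new InternalAuthenticationServiceException(e.getMessage(), e);
        }
    }

    // Models the provider/manager layer: catch the failure and hand it to the publisher.
    static List<String> attempt(EventPublisher publisher, Runnable bind, String user) {
        try {
            bind.run();
        } catch (AuthenticationFailedException ex) {
            publisher.publishAuthenticationFailure(ex, user);
        }
        return publisher.firedEvents;
    }

    public static void main(String[] args) {
        String dn = "uid=alice,ou=people,dc=example,dc=com";

        EventPublisher before = new EventPublisher();
        attempt(before, () -> bindWithDnUntranslated(dn, "wrong-password"), "alice");
        System.out.println("untranslated bind failure -> events fired: " + before.firedEvents);

        EventPublisher after = new EventPublisher();
        attempt(after, () -> bindWithDnTranslated(dn, "wrong-password"), "alice");
        System.out.println("translated bind failure   -> events fired: " + after.firedEvents);
    }
}
```

Running the class shows an empty event list for the untranslated path and a single bad-credentials event for the translated one. The point for anyone relying on authentication events for audit logging, brute-force detection or account lockout is that the translation step decides whether a failed LDAP bind is visible to those listeners at all.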

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 7, 2019
heruan (Contributor) commented Oct 18, 2019

Any update on this?

@jzheaux jzheaux self-assigned this Jun 18, 2024
@jzheaux jzheaux added type: enhancement A general enhancement in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 18, 2024
@jzheaux jzheaux added this to the 6.4.x milestone Jun 18, 2024
jzheaux added a commit that referenced this issue Jun 21, 2024
jzheaux added a commit that referenced this issue Jun 21, 2024
@jzheaux jzheaux modified the milestones: 6.4.x, 6.4.0-M1 Jun 21, 2024