SEC-2405: BadLdapGrammarException with search result from referral #2625

Closed
spring-issuemaster opened this Issue Oct 17, 2012 · 8 comments


Tom Field (Migrated from SEC-2405) said:

org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 6. Encountered: <EOF> after : ""

within DirContextOperations searchForSingleEntryInternal

We have a search result where searchResult.getName() = ldap://blahblah

LdapUtils.convertCompositeNameToString() within the DistinguishedName constructor for this gives "ldap:"

Then DistinguishedName blows up with this exception.
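
The chain Tom describes can be reproduced with plain JNDI classes. The following is an added illustration, not Spring LDAP or Spring Security code and not the fix that eventually shipped: `firstCompositeComponent` imitates a composite-name-to-string conversion that keeps only the first "/"-separated component (which is why a referral name like `ldap://host/DN` collapses to `ldap:`), and `toLdapName` is a hypothetical URL-aware alternative that pulls the DN out of an RFC 4516 LDAP URL before handing it to a DN parser. The host names and DNs are constructed sample values.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.ldap.LdapName;

/**
 * Added illustration (not Spring LDAP / Spring Security code) of the referral-name problem.
 * All host names and DNs used below are constructed samples.
 */
public class ReferralNameDemo {

    /**
     * Imitates a composite-name-to-string conversion that keeps only the first
     * "/"-separated component. JNDI's CompositeName splits "ldap://host/DN" into the
     * components "ldap:", "", "host" and "DN", so the result is just "ldap:".
     */
    static String firstCompositeComponent(String name) throws InvalidNameException {
        CompositeName composite = new CompositeName(name);
        return composite.isEmpty() ? "" : composite.get(0);
    }

    /** Hypothetical URL-aware replacement: accepts either a plain DN or an RFC 4516 LDAP URL. */
    static LdapName toLdapName(String resultName) throws NamingException {
        boolean isUrl = resultName.regionMatches(true, 0, "ldap://", 0, 7)
                || resultName.regionMatches(true, 0, "ldaps://", 0, 8);
        return new LdapName(isUrl ? dnFromLdapUrl(resultName) : resultName);
    }

    /**
     * RFC 4516 layout: ldap://host[:port]/DN[?attrs[?scope[?filter[?exts]]]].
     * The DN is the percent-encoded text between the first "/" after the host and the first "?".
     */
    static String dnFromLdapUrl(String url) throws InvalidNameException {
        int schemeEnd = url.indexOf("://");
        if (schemeEnd < 0) {
            throw new InvalidNameException("Not an LDAP URL: " + url);
        }
        int pathStart = url.indexOf('/', schemeEnd + 3);
        if (pathStart < 0) {
            return ""; // "ldap://host" with no path names the root DSE: empty DN
        }
        int pathEnd = url.indexOf('?', pathStart);
        String rawDn = url.substring(pathStart + 1, pathEnd < 0 ? url.length() : pathEnd);
        return percentDecode(rawDn);
    }

    /**
     * Percent-decoding of the DN path. java.net.URLDecoder is deliberately not used because it
     * turns "+" into a space, which an LDAP URL does not permit. Malformed escapes are not tolerated.
     */
    static String percentDecode(String s) {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()) {
                bytes.write(Integer.parseInt(s.substring(i + 1, i + 3), 16));
                i += 2;
            } else {
                byte[] utf8 = String.valueOf(c).getBytes(StandardCharsets.UTF_8);
                bytes.write(utf8, 0, utf8.length);
            }
        }
        return new String(bytes.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws NamingException {
        // Constructed samples: a name returned for an entry held locally, and one returned
        // for an entry reached by following a referral to a second server.
        String localName = "CN=John Doe,OU=Users,DC=example,DC=com";
        String referralName = "ldap://ad2.example.com:389/CN=Jane%20Doe,OU=Users,DC=example,DC=com";

        // 1. The naive conversion keeps only the scheme, and the DN parser rejects it.
        String truncated = firstCompositeComponent(referralName);
        System.out.println("first composite component: \"" + truncated + "\"");
        try {
            new LdapName(truncated);
        } catch (InvalidNameException e) {
            System.out.println("LdapName rejects it: " + e.getMessage());
        }

        // 2. The URL-aware conversion yields a parseable DN for both shapes of result name.
        System.out.println("local:    " + toLdapName(localName));
        System.out.println("referral: " + toLdapName(referralName));
    }
}
```

Running `main` prints `"ldap:"` for the truncated component, an `InvalidNameException` from `LdapName` for that fragment (the JNDI counterpart of the `BadLdapGrammarException` in the report), and the two full DNs from the URL-aware path. The same truncation also bites any DN whose value legitimately contains a "/", so whatever conversion is used should not go through `CompositeName` component splitting at all.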

spring-issuemaster Nov 16, 2012

Patrick Wong said:

I get the exact same error message.

I am using Artifactory, which uses Spring LDAP, to connect to an Active Directory server. It is able to authenticate users who are stored directly on that AD server. However, when it tries to authenticate users who are referred by the first AD server to a second AD server, it seems like Spring LDAP cannot handle the response and spits out the error:

org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 6.  Encountered: <EOF> after : ""
    at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:224) [spring-ldap-core-1.3.1.RELEASE.jar:1.3.1.RELEASE]
    at org.springframework.ldap.core.DistinguishedName.<init>(DistinguishedName.java:199) [spring-ldap-core-1.3.1.RELEASE.jar:1.3.1.RELEASE]
    at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:222) [spring-security-ldap-3.1.0.RELEASE.jar:3.1.0.RELEASE]
    at org.springframework.security.ldap.SpringSecurityLdapTemplate$3.executeWithContext(SpringSecurityLdapTemplate.java:198) [spring-security-ldap-3.1.0.RELEASE.jar:3.1.0.RELEASE]
    at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:807) [spring-ldap-core-1.3.1.RELEASE.jar:1.3.1.RELEASE]
    at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:793) [spring-ldap-core-1.3.1.RELEASE.jar:1.3.1.RELEASE]
    at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:196) [spring-security-ldap-3.1.0.RELEASE.jar:3.1.0.RELEASE]
    at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:116) [spring-security-ldap-3.1.0.RELEASE.jar:3.1.0.RELEASE]
    at org.artifactory.security.ldap.ArtifactoryBindAuthenticator.authenticate(ArtifactoryBindAuthenticator.java:144) [artifactory-core-2.6.5.jar:na]
    at org.artifactory.security.ldap.LdapServiceImpl.testLdapConnection(LdapServiceImpl.java:67) [artifactory-core-2.6.5.jar:na]
    at org.artifactory.security.SecurityServiceImpl.testLdapConnection(SecurityServiceImpl.java:1413) [artifactory-core-2.6.5.jar:na]
    at sun.reflect.GeneratedMethodAccessor86.invoke(Unknown Source) [na:na]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [na:1.7.0_07]
    at java.lang.reflect.Method.invoke(Method.java:601) [na:1.7.0_07]
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:318) [spring-aop-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:196) [spring-aop-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at $Proxy64.testLdapConnection(Unknown Source) [na:na]
    at sun.reflect.GeneratedMethodAccessor86.invoke(Unknown Source) [na:na]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [na:1.7.0_07]
    at java.lang.reflect.Method.invoke(Method.java:601) [na:1.7.0_07]
    at org.apache.wicket.proxy.LazyInitProxyFactory$JdkHandler.invoke(LazyInitProxyFactory.java:416) [wicket-ioc-1.5.3.jar:1.5.3]
    at org.apache.wicket.proxy.$Proxy188.testLdapConnection(Unknown Source) [na:1.5.3]
    at org.artifactory.webapp.wicket.page.config.security.LdapCreateUpdatePanel$2.onSubmit(LdapCreateUpdatePanel.java:232) [artifactory-web-application-2.6.5.jar:na]
    at org.artifactory.common.wicket.component.links.TitledAjaxSubmitLink$1.onSubmit(TitledAjaxSubmitLink.java:60) [artifactory-web-common-2.6.5.jar:na]
    at org.apache.wicket.ajax.form.AjaxFormSubmitBehavior$1.onSubmit(AjaxFormSubmitBehavior.java:172) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.markup.html.form.Form.delegateSubmit(Form.java:1174) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.markup.html.form.Form.process(Form.java:838) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.markup.html.form.Form.onFormSubmitted(Form.java:762) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.ajax.form.AjaxFormSubmitBehavior.onEvent(AjaxFormSubmitBehavior.java:158) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.ajax.AjaxEventBehavior.respond(AjaxEventBehavior.java:166) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.ajax.AbstractDefaultAjaxBehavior.onRequest(AbstractDefaultAjaxBehavior.java:316) [wicket-core-1.5.3.jar:1.5.3]
    at sun.reflect.GeneratedMethodAccessor90.invoke(Unknown Source) [na:na]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [na:1.7.0_07]
    at java.lang.reflect.Method.invoke(Method.java:601) [na:1.7.0_07]
    at org.apache.wicket.RequestListenerInterface.internalInvoke(RequestListenerInterface.java:260) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.RequestListenerInterface.invoke(RequestListenerInterface.java:241) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.request.handler.ListenerInterfaceRequestHandler.invokeListener(ListenerInterfaceRequestHandler.java:255) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.request.handler.ListenerInterfaceRequestHandler.respond(ListenerInterfaceRequestHandler.java:234) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:750) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64) [wicket-request-1.5.3.jar:1.5.3]
    at org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:252) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:209) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:280) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:162) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:218) [wicket-core-1.5.3.jar:1.5.3]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) [catalina.jar:7.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) [catalina.jar:7.0.30]
    at org.artifactory.webapp.servlet.RepoFilter.execute(RepoFilter.java:163) [artifactory-web-application-2.6.5.jar:na]
    at org.artifactory.webapp.servlet.RepoFilter.doFilter(RepoFilter.java:84) [artifactory-web-application-2.6.5.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) [catalina.jar:7.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) [catalina.jar:7.0.30]
    at org.artifactory.webapp.servlet.AccessFilter.useAuthentication(AccessFilter.java:272) [artifactory-web-application-2.6.5.jar:na]
    at org.artifactory.webapp.servlet.AccessFilter.doFilterInternal(AccessFilter.java:181) [artifactory-web-application-2.6.5.jar:na]
    at org.artifactory.webapp.servlet.AccessFilter.doFilter(AccessFilter.java:143) [artifactory-web-application-2.6.5.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) [catalina.jar:7.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) [catalina.jar:7.0.30]
    at org.artifactory.webapp.servlet.RequestFilter.doFilter(RequestFilter.java:57) [artifactory-web-application-2.6.5.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) [catalina.jar:7.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) [catalina.jar:7.0.30]
    at org.artifactory.webapp.servlet.ArtifactoryFilter.doFilter(ArtifactoryFilter.java:72) [artifactory-web-application-2.6.5.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) [catalina.jar:7.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) [catalina.jar:7.0.30]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) [catalina.jar:7.0.30]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) [catalina.jar:7.0.30]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) [catalina.jar:7.0.30]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168) [catalina.jar:7.0.30]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) [catalina.jar:7.0.30]
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929) [catalina.jar:7.0.30]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) [catalina.jar:7.0.30]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) [catalina.jar:7.0.30]
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002) [tomcat-coyote.jar:7.0.30]
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585) [tomcat-coyote.jar:7.0.30]
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1813) [tomcat-coyote.jar:7.0.30]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [na:1.7.0_07]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [na:1.7.0_07]
    at java.lang.Thread.run(Thread.java:722) [na:1.7.0_07]
Caused by: org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 6.  Encountered: <EOF> after : ""
    at org.springframework.ldap.core.DnParserImplTokenManager.getNextToken(DnParserImplTokenManager.java:678) [spring-ldap-core-1.3.1.RELEASE.jar:1.3.1.RELEASE]
    at org.springframework.ldap.core.DnParserImpl.jj_consume_token(DnParserImpl.java:231) [spring-ldap-core-1.3.1.RELEASE.jar:1.3.1.RELEASE]
    at org.springframework.ldap.core.DnParserImpl.SpacedEquals(DnParserImpl.java:114) [spring-ldap-core-1.3.1.RELEASE.jar:1.3.1.RELEASE]
    at org.springframework.ldap.core.DnParserImpl.attributeTypeAndValue(DnParserImpl.java:94) [spring-ldap-core-1.3.1.RELEASE.jar:1.3.1.RELEASE]
    at org.springframework.ldap.core.DnParserImpl.rdn(DnParserImpl.java:58) [spring-ldap-core-1.3.1.RELEASE.jar:1.3.1.RELEASE]
    at org.springframework.ldap.core.DnParserImpl.dn(DnParserImpl.java:23) [spring-ldap-core-1.3.1.RELEASE.jar:1.3.1.RELEASE]
    at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:218) [spring-ldap-core-1.3.1.RELEASE.jar:1.3.1.RELEASE]
    ... 75 common frames omitted

I tested using an intentionally-wrong username as well as an intentionally-wrong password, and the errors in those cases are different.

I also did a lot of testing with Tomcat - I set up a security realm in server.xml that uses the first AD server, set all successfully-authenticated users to be able to use the default Tomcat manager, and tested that it is able to handle referrals to the second AD server. Therefore, the problem does not seem to be with the AD servers (unless Tomcat's way of handling them is smoothing out other errors).

spring-issuemaster May 9, 2013

Virgilio Rey said:

We have the same problem.

We have an OpenLDAP server with a tree referred to another OpenLDAP server.

Using tcpdump, I can see that the search process is correct, the referral is being followed, and there is a successful response, but then we get that exception in the log, and the authentication is aborted.

Here is the log:

2013-05-09 13:25:34,427 DEBUG --> Searching for user 'virgilio.rey.ext', with user search [ searchFilter: '(uid={0})', searchBase: 'o=empleados', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ] <-- (org.springframework.security.ldap.search.FilterBasedLdapUserSearch:107)
2013-05-09 13:25:34,431 DEBUG --> Got Ldap context on server 'ldap://server:389/o=xxx,c=es' <-- (org.springframework.ldap.core.support.AbstractContextSource:259)
2013-05-09 13:25:34,695 DEBUG --> Searching for entry under DN 'o=xxx,c=es', base = 'o=empleados', filter = '(uid={0})' <-- (org.springframework.security.ldap.SpringSecurityLdapTemplate:213)
2013-05-09 13:25:34,697 DEBUG --> No event was found for the exception org.springframework.security.authentication.InternalAuthenticationServiceException <-- (org.springframework.security.authentication.DefaultAuthenticationEventPublisher:94)
2013-05-09 13:25:34,697 ERROR --> An internal error occurred while trying to authenticate the user. <-- (org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter:202)
org.springframework.security.authentication.InternalAuthenticationServiceException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 6.  Encountered: <EOF> after : ""

        at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:191)
        at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
        at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:615)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:662)

Caused by: org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 6.  Encountered: <EOF> after : ""
        at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:224)
        at org.springframework.ldap.core.DistinguishedName.<init>(DistinguishedName.java:199)
        at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:222)
        at org.springframework.security.ldap.SpringSecurityLdapTemplate$3.executeWithContext(SpringSecurityLdapTemplate.java:198)
        at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:807)
        at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:793)
        at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:196)
        at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:116)
        at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:90)
        at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:178)
        ... 31 more

Caused by: org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 6.  Encountered: <EOF> after : ""
        at org.springframework.ldap.core.DnParserImplTokenManager.getNextToken(DnParserImplTokenManager.java:678)
        at org.springframework.ldap.core.DnParserImpl.jj_consume_token(DnParserImpl.java:231)
        at org.springframework.ldap.core.DnParserImpl.SpacedEquals(DnParserImpl.java:114)
        at org.springframework.ldap.core.DnParserImpl.attributeTypeAndValue(DnParserImpl.java:94)
        at org.springframework.ldap.core.DnParserImpl.rdn(DnParserImpl.java:58)
        at org.springframework.ldap.core.DnParserImpl.dn(DnParserImpl.java:23)
        at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:218)
        ... 40 more

2013-05-09 13:25:34,698 DEBUG --> Authentication request failed: org.springframework.security.authentication.InternalAuthenticationServiceException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 6.  Encountered: <EOF> after : "" <-- (org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter:346)

Is there any workaround? I think this bug is important, and the priority should be higher.

Thanks!

spring-issuemaster Jun 27, 2013

leroy nicolas said:

Do you have any solution for this issue?

spring-issuemaster Aug 1, 2013

Mattias Hellborg Arthursson said:

Terribly sorry for the long response time. The problem with referrals in Spring LDAP is discussed in LDAP-136; in all LdapTemplate methods that construct DirContextAdapter instances, this is automatically handled out of the box (if the appropriate property is set on the ContextSource to follow referrals). The problem here is that they are not using these methods in the specific subclass of LdapTemplate used in Spring Security. The name from the SearchResult is used as-is as an input to DistinguishedName. Since this string starts with ldap:// it's not a valid DistinguishedName and cannot be parsed.

I'm therefore tempted to say that this is not a bug in Spring LDAP; it should be handled in Spring Security.

As far as I can figure out, the simplest way to go about this would be for Spring Security to just use searchResult.getObject(), which can then be directly cast to a DirContextAdapter instance properly populated using the returned attributes and the DN of the found entry (due to DefaultDirContextFactory magic). Note that this requires the SearchControls to have the returningObjFlag set: searchControls.setReturningObjFlag(returningObjFlag).

I think that should do the trick.
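To make the suggestion above concrete, here is an added example (written for this page, not code from Spring Security or Spring LDAP) that resolves a JNDI SearchResult to a DirContextAdapter without ever parsing getName() as a DN. It assumes the Spring LDAP 1.3.x API (DistinguishedName, DirContextAdapter, BadLdapGrammarException) on the classpath; the class and method names are invented for the example, and the two SearchResult objects are constructed by hand to stand in for what a search returns: a plain relative name for an entry on the searched server, and an ldap:// URL for an entry reached through a followed referral. With a real ContextSource and returningObjFlag set, the object on the referral result is built by the ContextSource's DirObjectFactory (DefaultDirObjectFactory by default in Spring LDAP), which is what the example populates manually. The exact wording of the parse error may differ from the one in the logs above, but the failure mode is the same.

```java
import javax.naming.Name;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

import org.springframework.ldap.BadLdapGrammarException;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DistinguishedName;

/**
 * Added example, not Spring Security's or Spring LDAP's own code.
 * Shows why a referral-followed SearchResult cannot be resolved via getName()
 * and how getObject() (with returningObjFlag set) avoids the DN parse entirely.
 */
public class ReferralSafeSearchResult {

    /** Copy of the caller's SearchControls with returningObjFlag forced on; without it getObject() is null. */
    static SearchControls withReturningObject(SearchControls original) {
        return new SearchControls(
                original.getSearchScope(),
                original.getCountLimit(),
                original.getTimeLimit(),
                original.getReturningAttributes(),
                true, // returningObjFlag: let JNDI and the ContextSource's DirObjectFactory build the entry object
                original.getDerefLinkFlag());
    }

    /** Pre-fix approach: treat getName() as a DN. Fine for local entries, throws for referral results. */
    static DirContextAdapter resolveByName(SearchResult result) {
        // getName() is relative to the search base for local entries (a caller would prepend the base);
        // for a followed referral it is an ldap:// URL, which DistinguishedName rejects with BadLdapGrammarException.
        Name dn = new DistinguishedName(result.getName());
        return new DirContextAdapter(result.getAttributes(), dn);
    }

    /** Referral-safe approach: use the object the DirObjectFactory already populated, never re-parse the name. */
    static DirContextAdapter resolveByObject(SearchResult result) {
        Object obj = result.getObject();
        if (obj instanceof DirContextAdapter) {
            return (DirContextAdapter) obj; // DN and attributes already filled in, referral or not
        }
        if (!result.isRelative()) {
            // A non-relative name is a URL (referral target); there is no safe way to turn it into a DN here.
            throw new IllegalStateException("Referral result '" + result.getName()
                    + "' has no populated object; was returningObjFlag set on the SearchControls?");
        }
        return resolveByName(result); // plain relative name from the searched server
    }

    // ---- constructed sample data, standing in for what a JNDI search would return ----

    static SearchResult localResult() {
        Attributes attrs = new BasicAttributes(true);
        attrs.put("uid", "alice");
        return new SearchResult("uid=alice,ou=people", null, attrs, true);
    }

    static SearchResult referralResult() {
        Attributes attrs = new BasicAttributes(true);
        attrs.put("uid", "bob");
        Name dn = new DistinguishedName("uid=bob,ou=people,o=empleados");
        // With returningObjFlag=true, Spring LDAP's DefaultDirObjectFactory hands back a DirContextAdapter
        // like this one; the name JNDI reports for a followed referral is the full URL, not a DN.
        DirContextAdapter entry = new DirContextAdapter(attrs, dn);
        return new SearchResult("ldap://other.example.org/uid=bob,ou=people,o=empleados", entry, attrs, false);
    }

    public static void main(String[] args) {
        SearchControls controls = withReturningObject(new SearchControls());
        System.out.println("returningObjFlag=" + controls.getReturningObjFlag());

        System.out.println("local via name:   " + resolveByName(localResult()).getDn());
        System.out.println("referral via obj: " + resolveByObject(referralResult()).getDn());
        try {
            resolveByName(referralResult());
        } catch (BadLdapGrammarException e) {
            System.out.println("referral via name failed: " + e.getMessage());
        }
    }
}
```

The check on isRelative() is the practical safeguard: if a result comes back with a URL name and no object, the caller forgot returningObjFlag and should get a clear message instead of a lexer error deep inside DistinguishedName. Forcing the flag in a copy of the controls, rather than mutating the caller's SearchControls, keeps the caller's count, time and dereference settings intact.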

spring-issuemaster Nov 18, 2013

Mattias Hellborg Arthursson said:

rwinch: As suggested in my comment, I don't think this is a bug in Spring LDAP; the problem is solved in Spring LDAP, but Spring Security is not taking advantage of this. I think this issue should be moved to the Spring Security project.

spring-issuemaster Nov 19, 2013

Mattias Hellborg Arthursson said:

I've started working on a fix for this one, will submit pull request shortly.

spring-issuemaster Nov 20, 2013

Mattias Hellborg Arthursson said:

Submitted pull request: #57

spring-issuemaster Nov 20, 2013

Rob Winch said:

Thanks this has been merged into master
