BadCredentialsException is not serializable when using LDAP Authentication #5378
Comments
Also, on the note of LDAP, I'm looking to be able to take the error message and pass it through to the UI but I can't find any docs on that. Should I open a new issue regarding this? Thanks |
I am experiencing the same issue on v2.0.5.RELEASE. Is there any workaround for this? |
Thanks for the report.
It is generally recommended that you do not pass any details along to the UI about why authentication failed. Instead, you should give a generic message. Something like "The username/password combination you provided was not valid. Try again or click Forgot password to reset it." You could access it via a session attribute name of
I cannot think of a simple one off the top of my head at the moment. However, if someone can put a complete and minimal sample together perhaps we can come up with a fix and/or workaround. |
Just investigated a little further. But I am off for holidays now. I will try to provide a quick example or possible solution after I return. I ended up copying ActiveDirectoryLdapAuthenticationProvider and removing .initCause on badCredentials so the BadCredentialsException won't include the com.sun.jndi.ldap.LdapCtx as a quick fix for now. Shame on me :( Though the code is not in production yet |
That seems like a reasonable workaround to me. What is the type of Exception that is being passed into initCause? |
@rwinch I'm looking to obtain the failure reason for logging purposes and also to let the client know if he is providing incorrect credentials or of his account is locked (a common occurrence). I did figure out how to do this, though:
This was a while ago, but I believe this solution both fixes my serialization issue and helps me pass on the error message. |
@iKrushYou Yeah, that should do as well because
Thanks for the reply. It is surprising that is the root cause. Do you have the complete stacktrace of BadCredentialsException and its causes when the problem occurs? If we are the ones throwing the Exception perhaps we can replace the original exception with Spring LDAP's NamingException since it handles the resolvedObj during serialization. |
@rwinch let me see if i can remove this handler and see if I can get the stack trace for you. |
It appears the JDK is throwing the Exception that is not https://github.com/rwinch/spring-security/tree/gh-5378-ldap-serialization-issue |
@rwinch forgive my ignorance, but what is the easiest way to replace my maven dependency with your current branch? |
@iKrushYou Not a problem. You would clone my repository, switch to the correct branch, and run a |
@rwinch is that a gradle command? I can install gradle if i have to, but is there a maven command too? |
It is a gradle command, but you don't need to install Gradle since it has the Gradle wrapper which automatically downloads the correct version of Gradle for you. |
One last question.. sorry, I've got these security dependencies.. which one?
No problem. The spring-security-ldap dependency is probably the most important, but you should do all of them. For Spring Boot, you can do this by specifying a property |
To preface: I'm on a firewalled network. So I installed gradle manually and tried
Are you able to connect to |
My IntelliJ has proxies that should work.. I also have a proxy in terminal so I'm not sure why it's not working. |
I'm not sure IntelliJ will use those settings. Have you tried configuring Gradle to use those settings? https://docs.gradle.org/current/userguide/build_environment.html#sec:accessing_the_web_via_a_proxy |
Don't think so.. |
Or, I get this with ./gradlew
I'm not sure what to do to fix your issue since I'm not in your environment. If I were to build the jars for you, I'd publish them to repo.spring.io which is the same place the build is trying to download them from. If you install gradle manually you can use
However, all gradlew is doing is trying to download the file automatically for you. It sounds like that is failing because it is downloading Gradle and the proxy is performing a MITM which means the certificate is invalid. |
Sorry for all the frustration.. it sucks being in a closed environment. I have already installed gradle and I tried to do
I deployed it to https://repo.spring.io/snapshot/ with the version of |
Okay, I was wrong.. I don't have a proxy for Maven; I only have an internal mirror.. Also, is there an easier way to communicate instead of GitHub comments? |
@iKrushYou I think that is the best way. We could potentially chat on Gitter too, but it quickly becomes too much for me to handle with getting stuff done too |
I totally understand. I'm working on one project right now; meanwhile, this is something I was trying to figure out a few months ago. I tried adding just the jar (it did not work), but I feel like there's more to it than that. Maven probably does a whole bunch of wizardry (throughout all the different dependencies). |
You need to update the version by specifying a property |
@rwinch I can confirm that your bugfix works. |
Thanks for the confirmation @jbollacke! This is now fixed in master |
Summary
When using Spring Security (using LDAP) and Spring Session (jdbc) in combination, I'm running into a serialization error only when authentication fails. When the user logs in with correct credentials, everything works as expected. Session is duplicated across all nodes. But when the user enters invalid credentials, the server throws up an exception that I'm not sure how to catch (or mitigate)
Actual Behavior
The user logs in incorrectly and this error is thrown:
Failed to convert from type [java.lang.Object] to type [byte[]] for value 'org.springframework.security.authentication.BadCredentialsException: Bad credentials'; nested exception is org.springframework.core.serializer.support.SerializationFailedException: Failed to serialize object using DefaultSerializer; nested exception is java.io.NotSerializableException: com.sun.jndi.ldap.LdapCtx
Expected Behavior
The LdapCtx object should be serialized or ignored
Configuration
spring.session.store-type=jdbc
Version
Spring Boot Starter version 1.5.10.RELEASE
I have been redirected here from the spring session repo
spring-projects/spring-session#685
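To make the failure mode concrete, here is an added, self-contained Java example; it is not code from this issue or from Spring Security and uses only the JDK. It reproduces the exception chain described in the issue body above and in the discussion (the BadCredentialsException whose cause is a javax.naming exception that references the LDAP context) with a constructed stand-in for com.sun.jndi.ldap.LdapCtx attached through setResolvedObj, shows Java serialization failing on it the way a JDBC session store's DefaultSerializer does, and then shows two ways out: storing a small serializable value object that records only the failure type and message (enough for logging and for telling bad credentials from a locked account, without a live directory context), and rebuilding the exception with a cause that carries no resolved object, which is the workaround described in the thread. The names FailureSerializationDemo, BadCredentials, FakeLdapCtx, AuthenticationFailure and stripResolvedObj are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import javax.naming.AuthenticationException;
import javax.naming.NamingException;

public class FailureSerializationDemo {

    // Constructed stand-in for com.sun.jndi.ldap.LdapCtx: a live directory context, deliberately not Serializable.
    static final class FakeLdapCtx {
        final String url = "ldap://directory.example:389";
    }

    // Constructed stand-in for Spring Security's BadCredentialsException (Throwable is Serializable, so this is too).
    static final class BadCredentials extends RuntimeException {
        BadCredentials(String message) { super(message); }
    }

    // The chain the issue reports: BadCredentials -> javax.naming.AuthenticationException -> resolvedObj = context.
    static BadCredentials failureFromLdap() {
        NamingException ldapFailure = new AuthenticationException("[LDAP: error code 49 - Invalid Credentials]");
        ldapFailure.setResolvedObj(new FakeLdapCtx()); // the reference that drags the context into the session
        BadCredentials bad = new BadCredentials("Bad credentials");
        bad.initCause(ldapFailure);
        return bad;
    }

    // Java serialization round trip, i.e. what a JDBC or Redis session store does with every session attribute.
    static Object roundTrip(Object value) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return in.readObject();
        }
    }

    // Fix 1: store a value object that records the failure, not the exception's object graph.
    static final class AuthenticationFailure implements Serializable {
        private static final long serialVersionUID = 1L;
        final String rootCauseType;    // e.g. javax.naming.AuthenticationException vs. an account-locked exception
        final String rootCauseMessage; // for the log, never for the UI

        AuthenticationFailure(Throwable failure) {
            Throwable root = failure;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            this.rootCauseType = root.getClass().getName();
            this.rootCauseMessage = root.getMessage();
        }

        // What the UI is allowed to see: the same text whatever the reason.
        String userFacingMessage() {
            return "The username/password combination you provided was not valid.";
        }
    }

    // Fix 2: the thread's workaround as a function: keep the NamingException text, drop resolvedObj.
    static BadCredentials stripResolvedObj(BadCredentials original) {
        BadCredentials copy = new BadCredentials(original.getMessage());
        if (original.getCause() instanceof NamingException) {
            NamingException ne = (NamingException) original.getCause();
            NamingException clean = new NamingException(ne.getExplanation()); // no setResolvedObj
            copy.initCause(clean);
        }
        return copy;
    }

    public static void main(String[] args) throws Exception {
        BadCredentials failure = failureFromLdap();
        try {
            roundTrip(failure);
        } catch (NotSerializableException e) {
            System.out.println("session store would fail: " + e.getMessage()); // names FakeLdapCtx
        }
        AuthenticationFailure stored = (AuthenticationFailure) roundTrip(new AuthenticationFailure(failure));
        System.out.println("log: " + stored.rootCauseType + ": " + stored.rootCauseMessage);
        System.out.println("ui:  " + stored.userFacingMessage());
        BadCredentials cleaned = (BadCredentials) roundTrip(stripResolvedObj(failure));
        System.out.println("cause after cleanup: " + cleaned.getCause().getClass().getName());
    }
}
```

In a Spring application the AuthenticationFailure value is what a custom AuthenticationFailureHandler (assumed here, not shown) would put in the session, for example under WebAttributes.AUTHENTICATION_EXCEPTION, the attribute the default SimpleUrlAuthenticationFailureHandler uses for the raw exception; the UI still gets only the generic message, while the root-cause type and message go to the log. Whether a real LDAP bind failure sets resolvedObj depends on the JNDI provider, which is why the full stack trace was requested in the thread.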