Spring Security with Active Directory shows *Property 'userDn' not set - anonymous context will be used for read-write operations* INFO message even if anonymous is disabled in HttpSecurity settings #14079
Comments
Hi, @dbnex14.
I don't think that is right. If you take a look at the line that performs the log, you can see that it also set the
It is important to note that you are not allowing anonymous users to log in, it only means that read-only operations will be performed using an anonymous context. If you want to specify the username (DN) of the "manager" user identity used to authenticate to an LDAP server, you can configure it like so:

```java
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(activeDirectoryAuthenticationProvider()).eraseCredentials(false);
    // the chained call needs a terminating semicolon
    auth.ldapAuthentication().contextSource().managerDn("uid=admin,ou=system").managerPassword("mypassword");
}
```

You can also refer to the documentation for a more modern way of configuring LDAP authentication.
Hi @marcusdacoregio and thank you for your reply. Unfortunately, the answer and the provided documentation links contradict themselves, as I will try to explain below. And to my point, clear documentation in Spring showing how to authenticate in a non-anonymous as well as an anonymous way would help. I have spent days on this and all I can say is that there is either no example explaining these 2 ways, or they are just debated in text but not in code examples, therefore lacking clarity. This causes problems in enterprises and I will try to explain below by replying to your comments, please follow
I have to make 2 points on this:
Not exactly, my API does not allow anonymous users to log in, it requires BasicAuth and sets anonymous.disabled(), I get that. But that is the API, not the AD. The AD context used is still anonymous as the LOG message clearly states, and the message claims that the AD context is anonymous for both read AND write, not only read.
> If you want to specify the username (DN) of the "manager" user identity used to authenticate to an LDAP server, you can configure it like so:
To comment on this, setting managerDn like this assumes you have the uid and password available at the startup of the application, but that is not where authentication happens. This is just where AuthenticationManagerBuilder is set up; the actual authentication happens in the Authentication Filter (onSuccessfulAuthentication or onUnsuccessfulAuthentication). So, it also does not apply because you do not authenticate 1 user only by supplying these values here, you authenticate once the user provides their username/password in the BasicAuth header. That happens after the app has started and when the user hits a protected endpoint requiring authentication.
This article is exactly the problem as I stated - no clarity. Take a look at it, it has only a very small portion about Active Directory at the bottom and my code uses exactly what is in this article. The rest of the article is totally unrelated because it uses embedded LDAP AND because it is LDAP specific, not Active Directory specific. Given that you stated above to use userId (DN) "managerId"... this tells me that your article in this link (and pretty much all articles out there explaining Spring Security with AD) are using an anonymous context for read-write. Because that is what it means if specifying userDN is required for non-anonymous authentication. Again, expanding that article and providing sections like "Anonymous authentication with Active Directory" and "Non-anonymous Authentication with Active Directory" with examples would help. I think this issue should be reopened as it is lacking clarity and explanation, and this is raising eyebrows because once security debugging is enabled, it clearly logs a message that anonymous access in read-write form is allowed. No security team will go blind on this. Please reopen to allow others to contribute, and thank you.
So, I also tried setting this line in the AuthenticationManagerBuilder configuration in my code above. Regardless of how I set it, I get the same error back: IllegalStateException: Embedded LDAP server is not provided. This seems to be only applicable if using embedded LDAP, but I am not using embedded LDAP, I am using AD.
I am using exactly what this documentation is recommending, see the bottom of that page. It has only a small portion for Active Directory. The rest of the article is unrelated as it mostly applies to the embedded LDAP. The small section at the very bottom named "Active Directory" contains very limited details (which I already use) and does not cover how to prevent the INFO log message stating that anonymous context will be used for read-write operations. It appears that all articles talking about Spring Security with AD are using an anonymous context.
Hi, @dbnex14. There is more documentation on the Spring LDAP Reference that you might want to check. Spring Security uses Spring LDAP under the hood, therefore everything that is not strictly related to authentication is in Spring LDAP docs.
I do not think that you are following what that property means. The manager credentials are used for creating an authentication
You are probably not setting the It seems to me that the problem here is just that the log message is providing a misleading message, instead of
Thank you Marcus but ...
Yes, I checked that document as well. It mentions Active Directory only once and unrelated to the above reported issue. Again, I am talking about Active Directory LDAP, which your documentation/examples lack context about. The above url is unrelated as it does not touch anything related to setting up AD as described (in a very brief and obscure way) in your documentation, for example https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/ldap.html#_active_directory or https://docs.spring.io/spring-security/site/docs/5.2.0.RELEASE/reference/html/jc-authentication.html#java-ee-container-authentication and a few other places.
Yes, but again, your documentation about Active Directory at the bottom of this document https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/ldap.html#_active_directory (and many more) does not use managerDN at all, and if, as you suggested, I do set managerDN I get an error about "Embedded LDAP", which is not what I use. I am using AD.
Again, the document about Active Directory use with Spring Security does not set this that way, see the bottom of https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/ldap.html#_active_directory. I am using exactly what your documentation states and also setting the AD LDAP url as the document suggests when using Spring Security with Active Directory. And in that case, the INFO log message shows that the anonymous context will be used for read-write operations if you enable security debug logging by use of @EnableWebSecurity(debug = true).
The problem is that the way Active Directory is set up with Spring Security appears to be always anonymous regardless of whether it is read or read-write, but yes, read-write is even more of a problem. I am unable to contribute as this is eating too much of my time, but I think what I provided here is enough contribution already. It appears clear that there is a disconnect when it comes to Spring Security and Active Directory documentation. I could only suggest how to improve, which in my opinion would be to: Update the Spring Security Active Directory section of the above document to provide
Hi, @dbnex14. I apologize for the confusion in this issue and I appreciate your effort in researching via the documentation. We are willing to update the documentation to make your use case easier to apply. Related to the log message, I opened spring-projects/spring-ldap#833 to check that on the Spring LDAP side. It seems to me that this ticket could be focused on improving the documentation around supported Active Directory configurations. It would be great if you could share a sample application or even submit a PR yourself that enhances the docs. In addition to that, I'll bring this to the team's attention and collect some more information to improve the docs. I'd like more clarification on the following:
What do you mean by accessing it anonymously? Is it that you have a protected endpoint and you are afraid that it could be accessed without authentication? I don't see how
Thank you @marcusdacoregio, please see below...
I will see if I get a chance to create a quick dummy project and share it with you, but the thing is really simple: just use your documentation from the above comment, annotate the spring security class with the @EnableWebSecurity(debug = true) annotation to enable security debugging, and when you start up your app, watch the console log and you will see a message like: the anonymous context will be used for read-write operations. I will see if I get some time to create a very simple REST API and share it.
No, ignore this please. As I said, my API is handling the authentication and authorization, so no one can access it anonymously. The sole problem I am bringing here is the above log message and the fact that the Spring documentation is lacking context when it comes to Active Directory:
I feel your documentation is way too focused on embedded LDAP, which no one will really use except for learning, then on standard LDAPs, and has almost nothing about Active Directory. Thanks again, I appreciate your help and effort.
@marcusdacoregio Here is a very basic demo project using AD LDAP: ADLdap demo. As you can see, it is setting all. The 3 application.properties for LDAP are not set to a real AD LDAP, but you don't even need it. The main thing is that spring security debugging is enabled, see the annotation in the SecurityConfig class. Once you issue mvn clean install or run the application, the console output will show the INFO log message Property 'userDn' not set - anonymous context will be used for read-write operations https://github.com/dbnex14/ADLDAPDemo/blob/master/HELP.md Why is this a problem and what is causing it? I hope the screenshot below showing spring-ldap AbstractContextSource.java explains it.
You do not need AD configuration or web security debug enabled for that log message to appear. If you have some common configuration with embedded LDAP server like the following:

```java
@Bean
AuthenticationManager authenticationManager(BaseLdapPathContextSource contextSource) {
    LdapBindAuthenticationManagerFactory factory = new LdapBindAuthenticationManagerFactory(contextSource);
    factory.setUserDnPatterns("uid={0},ou=people");
    return factory.createAuthenticationManager();
}

@Bean
public EmbeddedLdapServerContextSourceFactoryBean contextSourceFactoryBean() {
    EmbeddedLdapServerContextSourceFactoryBean contextSourceFactoryBean =
            EmbeddedLdapServerContextSourceFactoryBean.fromEmbeddedLdapServer();
    contextSourceFactoryBean.setPort(0);
    contextSourceFactoryBean.setLdif("classpath:users.ldif");
    return contextSourceFactoryBean;
}
```

Then you will see:
Related to that, there is an issue open in Spring LDAP to fix the misleading message. The Note that the manager credentials are not the username and password of the currently authenticated user. However, you can specify a custom principal to create the authenticated
This concern will be taken care of by spring-projects/spring-ldap#833. If you do not want to use an anonymous context, you should provide the manager credentials as mentioned above and here. You can also opt into disabling the LDAP auto configuration by doing That being said, we are looking into how to improve the documentation to include the necessary information about all that.
Closing in favor of spring-projects/spring-ldap#833
@marcusdacoregio This would be an excellent addition to the documentation I was referring to above. What really struck me in the Spring Security documentation was this usage of "manager" (with quotation marks). As I said earlier, what does it even mean? Also the usage of anonymous without explaining what exactly it means. Lots of documentation out there simply says anonymous users can do whatever they want.
@marcusdacoregio Thanks Marcus, this line explained a lot: "You can also opt into disabling the LDAP auto configuration by doing @SpringBootApplication(exclude = LdapAutoConfiguration.class), since that is the configuration that creates the LdapContextSource and the ActiveDirectoryLdapAuthenticationProvider does not need a ContextSource.". ... but if you do this on the application level (with However, and it is a common scenario that an API might have to authenticate against multiple LDAPs. One of which might be AD but the 2nd one might be Oracle Unified Directory or IBM Tivoli or some other LDAP vendor. So, while opting out of it by use of For example, I use, in addition to AD, Oracle Unified Directory LDAP. I have a separate class handling the Oracle Unified Directory LDAP configuration which will set up
I wonder if there is a way to opt in/out of using Thank you
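As an added example (not code from this thread or from the Spring projects) tying together the two points discussed above: Marcus's advice to set manager credentials on the context source or to exclude LdapAutoConfiguration, and the scenario in the last comment of one API authenticating against both Active Directory and a second LDAP directory. It assumes Spring Boot 3 / Spring Security 6; the domain, URLs, DNs, environment variable and class name are made-up placeholders.

```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.ldap.LdapAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;

// Excluding LdapAutoConfiguration stops Boot from creating an implicit LdapContextSource
// with no userDn (the source of the INFO message); every context source below is explicit.
@SpringBootApplication(exclude = LdapAutoConfiguration.class)
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    // Second directory (e.g. Oracle Unified Directory): manager credentials are set, so
    // AbstractContextSource never falls back to the anonymous context for this source.
    @Bean
    DefaultSpringSecurityContextSource oudContextSource() {
        DefaultSpringSecurityContextSource oud = new DefaultSpringSecurityContextSource(
                "ldaps://oud.example.com:636/dc=example,dc=com"); // assumed URL and base DN
        oud.setUserDn("cn=svc-ldap-reader,ou=service-accounts,dc=example,dc=com"); // assumed DN
        oud.setPassword(System.getenv("OUD_MANAGER_PASSWORD")); // assumed env var; read-only account
        return oud; // Spring calls afterPropertiesSet() on the bean
    }

    @Bean
    AuthenticationManager authenticationManager(DefaultSpringSecurityContextSource oudContextSource) {
        // Active Directory: binds with the credentials from the Basic Auth header itself,
        // so no ContextSource (and hence no manager or anonymous context) is involved.
        ActiveDirectoryLdapAuthenticationProvider ad = new ActiveDirectoryLdapAuthenticationProvider(
                "corp.example.com", "ldaps://ad.corp.example.com:636"); // assumed domain and URL
        ad.setSearchFilter("(&(sAMAccountName={1})(objectClass=user))");
        ad.setConvertSubErrorCodesToExceptions(true); // map AD sub-error codes to specific exceptions
        // Generic LDAP: locate the user with the manager credentials, then bind as that user.
        BindAuthenticator authenticator = new BindAuthenticator(oudContextSource);
        authenticator.setUserSearch(new FilterBasedLdapUserSearch("ou=people", "(uid={0})", oudContextSource));
        LdapAuthenticationProvider ldap = new LdapAuthenticationProvider(authenticator);
        // AD is consulted first; if it throws an AuthenticationException, ProviderManager moves on
        // to the next provider and only fails when none of them succeeds.
        return new ProviderManager(ad, ldap);
    }
}
```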
Describe the bug
I use AD to authenticate users, which works as expected. I have a class like below:
Note that I have enabled security debugging with
@EnableWebSecurity(debug=true)
in order to view security debugging information. Above, I set my searchFilter to use this AD filter using sAMAccountName like
(&(sAMAccountName={1})(objectClass=user))
(The same result happens if I use
(&(userPrincipalName={0})(objectClass=user))
instead.) My authentication/authorization mechanism works as expected and I am very happy about it. However, with security debugging enabled (above
@EnableWebSecurity(debug = true)
), I am seeing an INFO level message in the console when I run my application like this:
Property 'userDn' not set - anonymous context will be used for read-write operations
This tells me clearly that the application will allow users to access it anonymously without having to authenticate. Someone recommended adding a line to the HttpSecurity configuration above, which I did (see line
.anonymous().disable()
) but this makes no difference. I have spent days trying to figure out how to prevent this but I could not find any help on how to do this when connecting to AD.
To Reproduce
Steps to reproduce the behavior.
@EnableWebSecurity(debug = true)
like above
Expected behavior
My understanding is that using
&(sAMAccountName={1})
and / or
&(userPrincipalName={0})
will plug the registered AD userId of the user trying to authenticate into the placeholders {1} and / or {0} above. If the user is present in AD, authentication will be successful. Otherwise, it will fail. I have exactly this behavior, so all good.
PROBLEM:
I do not understand why the INFO message says that anonymous context will be used for read-write operations. I do not want to use anonymous mode, so I do not want that INFO message to appear, since it is raising questions as we do not want to allow anonymous (meaning unknown) users to log in.
Sample
I cannot provide access to our repositories, company policy.