OpenGeoportal security

Security in OpenGeoportal:

OpenGeoportal uses Spring Security for authentication. Spring Security is powerful and
flexible with support for a large number of authentication schemes built in.
See: http://static.springsource.org/spring-security/site/index.html
and: http://static.springsource.org/spring-security/site/docs/3.2.x/reference/springsecurity.html

Straight from the repository, it is configured with username/password authentication with these defaults:

 user: user
 password: jumbo
 user: admin
 password: pachyderm

The admin role doesn’t currently do anything special. It’s a placeholder for now.

The default security-app-context.xml appears below. The name and location of this file are
defined in web.xml. Note that /login* URLs require https.

 <beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
     xmlns:security="http://www.springframework.org/schema/security"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd">

   <security:http pattern="/resources/**" security="none" />
   <security:http use-expressions="true">
     <security:intercept-url pattern="/login*" access="permitAll" requires-channel="https" />
     <security:intercept-url pattern="/restricted/**" access="isAuthenticated()" />
     <security:form-login login-page="/logout"
         login-processing-url="/j_spring_security_logout" />
     <security:intercept-url pattern="/**" access="permitAll" />
   </security:http>

   <!--<security:ldap-server url="${ldap.url}" />-->
   <security:authentication-manager alias="authenticationManager" >
     <!--<security:ldap-authentication-provider user-search-filter="${ldap.userSearchFilter}"
         user-context-mapper-ref="userDetailsMapper.custom" />-->
     <security:authentication-provider>
       <security:user-service>
         <security:user name="admin" password="pachyderm" authorities="ROLE_ADMIN,ROLE_USER" />
         <security:user name="user" password="jumbo" authorities="ROLE_USER" />
       </security:user-service>
     </security:authentication-provider>
   </security:authentication-manager>
 </beans:beans>
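
A check for the defaults shown above, as an added example that is not part of OpenGeoportal: this Python script audits a security-app-context.xml for the shipped accounts, a user-service without a password-encoder, and authenticated paths that are not forced to https. The check names and the trimmed sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SEC = "http://www.springframework.org/schema/security"

# Accounts the page lists as the repository defaults.
SHIPPED_DEFAULTS = {("user", "jumbo"), ("admin", "pachyderm")}

# Constructed sample: the default security-app-context.xml from this page,
# with the schemaLocation attribute, form-login and commented-out LDAP lines left out.
DEFAULT_CONTEXT = """\
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security">
  <security:http pattern="/resources/**" security="none" />
  <security:http use-expressions="true">
    <security:intercept-url pattern="/login*" access="permitAll" requires-channel="https" />
    <security:intercept-url pattern="/restricted/**" access="isAuthenticated()" />
    <security:intercept-url pattern="/**" access="permitAll" />
  </security:http>
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
      <security:user-service>
        <security:user name="admin" password="pachyderm" authorities="ROLE_ADMIN,ROLE_USER" />
        <security:user name="user" password="jumbo" authorities="ROLE_USER" />
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans:beans>
"""


def _tag(name):
    """Qualified ElementTree tag name in the Spring Security namespace."""
    return "{%s}%s" % (SEC, name)


def audit_security_context(xml_text):
    """Return a sorted list of (check_id, detail) findings for one context file."""
    root = ET.fromstring(xml_text)
    findings = []

    for provider in root.iter(_tag("authentication-provider")):
        users = list(provider.iter(_tag("user")))
        for user in users:
            if (user.get("name"), user.get("password")) in SHIPPED_DEFAULTS:
                findings.append(("default-credentials", user.get("name")))
        # Without a <security:password-encoder> child the password attributes
        # are compared as plain text, so the file itself holds the secrets.
        if users and provider.find(_tag("password-encoder")) is None:
            findings.append(("plaintext-user-service", "%d user(s)" % len(users)))

    for http in root.iter(_tag("http")):
        if http.get("security") == "none":
            continue  # filter chain disabled for static resources
        for rule in http.findall(_tag("intercept-url")):
            needs_auth = rule.get("access", "") != "permitAll"
            if needs_auth and rule.get("requires-channel") != "https":
                # The session cookie for this path can cross the network in clear.
                findings.append(("auth-path-not-https", rule.get("pattern")))

    return sorted(findings)


if __name__ == "__main__":
    for check_id, detail in audit_security_context(DEFAULT_CONTEXT):
        print("%-24s %s" % (check_id, detail))
```
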
 

Enabling LDAP:

Enabling LDAP is straightforward. Comment out the authentication-provider section that contains usernames and passwords and uncomment “ldap-server” and “ldap-authentication-provider”. You will need to set the property “ldap.url” in your ogp.properties file to point to the URL of your LDAP server, and provide a user-search-filter for the “ldap.userSearchFilter” property.

We are not using LDAP groups to map roles, so we have provided a custom user details mapper. The bean name “userDetailsMapper.custom” refers to this section in applicationContext.xml:

 <beans:bean id="userDetailsMapper.custom" class="org.OpenGeoPortal.Security.SimpleLdapUserDetailsMapper" >
   <beans:property name="admins" value="${admins}" />
 </beans:bean>

From the bean definition, you can see the implementing class org.OpenGeoPortal.Security.SimpleLdapUserDetailsMapper, and that the property “admins” is injected with the value ${admins}, which is retrieved from ogp.properties. The value of the admins property is simply a comma-separated list of usernames that we want to assign the admin role to.

UserDetailsMapper:

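 package org.OpenGeoPortal.Security;

 import java.util.Collection;
 import java.util.HashSet;
 import java.util.Set;

 // ArrayUtils comes from Apache Commons Lang; use the package (lang or lang3) that matches your classpath
 import org.apache.commons.lang.ArrayUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.ldap.core.DirContextOperations;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;

 public class SimpleLdapUserDetailsMapper extends LdapUserDetailsMapper {
     protected String admins;
     protected String[] adminList;
     final Logger logger = LoggerFactory.getLogger(this.getClass());

     // Injected from the "admins" property: a comma-separated list of usernames
     public void setAdmins(String admins) {
         this.admins = admins.replace(" ", "");
         adminList = this.admins.split(",");
     }

     protected Boolean isAdmin(String username) {
         return ArrayUtils.contains(adminList, username);
     }

     @Override
     public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
             Collection<? extends GrantedAuthority> authority) {

         UserDetails originalUser = super.mapUserFromContext(ctx, username, authority);

         // Authorities derived from LDAP groups are ignored; every authenticated user gets ROLE_USER
         Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
         authorities.add(new SimpleGrantedAuthority("ROLE_USER"));

         // Usernames on the admins list also get ROLE_ADMIN
         if (isAdmin(originalUser.getUsername())) {
             authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
         }
         // Log the username and roles only; credentials must not reach the log files
         logger.debug(originalUser.getUsername());
         logger.debug(authorities.toString());

         // The LDAP password is not carried on the returned User; a placeholder is stored instead
         User newUser = new User(originalUser.getUsername(), "password", authorities);

         return newUser;
     }
 }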

The user details mapper here is very simple, since we only need to know for our system if a user is authenticated or not. In this case, we gather user details from LDAP into the user context and add the role “ROLE_USER”. If the username is found in the admins list, we also add ”ROLE_ADMIN”. If we were going to map LDAP authorities to OGP roles, we could iterate over the collection of GrantedAuthorities and match them up with “ROLE_USER” and “ROLE_ADMIN” as appropriate. Another possibility is to set up a database with usernames and roles to map against.

To write your own mapper, simply code the class, add a bean definition to applicationContext.xml, then reference the bean id in the security-app-context.xml.

Login: Form-based:

Direct form-based login is the default setting for OpenGeoportal. (I’m making a distinction here between form-based login, where the user can log in directly to the application, vs. SSO schemes that use a remote web page for authentication, like Shibboleth or CAS.) ogpConfig.json tells the client which authentication scheme is being used. Here is the entry for Tufts:


 "institutions": {"Tufts": {"login": {"loginType": "form", "authenticationPage": "login"},
 "proxy": {"id": "proxy.Restricted.Tufts", "accessLevel": ["restricted"], "wms": "restricted/wms", "wfs": "restricted/wfs"},
 "graphics":{"sourceIcon":{"resourceLocation": "resources/media/src_tufts.png", "altDisplay": "Tufts", "tooltipText": "Tufts University"}}},
 ...
 

With “loginType”: “form”, when the user makes a request to login, s/he is presented with a simple web form with fields for username and password. That form is POST’ed over SSL to a login controller, which is specified at “authenticationPage”: “login”. The login controller attempts to authenticate using a login service and returns a JSON object with a success value and granted role information. CORS is used as a solution to avoid same origin policy issues with http/https.

NOTE: Older versions of OpenGeoportal pass login information over SSL using “GET”, with a jsonp response to avoid same origin policy issues. While this ensures that usernames and passwords are not sent in plain text, Apache may be configured to log all GET requests. In this case, the username and password may be visible in plain text in your Apache logs as part of the query string, which may be a violation of your local IT policy. (This is not an issue for folks using remote web forms.)
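
One way to check existing Apache logs for the exposure described in the note above (added example, not OpenGeoportal code): it flags requests whose query string carries a password parameter and rewrites the line with the value redacted. The parameter names and the sample log lines are assumptions, since the page does not say which names the old GET login used.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: parameter names that may carry a secret. The page does not name
# the parameters of the old GET login, so adjust this set to your deployment.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "j_password"}

# Request field of the Apache common/combined log format: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# One key=value pair inside a request target, with its leading separator.
PAIR_RE = re.compile(r'(?P<sep>[?&])(?P<key>[^=&\s"]+)=(?P<value>[^&\s"]*)')

# Constructed sample lines (addresses are from documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Sep/2014:21:14:38 +0000] "GET /login?username=user&password=jumbo&callback=jsonp1 HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [30/Sep/2014:21:14:40 +0000] "GET /restricted/wms?SERVICE=WMS&REQUEST=GetMap HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Sep/2014:21:15:02 +0000] "POST /login HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Sep/2014:21:15:09 +0000] "GET /login?username=admin&Password=p%40ss HTTP/1.1" 401 32 "-" "Mozilla/5.0"',
]


def sensitive_params(target):
    """Return the sorted sensitive parameter names present in a request target."""
    query = urlsplit(target).query
    pairs = parse_qsl(query, keep_blank_values=True)
    return sorted({key for key, _ in pairs if key.lower() in SENSITIVE_KEYS})


def find_credential_leaks(lines):
    """Return (line_number, method, path, parameter_names) for each leaking request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we can parse; leave it to a human
        keys = sensitive_params(match.group("target"))
        if keys:
            path = urlsplit(match.group("target")).path
            hits.append((number, match.group("method"), path, keys))
    return hits


def redact_line(line):
    """Return the log line with sensitive parameter values replaced by REDACTED."""
    match = REQUEST_RE.search(line)
    if not match:
        return line

    def scrub(pair):
        if pair.group("key").lower() in SENSITIVE_KEYS:
            return "%s%s=REDACTED" % (pair.group("sep"), pair.group("key"))
        return pair.group(0)

    start, end = match.span("target")
    return line[:start] + PAIR_RE.sub(scrub, match.group("target")) + line[end:]


if __name__ == "__main__":
    for number, method, path, keys in find_credential_leaks(SAMPLE_LOG):
        print("line %d: %s %s exposes %s" % (number, method, path, ", ".join(keys)))
    for line in SAMPLE_LOG:
        print(redact_line(line))
```
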

NOTE:
Q: Why not just use https for the entire site? Aren’t you open to session side-jacking?
A: Even though Google maps, with v3, allows https access, most map services we encounter do not support https. While Firefox accepts “insecure content” in an https page silently, IE throws a warning, and Chrome fails silently (warnings appear in the console). In other words, to use https for everything, we must proxy all non SSL content, which is too heavy handed for us right now.

Unfortunately, this does leave us open to session side-jacking attacks. In this type of attack, the session id cookie of an authenticated user is stolen via packet-sniffing. The thief then has the same access as an authenticated user for the duration of the session.

However, we feel that the risk is low for several reasons:

  • Usernames and passwords are passed securely. Passwords are deleted directly after authentication.
  • The risk from a cookie being intercepted via packet sniffing is highest in unsecured Wi-Fi networks. Happily, roving bands of script kiddies are not currently known to hang out at Starbucks to steal GIS data. A similar type of attack could happen on a wired network, but any authenticated user on a shared wired network is almost certainly on campus, where all other users have the same access to restricted data.
  • Our restricted data is restricted because of licensing agreements. While we take this restriction quite seriously, it is not a national security issue.
  • No user data persists across sessions at this time, so there is no risk to the user in terms of lost data, altered profiles, or access to private information.
  • An authenticated session only allows access to layers on a single “local” GeoServer. The account this GeoServer uses to access our datastore is read-only. As an additional precaution, transactions are turned off at the GeoServer level. An interloper has no opportunity to change or corrupt data.

Despite this, we are examining different ways to increase security to eliminate or minimize the window of opportunity for these kinds of threats.

Accessing restricted layers from GeoServer:

At Tufts, we have 2 GeoServers set up for the OpenGeoportal. One contains public layers and the other contains restricted layers.

The ‘restricted’ GeoServer is set up with an LDAP reverse proxy at the Apache level for direct
access (not via OpenGeoportal; this is also the address we provide for restricted layers in solr).
The GeoServer is also available at a second path/port without authentication. This path/port is IP-restricted to the server hosting OpenGeoportal using Apache.

On the server, ogp.properties defines ogp.proxyToWMS, ogp.proxyToWFS, and ogp.proxyToWCS. The values for these properties should be the respective service endpoints for the “restricted” GeoServer as accessible to OpenGeoportal.

ex: ogp.proxyToWMS=http://your-restricted-geoserver:special-port/wms

Requests for local data marked as “restricted” in the solr index are intercepted by the client and sent to /restricted/* . If the user has logged in, the request is forwarded to the path defined in ogp.properties and the response forwarded to the client.

Look again at the Tufts entry in ogpConfig.json:

 "institutions": {"Tufts": {"login": {"loginType": "form", "authenticationPage": "login"},
 "proxy": {"id": "proxy.Restricted.Tufts", "accessLevel": ["restricted"], "wms": "restricted/wms", "wfs": "restricted/wfs"},
 "graphics":{"sourceIcon":{"resourceLocation": "resources/media/src_tufts.png", "altDisplay": "Tufts", "tooltipText": "Tufts University"}}},
 ...

The “proxy” object is defined for “accessLevel”:["restricted"], which matches the “Access” string from the solr index. This is an entry for “Tufts”, which is our local institution, so client requests for layers which have been identified as “local” and “restricted” are intercepted and the path is replaced with “restricted/wms” for wms requests and “restricted/wfs” for wfs requests (I’m not sure that the client ever makes a wfs request directly.)

The login state of the client is never relied on. Any calls for restricted data check authentication state server-side. Download requests for data that is remote and restricted, even if manually constructed, are simply rejected, since there is currently no way to authenticate to a remote service.

NOTE: OpenGeoportal has not yet been modified to take advantage of the authentication mechanisms (also built on Spring Security) built in to newer versions of GeoServer. This will be included with the 2.0 release.

Solr security:

Certain paths in solr, like “/update” and “/admin”, need to be secured. We currently do this by using Apache mod_rewrite to IP-restrict all but a few paths:

 /term*
 /select*
 /replication*

5 thoughts on “OpenGeoportal security”

  1. muhammad hamed

    I have a problem with enabling the authentication through form-based login and I always get an SSL error when pressing login, even with the default values – user for user name and jumbo for password – can anyone help please?
    Thanks in advance :)

  2. muhammad hamed

    Thanks to Mr. Chris Barnette I solved the login problem, but now I need help with the following:
    adding a new tab beside the cart tab to retrieve search results from solr. These search results will be independent of the zoom level, i.e. it will retrieve search results based on keyword or any other search filter in the advanced search without depending on zoom level, and of course the same thing with basic search.
    Thanks in advance

  3. muhammad hamed

    This is the Tomcat log when trying to start OpenGeoportal after following the instructions above:
    30-Sep-2014 21:14:38.959 INFO [http-apr-8080-exec-39] org.apache.catalina.core.ApplicationContext.log No Spring WebApplicationInitializer types detected on classpath
    30-Sep-2014 21:14:39.139 INFO [http-apr-8080-exec-39] org.apache.catalina.core.ApplicationContext.log Initializing Spring root WebApplicationContext
    30-Sep-2014 21:14:43.925 SEVERE [http-apr-8080-exec-39] org.apache.catalina.core.StandardContext.listenerStart Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.filterChains’: Cannot resolve reference to bean ‘org.springframework.security.web.DefaultSecurityFilterChain#1′ while setting bean property ‘sourceList’ with key [1]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.web.DefaultSecurityFilterChain#1′: Cannot resolve reference to bean ‘org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0′ while setting constructor argument with key [4]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0′: Cannot resolve reference to bean ‘org.springframework.security.authentication.ProviderManager#0′ while setting bean property ‘authenticationManager’; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.authentication.ProviderManager#0′: Cannot resolve reference to bean ‘org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0′ while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0′: FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.authenticationManager’: Cannot resolve reference to bean ‘org.springframework.security.ldap.authentication.LdapAuthenticationProvider#0′ while setting constructor argument with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 
‘org.springframework.security.ldap.authentication.LdapAuthenticationProvider#0′: Cannot create inner bean ‘(inner bean)#814df5′ of type [org.springframework.security.ldap.authentication.BindAuthenticator] while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘(inner bean)#814df5′: Cannot resolve reference to bean ‘org.springframework.security.securityContextSource’ while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.securityContextSource’: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: “:” (58), after : “”
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:336)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:359)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:157)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1456)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1197)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:537)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:475)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:304)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:228)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:300)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:195)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:684)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:760)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:482)
    at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:403)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:106)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4751)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5175)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.manager.ManagerServlet.start(ManagerServlet.java:1265)
    at org.apache.catalina.manager.HTMLManagerServlet.start(HTMLManagerServlet.java:673)
    at org.apache.catalina.manager.HTMLManagerServlet.doPost(HTMLManagerServlet.java:221)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:644)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:213)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:615)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:534)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1081)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:277)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2381)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2370)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.web.DefaultSecurityFilterChain#1′: Cannot resolve reference to bean ‘org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0′ while setting constructor argument with key [4]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0′: Cannot resolve reference to bean ‘org.springframework.security.authentication.ProviderManager#0′ while setting bean property ‘authenticationManager’; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.authentication.ProviderManager#0′: Cannot resolve reference to bean ‘org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0′ while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0′: FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.authenticationManager’: Cannot resolve reference to bean ‘org.springframework.security.ldap.authentication.LdapAuthenticationProvider#0′ while setting constructor argument with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.ldap.authentication.LdapAuthenticationProvider#0′: Cannot create inner bean ‘(inner bean)#814df5′ of type [org.springframework.security.ldap.authentication.BindAuthenticator] while setting constructor argument; nested exception is 
org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘(inner bean)#814df5′: Cannot resolve reference to bean ‘org.springframework.security.securityContextSource’ while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.securityContextSource’: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: “:” (58), after : “”
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:336)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:359)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:157)
    at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:632)
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:140)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1114)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1017)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:504)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:475)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:304)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:228)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:300)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:195)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
    … 53 more
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0′: Cannot resolve reference to bean ‘org.springframework.security.authentication.ProviderManager#0′ while setting bean property ‘authenticationManager’; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.authentication.ProviderManager#0′: Cannot resolve reference to bean ‘org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0′ while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0′: FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.authenticationManager’: Cannot resolve reference to bean ‘org.springframework.security.ldap.authentication.LdapAuthenticationProvider#0′ while setting constructor argument with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.ldap.authentication.LdapAuthenticationProvider#0′: Cannot create inner bean ‘(inner bean)#814df5′ of type [org.springframework.security.ldap.authentication.BindAuthenticator] while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘(inner bean)#814df5′: Cannot resolve reference to bean ‘org.springframework.security.securityContextSource’ while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.securityContextSource’: 
Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: “:” (58), after : “”
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:336)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1456)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1197)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:537)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:475)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:304)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:228)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:300)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:195)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
    … 67 more
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.authentication.ProviderManager#0′: Cannot resolve reference to bean ‘org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0′ while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0′: FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.authenticationManager’: Cannot resolve reference to bean ‘org.springframework.security.ldap.authentication.LdapAuthenticationProvider#0′ while setting constructor argument with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.ldap.authentication.LdapAuthenticationProvider#0′: Cannot create inner bean ‘(inner bean)#814df5′ of type [org.springframework.security.ldap.authentication.BindAuthenticator] while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘(inner bean)#814df5′: Cannot resolve reference to bean ‘org.springframework.security.securityContextSource’ while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.securityContextSource’: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is 
    org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: “:” (58), after : “”
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:336)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
    at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:632)
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:140)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1114)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1017)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:504)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:475)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:304)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:228)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:300)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:195)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
    … 77 more
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0′: FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.authenticationManager’: Cannot resolve reference to bean ‘org.springframework.security.ldap.authentication.LdapAuthenticationProvider#0′ while setting constructor argument with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.ldap.authentication.LdapAuthenticationProvider#0′: Cannot create inner bean ‘(inner bean)#814df5′ of type [org.springframework.security.ldap.authentication.BindAuthenticator] while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘(inner bean)#814df5′: Cannot resolve reference to bean ‘org.springframework.security.securityContextSource’ while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.securityContextSource’: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: “:” (58), after : “”
    at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:151)
    at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1514)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:315)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:195)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
    … 89 more
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.authenticationManager’: Cannot resolve reference to bean ‘org.springframework.security.ldap.authentication.LdapAuthenticationProvider#0′ while setting constructor argument with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.ldap.authentication.LdapAuthenticationProvider#0′: Cannot create inner bean ‘(inner bean)#814df5′ of type [org.springframework.security.ldap.authentication.BindAuthenticator] while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘(inner bean)#814df5′: Cannot resolve reference to bean ‘org.springframework.security.securityContextSource’ while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.securityContextSource’: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: “:” (58), after : “”
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:336)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:359)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:157)
    at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:632)
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:140)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1114)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1017)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:504)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:475)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:304)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:228)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:300)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:195)
    at org.springframework.security.config.authentication.AuthenticationManagerFactoryBean.getObject(AuthenticationManagerFactoryBean.java:28)
    at org.springframework.security.config.authentication.AuthenticationManagerFactoryBean.getObject(AuthenticationManagerFactoryBean.java:20)
    at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:144)
    … 94 more
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.ldap.authentication.LdapAuthenticationProvider#0′: Cannot create inner bean ‘(inner bean)#814df5′ of type [org.springframework.security.ldap.authentication.BindAuthenticator] while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘(inner bean)#814df5′: Cannot resolve reference to bean ‘org.springframework.security.securityContextSource’ while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.securityContextSource’: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: “:” (58), after : “”
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:290)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:129)
    at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:632)
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:140)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1114)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1017)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:504)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:475)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:304)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:228)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:300)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:195)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
    … 110 more
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘(inner bean)#814df5′: Cannot resolve reference to bean ‘org.springframework.security.securityContextSource’ while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.securityContextSource’: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: “:” (58), after : “”
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:336)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
    at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:632)
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:140)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1114)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1017)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:504)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:475)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:276)
    … 122 more
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.securityContextSource’: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: “:” (58), after : “”
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:278)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1114)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1017)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:504)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:475)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:304)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:228)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:300)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:195)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
    … 130 more
    Caused by: org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: “:” (58), after : “”
    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:164)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:125)
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:270)
    … 139 more
    Caused by: org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: “:” (58), after : “”
    at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:226)
    at org.springframework.ldap.core.DistinguishedName.<init>(DistinguishedName.java:176)
    at org.springframework.ldap.core.support.AbstractContextSource.setBase(AbstractContextSource.java:226)
    at org.springframework.security.ldap.DefaultSpringSecurityContextSource.<init>(DefaultSpringSecurityContextSource.java:67)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:148)
    … 141 more
    Caused by: org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: “:” (58), after : “”
    at org.springframework.ldap.core.DnParserImplTokenManager.getNextToken(DnParserImplTokenManager.java:665)
    at org.springframework.ldap.core.DnParserImpl.jj_consume_token(DnParserImpl.java:231)
    at org.springframework.ldap.core.DnParserImpl.SpacedEquals(DnParserImpl.java:114)
    at org.springframework.ldap.core.DnParserImpl.attributeTypeAndValue(DnParserImpl.java:94)
    at org.springframework.ldap.core.DnParserImpl.rdn(DnParserImpl.java:58)
    at org.springframework.ldap.core.DnParserImpl.dn(DnParserImpl.java:23)
    at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:220)
    … 149 more

    30-Sep-2014 21:14:43.952 INFO [http-apr-8080-exec-39] org.apache.catalina.core.ApplicationContext.log Closing Spring root WebApplicationContext
