Eric,
I actually tracked down what the problem was and just got it working. I had to
modify AuthenticatedLdapContextSource to check the error there against the
regular expressions and then throw the appropriate error to
BindLdapAuthenticationHandler which catches each error and re-throws it to be
caught by AuthenticationViaFormAction. Without those modifications,
AuthenticatedLdapContextSource always threw DataAccessResourceFailureException.
I have pasted the relevant chunks of code below. To answer your other
question, I am using Microsoft Active Directory.
AuthenticatedLdapContextSource Code:
    try {
        return getDirContextInstance(environment);
    } catch (final NamingException e) {
        // getMessage() may be null; match against "" rather than hand null to Pattern.matcher
        final String details = e.getMessage() == null ? "" : e.getMessage();

        // see if the password has expired
        Pattern pattern = Pattern.compile(ExpiredPasswordException.EXPIRED_PASSWORD_ERROR_REGEX);
        Matcher matcher = pattern.matcher(details);
        if (matcher.find()) {
            throw new ExpiredPasswordException();
        }

        // see if the account is locked
        pattern = Pattern.compile(AccountLockedException.ACCOUNT_LOCKED_ERROR_REGEX);
        matcher = pattern.matcher(details);
        if (matcher.find()) {
            throw new AccountLockedException();
        }

        // see if the account is disabled
        pattern = Pattern.compile(AccountDisabledException.ACCOUNT_DISABLED_ERROR_REGEX);
        matcher = pattern.matcher(details);
        if (matcher.find()) {
            throw new AccountDisabledException();
        }

        // none of the known patterns matched: fall back to the generic failure
        throw new DataAccessResourceFailureException("Unable to create DirContext");
    }
BindLdapAuthenticationHandler code:
    for (final String dn : cns) {
        DirContext test = null;
        final String finalDn = composeCompleteDnToCheck(dn, credentials);
        try {
            test = this.getContextSource().getDirContext(finalDn, credentials.getPassword());
            if (test != null) {
                return true;
            }
        } catch (final ExpiredPasswordException e) {
            // propagate the specific account-state failures so AuthenticationViaFormAction can show them
            throw e;
        } catch (final AccountLockedException e) {
            throw e;
        } catch (final AccountDisabledException e) {
            throw e;
        } catch (final Exception e) {
            // if we catch any other exception, just try the next cn
        } finally {
            LdapUtils.closeContext(test);
        }
    }
Hope that helps someone else.
Thanks,
Kris

Kristopher Borchers
Web Application Developer - Content Analyst
Saint Xavier University
Ph. 773-298-3924
[email protected]
www.sxu.edu
Saint Xavier University - Success with Purpose.
Saint Xavier University, a Catholic institution inspired by the heritage of the
Sisters of Mercy, educates men and women to search for truth, to think
critically, to communicate effectively, and to serve wisely and compassionately
in support of human dignity and the common good.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Eric
Pierce
Sent: Monday, April 06, 2009 1:42 PM
To: [email protected]
Subject: Re: [cas-user] Password Expiration Revisited
All of the changes are in BindLdapAuthenticationHandler and
AuthenticationViaFormAction:
In BindLdapAuthenticationHandler, if there was an exception creating a
new LDAP Context, it grabs the error message in the exception and
compares it to the regular expressions for each of the new exception
types (AccountLockedException, ExpiredPassException, etc). If the
message matches a pattern, that exception is thrown.
AuthenticationViaFormAction then checks the error code included in the
exception and sets the webflow endpoint to show the appropriate error
message.
If the error message that your LDAP server sent doesn't match the
REGEX, you'll just get back a BadCredentialsAuthenticationException,
so that might be the issue. Can you turn logging up to DEBUG for
Spring-LDAP and let me know what the error from your server is? By
the way, what LDAP server are you using?
-Eric
Eric Pierce, RHCE -- University of South Florida -- (813) 974-8868
-- [email protected]
On Mon, Apr 6, 2009 at 10:48 AM, Borchers, Kristopher C.
<[email protected]> wrote:
>
> Eric,
>
> I am attempting to implement the changes you have made to detect LDAP errors
> but have run into a snag.
>
> Did you make any modifications to the authenticate method in
> org.jasig.cas.authentication.AuthenticationManagerImpl? The reason I ask is
> that I am always getting BadCredentialsAuthenticationException which is to be
> expected since that method is designed to return that exception for any
> exception that happens in order to continue processing other handlers. Did
> you have to make modifications to catch the new exceptions you are throwing
> from org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler?
>
> Sorry if this doesn't make sense as I am still pretty new to Java and CAS but
> feel like I have a pretty good grip on it and can't understand where your new
> exceptions are caught.
>
> Thanks,
>
> Kris
>
> Kristopher Borchers
> Web Application Developer - Content Analyst
> Saint Xavier University
> Ph. 773-298-3924
> [email protected]
> www.sxu.edu
>
> ________________________________
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Eric
> Pierce
> Sent: Thursday, April 02, 2009 11:05 AM
> To: [email protected]
> Subject: [cas-user] Password Expiration Revisited
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
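The classification step Kris patched into AuthenticatedLdapContextSource, and that Eric describes for BindLdapAuthenticationHandler, is a small piece of logic that is worth seeing on its own: a failed bind's message is matched against one regex per account state, and the first match decides which exception reaches AuthenticationViaFormAction. The class below is an added example written for this page; it is not code from the thread, from CAS or from Spring LDAP. It assumes Active Directory's "AcceptSecurityContext error, data NNN" sub-codes (532 and 773 for an expired or must-change password, 775 for a lockout, 533 for a disabled account) as the patterns, since the thread's own *_ERROR_REGEX constants are not shown, and it runs over constructed sample messages rather than anything captured from a server.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not code from the thread or from CAS/Spring LDAP): classifies
 * an LDAP bind failure message the way the patched AuthenticatedLdapContextSource
 * does, but with the patterns compiled once and tried in a fixed order.
 */
public final class BindFailureClassifier {

    /** Account states the thread's exceptions distinguish, plus a fallback. */
    public enum BindFailure { EXPIRED_PASSWORD, ACCOUNT_LOCKED, ACCOUNT_DISABLED, UNKNOWN }

    /** One regex and the state it indicates; the first matching rule wins. */
    private static final class Rule {
        final Pattern pattern;
        final BindFailure state;

        Rule(String regex, BindFailure state) {
            this.pattern = Pattern.compile(regex);
            this.state = state;
        }
    }

    // ASSUMPTION: these regexes target the commonly documented Active Directory
    // "AcceptSecurityContext error, data NNN" sub-codes (532 password expired,
    // 773 must change password, 775 locked out, 533 disabled). The thread's own
    // *_ERROR_REGEX constants are not shown and may differ.
    private static final List<Rule> RULES = Arrays.asList(
        new Rule("AcceptSecurityContext error, data (532|773)\\b", BindFailure.EXPIRED_PASSWORD),
        new Rule("AcceptSecurityContext error, data 775\\b", BindFailure.ACCOUNT_LOCKED),
        new Rule("AcceptSecurityContext error, data 533\\b", BindFailure.ACCOUNT_DISABLED));

    /**
     * Classifies the text of NamingException.getMessage(). getMessage() may
     * return null, which the thread's code would hand straight to Pattern.matcher
     * and get a NullPointerException; here null is simply UNKNOWN.
     */
    public static BindFailure classify(String details) {
        if (details == null) {
            return BindFailure.UNKNOWN;
        }
        for (Rule rule : RULES) {
            if (rule.pattern.matcher(details).find()) {
                return rule.state;
            }
        }
        return BindFailure.UNKNOWN;
    }

    public static void main(String[] args) {
        // Constructed sample messages in the AD bind-failure format; not captured
        // from any real server. The 52e (bad password) line deliberately matches
        // no rule and so stays UNKNOWN, as does a null message.
        String prefix = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
            + "comment: AcceptSecurityContext error, data ";
        String[] samples = {
            prefix + "532, v1db1]",
            prefix + "775, v1db1]",
            prefix + "533, v1db1]",
            prefix + "52e, v1db1]",
            null
        };
        for (String sample : samples) {
            System.out.println(classify(sample) + " <- " + sample);
        }
    }
}
```

In the thread's design the caller turns EXPIRED_PASSWORD, ACCOUNT_LOCKED and ACCOUNT_DISABLED into the corresponding exceptions and lets UNKNOWN fall through to DataAccessResourceFailureException, which AuthenticationManagerImpl then reports as BadCredentialsAuthenticationException. Two things to check before relying on this in production: confirm against DEBUG output from your own server which messages it actually emits, as Eric suggests, since the sub-codes above are an assumption; and decide deliberately which of these states the login page may reveal, because showing "locked" or "disabled" rather than a generic failure tells whoever submitted the form something about the account's state, so it is safest to display the specific message only for states the directory reports after the password itself has been verified.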