1 Reply Latest reply on Apr 13, 2009 12:26 PM by parivesh11

    Debugging an Active Directory JAAS configuration

    troy.sellers

      Hi All,


      I am not sure if this is a SEAM problem or simply a JAAS problem, but will start here.


      I am trying to setup AD authentication for a Seam 2.1.1.GA application.


      login-config.xml



           <application-policy name="activeDirectory">
                <authentication>
                     <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                          <module-option name="java.naming.factory.initial">
                               com.sun.jndi.ldap.LdapCtxFactory
                          </module-option>
                          <module-option name="java.naming.provider.url">
                               ldap://10.1.128.113/
                          </module-option>
                          <module-option name="java.naming.security.authentication">simple</module-option>
                          <module-option name="bindDN">binduser@axedev.local</module-option>
                          <module-option name="bindCredential">Bindpassword</module-option>
                            
                          <module-option name="baseCtxDN">
                               ,OU=Test Users,DC=axedev,DC=local
                          </module-option>
                          <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                          <!--
                          <module-option name="rolesCtxDN">
                               ,OU=Test Users,DC=axedev,DC=local
                          </module-option>
                          <module-option name="roleFilter">(sAMAccountName={0})</module-option>
                          <module-option name="roleAttributeID">memberOf</module-option>
                          <module-option name="roleAttributeIsDN">true</module-option>
                          <module-option name="roleNameAttributeID">cn</module-option>
                          <module-option name="roleRecursion">1</module-option>
                          <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
                          -->                    
                     </login-module>
                </authentication>
           </application-policy>



      components.xml entry for identity store



      <security:identity jaas-config-name="activeDirectory" />



      The really strange thing (well, it seems strange to me!) that is happening is that using the Bind User in the application's login form will authenticate; however, using a different user will fail.


      The bind user is set up in the same OU as three other test users.


      Setting debug logging on the security stuff, I get


      12:51:20,388 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=User 2
      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece



      I get no information in this log when I use the Bind User and successfully log in.


      I am curious if anyone has any tips on how to figure out what is going on here. How is it that the Bind User is the only one that I can actually use to log in through the application? This suggests to me that the AD configuration is correct, but that just confuses the issue further when trying to use the user2 credentials. (These have been confirmed to work using Apache Directory Studio.)


      I originally tried to set this up as per the JBoss docs; however, in that configuration I couldn't even authenticate the bind user.


      If someone has a configuration that works for this, or at least a method of debugging where this is failing, I would be most grateful.


      Cheers,
      Troy
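A small decoder for the diagnostic in the log above, added here as an example and not part of the original post or of JBoss. Active Directory reports every failed simple bind as LDAP result code 49, and the useful detail is the hex sub-code after "data": 525 means the name presented in the bind did not resolve to an account at all, whereas a wrong password for an existing account gives 52e. So the "Bad password" wording of the log line is misleading for this case; the directory never got as far as checking a password. Worth knowing when reading it: bindDN, baseCtxDN and baseFilter are options of LdapExtLoginModule; the plain LdapLoginModule named in the policy above ignores them and binds with principalDNPrefix + username + principalDNSuffix, so without those two options it presents the raw login-form value as the bind name. A domain controller accepts a UPN such as binduser@axedev.local as a bind name, which would explain a UPN-style login succeeding while a bare "User 2" yields data 525. The sample log lines in the block are constructed (the first two copied from the post, the others made up for contrast), and the module, function and variable names are the example's own.

```python
import re

# Active Directory answers every failed simple bind with LDAP result code 49
# (invalidCredentials). The real reason is the hex sub-code after "data" in the
# diagnostic message. Well-known AcceptSecurityContext sub-codes:
AD_BIND_SUBCODES = {
    "525": "user not found: the bind name did not resolve to an account",
    "52e": "invalid credentials: account exists, password rejected",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_RESULT_CODE_RE = re.compile(r"LDAP: error code (?P<code>\d+)")
_AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<sub>[0-9a-fA-F]+)")


def decode_ldap_diagnostic(message):
    """Return (result_code, ad_subcode, explanation) for one exception message.

    result_code is None when the text is not an LDAP error at all; ad_subcode and
    explanation are None when no AD 'data' sub-code is present (e.g. a non-AD
    server, or a result code other than a bind failure).
    """
    code_match = _RESULT_CODE_RE.search(message)
    if code_match is None:
        return None, None, None
    code = int(code_match.group("code"))
    sub_match = _AD_DATA_RE.search(message)
    if sub_match is None:
        return code, None, None
    sub = sub_match.group("sub").lower()
    return code, sub, AD_BIND_SUBCODES.get(sub, "undocumented AD sub-code")


def triage_log(lines):
    """Walk JBoss log lines and collect every LDAP failure, pairing the
    'Bad password for username=...' line with the exception that follows it."""
    findings = []
    pending_user = None
    for line in lines:
        user_match = re.search(r"Bad password for username=(.+)$", line)
        if user_match:
            pending_user = user_match.group(1).strip()
            continue
        code, sub, explanation = decode_ldap_diagnostic(line)
        if code is not None:
            findings.append({"user": pending_user, "code": code,
                             "subcode": sub, "explanation": explanation})
            pending_user = None
    return findings


# Constructed sample log: the first two lines are copied from the post above,
# the remaining two are made up to show a genuine wrong-password case (52e).
SAMPLE_LOG = [
    "12:51:20,388 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=User 2",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece",
    "12:53:02,101 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=user3",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece",
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print("%s: code %d, data %s -> %s" % (finding["user"], finding["code"],
                                              finding["subcode"], finding["explanation"]))
```

Run against a server.log, the decoder separates "the account name never resolved" (525) from "the password was wrong" (52e) and from lockout or expiry states, which is the first thing to establish before touching the login module configuration.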

        • 1. Re: Debugging an Active Directory JAAS configuration
          parivesh11
          I was trying to configure Active Directory authentication in Seam. I have added the following line in components.xml
          <security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="activeDirectory"
                                  remember-me="true"   security-rules="#{securityRules}"/>
          and the following in login-config.xml

          <application-policy name="activeDirectory">
                          <authentication>
                                  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                                          <module-option name="java.naming.factory.initial">
                                                  com.sun.jndi.ldap.LdapCtxFactory
                                          </module-option>
                                          <module-option name="java.naming.provider.url">
                                                  ldap://43.88.62.92:389/
                                          </module-option>
                                          <module-option name="java.naming.security.authentication">simple</module-option>
                                          <module-option name="bindDN">OU=IN,DC=ap,DC=sony,DC=com</module-option>
                                         
                                           
                                          <module-option name="baseCtxDN">
                                                  ,OU=IN,DC=ap,DC=sony,DC=com
                                          </module-option>
                                          <module-option name="baseFilter">(&(objectClass=Person) (&(sAMAccountName={0})))</module-option>
                                          <!--
                                          <module-option name="rolesCtxDN">
                                                  ,OU=Test Users,DC=axedev,DC=local
                                          </module-option>
                                          <module-option name="roleFilter">(sAMAccountName={0})</module-option>
                                          <module-option name="roleAttributeID">memberOf</module-option>
                                          <module-option name="roleAttributeIsDN">true</module-option>
                                          <module-option name="roleNameAttributeID">cn</module-option>
                                          <module-option name="roleRecursion">1</module-option>
                                          <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
                                          -->                         
                                  </login-module>
                          </authentication>
                  </application-policy>


          Then I got the following error. Is there anyone who can give me complete configuration details?




          15:50:47,850 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
          java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
                  at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
                  at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
                  at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
                  at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                  at java.lang.reflect.Method.invoke(Unknown Source)
                  at javax.security.auth.login.LoginContext.invoke(Unknown Source)
                  at javax.security.auth.login.LoginContext.access$000(Unknown Source)
                  at javax.security.auth.login.LoginContext$4.run(Unknown Source)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
                  at javax.security.auth.login.LoginContext.login(Unknown Source)
                  at org.jboss.seam.security.Identity.authenticate(Identity.java:254)
                  at org.jboss.seam.security.Identity.authenticate(Identity.java:243)
                  at org.jboss.seam.security.Identity.quietLogin(Identity.java:232)
                  at org.jboss.seam.security.Identity.isLoggedIn(Identity.java:140)
                  at org.jboss.seam.security.Identity.hasRole(Identity.java:358)
                  at org.jboss.seam.security.RuleBasedIdentity.hasRole(RuleBasedIdentity.java:177)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                  at java.lang.reflect.Method.invoke(Unknown Source)
                  at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:329)
                  at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:274)
                  at org.jboss.el.parser.AstMethodSuffix.getValue(AstMethodSuffix.java:59)
                  at org.jboss.el.parser.AstValue.getValue(AstValue.java:67)
                  at org.jboss.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186)
                  at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
                  at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:370)
                  at javax.faces.component.UIComponentBase.processUpdates(UIComponentBase.java:1048)
                  at javax.faces.component.UIComponentBase.processUpdates(UIComponentBase.java:1056)
                  at javax.faces.component.UIComponentBase.processUpdates(UIComponentBase.java:1056)
                  at javax.faces.component.UIForm.processUpdates(UIForm.java:255)
                  at javax.faces.component.UIComponentBase.processUpdates(UIComponentBase.java:1056)
                  at javax.faces.component.UIViewRoot.processUpdates(UIViewRoot.java:706)
                  at org.ajax4jsf.component.AjaxViewRoot.access$101(AjaxViewRoot.java:57)
                  at org.ajax4jsf.component.AjaxViewRoot$2.invokeRoot(AjaxViewRoot.java:291)
                  at org.ajax4jsf.context.JsfOneOneInvoker.invokeOnRegionOrRoot(JsfOneOneInvoker.java:56)
                  at org.ajax4jsf.context.AjaxContextImpl.invokeOnRegionOrRoot(AjaxContextImpl.java:170)
                  at org.ajax4jsf.component.AjaxViewRoot.processUpdates(AjaxViewRoot.java:305)
                  at com.sun.faces.lifecycle.UpdateModelValuesPhase.execute(UpdateModelValuesPhase.java:101)
                  at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251)
                  at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:117)
                  at javax.faces.webapp.FacesServlet.service(FacesServlet.java:244)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
                  at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:68)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:85)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:141)
                  at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:281)
                  at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:60)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
                  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
                  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
                  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
                  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
                  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
                  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
                  at java.lang.Thread.run(Unknown Source)
          15:50:47,866 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
          java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
                  at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
                  at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
                  at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
                  at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                  at java.lang.reflect.Method.invoke(Unknown Source)
                  at javax.security.auth.login.LoginContext.invoke(Unknown Source)
                  at javax.security.auth.login.LoginContext.access$000(Unknown Source)
                  at javax.security.auth.login.LoginContext$4.run(Unknown Source)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
                  at javax.security.auth.login.LoginContext.login(Unknown Source)
                  at org.jboss.seam.security.Identity.authenticate(Identity.java:254)
                  at org.jboss.seam.security.Identity.authenticate(Identity.java:243)
                  at org.jboss.seam.security.Identity.login(Identity.java:200)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                  at java.lang.reflect.Method.invoke(Unknown Source)
                  at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:329)
                  at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:342)
                  at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
                  at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
                  at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
                  at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
                  at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:77)
                  at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:91)
                  at javax.faces.component.UICommand.broadcast(UICommand.java:383)
                  at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:184)
                  at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:162)
                  at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:350)
                  at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:97)
                  at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251)
                  at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:117)
                  at javax.faces.webapp.FacesServlet.service(FacesServlet.java:244)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
                  at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:68)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:85)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:141)
                  at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:281)
                  at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:60)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
                  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
                  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
                  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
                  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
                  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
                  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
                  at java.lang.Thread.run(Unknown Source)