Problem with LDAP security-
khensel Jan 30, 2013 6:44 PMWe are trying to access LDAP for a simple authorization in a small web application running in jboss-as-7.1.3.
Here is the LDAP security-domain:
<security-domain name="tranreq-login-realm" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.provider.url" value="ldaps://myurl:port/dc=berkeley,dc=edu"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="java.naming.security.credentials" value="password"/>
<module-option name="principalDNPrefix" value="uid=myId,ou=applications,dc=berkeley,dc=edu"/>
<module-option name="allowEmptyPasswords" value="false"/>
</login-module>
</authentication>
</security-domain>
The jboss-web.xml is such:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain flushOnSessionInvalidation="true">
tranreq-login-realm
</security-domain>
</jboss-web>
Here is the web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>transcript-request</display-name>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<filter>
<filter-name>guiceFilter</filter-name>
<filter-class>com.google.inject.servlet.GuiceFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>guiceFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>edu.berkeley.eas.enrollment.transcriptrequest.servlet.ServletContext</listener-class>
</listener>
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
Here is the META-INF/context.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/tranreq">
<ResourceLink name="ldap"
global="ldapContext"
type="javax.naming.ldap.InitialLdapContext"/>
</Context>
The programmer that did this made it so that a parameter will be read containing the jndi name. I have tried all combinations and got the best results with this:
jndi.ldap.name=java:jboss/jaas/tranreq-login-realm
Here is the Java Class that is trying to access LDAP. For some reason, he set it up to read ldap.properties file OR use JNDI. I don't think his JNDI usage is correct. The error is below the code:
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
package edu.berkeley.eas.enrollment.transcriptrequest.servlet;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.name.Named;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* @author boris
*/
public class InitialLdapContextProvider implements Provider<InitialLdapContext> {
private static Logger logger = LoggerFactory.getLogger(InitialLdapContextProvider.class);
@Inject(optional = true)
@Named("edu.berkeley.ist.ldap.initCtxFactory")
protected String initCtxFactory;
@Inject(optional = true)
@Named("edu.berkeley.ist.ldap.providerURL")
protected String providerURL;
@Inject(optional = true)
@Named("edu.berkeley.ist.ldap.principalDNPrefix")
protected String principalDNPrefix;
@Inject(optional = true)
@Named("edu.berkeley.ist.ldap.pwd")
protected String passwd;
@Inject(optional = true)
@Named("jndi.ldap.name")
protected String jndiLdapName;
@Override
public InitialLdapContext get() {
if (jndiLdapName != null) {
try {
logger.info("using {}", jndiLdapName);
InitialContext initialContext = new InitialContext();
return (InitialLdapContext) initialContext.lookup(jndiLdapName);
} catch (NamingException e) {
logger.error("+++ Caught namingException: {}", e.getMessage());
logger.error("+++ jndiLdapName: {},", jndiLdapName);
return null;
}
}
logger.info("loading external properties...");
Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY, initCtxFactory);
env.put(Context.PROVIDER_URL, providerURL);
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, principalDNPrefix);
env.put(Context.SECURITY_CREDENTIALS, passwd);
try {
return new InitialLdapContext(env, null);
} catch (Throwable t) {
logger.error("+++ caught Exception: {}", t.getMessage());
return null;
}
}
}
Here are the errors from the log when trying to deploy the war file:
15:15:57,609 INFO [edu.berkeley.eas.enrollment.transcriptrequest.servlet.InitialLdapContextProvider] (MSC service thread 1-3) using java:jboss/jaas/tranreq-login-realm
15:15:57,611 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/tranreq]] (MSC service thread 1-3) Exception starting filter guiceFilter: com.google.inject.ProvisionException: Guice provision errors:
1) Error in custom provider, java.lang.ClassCastException: org.jboss.security.authentication.JBossCachedAuthenticationManager cannot be cast to javax.naming.ldap.InitialLdapContext
while locating edu.berkeley.eas.enrollment.transcriptrequest.servlet.InitialLdapContextProvider
at edu.berkeley.eas.enrollment.transcriptrequest.servlet.ConfigurationModule.configure(ConfigurationModule.java:33)
while locating javax.naming.ldap.InitialLdapContext
for field at edu.berkeley.eas.enrollment.transcriptrequest.servlet.LdapClient.initialLdapContext(LdapClient.java:25)
at edu.berkeley.eas.enrollment.transcriptrequest.servlet.ConfigurationModule.configure(ConfigurationModule.java:34)
while locating edu.berkeley.eas.enrollment.transcriptrequest.servlet.LdapClient
for field at edu.berkeley.eas.enrollment.transcriptrequest.servlet.TranReqFilter.ldapClient(TranReqFilter.java:30)
at edu.berkeley.eas.enrollment.transcriptrequest.servlet.ServletContext$1.configureServlets(ServletContext.java:96)
while locating edu.berkeley.eas.enrollment.transcriptrequest.servlet.TranReqFilter
1 error
at com.google.inject.internal.InjectorImpl$4.get(InjectorImpl.java:987) [guice-3.0.jar:]
at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1009) [guice-3.0.jar:]
at com.google.inject.servlet.FilterDefinition.init(FilterDefinition.java:104) [guice-servlet-3.0.jar:]
at com.google.inject.servlet.ManagedFilterPipeline.initPipeline(ManagedFilterPipeline.java:98) [guice-servlet-3.0.jar:]
at com.google.inject.servlet.GuiceFilter.init(GuiceFilter.java:172) [guice-servlet-3.0.jar:]
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:447) [jbossweb-7.0.17.Final.jar:]
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3269) [jbossweb-7.0.17.Final.jar:]
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3865) [jbossweb-7.0.17.Final.jar:]
at org.jboss.as.web.deployment.WebDeploymentService.start(WebDeploymentService.java:89) [jboss-as-web-7.1.3.Final.jar:7.1.3.Final]
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [rt.jar:1.6.0_33]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [rt.jar:1.6.0_33]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]
Caused by: java.lang.ClassCastException: org.jboss.security.authentication.JBossCachedAuthenticationManager cannot be cast to javax.naming.ldap.InitialLdapContext
at edu.berkeley.eas.enrollment.transcriptrequest.servlet.InitialLdapContextProvider.get(InitialLdapContextProvider.java:49) [classes:]
at edu.berkeley.eas.enrollment.transcriptrequest.servlet.InitialLdapContextProvider.get(InitialLdapContextProvider.java:23) [classes:]
at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:55) [guice-3.0.jar:]
at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46) [guice-3.0.jar:]
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1031) [guice-3.0.jar:]
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) [guice-3.0.jar:]
at com.google.inject.Scopes$1$1.get(Scopes.java:65) [guice-3.0.jar:]
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:40) [guice-3.0.jar:]
at com.google.inject.internal.SingleFieldInjector.inject(SingleFieldInjector.java:53) [guice-3.0.jar:]
at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:110) [guice-3.0.jar:]
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:94) [guice-3.0.jar:]
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:254) [guice-3.0.jar:]
at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46) [guice-3.0.jar:]
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1031) [guice-3.0.jar:]
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) [guice-3.0.jar:]
at com.google.inject.Scopes$1$1.get(Scopes.java:65) [guice-3.0.jar:]
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:40) [guice-3.0.jar:]
at com.google.inject.internal.SingleFieldInjector.inject(SingleFieldInjector.java:53) [guice-3.0.jar:]
at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:110) [guice-3.0.jar:]
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:94) [guice-3.0.jar:]
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:254) [guice-3.0.jar:]
at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46) [guice-3.0.jar:]
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1031) [guice-3.0.jar:]
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) [guice-3.0.jar:]
at com.google.inject.Scopes$1$1.get(Scopes.java:65) [guice-3.0.jar:]
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:40) [guice-3.0.jar:]
at com.google.inject.internal.InjectorImpl$4$1.call(InjectorImpl.java:978) [guice-3.0.jar:]
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1024) [guice-3.0.jar:]
at com.google.inject.internal.InjectorImpl$4.get(InjectorImpl.java:974) [guice-3.0.jar:]
... 13 more
15:15:57,618 ERROR [org.apache.catalina.core.StandardContext] (MSC service thread 1-3) Error filterStart
15:15:57,618 ERROR [org.apache.catalina.core.StandardContext] (MSC service thread 1-3) Context [/tranreq] startup failed due to previous errors
15:15:57,619 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC00001: Failed to start service jboss.web.deployment.default-host./tranreq: org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./tranreq: JBAS018040: Failed to start context
at org.jboss.as.web.deployment.WebDeploymentService.start(WebDeploymentService.java:94)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [rt.jar:1.6.0_33]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [rt.jar:1.6.0_33]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]
15:15:57,824 INFO [org.jboss.as.server] (DeploymentScanner-threads - 1) JBAS015870: Deploy of deployment "tranreq.war" was rolled back with failure message {"JBAS014671: Failed services" => {"jboss.web.deployment.default-host./tranreq" => "org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./tranreq: JBAS018040: Failed to start context"},"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.deployment.unit.\"tranreq.war\".jboss.security.jacc Missing[JBAS014861: <one or more transitive dependencies>]"]}
15:15:57,825 INFO [org.jboss.as.controller] (DeploymentScanner-threads - 1) JBAS014774: Service status report
JBAS014777: Services which failed to start: service jboss.web.deployment.default-host./tranreq: org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./tranreq: JBAS018040: Failed to start context
15:15:57,826 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 2) {"JBAS014653: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" => {"JBAS014671: Failed services" => {"jboss.web.deployment.default-host./tranreq" => "org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./tranreq: JBAS018040: Failed to start context"},"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.deployment.unit.\"tranreq.war\".jboss.security.jacc Missing[JBAS014861: <one or more transitive dependencies>]"]}}}
15:15:57,829 INFO [org.jboss.as.osgi] (MSC service thread 1-4) JBAS011908: Unregister module: Module "deployment.tranreq.war:main" from Service Module Loader
15:15:57,830 DEBUG [org.jboss.osgi.resolver] (MSC service thread 1-4) Uninstall resource: AbstractResource[deployment.tranreq.war:0.0.0]
15:15:57,850 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) JBAS015877: Stopped deployment tranreq.war in 24ms
Any help would be greatly appreciated.
Thanks, Ken