JSF login using Active Directory issue
stephane.wantiez Jun 13, 2013 8:39 AM
The application I'm developing will be used via JSF pages secured with a login system that will validate the user credentials via Active Directory.
In order to do that, I have a /login.xhtml page, and the application's pages in the /sec/ directory like /sec/index.xhtml. The web.xml is as follows:
<display-name>testWeb</display-name>
<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<listener>
    <listener-class>com.sun.faces.config.ConfigureListener</listener-class>
</listener>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
</servlet-mapping>
<welcome-file-list>
    <welcome-file>/sec/index.faces</welcome-file>
</welcome-file-list>
<security-constraint>
    <display-name>SecurePages</display-name>
    <web-resource-collection>
        <web-resource-name>SecurePages</web-resource-name>
        <url-pattern>/sec/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ad_security_domain</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/login-error.xhtml</form-error-page>
    </form-login-config>
</login-config>
My JBoss AS 7.1 (EAP 6.1) is configured as follows:
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <security-domain name="other" cache-type="default">
            <authentication>
                <login-module code="Disabled" flag="required"/>
            </authentication>
        </security-domain>
        <security-domain name="ad_security_domain" cache-type="default">
            <authentication>
                <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                    <module-option name="debug" value="true"/>
                    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                    <module-option name="java.naming.provider.url" value="ldap://mycompany:389"/>
                    <module-option name="java.naming.security.authentication" value="simple"/>
                    <module-option name="bindDN" value="MYGROUP\mylogin"/>
                    <module-option name="bindCredential" value="mypassword"/>
                    <module-option name="baseCtxDN" value="OU=User,OU=City1,DC=mycompany"/>
                    <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                    <module-option name="rolesCtxDN" value="OU=Groups,DC=mycompany"/>
                    <module-option name="roleFilter" value="(member={1})"/>
                    <module-option name="roleAttributeIsDN" value="true"/>
                    <module-option name="roleNameAttributeID" value="sAMAccountName"/>
                    <module-option name="allowEmptyPasswords" value="false"/>
                    <module-option name="roleRecursion" value="5"/>
                    <!--<module-option name="searchTimeLimit" value="100000"/>-->
                </login-module>
            </authentication>
        </security-domain>
        <security-domain name="jboss-web-policy" cache-type="default">
            <authorization>
                <policy-module code="Delegating" flag="required"/>
            </authorization>
        </security-domain>
        <security-domain name="jboss-ejb-policy" cache-type="default">
            <authorization>
                <policy-module code="Delegating" flag="required"/>
            </authorization>
        </security-domain>
    </security-domains>
</subsystem>
I've checked the AD settings with tools like LdapSearch and JXplorer, and they seem correct. My problem is that whenever I try to log in, I get an error. By redirecting all the security traces to the same file, I get only this:
14:22:49,462 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1) Security checking request GET /testWeb/sec/index.faces
14:22:49,463 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-1) Checking constraint 'SecurityConstraint[SecurePages]' against GET /sec/index.faces --> true
14:22:49,463 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-1) Checking constraint 'SecurityConstraint[SecurePages]' against GET /sec/index.faces --> true
14:22:49,463 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1) Calling hasUserDataPermission()
14:22:49,463 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-1) User data constraint has no restrictions
14:22:49,463 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1) Calling authenticate()
14:22:49,464 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1) Save request in session 'SK5o6Rm7dLQF1iUNyylYQpht'
14:22:49,465 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/testWeb].[default]] (http-localhost/127.0.0.1:8080-1) Disabling the response for futher output
14:22:49,465 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/testWeb].[default]] (http-localhost/127.0.0.1:8080-1) The Response is vehiculed using a wrapper: org.apache.catalina.connector.Response
14:22:49,466 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1) Failed authenticate() test
14:22:49,466 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000354: Setting security roles ThreadLocal: null
14:22:56,007 DEBUG [org.apache.catalina.session] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1371126176007 sessioncount 0
14:22:56,007 DEBUG [org.apache.catalina.session] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
14:22:56,007 DEBUG [org.apache.catalina.session] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1371126176007 sessioncount 1
14:22:56,007 DEBUG [org.apache.catalina.session] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
14:23:07,983 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1) Security checking request POST /testWeb/sec/j_security_check
14:23:07,985 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1) Authenticating username 'wantist'
14:23:07,986 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000200: Begin isValid, principal: wantist, cache entry: null
14:23:07,986 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000209: defaultLogin, principal: wantist
14:23:07,989 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000221: Begin getAppConfigurationEntry(other), size: 4
14:23:07,996 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.DisabledLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
14:23:08,000 ERROR [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000265: The security domain other has been disabled. All authentication will fail
14:23:08,002 DEBUG [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000206: Login failure: javax.security.auth.login.LoginException: Login Failure: all modules ignored
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:935) [rt.jar:1.7.0_11]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_11]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_11]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_11]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_11]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_11]
at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_11]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:216) [jboss-as-web-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:373) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_11]
14:23:08,007 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000201: End isValid, result = false
14:23:08,007 TRACE [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/testWeb]] (http-localhost/127.0.0.1:8080-1) JBWEB000013: Username [wantist] NOT successfully authenticated
14:23:08,009 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/testWeb].[default]] (http-localhost/127.0.0.1:8080-1) Disabling the response for futher output
14:23:08,009 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/testWeb].[default]] (http-localhost/127.0.0.1:8080-1) The Response is vehiculed using a wrapper: org.apache.catalina.connector.Response
14:23:08,010 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1) Failed authenticate() test ??/testWeb/sec/j_security_check
14:23:08,010 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000354: Setting security roles ThreadLocal: null
It seems that my credentials are never handled by the LDAP login module, and just go to the Disabled one... How can I make them be validated by AD? The security domain name is correctly written in the web.xml file, so why isn't it going there?
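The trace above shows PicketBox consulting getAppConfigurationEntry(other), the default domain of the AS 7 / EAP 6 web subsystem, rather than the domain named in web.xml. As an added diagnostic that is not part of the original post: on AS 7 the realm-name element of web.xml does not select the JAAS domain; the WAR is bound to a domain by a security-domain element in WEB-INF/jboss-web.xml, and without one it falls through to "other". The checker below compares what web.xml names, what jboss-web.xml binds, and what the log says was consulted; the XML and log lines embedded in it are constructed from the post, and the jboss-web.xml content is an assumed fix, not something the poster has deployed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the login-config part of the post's web.xml, wrapped in a root element.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ad_security_domain</realm-name>
  </login-config>
</web-app>"""
# Assumed fix: a WEB-INF/jboss-web.xml that binds the WAR to the domain (the post deploys none).
JBOSS_WEB_XML = "<jboss-web><security-domain>ad_security_domain</security-domain></jboss-web>"
# Constructed: two lines in the shape of the post's PicketBox TRACE/ERROR output.
LOG_LINES = [
    "14:23:07,989 TRACE [org.jboss.security] PBOX000221: Begin getAppConfigurationEntry(other), size: 4",
    "14:23:08,000 ERROR [org.jboss.security] PBOX000265: The security domain other has been disabled. All authentication will fail",
]
DEFAULT_DOMAIN = "other"  # web subsystem default on AS 7 / EAP 6 when jboss-web.xml names no domain

def realm_name(web_xml):
    """Domain the web.xml appears to select; the container does not use it for the JAAS lookup."""
    el = ET.fromstring(web_xml).find("{*}login-config/{*}realm-name")
    return el.text.strip() if el is not None and el.text else None

def bound_domain(jboss_web_xml):
    """Domain the container really uses: jboss-web.xml <security-domain>, else the default."""
    if not jboss_web_xml:
        return DEFAULT_DOMAIN
    el = ET.fromstring(jboss_web_xml).find("{*}security-domain")
    return el.text.strip() if el is not None and el.text else DEFAULT_DOMAIN

def domain_in_log(lines):
    """Domain PicketBox actually consulted, taken from the getAppConfigurationEntry trace."""
    for line in lines:
        m = re.search(r"getAppConfigurationEntry\(([^)]+)\)", line)
        if m:
            return m.group(1)
    return None

def diagnose(web_xml, jboss_web_xml, lines):
    """Return a list of findings; an empty list means the WAR is bound to the domain it names."""
    want, got = realm_name(web_xml), bound_domain(jboss_web_xml)
    findings = []
    if want != got:
        findings.append(f"web.xml names realm '{want}' but the WAR is bound to '{got}'; set it in WEB-INF/jboss-web.xml")
    seen = domain_in_log(lines)
    if seen and seen != want:
        findings.append(f"log shows PicketBox consulted '{seen}', not '{want}'")
    if any("PBOX000265" in line for line in lines):
        findings.append("PBOX000265: the consulted domain carries the Disabled login module; every login fails there")
    return findings
```

Running diagnose(WEB_XML, None, LOG_LINES) reproduces the post's situation with three findings; with the jboss-web.xml binding in place and a clean log it returns none. The bindCredential in standalone.xml is a plaintext service-account password, which is the item to move into the server vault once login works.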