1 2 Previous Next 15 Replies Latest reply on Dec 15, 2006 11:36 AM by Thomas Heute

    401 error on selecting dashboard....

    Paul McMillan Newbie

      Hi,

      I am trying to secure access to the portal using NTLM and Active Directory. So far I have manged to create my own servlet based on JCIFs NtlmServlet and created my own LoginModule to authenticate the user against AD and it all work fine; i can successfully log in to the portal.

      I have changed the BASIC auth to FORM auth in the web.xml in jboss-portal.sar\portal-core.war\WEB-INF, configured the login page to point to my servlet, that deals with the post to j_security_check after forcing a log in through NTLM. My custom LoginModule then gets called with the username from j_security_check, they are checked against AD and their roles populated, one of which is AUTHENTICATED, user logs in.

      The problem is; having been lgged in, when I click on My Dashboard. I get a 401 error:

      This request requires HTTP authentication ()

      It seems that going to this location, BASIC authentication is being applied. Having already successfully logged in to the portal, I'm not sure why this is happening?

      If anyone could point me int he right direction that would be great.

      Thanks,
      Paul

        • 1. Re: 401 error on selecting dashboard....
          Paul McMillan Newbie

          Apologies; forgot to state that I am trying this in portal 2.6.0-DR1, however I have tried it in 2.4 and get the same thing when I try to hit the Admin page after logging in.

          Thanks

          • 2. Re: 401 error on selecting dashboard....
            Paul McMillan Newbie

            OK,

            Not much feedback here :) However, I have made some progress. The default portal page that I log in to contains a number of custom pages and portlets that I have deployed. If I add a security constraint to any of these pages (in the object.xml of the page definiton) where I do not have the stated security role, the page is no longer visible on login. However, in the 'pages' portlet on the default page I can still see a link to the secured page. If I click that link, I get the Http 401 error experienced when trying to open the Admin page. If I change the security setting to be a role I have in LDAP, I can see the pages again as tabs in the default page, all good.

            This 401 error seems to be returned when I do not have the required role to access the page/resource, a strange error to receive, I thought this error was thrown for BASIC authentication, which I didn't know was being used. I use FORM authentication on portal login.

            The problem is, I still can't access the Admin page. Now, I'd like to change the role for the Admin page in portal 2.4 to 'Authenticated' to test the security, but can't find an object.xml that defines that page? Without this, I don't know how to change the required role for the admin page.

            Does anyone know where the Admin page is configured and where the security constraint is for that page? Or, does anyone know the name of the required role (probably Admin?) so I can maybe create that group in LDAP so I can log in to the admin page.

            Any help would be appreciated.

            Thanks

            • 3. Re: 401 error on selecting dashboard....
              Peter Johnson Master

              The Admin page is defined in jboss-portal.sar/conf/data/default-object.xml.

              • 4. Re: 401 error on selecting dashboard....
                Paul McMillan Newbie

                Hi,

                Thanks for the reply. That was stupid of me not to search for *-object.xml!

                Anyway, I have changed the security constraints there to match with a role I know works in the portal; so changed from Admin to WorkingRole, and I still don't seem to log in with the admin page available :


                <deployment>
                 <if-exists>keep</if-exists>
                 <parent-ref>default</parent-ref>
                 <page>
                 <page-name>Admin</page-name>
                 <window>
                 <window-name>NavigationPortletWindow</window-name>
                 <instance-ref>NavigationPortletInstance</instance-ref>
                 <region>navigation</region>
                 <height>0</height>
                 <!-- keep portal and page properties for this window -->
                 <properties>
                 <!-- use the window renderer from the emptyRenderer renderSet -->
                 <property>
                 <name>theme.windowRendererId</name>
                 <value>emptyRenderer</value>
                 </property>
                 <!-- use the decoration renderer from the emptyRenderer renderSet -->
                 <property>
                 <name>theme.decorationRendererId</name>
                 <value>emptyRenderer</value>
                 </property>
                 <!-- use the portlet renderer from the emptyRenderer renderSet -->
                 <property>
                 <name>theme.portletRendererId</name>
                 <value>emptyRenderer</value>
                 </property>
                 </properties>
                 </window>
                 <window>
                 <window-name>UserPortletWindow</window-name>
                 <instance-ref>UserPortletInstance</instance-ref>
                 <region>left</region>
                 <height>0</height>
                 </window>
                 <window>
                 <window-name>RolePortletWindow</window-name>
                 <instance-ref>RolePortletInstance</instance-ref>
                 <region>left</region>
                 <height>1</height>
                 </window>
                 <window>
                 <window-name>CatalogPortletWindow</window-name>
                 <instance-ref>CatalogPortletInstance</instance-ref>
                 <region>left</region>
                 <height>2</height>
                 </window>
                 <window>
                 <window-name>ManagementPortletWindow</window-name>
                 <instance-ref>ManagementPortletInstance</instance-ref>
                 <region>center</region>
                 <height>0</height>
                 </window>
                 <window>
                 <window-name>CMSAdminPortletWindow</window-name>
                 <instance-ref>CMSAdminPortletInstance</instance-ref>
                 <region>center</region>
                 <height>1</height>
                 </window>
                 <security-constraint>
                 <policy-permission>
                 <role-name>WorkingRole</role-name>
                 <action-name>viewrecursive</action-name>
                 </policy-permission>
                 </security-constraint>
                 </page>
                 </deployment>
                


                Do you know if changing the values in that file and restarting the server would take effect, or anything else that is required?

                Thanks


                • 5. Re: 401 error on selecting dashboard....
                  Thomas Heute Master

                  You need to specify:

                  <if-exists>overwrite</if-exists>
                  


                  instead of:
                  <if-exists>keep</if-exists>
                  



                  • 6. Re: 401 error on selecting dashboard....
                    Paul McMillan Newbie

                    Thanks,

                    I can now see the Admin Page! However :) I don't have access to the portlets on the page!! I just get access denied on two of the portlets and


                    Sorry, you do not have access to this function.



                    on the Role Management portlet

                    If anyone has changed the role of the portlets before and knows how to do that it would be much appreciated. I will search around to see what I can find. I am seriously hoping that having logged in using JAAS that I don't have to do some other security step just to gain access to these portlets.

                    Step by Step,
                    Cheers,
                    Paul

                    • 7. Re: 401 error on selecting dashboard....
                      Peter Johnson Master

                      To be on the safe side, I would reinstall the portal from scratch. Sometimes changes made in the *-object.xml file just don't get reflected because the database already contains other settings.

                      • 8. Re: 401 error on selecting dashboard....
                        Peter Johnson Master

                        The Role Management portlet has the "Admin" role hard-coded. You would have to change this line in the file ./core/src/main/org/jboss/portal/core/portlet/role/RolePortlet.java:

                        private static final String ADMIN_ROLE = "Admin";

                        As far as I know, that is the only place where the "Admin" role is hard-coded.

                        • 9. Re: 401 error on selecting dashboard....
                          Paul McMillan Newbie

                          Thanks for that,

                          I can't believe a role is hardcoded in there! :) I wonder how other people have dealt with this if they have used AD/LDAP to hold the roles for the portal? You can't be expected to create a role in the AD of an organisation called Admin!

                          All the best

                          • 10. Re: 401 error on selecting dashboard....
                            Thomas Heute Master

                            You are mixing application roles and user roles.

                            Your defined roles to your users, let's say "Managers" and then you need to map those roles to the application roles (here "Admin").

                            See JAAS and the portlet spec to see how you can map your roles

                            (This is not the best design here though since you need to modify internal configuration files but you don't need to touch the java file)

                            • 11. Re: 401 error on selecting dashboard....
                              Paul McMillan Newbie

                              Hey,

                              I was previously using the built in HSQL db, so to test out whether the db config was causing the security issues I swapped the portal datasource to MSSQL, when the portal rebuilt the db I can now access all portlets in the admin page, with the exception of the Role Portlet, which fits with Peter's comment that the portlet has a hard coded role in there and the existing db config meant the changed -object.xml's settings were being ignored. So, I am very close to having what I want! :)

                              Thomas, I'm not sure I follow your point? I don't want application roles and user roles. I want one set of roles (groups), configured in AD to place users in so they have access to portal resources. The way I am doing that is working fine; my custom AD module gets the roles the user belongs to on login and they are used to protect/grant access to the appropriate resources in the portal. The problem is the hard coded role in the role portlet?

                              If you could elaborate that would be great. I will however look in to JAAS and its use in portlets :)

                              Thanks,
                              Paul

                              • 12. Re: 401 error on selecting dashboard....
                                Peter Johnson Master

                                Julien or Roy, do you mind if I open a JIRA to make the administrator role for the Role Management portlet a read-only preference? It would default to "Admin" but could be easily changed by modifying the appropriate portal.xml file.

                                • 13. Re: 401 error on selecting dashboard....
                                  Peter Johnson Master

                                  Never mind regarding the JIRA, didn't see Thomas' reply before I sent my post.

                                  • 14. Re: 401 error on selecting dashboard....
                                    Paul McMillan Newbie

                                    Had a think about this; are you talking about using security-role-ref's?

                                    So, use something like:

                                    <security-role-ref>
                                     <role-name>MyLDAPRoleToCheck</role-name>
                                     <role-link>Admin</role-link>
                                     </security-role-ref>
                                    


                                    If so, where would that go? In the web.xml in jboss-portal.sar\portal-server.war\WEB-INF? Against which servlet?

                                    Thanks,
                                    Paul

                                    1 2 Previous Next