1 2 Previous Next 15 Replies Latest reply on Nov 23, 2007 7:16 AM by Boleslaw Dawidowicz

    Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)

    Brendan Farragher Newbie

      I have a custom JAAS LoginModule configured for JBP 2.6.1, running in AS 4.0.5. After logging in, everything looks alright with the page. The only problem is that when I click the Dashboard link, I get a 403 Access Denied error. I have added Authenticated, Users, & Admin roles to the user in my LoginModule, and I see "Logged in as 'my user'" and also I have the Dashboard | Admin |Logout links on the page after signing in.

      The Admin and Logout links work correctly. When I click on the Dashboard link, I get the 403 error, but there are no exceptions when I check the log.

      Is it possible that this is a bug in JBP 2.6.1? If not, is there any way to turn on a lower level trace? I do not see anything in the LoginModule examples that would imply that it is necessary to link a user with a dashboard, programmatically speaking.

      Here is my LoginModule. Can you please let me know if the 403 is due to a bug in the portal, or if I am doing something wrong when adding the roles (see getRoleSets())? Thank you for any light that you can shed.

      package test.custom.jaas.impl;
      
      import java.io.IOException;
      import java.security.Principal;
      import java.security.acl.Group;
      import java.util.Map;
      
      import javax.naming.NamingException;
      import javax.security.auth.Subject;
      import javax.security.auth.callback.Callback;
      import javax.security.auth.callback.CallbackHandler;
      import javax.security.auth.callback.NameCallback;
      import javax.security.auth.callback.PasswordCallback;
      import javax.security.auth.callback.UnsupportedCallbackException;
      import javax.security.auth.login.LoginException;
      
      import org.apache.log4j.Category;
      import org.jboss.security.SimpleGroup;
      import org.jboss.security.SimplePrincipal;
      import org.jboss.security.auth.spi.AbstractServerLoginModule;
      import test.jaas.LoginAuthenticator;
      import test.jaas.LoginAuthenticatorFactory;
      import test.login.exception.LoginConfigurationException;
      
      public class SsoPortalLoginModule extends AbstractServerLoginModule
      {
       private static final String SSO_USER_PROMPT_TEXT = "User Name: ";
       private static final String SSO_PASSWORD_PROMPT_TEXT = "Password: ";
      
       private static final Category logger = Category.getInstance(SsoPortalLoginModule.class);
      
       private CallbackHandler callbackHandler = null;
       private boolean successfulLogin = false;
       private String loginUser = null;
       private String loginPassword = null;
       private Principal identity = null;
      
       /**
       * Default constructor
       */
       public SsoPortalLoginModule(){logger.info("%%%%% CALLING SsoPortalLoginModule constructor from PORTAL %%%%%");}
      
       /**
       * Initialization method that is called by the container. Subject represents the user or service that is logging in
       * and will be populated automatically. Callbackhandler is also populated by the JBoss portal because this implementation
       * extends AbstractServerLoginModule
       *
       * @param Subject subject
       * @param CallbackHandler callbackHandler
       * @param Map sharedState
       * @param Map options
       */
       public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
       {
       logger.info("%%%%% CALLING SsoPortalLoginModule.initialize() method from PORTAL %%%%%");
      
       // Call base class constructor. This is a requirement.
      
       super.initialize(subject, callbackHandler, sharedState, options);
      
       // Set internal state
      
       setSubject(subject);
       setCallbackHandler(callbackHandler);
       setSharedState(sharedState);
       setOptions(options);
      
       // Set base class' loginOk variable. This flag must be set as
       // a requirement for successful login
      
       resetLoginOKInBaseClass();
       }
      
       /**
       * Set subject. This object represents the user or service that is logging in.
       *
       * @param Subject subject
       */
       private void setSubject(Subject subject)
       {
       this.subject = subject;
       }
      
       /**
       * Login method that is called by the container
       *
       * @return boolean
       */
       public boolean login() throws LoginException
       {
       return executeLDAPLogin();
       }
      
       /**
       * Execute LDAP login
       *
       * @return boolean
       */
       private boolean executeLDAPLogin()
       {
       try
       {
      
       // Get credentials:
      
       getCredentials();
      
       // Authenticate credentials against LDAP server
      
       authenticateUserOnLDAPServer();
      
       // Set login user as portal identity:
      
       setLoginUserAsIdentity();
       }
      
       catch (Exception e)
       {
       e.printStackTrace();
       resetLoginOKInBaseClass();
       setSuccessfulLogin(false);
       return isSuccessfulLogin();
       }
      
       setLoginOKInBaseClass();
       return isSuccessfulLogin();
       }
      
       /**
       * Set login user as portal identity.
       */
       private void setLoginUserAsIdentity()
       {
       setIdentity(new SimplePrincipal(getLoginUser()));
      
       // setIdentity(new SimplePrincipal("admin")); // ***** TEST ONLY *******
       }
      
       /**
       * Use call back handler to retrieve login credentials from the user
       *
       * @throws IOException
       * @throws UnsupportedCallbackException
       */
       private void getCredentials() throws IOException, UnsupportedCallbackException
       {
       Callback[] callbacks = createUICallBacks();
      
       getCallbackHandler().handle(callbacks);
      
       extractLoginUserFromCallback(callbacks);
       extractLoginPasswordFromCallback(callbacks);
       }
      
       /**
       * Create callback objects that will store user input
       *
       * @return Callback[]
       */
       private Callback[] createUICallBacks()
       {
       return new Callback[] {
       new NameCallback(SSO_USER_PROMPT_TEXT),
       new PasswordCallback(SSO_PASSWORD_PROMPT_TEXT, false)};
       }
      
       /**
       * Authenticate user credentials on LDAP server
       *
       * @throws NamingException
       * @throws LoginConfigurationException
       */
       private void authenticateUserOnLDAPServer() throws NamingException, LoginConfigurationException
       {
       LoginAuthenticator authenticator =
       LoginAuthenticatorFactory.create(LoginAuthenticatorFactory.LDAP);
      
       setSuccessfulLogin(authenticator.isLoginValid(getLoginUser(), getLoginPassword()));
       }
      
       /**
       * As per JBoss documentation, the loginOk protected variable must be set in the base
       * class based on login results
       */
       private void setLoginOKInBaseClass()
       {
       super.loginOk = true; // Set base class login flag to successful
       }
      
       /**
       * Reset loginOk protected variable in base class
       */
       private void resetLoginOKInBaseClass()
       {
       super.loginOk = false; // Reset base class login flag to false
       }
      
       /**
       * Extract user ID string from Callback array
       *
       * @param Callback[] callbacks
       */
       private void extractLoginUserFromCallback(Callback[] callbacks)
       {
       setLoginUser(((NameCallback)callbacks[0]).getName());
       }
      
       /**
       * Extract password string from Callback array
       *
       * @param Callback[] callbacks
       */
       private void extractLoginPasswordFromCallback(Callback[] callbacks)
       {
       // Be sure to create a String object from the getPassword() call or login will fail:
      
       setLoginPassword(new String(((PasswordCallback) callbacks[1]).getPassword()));
       }
      
       /**
       * Set call back handler for obtaining credentials from the user
       *
       * @param CallbackHandler callbackHandler
       */
       private void setCallbackHandler(CallbackHandler callbackHandler)
       {
       this.callbackHandler = callbackHandler;
       }
      
       /**
       * Return portal identity. This is the portal user ID. This method is called by the container.
       *
       * @return Principal
       */
       @Override
       protected Principal getIdentity()
       {
       return this.identity;
       }
      
       /**
       * Get role set. This is where roles are loaded from the back end.
       * Note that Group is a subinterface of Principal. This method is
       * called by the container.
       *
       * @return Group[]
       */
       @Override
       protected Group[] getRoleSets() throws LoginException
       {
       logger.info("%%%%% CALLING SsoPortalLoginModule.getRoleSets() method from PORTAL %%%%%");
      
       Group rolesGroup = new SimpleGroup("Roles");
      
       rolesGroup.addMember(new SimplePrincipal("Authenticated")); // Must add authenticated principle
       rolesGroup.addMember(new SimplePrincipal("Users")); // Gives portal Users rites (Test)
       rolesGroup.addMember(new SimplePrincipal("Admin")); // Gives portal admin rites (Test)
      
       // Note that the identity needs to exist as a user account inside the portal prior to login
      
       rolesGroup.addMember(getIdentity()); // Add login identity as role (Test)
      
       return new Group[] { rolesGroup };
       }
      
       /**
       * Get call back handler. This object is used to obtain credentials from the user.
       *
       * @return CallbackHandler
       */
       private CallbackHandler getCallbackHandler()
       {
       return callbackHandler;
       }
      
       /**
       * Get login password string
       *
       * @return String
       */
       private String getLoginPassword() {
       return loginPassword;
       }
      
       /**
       * Set login password string
       *
       * @param String loginPassword
       */
       public void setLoginPassword(String loginPassword) {
       this.loginPassword = loginPassword;
       }
      
       /**
       * Get login user string
       *
       * @return String
       */
       private String getLoginUser() {
       return loginUser;
       }
      
       /**
       * Set login user string
       *
       * @param String loginPassword
       */
       private void setLoginUser(String loginUser) {
       this.loginUser = loginUser;
       }
      
       /**
       * This method signals whether the login attempt was successful or not.
       *
       * @return boolean
       */
       private boolean isSuccessfulLogin() {
       return successfulLogin;
       }
      
       /**
       * This method sets the successful login flag.
       *
       * @return boolean
       */
       private void setSuccessfulLogin(boolean successfulLogin) {
       this.successfulLogin = successfulLogin;
       }
      
       /**
       * Set login options as Map
       *
       * @param Map options
       */
       private void setOptions(Map options)
       {
       this.options = options;
       }
      
       /**
       * Set shared state options as Map
       *
       * @param Map sharedState
       */
       private void setSharedState(Map sharedState) {
       this.sharedState = sharedState;
       }
      
       /**
       * Set portal identity
       *
       * @param Principal identity
       */
       private void setIdentity(Principal identity)
       {
       this.identity = identity;
       }
      
      }


        • 1. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
          cpage cpage Novice

          same issue.

          sso cas + custom login module + dashboard error 403.

          did you make some changes on portal-server/web-inf/web.xml ?

          • 2. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
            Brendan Farragher Newbie

            I believe my custom LoginModule is functioning properly. Again, there are no exceptions in the log of any kind.

            I see that some error page behavior is configurable from within the Admin->Home->Dashboard page/tab, so maybe the exception is being caught and mishandled? There should be something in the log to indicate what is causing the 403...

            I was just reading another post regarding a dashboard 403 exception:

            http://www.jboss.com/index.html?module=bb&op=viewtopic&t=113200

            I realize that this other post is related to an Oracle DS, but would it be possible for a portal developer to check to see if there is anything that would be preventing the dashboard from being loaded for a user? In particular, why do the Admin | Logout links work properly, but not the Dashboard link? If the Admin link works, then that means that the Admin role has been successfully associated with the login user.

            Thanks. I am also attaching my login-config.xml:

            <policy>
             <!-- For the JCR CMS -->
             <application-policy name="cms">
             <authentication>
             <login-module code="org.apache.jackrabbit.core.security.SimpleLoginModule" flag="required"/>
             </authentication>
             </application-policy>
            
             <application-policy name="portal">
             <authentication>
            
             <!-- Activate custom login module for portal: -->
            
             <login-module code="test.custom.jaas.impl.SsoPortalLoginModule" flag="required">
             <module-option name="debug">1</module-option>
             <module-option name="unauthenticatedIdentity">guest</module-option>
             <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
             <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
             <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
             <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
             <module-option name="additionalRole">Authenticated</module-option>
             <module-option name="password-stacking">useFirstPass</module-option>
             </login-module>
            
             <!--To configure LDAP support with IdentityLoginModule please check documentation on how to
             configure portal identity modules for this-->
            
             <!--<login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required">-->
             <!--<login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="optional">-->
            
             <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="optional">
             <module-option name="unauthenticatedIdentity">guest</module-option>
             <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
             <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
             <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
             <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
             <module-option name="additionalRole">Authenticated</module-option>
             <module-option name="password-stacking">useFirstPass</module-option>
             </login-module>
            
             <!--Use can use this module instead of IdentityLoginModule to bind to LDAP. It simply extends JBossSX LdapExtLoginModule so
             all configuration that can be applied to LdapExtLoginModule also can be applied here. For user that
             was authenticated successfully it will try to take identity modules from portal, check if such user (and roles it belongs to)
             is present, and if not it will try to create them. Then for all roles assigned to this authenticated principal it will
             try to check and create them using identity modules. This behaviour can be disabled using "synchronizeRoles". You can also
             define one "defaultAssignRole" that will be always assigned to synchronized user.
             It is also possible to set option "synchronizeIdentity" to "false" so this module will act exactly like LdapExtLoginModule
             but it will inject role defined in "additionalRole". For obvious reasons
             this is designed to use with portal identity modules configured with DB and not LDAP-->
             <!--There is also SynchronizingLDAPLoginModule which provide the same set of options on top of JBossSX LdapLoginModule-->
             <!--<login-module code="org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule" flag="required">
             <module-option name="synchronizeIdentity">true</module-option>
             <module-option name="synchronizeRoles">true</module-option>
             <module-option name="additionalRole">Authenticated</module-option>
             <module-option name="defaultAssignedRole">User</module-option>
             <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
             <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
             <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
             <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
             <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
             <module-option name="java.naming.provider.url">ldap://example.com:10389/</module-option>
             <module-option name="java.naming.security.authentication">simple</module-option>
             <module-option name="bindDN">cn=Directory Manager</module-option>
             <module-option name="bindCredential">lolo</module-option>
             <module-option name="baseCtxDN">ou=People,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
             <module-option name="baseFilter">(uid={0})</module-option>
             <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
             <module-option name="roleFilter">(member={1})</module-option>
             <module-option name="roleAttributeID">cn</module-option>
             <module-option name="roleRecursion">-1</module-option>
             <module-option name="searchTimeLimit">10000</module-option>
             <module-option name="searchScope">SUBTREE_SCOPE</module-option>
             <module-option name="allowEmptyPasswords">false</module-option>
             </login-module>-->
            
             <!--This login module should be placed at the end of authentication stack. It always returns
             true in login() method so it should be always "optional" and exists after other "required" module in the stack.
             It will try to synchronize authenticated user into portal store using portal identity modules. Each subject principal assigned
             by previous modules will be tried to synchronize into portal as a role. -->
             <!--<login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
             <module-option name="synchronizeIdentity">true</module-option>
             <module-option name="synchronizeRoles">true</module-option>
             <module-option name="additionalRole">Authenticated</module-option>
             <module-option name="defaultAssignedRole">User</module-option>
             <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
             <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
             <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
             <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
             </login-module>-->
            
             <!--Uncomment this if you want to fall down to users kept in DB if LDAP authentication fails
             This may be usefull if you want to use Admin user provided with portal database schema-->
             <!--Note that this may lead to the security risk - with LDAP when storing user profile information
             that are not mapped as attribute you may have LDAP user synchronized into DB with no password set.
             Please see HibernateUserProfileImpl module options "synchronizeNonExistingUsers", "acceptOtherImplementations"
             "defaultSynchronizePassword" or "randomSynchronizePassword" to manage this behaviour-->
             <!--<login-module code = "org.jboss.portal.identity.auth.DBIdentityLoginModule" flag="sufficient">
             <module-option name="dsJndiName">java:/PortalDS</module-option>
             <module-option name="principalsQuery">SELECT jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
             <module-option name="rolesQuery">SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid WHERE jbp_users.jbp_uname=?</module-option>
             <module-option name="hashAlgorithm">MD5</module-option>
             <module-option name="hashEncoding">HEX</module-option>
             <module-option name="additionalRole">Authenticated</module-option>
             </login-module>-->
            
             </authentication>
             </application-policy>
            </policy>


            • 3. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
              Brendan Farragher Newbie

              No, I didn't change portal-server/web-inf/web.xml. That should not have to be changed. I say this because I am already adding the "Authenticated" role to the user within the LoginModule.

              Has anyone else configured a custom JAAS LoginModule to JBP 2.6.1 without experiencing the broken Dashboard link? If so, did you modify anything other than login-config.xml?

              Thanks.

              • 4. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
                cpage cpage Novice

                btw, i run jbp with an oracle DB.

                i remember a couple of months ago, i have raised a problem with dashboard + oracle DB:
                http://www.jboss.com/index.html?module=bb&op=viewtopic&t=113135

                maybe, the 2 problems are conected ?

                • 5. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
                  Brendan Farragher Newbie

                  I found the problem. Change login-config so that the modules are in this order. That's all that I did, and it worked. I remember reading somewhere that the login module calls are chained or something.

                   <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="optional">
                   <module-option name="unauthenticatedIdentity">guest</module-option>
                   <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
                   <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
                   <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
                   <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
                   <module-option name="additionalRole">Authenticated</module-option>
                   <module-option name="password-stacking">useFirstPass</module-option>
                   </login-module>
                  
                   <!-- Make sure that org.jboss.portal.identity.auth.IdentityLoginModule is first!! -->
                  
                   <login-module code="test.custom.jaas.impl.SsoPortalLoginModule" flag="required">
                   <module-option name="debug">1</module-option>
                   <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
                   <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
                   <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
                   <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
                   <module-option name="additionalRole">Authenticated</module-option>
                   <module-option name="password-stacking">useFirstPass</module-option>
                   </login-module>


                  • 6. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
                    Guy M. Spillman, Jr. Newbie

                    I am having the same problem, but NM-156's solution of ordering the login modules does not fix it.

                    I am using JBP 2.6.1 + JBoss AS 4.2.1 distribution, and am running it on Windows XP Pro.
                    Also using the NTLM login module from the http://jaaslounge.sourceforge.net project.

                    Here are the jar files added from JaasLounge to server\default\lib
                    jaaslounge-1.0.0RC1.jar
                    jcifs-1.1.11.jar
                    jcifs-ext-0.9.4.jar

                    Here is my server\default\deploy\jboss-portal.sar\conf\login-config.xml:

                    <application-policy name="portal">
                     <authentication>
                     <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="optional">
                     <module-option name="unauthenticatedIdentity">guest</module-option>
                     <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
                     <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
                     <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
                     <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
                     <module-option name="additionalRole">Authenticated</module-option>
                     <module-option name="password-stacking">useFirstPass</module-option>
                     </login-module>
                    
                     <login-module code="org.jaaslounge.ntlm.NtlmLoginModule" flag="required">
                     <module-option name="debug">true</module-option>
                     <module-option name="mode">JBoss</module-option>
                     <module-option name="domain">DUMMYDOMAIN</module-option>
                     <module-option name="host">WINNT-SVR-VM</module-option>
                     <module-option name="additionalRole">Authenticated</module-option>
                     </login-module>
                    
                     <login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
                     <module-option name="synchronizeIdentity">true</module-option>
                     <module-option name="synchronizeRoles">true</module-option>
                     <module-option name="additionalRole">Authenticated</module-option>
                     <module-option name="defaultAssignedRole">User</module-option>
                     <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
                     <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
                     <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
                     <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
                     </login-module>
                     </authentication>
                    </application-policy>
                    


                    Simply adding the jars from JaasLounge, and configuring login-config.xml will allow users to login using thier Windows Domain user and password. However, clicking on the Dashboard link produces the follow page:

                    HTTP Status 403 -
                    --------------------------------------------------------------------------------
                    type Status report
                    message
                    description Access to the specified resource () has been forbidden.
                    --------------------------------------------------------------------------------
                    JBossWeb/2.0.0.GA

                    I have also modified server\default\conf\jboss-log4j.xml to expose portal security messages using:
                    <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
                     <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
                     <param name="Target" value="System.out"/>
                     <param name="Threshold" value="TRACE"/>
                    
                     <layout class="org.apache.log4j.PatternLayout">
                     <!-- The default pattern: Date Priority [Category] Message\n -->
                     <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c{1}.%M] %m%n"/>
                     </layout>
                     </appender>
                    <category name="org.jboss.portal.security">
                     <priority value="TRACE" />
                     </category>
                    


                    This produced the following lines when clicking on the Dashboard link:

                    TRACE [JACCPortalAuthorizationManager.checkPermission] hasPermission:uri=dashboard:/portal/user::action=portalobject::type=portalobject
                    TRACE [JACCPortalAuthorizationManager.checkPermission] hasPermission:result=false


                    • 7. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
                      Brendan Farragher Newbie

                      Try to simplify so that you can see where your problem is. Remove your custom login modules, and then add them back one at a time (in login-config.xml). When I placed the IdentityLoginModule before my custom LoginModule, that configuration worked for me, and the dashboard link then functioned correctly. I performed additional tests where I restablished my original configuration (to make sure that my change is what fixed the 403), and the 403 error returned. I did not change anything else in my environment, except for what I noted.

                      You have THREE login modules involved. I only have two. You may need to experiment a little bit further to find the arrangement that works for you.

                      Hope this helps.

                      • 8. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
                        Guy M. Spillman, Jr. Newbie

                        According to the documentation, SynchronizingLoginModule should always be the final login module as it always succeeds.
                        http://docs.jboss.com/jbportal/v2.6/referenceGuide/html_single/#authentication.synchronizing_login_module

                        With that in mind, the original order of the the login modules were:

                        NtlmLoginModule
                        IdentityLoginModule
                        SynchronizingLoginModule

                        After reading NM-156's solution, I re-ordered it to:

                        IdentityLoginModule
                        NtlmLoginModule
                        SynchronizingLoginModule

                        I also changed the IdentityLoginModule flag attribute from "sufficient" to "optional". to match NM-156's example.

                        And after reading NM-156's last message, i tried

                        NtlmLoginModule
                        SynchronizingLoginModule
                        IdentityLoginModule

                        All of the above produced the same error.

                        • 9. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
                          Brendan Farragher Newbie

                          Please read this thread:

                          http://jboss.org/index.html?module=bb&op=viewtopic&t=117148

                          Comment out your custom login-module so that your login-config.xml is exactly the same as the default portal installation's login-config.xml (just temporarily). Now test (this is a sanity check). If your dashboard link works with the original login-config.xml configuration, then either your login module implementation (check log for exceptions) or your login module configuration is causing the problem.

                          • 10. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
                            Guy M. Spillman, Jr. Newbie

                            After trying your procedure, it does seem to suggest that the JaasLounge NtlmLoginModule is the culprit.

                            Now the question becomes what is the Dashboard looking for that JAAS login modules are suppose to provide, but NtlmLoginModule does not?

                            • 11. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
                              Brendan Farragher Newbie

                              That is exactly what I am researching now. If I use form based authentication to the portal, everything works fine because IdentityLoginModule AND my custom JAAS LoginModule are activated.

                              But now, I am trying to implement a Tomcat valve so that I will be able to bypass the portal login form altogether (my valve class extends org.apache.catalina.authenticator.SingleSignOn). When I add the roles and user principal to the request (inside of the valve), I am sent to the portal, and everything works fine except the dashboard link again (403 error ;). That is because, as you said, the login module call sequence in the context of form based login, appears to be providing something that my valve code is not. In the context of the execution of my valve, whatever the IdentityLoginModule (apparently) appears to be providing to enable the Dashboard is now missing again.

                              If any of the JBoss developers could provide some insight about what is required to enable the Dashboard link (programmatically or via configuration), that would be a great. I know that Sohil talked about the exact valve scenario that I am referring to here:

                              http://jboss.org/index.html?module=bb&op=viewtopic&t=115399&postdays=0&postorder=asc&start=20

                              Thanks.

                              • 12. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
                                Brendan Farragher Newbie

                                OK - I found the solution on Friday, but I needed to verify it... You have to add a UserPrincipal to the Subject (directly) inside of your JAAS module. This is the piece that enabled the dashboard functionality. I tested this both in my valve and with my custom JAAS module, and this was the case in both contexts. I now have only one LoginModule configured within login-config.xml (my custom LoginModule), and everything works fine.

                                Just do this within your login() method, and the dashboard link will work. (Note that you have access to the subject object via the initialize() method).

                                
                                getSubject().getPrincipals().add(new UserPrincipal(getLoginUser()));
                                
                                


                                • 13. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
                                  Guy M. Spillman, Jr. Newbie

                                  This also does not fix my problem. I overrode the JassLounge NtlmLoginModule class with the following method:

                                  @Override
                                  public boolean login() throws LoginException {
                                   boolean result = super.login();
                                  
                                   if (result) {
                                   log.trace("Add new UserPrincipal to Subject: "+this.getUsername());
                                   this.getSubject().getPrincipals().add(new UserPrincipal(this.getUsername()));
                                   }
                                  
                                   return result;
                                  }
                                  


                                  After configuring login-module.xml to look at the new class, I see my log trace, but still the same 403 error when accessing the dashboard.

                                  I think what I'm seeing is a different problem that causes the same symptom. Can anyone describe how best to find where the Dashboard is checking privileges?

                                  Thanks.

                                  • 14. Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)
                                    Brendan Farragher Newbie

                                    This is certainly possible. I have additional steps going on in my login() method, so our environments and needs differ. You may also have additional login modules configured.

                                    Again, all I can tell you at this point is that I tested adding the UserPrincipal in both my valve, and then in a separate round of testing, within my custom JAAS module. I ran several tests in both contexts where I removed, and then added back, the UserPrincipal. This object definitely has an effect on the dashboard. With it, no 403. Without it, I got the 403 consistently.

                                    1 2 Previous Next