2 Replies Latest reply on Apr 30, 2008 10:58 AM by deanouk

    HTTP Status 403 - when using LDAP

    deanouk

      Hi,

      I'm still struggling to get LDAP working with JBoss Portal, using Active Directory (on Windows 2003 SBS).

      We seem to be authenticating properly, but then get:

      HTTP Status 403 Access to the specified resource () has been forbidden.


      Which suggests to me the correct role isn't assigned to the user - which I believe is 'Authenticated' for the default portal setup.

      Debugging through IdentityLoginModule shows that Authenticated is definitely put in the roles set - I see a map entry in rolesGroup with key/value of PortalPrincipal[Authenticated].

      Any ideas guys, completely stuck at this point.

        • 1. Re: HTTP Status 403 - when using LDAP
          deanouk

          I've added some logging and am seeing:

          [30 Apr 2008 11:56:26] DEBUG com.msp.ejb.security.IdentityLoginModule - UserStatus is OK, returning true.
          [30 Apr 2008 11:56:26] DEBUG org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'dean.pullen' was successful
          [30 Apr 2008 11:56:26] DEBUG org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/portal/auth/portal/default/default'
          [30 Apr 2008 11:56:26] DEBUG org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/portal/auth/portal/default/j_security_check
          [30 Apr 2008 11:56:26] DEBUG org.apache.catalina.connector.CoyoteAdapter - Requested cookie session id is 6D4F6081BEF093070076F5DF9E375A06
          [30 Apr 2008 11:56:26] DEBUG org.apache.catalina.authenticator.AuthenticatorBase - Security checking request GET /portal/auth/portal/default/default
          [30 Apr 2008 11:56:26] DEBUG org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[Authenticated]' against GET /auth/portal/default/default --> true
          [30 Apr 2008 11:56:26] DEBUG org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[Secure]' against GET /auth/portal/default/default --> false
          [30 Apr 2008 11:56:26] DEBUG org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[Secure+Authenticated]' against GET /auth/portal/default/default --> false
          [30 Apr 2008 11:56:26] DEBUG org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[Authenticated]' against GET /auth/portal/default/default --> true
          [30 Apr 2008 11:56:26] DEBUG org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[Secure]' against GET /auth/portal/default/default --> false
          [30 Apr 2008 11:56:26] DEBUG org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[Secure+Authenticated]' against GET /auth/portal/default/default --> false


          (You'll notice I've replaced IdentityLoginModule with our own version which only adds additional debug statements)

          I see it passing the Authenticated roles but not Secure or Secure+Authenticated, but I've never seen these mentioned anywhere. Is this the cause of the problem, and if so how do I fix it? Adding these roles doesn't seem to change anything.

          This also makes me wonder if authentication hasn't properly passed (shown above too):

          [30 Apr 2008 11:56:26] DEBUG org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/portal/auth/portal/default/j_security_check


          • 2. Re: HTTP Status 403 - when using LDAP
            deanouk

            After a lot of debugging, taking source from the JBoss repo and stepping through it, I noticed that the role 'User' was also added to the role set of the users, via the standard non-LDAP IdentityLoginModule.

            Adding this as a group in SBS AD and adding it to the user allowed the portal to work. Also, adding Admin worked as you would expect.

            I suspect a lot of people have fallen into this trap considering the 403 errors I've seen in the forums.
            It might be worth updating the specs to ensure people add these roles to their user's role sets, not just 'Authenticated'.
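A small diagnostic helper, added here as example code (not the poster's code and not part of JBoss Portal or Tomcat), that parses the RealmBase lines quoted in the first reply and checks an LDAP-supplied role set against the roles the second reply found the portal needs; the sample log and the expected-role set are constructed from the thread, and Tomcat's RealmBase prints that "--> true/false" from the URL-pattern match, so "true" there does not mean the role check passed.

```python
import re

# Constructed sample: the shape follows the Tomcat DEBUG lines quoted in the first reply.
SAMPLE_LOG = """\
[30 Apr 2008 11:56:26] DEBUG org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'dean.pullen' was successful
[30 Apr 2008 11:56:26] DEBUG org.apache.catalina.authenticator.AuthenticatorBase - Security checking request GET /portal/auth/portal/default/default
[30 Apr 2008 11:56:26] DEBUG org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[Authenticated]' against GET /auth/portal/default/default --> true
[30 Apr 2008 11:56:26] DEBUG org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[Secure]' against GET /auth/portal/default/default --> false
[30 Apr 2008 11:56:26] DEBUG org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[Secure+Authenticated]' against GET /auth/portal/default/default --> false
"""

# Roles the second reply found the default portal expects on a logged-in user.
# Assumption: this is the complete set; the thread names only these two (Admin is optional).
PORTAL_EXPECTED_ROLES = {"Authenticated", "User"}

AUTH_RE = re.compile(r"Authentication of '([^']+)' was successful")
CONSTRAINT_RE = re.compile(
    r"Checking constraint 'SecurityConstraint\[([^\]]+)\]' "
    r"against (\w+) (\S+) --> (true|false)")


def parse_constraint_checks(log_text):
    """Return (authenticated user, {(method, uri): constraints whose URL pattern matched}).

    RealmBase logs the URL-pattern match as '--> true/false'; it is not a role
    verdict, so a matching 'Authenticated' constraint does not rule out a 403.
    """
    user = None
    applicable = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            user = m.group(1)
            continue
        m = CONSTRAINT_RE.search(line)
        if m:
            name, method, uri, matched = m.groups()
            bucket = applicable.setdefault((method, uri), set())
            if matched == "true":
                bucket.add(name)
    return user, applicable


def missing_roles(granted_roles, expected_roles=PORTAL_EXPECTED_ROLES):
    """Roles the login module did not grant but the portal expects; non-empty means a 403."""
    return sorted(set(expected_roles) - set(granted_roles))
```

Feeding the role set the LDAP login module built in the thread (Authenticated only) to `missing_roles` reports `['User']`, which is the role the second reply had to add as an AD group.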