0 Replies Latest reply on Nov 15, 2012 1:48 PM by ndrw_cheung

    Problem with IDP security domain : cannot authenticate

    ndrw_cheung

      Hi. I have trouble authenticating a user using the LDAPExtLoginModule in my IDP application. I have verified that the password is correct by logging the user into the tree (Novell eDirectory) with jexplorer. Configurations, logs, and code snippets can be found below. I have also turned up the logs for JBoss security.

      Any help to make authentication work is appreciated.

        -Andrew

      P.S. This IDP application (minus the jboss-web.xml file) has been proven to work on Tomcat 6, in which a JNDIRealm is defined in the context.xml file as follows:

      <Realm className="org.apache.catalina.realm.JNDIRealm" allRolesMode="strict" connectionName="cn=mygenericuser,ou=Canada,o=com" connectionPassword="hello123" connectionURL="ldap://127.0.0.1:389" userBase="ou=Canada,o=com" userRoleName="employeetype" userSearch="(cn={0})" userSubtree="true"/>

      So I don't know what's wrong with my security-domain configuration that causes the authentication problem.


      ---------------


      Setup : JBoss EAP5.2.

      Generic user that has read/write permissions to other users and doing the search : cn=mygenericuser,ou=Canada,o=com

      The password field is the attribute "userPassword" of the user object.

      Examples of users:


      dn=cn=johndoe,ou=myLocation,ou=Canada,o=com

      objectClass: inetOrgPerson

      objectClass: person

      objectClass: top

      employeetype: sales

      cn: johndoe


      dn=cn=ssmith,ou=myLocation,ou=Canada,o=com

      objectClass: inetOrgPerson

      objectClass: person

      objectClass: top

      employeetype: manager

      cn: ssmith


      -----------------------

      login-config.xml:


      <application-policy name="idp">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://127.0.0.1:389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="java.naming.referral">follow</module-option>
            <module-option name="bindDN">cn=mygenericuser,ou=Canada,o=com</module-option>
            <module-option name="bindCredential">hello123</module-option>
            <module-option name="baseCtxDN">ou=Canada,o=com</module-option>
            <module-option name="baseFilter">(cn={0})</module-option>
            <module-option name="rolesCtxDN">ou=Canada,o=com</module-option>
            <module-option name="userRolesCtxDNAttributeName">employeetype</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="roleRecursion">4</module-option>
            <module-option name="searchTimeLimit">10000</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
            <module-option name="defaultRole">employee</module-option>
          </login-module>
        </authentication>
      </application-policy>


      -------------------


      In my web application, jboss-web.xml :

      <jboss-web>
        <security-domain>idp</security-domain>
      </jboss-web>

      -----------------------

      web.xml :

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>My Application</realm-name>
        <form-login-config>
          <form-login-page>/jsp/login.jsp</form-login-page>
          <form-error-page>/jsp/login-error.jsp</form-error-page>
        </form-login-config>
      </login-config>

      ---------------------------

      jboss-log4j.xml :

      <category name="org.jboss.serial">
         <priority value="INFO"/>
      </category>

      <!-- debugging security layer -->
      <category name="org.jboss.security">
         <priority value="TRACE" class="org.jboss.logging.XLevel"></priority>
      </category>

      <category name="org.jboss.web.tomcat.security">
         <priority value="TRACE" class="org.jboss.logging.XLevel"></priority>
      </category>

      <category name="org.apache.catalina">
         <priority value="DEBUG"></priority>
      </category>

      --------------------------


      In server.log:


      2012-11-15 13:11:37,191 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-1)  Requested cookie session id is 28415D00742347B197702702F61FD52C

      2012-11-15 13:11:37,191 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-1) Setting threadlocal:{}

      2012-11-15 13:11:37,191 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-127.0.0.1-8080-1) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}

      2012-11-15 13:11:37,205 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Security checking request POST /IDP/j_security_check

      2012-11-15 13:11:37,223 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-1) Authenticating username 'johndoe'

      2012-11-15 13:11:37,223 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-1) Begin authenticate, username=johndoe

      2012-11-15 13:11:37,230 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-1) Begin isValid, principal:johndoe, cache info: null

      2012-11-15 13:11:37,231 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-1) defaultLogin, principal=johndoe

      2012-11-15 13:11:37,231 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-1) Begin getAppConfigurationEntry(idp), size=15

      2012-11-15 13:11:37,231 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-1) End getAppConfigurationEntry(idp), authInfo=AppConfigurationEntry[]:

      [0]

      LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule

      ControlFlag: LoginModuleControlFlag: required

      Options:

      name=defaultRole, value=employee

      name=baseFilter, value=(cn={0})

      name=java.naming.referral, value=follow

      name=bindDN, value=cn=mygenericuser,ou=Canada,o=com

      name=rolesCtxDN, value=ou=Canada,o=com

      name=debug, value=true

      name=baseCtxDN, value=ou=Canada,o=com

      name=roleRecursion, value=4

      name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory

      name=java.naming.security.authentication, value=simple

      name=allowEmptyPasswords, value=false

      name=java.naming.provider.url, value=ldap://127.0.0.1:389

      name=bindCredential, value=****

      name=searchTimeLimit, value=10000

      name=roleAttributeIsDN, value=false

      name=searchScope, value=SUBTREE_SCOPE

      name=roleAttributeID, value=employeetype


      2012-11-15 13:11:37,257 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) initialize

      2012-11-15 13:11:37,257 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) Security domain: idp

      2012-11-15 13:11:37,257 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) login

      2012-11-15 13:11:37,258 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) Logging into LDAP server, env={searchTimeLimit=10000, baseFilter=(cn={0}), allowEmptyPasswords=false, java.naming.referral=follow, defaultRole=8, java.naming.security.credentials=***, jboss.security.security_domain=idp, java.naming.security.authentication=simple, baseCtxDN=ou=Canada,o=com, roleAttributeIsDN=false, rolesCtxDN=ou=Canada,o=com, java.naming.security.principal=cn=mygenericuser,ou=Canada,o=com, debug=true, searchScope=SUBTREE_SCOPE, roleRecursion=4, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://127.0.0.1:389, roleAttributeID=employeetype, bindDN=cn=mygenericuser,ou=Canada,o=com, bindCredential=hello123}

      2012-11-15 13:11:37,336 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) Logging into LDAP server, env={searchTimeLimit=10000, baseFilter=(cn={0}), allowEmptyPasswords=false, java.naming.referral=follow, defaultRole=8, java.naming.security.credentials=***, jboss.security.security_domain=idp, java.naming.security.authentication=simple, baseCtxDN=ou=Canada,o=com, roleAttributeIsDN=false, rolesCtxDN=ou=Canada,o=com, java.naming.security.principal=cn=johndoe,ou=myLocation,ou=Canada,o=com, debug=true, searchScope=SUBTREE_SCOPE, roleRecursion=4, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://127.0.0.1:389, roleAttributeID=employeetype, bindDN=cn=mygenericuser,ou=Canada,o=com, bindCredential=hello123}

      2012-11-15 13:11:37,347 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) Bad password for username=johndoe

      2012-11-15 13:11:37,357 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) abort

      2012-11-15 13:11:37,357 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-1) Login failure

      javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required

          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:252)

          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

          at java.lang.reflect.Method.invoke(Method.java:597)

          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)

          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)

          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)

          at java.security.AccessController.doPrivileged(Native Method)

          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

          at javax.security.auth.login.LoginContext.login(LoginContext.java:579)

          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:553)

          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:487)

          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)

          at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)

          at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:399)

          at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)

          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:426)

          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)

          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

          at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.internalProcess(ActiveRequestResponseCacheValve.java:74)

          at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:47)

          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)

          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)

          at java.lang.Thread.run(Thread.java:619)

      2012-11-15 13:11:37,358 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-1) End isValid, false

      2012-11-15 13:11:37,358 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-1) User: johndoe is NOT authenticated

      2012-11-15 13:11:37,358 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-1) End authenticate, principal=null

      2012-11-15 13:11:37,358 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-1) jsp, runAs: null

      2012-11-15 13:11:37,358 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-1) jsp, runAs: null

      2012-11-15 13:11:37,396 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-1) jsp, runAs: null

      2012-11-15 13:11:37,396 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-1) jsp, runAs: null

      2012-11-15 13:11:37,396 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/IDP].[jsp]] (http-127.0.0.1-8080-1)  Disabling the response for futher output

      2012-11-15 13:11:37,396 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1)  Failed authenticate() test ??/IDP/j_security_check

      2012-11-15 13:11:37,396 TRACE [org.jboss.security.SecurityAssociation] (http-127.0.0.1-8080-1) clear, server=true

      2012-11-15 13:11:37,396 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-1) Setting threadlocal:null

      2012-11-15 13:11:37,396 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-1) Setting threadlocal:null

      2012-11-15 13:11:37,440 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-2)  Requested cookie session id is 28415D00742347B197702702F61FD52C

      2012-11-15 13:11:37,440 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-1)  Requested cookie session id is 28415D00742347B197702702F61FD52C

      2012-11-15 13:11:37,442 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:{}

      2012-11-15 13:11:37,442 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-127.0.0.1-8080-2) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}

      2012-11-15 13:11:37,442 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Security checking request GET /IDP/images/picketlink-banner-1180px.png

      2012-11-15 13:11:37,442 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-1) Setting threadlocal:{}

      2012-11-15 13:11:37,442 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-127.0.0.1-8080-1) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}

      2012-11-15 13:11:37,442 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Security checking request GET /IDP/css/idp.css
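The flow the server.log above shows LdapExtLoginModule taking (bind as bindDN, search baseCtxDN with baseFilter, then a second bind as the DN that was found), written out as an added example that is not part of the original post or of JBoss, so each step can be checked in isolation. It runs against a constructed in-memory directory: the FakeDirectory class, the return strings, and the user passwords are assumptions, while the option names and DNs are taken from the post. The username is escaped before substitution into baseFilter because an unescaped "*" in the filter matches every entry.

```python
import re

def escape_filter_value(value):
    """Escape RFC 4515 filter metacharacters so a username is matched literally."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group(0)), value)

def _filter_value_regex(raw):
    # Raw filter value -> regex: an unescaped '*' is a wildcard, '\xx' a literal char.
    toks = re.findall(r'\\[0-9a-fA-F]{2}|\*|.', raw)
    lit = lambda t: re.escape(chr(int(t[1:], 16)) if t[0] == '\\' else t)
    return re.compile(''.join('.*' if t == '*' else lit(t) for t in toks))

class FakeDirectory:
    """Constructed in-memory stand-in for the directory: {dn: {attr: value}}."""
    def __init__(self, entries):
        self.entries = entries
    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry.get('userPassword') == password
    def search(self, base, ldap_filter):
        # Only simple (attr=value) filters, subtree scope.
        m = re.fullmatch(r'\((\w+)=(.*)\)', ldap_filter)
        if not m:
            return []
        pat = _filter_value_regex(m.group(2))
        return [dn for dn, e in self.entries.items()
                if dn.endswith(',' + base) and pat.fullmatch(e.get(m.group(1), ''))]

def authenticate(directory, opts, username, password):
    """Mirror LdapExtLoginModule: bindDN bind, user search, then bind as the found DN."""
    if not directory.bind(opts['bindDN'], opts['bindCredential']):
        return 'service bind failed'
    if not password and opts.get('allowEmptyPasswords', 'false') != 'true':
        return 'empty password rejected'
    ldap_filter = opts['baseFilter'].replace('{0}', escape_filter_value(username))
    matches = directory.search(opts['baseCtxDN'], ldap_filter)
    if len(matches) != 1:
        return 'user not found' if not matches else 'ambiguous user'
    if not directory.bind(matches[0], password):
        return 'user bind failed'  # logged by the module as "Bad password for username=..."
    return 'ok'

# Constructed sample data modelled on the post's layout; user passwords are made up.
OPTS = {'bindDN': 'cn=mygenericuser,ou=Canada,o=com', 'bindCredential': 'hello123',
        'baseCtxDN': 'ou=Canada,o=com', 'baseFilter': '(cn={0})', 'allowEmptyPasswords': 'false'}
DIRECTORY = FakeDirectory({
    'cn=mygenericuser,ou=Canada,o=com': {'cn': 'mygenericuser', 'userPassword': 'hello123'},
    'cn=johndoe,ou=myLocation,ou=Canada,o=com': {'cn': 'johndoe', 'userPassword': 'jd-secret'},
    'cn=ssmith,ou=myLocation,ou=Canada,o=com': {'cn': 'ssmith', 'userPassword': 'ss-secret'},
})
```

A failure in the last step corresponds to the "Bad password for username=johndoe" line in the log, which means the first bind and the search already succeeded and only the user's own bind was rejected by the directory. Note that at TRACE level the module's env dump prints bindCredential in clear, as the server.log above shows.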