Problem with IDP security domain : cannot authenticate
ndrw_cheung Nov 15, 2012 1:48 PM
Hi. I have trouble authenticating a user using the LdapExtLoginModule in my IDP application. I have verified that the password is correct using jexplorer, logging the user into the tree (Novell eDirectory). Configurations, logs, and code snippets can be found below. I have also turned up the logs for JBoss security.
Any help to make authentication work is appreciated.
-Andrew
P.S. This IDP application (minus the jboss-web.xml file) has been proven to work on Tomcat 6, where a JNDIRealm is defined in the context.xml file as follows:
<Realm className="org.apache.catalina.realm.JNDIRealm" allRolesMode="strict" connectionName="cn=mygenericuser,ou=Canada,o=com" connectionPassword="hello123" connectionURL="ldap://127.0.0.1:389" userBase="ou=Canada,o=com" userRoleName="employeetype" userSearch="(cn={0})" userSubtree="true"/>
So I don't know what's wrong with my security-domain configuration that causes the authentication problem.
---------------
Setup: JBoss EAP 5.2.
Generic user that has read/write permissions on other users and does the search: cn=mygenericuser,ou=Canada,o=com
The password field is the attribute "userPassword" of the user object.
Examples of users:
dn: cn=johndoe,ou=myLocation,ou=Canada,o=com
objectClass: inetOrgPerson
objectClass: person
objectClass: top
employeetype: sales
cn: johndoe
dn: cn=ssmith,ou=myLocation,ou=Canada,o=com
objectClass: inetOrgPerson
objectClass: person
objectClass: top
employeetype: manager
cn: ssmith
-----------------------
login-config.xml:
<application-policy name="idp">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://127.0.0.1:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.referral">follow</module-option>
<module-option name="bindDN">cn=mygenericuser,ou=Canada,o=com</module-option>
<module-option name="bindCredential">hello123</module-option>
<module-option name="baseCtxDN">ou=Canada,o=com</module-option>
<module-option name="baseFilter">(cn={0})</module-option>
<module-option name="rolesCtxDN">ou=Canada,o=com</module-option>
<module-option name="userRolesCtxDNAttributeName">employeetype</module-option>
<module-option name="roleAttributeIsDN">false</module-option>
<module-option name="roleRecursion">4</module-option>
<module-option name="searchTimeLimit">10000</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="defaultRole">employee</module-option>
</login-module>
</authentication>
</application-policy>
-------------------
In my web application, jboss-web.xml :
<jboss-web>
<security-domain>idp</security-domain>
</jboss-web>
-----------------------
web.xml :
<login-config>
<auth-method>FORM</auth-method>
<realm-name>My Application</realm-name>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/login-error.jsp</form-error-page>
</form-login-config>
</login-config>
---------------------------
jboss-log4j.xml :
<category name="org.jboss.serial">
<priority value="INFO"/>
</category>
<!-- debugging security layer -->
<category name="org.jboss.security">
<priority value="TRACE" class="org.jboss.logging.XLevel"></priority>
</category>
<category name="org.jboss.web.tomcat.security">
<priority value="TRACE" class="org.jboss.logging.XLevel"></priority>
</category>
<category name="org.apache.catalina">
<priority value="DEBUG"></priority>
</category>
--------------------------
In server.log:
2012-11-15 13:11:37,191 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-1) Requested cookie session id is 28415D00742347B197702702F61FD52C
2012-11-15 13:11:37,191 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-1) Setting threadlocal:{}
2012-11-15 13:11:37,191 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-127.0.0.1-8080-1) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}
2012-11-15 13:11:37,205 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Security checking request POST /IDP/j_security_check
2012-11-15 13:11:37,223 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-1) Authenticating username 'johndoe'
2012-11-15 13:11:37,223 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-1) Begin authenticate, username=johndoe
2012-11-15 13:11:37,230 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-1) Begin isValid, principal:johndoe, cache info: null
2012-11-15 13:11:37,231 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-1) defaultLogin, principal=johndoe
2012-11-15 13:11:37,231 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-1) Begin getAppConfigurationEntry(idp), size=15
2012-11-15 13:11:37,231 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-1) End getAppConfigurationEntry(idp), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=defaultRole, value=employee
name=baseFilter, value=(cn={0})
name=java.naming.referral, value=follow
name=bindDN, value=cn=mygenericuser,ou=Canada,o=com
name=rolesCtxDN, value=ou=Canada,o=com
name=debug, value=true
name=baseCtxDN, value=ou=Canada,o=com
name=roleRecursion, value=4
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=java.naming.security.authentication, value=simple
name=allowEmptyPasswords, value=false
name=java.naming.provider.url, value=ldap://127.0.0.1:389
name=bindCredential, value=****
name=searchTimeLimit, value=10000
name=roleAttributeIsDN, value=false
name=searchScope, value=SUBTREE_SCOPE
name=roleAttributeID, value=employeetype
2012-11-15 13:11:37,257 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) initialize
2012-11-15 13:11:37,257 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) Security domain: idp
2012-11-15 13:11:37,257 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) login
2012-11-15 13:11:37,258 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) Logging into LDAP server, env={searchTimeLimit=10000, baseFilter=(cn={0}), allowEmptyPasswords=false, java.naming.referral=follow, defaultRole=8, java.naming.security.credentials=***, jboss.security.security_domain=idp, java.naming.security.authentication=simple, baseCtxDN=ou=Canada,o=com, roleAttributeIsDN=false, rolesCtxDN=ou=Canada,o=com, java.naming.security.principal=cn=mygenericuser,ou=Canada,o=com, debug=true, searchScope=SUBTREE_SCOPE, roleRecursion=4, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://127.0.0.1:389, roleAttributeID=employeetype, bindDN=cn=mygenericuser,ou=Canada,o=com, bindCredential=hello123}
2012-11-15 13:11:37,336 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) Logging into LDAP server, env={searchTimeLimit=10000, baseFilter=(cn={0}), allowEmptyPasswords=false, java.naming.referral=follow, defaultRole=8, java.naming.security.credentials=***, jboss.security.security_domain=idp, java.naming.security.authentication=simple, baseCtxDN=ou=Canada,o=com, roleAttributeIsDN=false, rolesCtxDN=ou=Canada,o=com, java.naming.security.principal=cn=johndoe,ou=myLocation,ou=Canada,o=com, debug=true, searchScope=SUBTREE_SCOPE, roleRecursion=4, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://127.0.0.1:389, roleAttributeID=employeetype, bindDN=cn=mygenericuser,ou=Canada,o=com, bindCredential=hello123}
2012-11-15 13:11:37,347 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) Bad password for username=johndoe
2012-11-15 13:11:37,357 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-1) abort
2012-11-15 13:11:37,357 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-1) Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:252)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:553)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:487)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:399)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:426)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.internalProcess(ActiveRequestResponseCacheValve.java:74)
at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:47)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
at java.lang.Thread.run(Thread.java:619)
2012-11-15 13:11:37,358 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-1) End isValid, false
2012-11-15 13:11:37,358 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-1) User: johndoe is NOT authenticated
2012-11-15 13:11:37,358 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-1) End authenticate, principal=null
2012-11-15 13:11:37,358 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-1) jsp, runAs: null
2012-11-15 13:11:37,358 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-1) jsp, runAs: null
2012-11-15 13:11:37,396 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-1) jsp, runAs: null
2012-11-15 13:11:37,396 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-1) jsp, runAs: null
2012-11-15 13:11:37,396 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/IDP].[jsp]] (http-127.0.0.1-8080-1) Disabling the response for futher output
2012-11-15 13:11:37,396 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Failed authenticate() test ??/IDP/j_security_check
2012-11-15 13:11:37,396 TRACE [org.jboss.security.SecurityAssociation] (http-127.0.0.1-8080-1) clear, server=true
2012-11-15 13:11:37,396 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-1) Setting threadlocal:null
2012-11-15 13:11:37,396 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-1) Setting threadlocal:null
2012-11-15 13:11:37,440 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-2) Requested cookie session id is 28415D00742347B197702702F61FD52C
2012-11-15 13:11:37,440 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-1) Requested cookie session id is 28415D00742347B197702702F61FD52C
2012-11-15 13:11:37,442 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:{}
2012-11-15 13:11:37,442 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-127.0.0.1-8080-2) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}
2012-11-15 13:11:37,442 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Security checking request GET /IDP/images/picketlink-banner-1180px.png
2012-11-15 13:11:37,442 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-1) Setting threadlocal:{}
2012-11-15 13:11:37,442 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-127.0.0.1-8080-1) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}
2012-11-15 13:11:37,442 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Security checking request GET /IDP/css/idp.css
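The two "Logging into LDAP server" TRACE lines in the post show what LdapExtLoginModule actually does: one simple bind as cn=mygenericuser to search baseCtxDN with baseFilter, then a second simple bind as the resolved DN cn=johndoe,ou=myLocation,ou=Canada,o=com with the submitted password, and it is that second bind the directory rejects ("Bad password for username=johndoe"). The following is an added diagnostic written for this page, not code from the post or from JBoss: it repeats exactly those two binds with plain JNDI and the same values as the login-config.xml above, so the failure can be reproduced outside the application server and the directory's own error text (which the server log collapses to "Password Incorrect/Password Required") becomes visible. The class name, the command-line arguments and the printed messages are assumptions of this example. Note also that the TRACE env dump in the post prints the service-account credential in clear text (bindCredential=hello123); the example takes credentials as char[] and never prints them, and TRACE on org.jboss.security should be switched back off once the problem is found.

```java
// Added diagnostic for this page, not part of the original post or of JBoss.
// Reproduces the search-then-bind sequence LdapExtLoginModule performs.
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapExtBindCheck {   // class name is an assumption of this example

    // Values taken from the login-config.xml in the post
    static final String URL         = "ldap://127.0.0.1:389";
    static final String BIND_DN     = "cn=mygenericuser,ou=Canada,o=com";
    static final String BASE_CTX    = "ou=Canada,o=com";
    static final String BASE_FILTER = "(cn={0})";
    static final String ROLE_ATTR   = "employeetype";

    /** One simple bind with the same JNDI environment the login module builds. */
    static DirContext bind(String principal, char[] credential) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.REFERRAL, "follow");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        // char[] is accepted by the LDAP provider and keeps the secret out of String dumps
        env.put(Context.SECURITY_CREDENTIALS, credential);
        return new InitialDirContext(env);
    }

    /** Step 1: bind as the service account and resolve the user's DN via baseFilter. */
    static String findUserDn(String username, char[] serviceCredential) throws NamingException {
        DirContext ctx = bind(BIND_DN, serviceCredential);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // searchScope=SUBTREE_SCOPE
            sc.setTimeLimit(10000);                            // searchTimeLimit=10000
            sc.setReturningAttributes(new String[] { ROLE_ATTR });
            // {0} is bound as a filter argument, never concatenated: no LDAP filter injection
            NamingEnumeration<SearchResult> results =
                ctx.search(BASE_CTX, BASE_FILTER, new Object[] { username }, sc);
            if (!results.hasMore()) {
                throw new NamingException("no entry matches " + BASE_FILTER + " for " + username);
            }
            SearchResult sr = results.next();
            String dn = sr.getNameInNamespace();
            System.out.println("resolved DN: " + dn + "; " + ROLE_ATTR + ": "
                               + sr.getAttributes().get(ROLE_ATTR));
            if (results.hasMore()) {
                throw new NamingException("filter is ambiguous: several entries match " + username);
            }
            return dn;
        } finally {
            ctx.close();
        }
    }

    /** Step 2: bind as the user. This is the bind that fails in the posted server.log. */
    static boolean verifyPassword(String userDn, char[] password) throws NamingException {
        if (password.length == 0) {
            return false;   // mirrors allowEmptyPasswords=false: never send an anonymous bind
        }
        try {
            bind(userDn, password).close();
            return true;
        } catch (AuthenticationException e) {
            // The provider's message carries the directory's own error code and text
            System.out.println("user bind rejected by server: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 3) {
            System.err.println("usage: java LdapExtBindCheck <username> <servicePassword> <userPassword>");
            System.exit(2);
        }
        String dn = findUserDn(args[0], args[1].toCharArray());
        System.out.println(verifyPassword(dn, args[2].toCharArray()) ? "AUTH OK" : "AUTH FAILED");
    }
}
```

If step 1 resolves the expected DN but step 2 is rejected, the problem is between the directory and the user bind (password policy, the userPassword attribute, or the server refusing simple binds for that DN) rather than in the security-domain wiring; if step 2 succeeds here with the same values, compare the JNDI environment printed in the post's TRACE line against this one option by option.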