0 Replies Latest reply on Jan 30, 2013 6:44 PM by Kenneth Hensel

    Problem with LDAP security-

    Kenneth Hensel Newbie

      We are trying to access LDAP for a simple authorization in a small web application running in jboss-as-7.1.3.

       

      Here is the LDAP security-domain:

       

      <security-domain name="tranreq-login-realm" cache-type="default">

      <authentication>

                  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">

                          <module-option name="java.naming.provider.url" value="ldaps://myurl:port/dc=berkeley,dc=edu"/>

                          <module-option name="java.naming.security.authentication" value="simple"/>

                          <module-option name="java.naming.security.credentials" value="password"/>

                          <module-option name="principalDNPrefix" value="uid=myId,ou=applications,dc=berkeley,dc=edu"/>

                          <module-option name="allowEmptyPasswords" value="false"/>

                  </login-module>

          </authentication>

      </security-domain>

       

      The jboss-web.xml is such:

       

      <?xml version="1.0" encoding="UTF-8"?>

      <jboss-web>

          <security-domain flushOnSessionInvalidation="true">

              tranreq-login-realm

          </security-domain>

      </jboss-web>

       

      Here is the web.xml:

       

      <?xml version="1.0" encoding="UTF-8"?>

      <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

               xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

          <display-name>transcript-request</display-name>

          <session-config>

              <session-timeout>30</session-timeout>

          </session-config>

          <filter>

              <filter-name>guiceFilter</filter-name>

              <filter-class>com.google.inject.servlet.GuiceFilter</filter-class>

          </filter>

          <filter-mapping>

              <filter-name>guiceFilter</filter-name>

              <url-pattern>/*</url-pattern>

          </filter-mapping>

          <listener>

              <listener-class>edu.berkeley.eas.enrollment.transcriptrequest.servlet.ServletContext</listener-class>

          </listener>

          <listener>

              <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>

          </listener>

          <welcome-file-list>

              <welcome-file>index.jsp</welcome-file>

          </welcome-file-list>

      </web-app>

       

      Here is the META-INF/context.xml:

       

      <?xml version="1.0" encoding="UTF-8"?>

      <Context antiJARLocking="true" path="/tranreq">

       

        <ResourceLink name="ldap"

                      global="ldapContext"

                      type="javax.naming.ldap.InitialLdapContext"/>

      </Context>

       

       

      The programmer that did this made it so that a parameter will be read containing the jndi name.  I have tried all combinations and got the best results with this:

       

         jndi.ldap.name=java:jboss/jaas/tranreq-login-realm

       

      Here is the Java Class that is trying to access LDAP.  For some reason, he set it up to read ldap.properties file OR use JNDI.  I don't think his JNDI usage is correct.  The error is below the code:

       

      /*

      * To change this template, choose Tools | Templates

      * and open the template in the editor.

      */

      package edu.berkeley.eas.enrollment.transcriptrequest.servlet;

       

      import com.google.inject.Inject;

      import com.google.inject.Provider;

      import com.google.inject.name.Named;

       

      import java.util.Properties;

      import javax.naming.Context;

      import javax.naming.InitialContext;

      import javax.naming.NamingException;

      import javax.naming.ldap.InitialLdapContext;

       

      import org.slf4j.Logger;

      import org.slf4j.LoggerFactory;

       

      /**

      * @author boris

      */

      public class InitialLdapContextProvider implements Provider<InitialLdapContext> {

       

          private static Logger logger = LoggerFactory.getLogger(InitialLdapContextProvider.class);

          @Inject(optional = true)

          @Named("edu.berkeley.ist.ldap.initCtxFactory")

          protected String initCtxFactory;

          @Inject(optional = true)

          @Named("edu.berkeley.ist.ldap.providerURL")

          protected String providerURL;

          @Inject(optional = true)

          @Named("edu.berkeley.ist.ldap.principalDNPrefix")

          protected String principalDNPrefix;

          @Inject(optional = true)

          @Named("edu.berkeley.ist.ldap.pwd")

          protected String passwd;

          @Inject(optional = true)

          @Named("jndi.ldap.name")

          protected String jndiLdapName;

       

          @Override

          public InitialLdapContext get() {

       

              if (jndiLdapName != null) {

                  try {

                      logger.info("using {}", jndiLdapName);

                      InitialContext initialContext = new InitialContext();

                      return (InitialLdapContext) initialContext.lookup(jndiLdapName);

                  } catch (NamingException e) {

                      logger.error("+++ Caught namingException: {}", e.getMessage());

                      logger.error("+++ jndiLdapName: {},", jndiLdapName);

                      return null;

                  }

              }

       

              logger.info("loading external properties...");

              Properties env = new Properties();

              env.put(Context.INITIAL_CONTEXT_FACTORY, initCtxFactory);

              env.put(Context.PROVIDER_URL, providerURL);

              env.put(Context.SECURITY_PROTOCOL, "ssl");

              env.put(Context.SECURITY_AUTHENTICATION, "simple");

              env.put(Context.SECURITY_PRINCIPAL, principalDNPrefix);

              env.put(Context.SECURITY_CREDENTIALS, passwd);

              try {

                  return new InitialLdapContext(env, null);

              } catch (Throwable t) {

                  logger.error("+++ caught Exception: {}", t.getMessage());

                  return null;

              }

          }

      }

       

      Here are the errors from the log when trying to deploy the war file:

       

       

      15:15:57,609 INFO  [edu.berkeley.eas.enrollment.transcriptrequest.servlet.InitialLdapContextProvider] (MSC service thread 1-3) using java:jboss/jaas/tranreq-login-realm

      15:15:57,611 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/tranreq]] (MSC service thread 1-3) Exception starting filter guiceFilter: com.google.inject.ProvisionException: Guice provision errors:

       

      1) Error in custom provider, java.lang.ClassCastException: org.jboss.security.authentication.JBossCachedAuthenticationManager cannot be cast to javax.naming.ldap.InitialLdapContext

        while locating edu.berkeley.eas.enrollment.transcriptrequest.servlet.InitialLdapContextProvider

        at edu.berkeley.eas.enrollment.transcriptrequest.servlet.ConfigurationModule.configure(ConfigurationModule.java:33)

        while locating javax.naming.ldap.InitialLdapContext

          for field at edu.berkeley.eas.enrollment.transcriptrequest.servlet.LdapClient.initialLdapContext(LdapClient.java:25)

        at edu.berkeley.eas.enrollment.transcriptrequest.servlet.ConfigurationModule.configure(ConfigurationModule.java:34)

        while locating edu.berkeley.eas.enrollment.transcriptrequest.servlet.LdapClient

          for field at edu.berkeley.eas.enrollment.transcriptrequest.servlet.TranReqFilter.ldapClient(TranReqFilter.java:30)

        at edu.berkeley.eas.enrollment.transcriptrequest.servlet.ServletContext$1.configureServlets(ServletContext.java:96)

        while locating edu.berkeley.eas.enrollment.transcriptrequest.servlet.TranReqFilter

       

      1 error

              at com.google.inject.internal.InjectorImpl$4.get(InjectorImpl.java:987) [guice-3.0.jar:]

              at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1009) [guice-3.0.jar:]

              at com.google.inject.servlet.FilterDefinition.init(FilterDefinition.java:104) [guice-servlet-3.0.jar:]

              at com.google.inject.servlet.ManagedFilterPipeline.initPipeline(ManagedFilterPipeline.java:98) [guice-servlet-3.0.jar:]

              at com.google.inject.servlet.GuiceFilter.init(GuiceFilter.java:172) [guice-servlet-3.0.jar:]

              at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:447) [jbossweb-7.0.17.Final.jar:]

              at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3269) [jbossweb-7.0.17.Final.jar:]

              at org.apache.catalina.core.StandardContext.start(StandardContext.java:3865) [jbossweb-7.0.17.Final.jar:]

              at org.jboss.as.web.deployment.WebDeploymentService.start(WebDeploymentService.java:89) [jboss-as-web-7.1.3.Final.jar:7.1.3.Final]

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811)

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746)

              at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [rt.jar:1.6.0_33]

              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [rt.jar:1.6.0_33]

              at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]

      Caused by: java.lang.ClassCastException: org.jboss.security.authentication.JBossCachedAuthenticationManager cannot be cast to javax.naming.ldap.InitialLdapContext

              at edu.berkeley.eas.enrollment.transcriptrequest.servlet.InitialLdapContextProvider.get(InitialLdapContextProvider.java:49) [classes:]

              at edu.berkeley.eas.enrollment.transcriptrequest.servlet.InitialLdapContextProvider.get(InitialLdapContextProvider.java:23) [classes:]

              at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:55) [guice-3.0.jar:]

              at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46) [guice-3.0.jar:]

              at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1031) [guice-3.0.jar:]

              at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) [guice-3.0.jar:]

              at com.google.inject.Scopes$1$1.get(Scopes.java:65) [guice-3.0.jar:]

              at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:40) [guice-3.0.jar:]

              at com.google.inject.internal.SingleFieldInjector.inject(SingleFieldInjector.java:53) [guice-3.0.jar:]

              at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:110) [guice-3.0.jar:]

              at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:94) [guice-3.0.jar:]

              at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:254) [guice-3.0.jar:]

              at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46) [guice-3.0.jar:]

              at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1031) [guice-3.0.jar:]

              at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) [guice-3.0.jar:]

              at com.google.inject.Scopes$1$1.get(Scopes.java:65) [guice-3.0.jar:]

              at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:40) [guice-3.0.jar:]

              at com.google.inject.internal.SingleFieldInjector.inject(SingleFieldInjector.java:53) [guice-3.0.jar:]

              at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:110) [guice-3.0.jar:]

              at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:94) [guice-3.0.jar:]

              at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:254) [guice-3.0.jar:]

              at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46) [guice-3.0.jar:]

              at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1031) [guice-3.0.jar:]

              at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) [guice-3.0.jar:]

              at com.google.inject.Scopes$1$1.get(Scopes.java:65) [guice-3.0.jar:]

              at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:40) [guice-3.0.jar:]

              at com.google.inject.internal.InjectorImpl$4$1.call(InjectorImpl.java:978) [guice-3.0.jar:]

              at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1024) [guice-3.0.jar:]

              at com.google.inject.internal.InjectorImpl$4.get(InjectorImpl.java:974) [guice-3.0.jar:]

              ... 13 more

       

      15:15:57,618 ERROR [org.apache.catalina.core.StandardContext] (MSC service thread 1-3) Error filterStart

      15:15:57,618 ERROR [org.apache.catalina.core.StandardContext] (MSC service thread 1-3) Context [/tranreq] startup failed due to previous errors

      15:15:57,619 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC00001: Failed to start service jboss.web.deployment.default-host./tranreq: org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./tranreq: JBAS018040: Failed to start context

              at org.jboss.as.web.deployment.WebDeploymentService.start(WebDeploymentService.java:94)

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]

              at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [rt.jar:1.6.0_33]

              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [rt.jar:1.6.0_33]

              at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]

       

      15:15:57,824 INFO  [org.jboss.as.server] (DeploymentScanner-threads - 1) JBAS015870: Deploy of deployment "tranreq.war" was rolled back with failure message {"JBAS014671: Failed services" => {"jboss.web.deployment.default-host./tranreq" => "org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./tranreq: JBAS018040: Failed to start context"},"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.deployment.unit.\"tranreq.war\".jboss.security.jacc Missing[JBAS014861: <one or more transitive dependencies>]"]}

      15:15:57,825 INFO  [org.jboss.as.controller] (DeploymentScanner-threads - 1) JBAS014774: Service status report

      JBAS014777:   Services which failed to start:      service jboss.web.deployment.default-host./tranreq: org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./tranreq: JBAS018040: Failed to start context

       

      15:15:57,826 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 2) {"JBAS014653: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" => {"JBAS014671: Failed services" => {"jboss.web.deployment.default-host./tranreq" => "org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./tranreq: JBAS018040: Failed to start context"},"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.deployment.unit.\"tranreq.war\".jboss.security.jacc Missing[JBAS014861: <one or more transitive dependencies>]"]}}}

      15:15:57,829 INFO  [org.jboss.as.osgi] (MSC service thread 1-4) JBAS011908: Unregister module: Module "deployment.tranreq.war:main" from Service Module Loader

      15:15:57,830 DEBUG [org.jboss.osgi.resolver] (MSC service thread 1-4) Uninstall resource: AbstractResource[deployment.tranreq.war:0.0.0]

      15:15:57,850 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-2) JBAS015877: Stopped deployment tranreq.war in 24ms

       

       

      Any help would be greatly appreciated.


      Thanks, Ken