4 Replies Latest reply on Oct 30, 2014 8:33 AM by Daniel Castro

    JSF login using Active Directory issue

    Stéphane Wantiez Newbie

      The application I'm developing will be used via JSF pages secured with a login system that will validate the user credentials via Active Directory.

      In order to do that, I have a /login.xhtml page, and the application's pages in the /sec/ directory, like /sec/index.xhtml. The web.xml is as follows:

          <display-name>testWeb</display-name>

          <servlet>
              <servlet-name>Faces Servlet</servlet-name>
              <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
              <load-on-startup>1</load-on-startup>
          </servlet>

          <listener>
              <listener-class>com.sun.faces.config.ConfigureListener</listener-class>
          </listener>

          <servlet-mapping>
              <servlet-name>Faces Servlet</servlet-name>
              <url-pattern>*.faces</url-pattern>
          </servlet-mapping>

          <welcome-file-list>
              <welcome-file>/sec/index.faces</welcome-file>
          </welcome-file-list>

          <security-constraint>
              <display-name>SecurePages</display-name>
              <web-resource-collection>
                  <web-resource-name>SecurePages</web-resource-name>
                  <url-pattern>/sec/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>*</role-name>
              </auth-constraint>
          </security-constraint>

          <login-config>
              <auth-method>FORM</auth-method>
              <realm-name>ad_security_domain</realm-name>
              <form-login-config>
                  <form-login-page>/login.xhtml</form-login-page>
                  <form-error-page>/login-error.xhtml</form-error-page>
              </form-login-config>
          </login-config>

      My JBoss AS 7.1 (EAP 6.1) is configured as follows:

          <subsystem xmlns="urn:jboss:domain:security:1.2">
              <security-domains>
                  <security-domain name="other" cache-type="default">
                      <authentication>
                          <login-module code="Disabled" flag="required"/>
                      </authentication>
                  </security-domain>
                  <security-domain name="ad_security_domain" cache-type="default">
                      <authentication>
                          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                              <module-option name="debug" value="true"/>
                              <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                              <module-option name="java.naming.provider.url" value="ldap://mycompany:389"/>
                              <module-option name="java.naming.security.authentication" value="simple"/>
                              <module-option name="bindDN" value="MYGROUP\mylogin"/>
                              <module-option name="bindCredential" value="mypassword"/>
                              <module-option name="baseCtxDN" value="OU=User,OU=City1,DC=mycompany"/>
                              <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                              <module-option name="rolesCtxDN" value="OU=Groups,DC=mycompany"/>
                              <module-option name="roleFilter" value="(member={1})"/>
                              <module-option name="roleAttributeIsDN" value="true"/>
                              <module-option name="roleNameAttributeID" value="sAMAccountName"/>
                              <module-option name="allowEmptyPasswords" value="false"/>
                              <module-option name="roleRecursion" value="5"/>
                              <!--<module-option name="searchTimeLimit" value="100000"/>-->
                          </login-module>
                      </authentication>
                  </security-domain>
                  <security-domain name="jboss-web-policy" cache-type="default">
                      <authorization>
                          <policy-module code="Delegating" flag="required"/>
                      </authorization>
                  </security-domain>
                  <security-domain name="jboss-ejb-policy" cache-type="default">
                      <authorization>
                          <policy-module code="Delegating" flag="required"/>
                      </authorization>
                  </security-domain>
              </security-domains>
          </subsystem>

      I've checked the AD settings with tools like LdapSearch and JXplorer, and they seem correct. My problem is that whenever I try to log in, I get an error. By redirecting all the security traces to the same file, I get only this:

      14:22:49,462 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1) Security checking request GET /testWeb/sec/index.faces
      14:22:49,463 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-1)   Checking constraint 'SecurityConstraint[SecurePages]' against GET /sec/index.faces --> true
      14:22:49,463 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-1)   Checking constraint 'SecurityConstraint[SecurePages]' against GET /sec/index.faces --> true
      14:22:49,463 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1)  Calling hasUserDataPermission()
      14:22:49,463 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-1)   User data constraint has no restrictions
      14:22:49,463 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1)  Calling authenticate()
      14:22:49,464 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1) Save request in session 'SK5o6Rm7dLQF1iUNyylYQpht'
      14:22:49,465 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/testWeb].[default]] (http-localhost/127.0.0.1:8080-1)  Disabling the response for futher output
      14:22:49,465 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/testWeb].[default]] (http-localhost/127.0.0.1:8080-1)  The Response is vehiculed using a wrapper: org.apache.catalina.connector.Response
      14:22:49,466 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1)  Failed authenticate() test
      14:22:49,466 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000354: Setting security roles ThreadLocal: null
      14:22:56,007 DEBUG [org.apache.catalina.session] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1371126176007 sessioncount 0
      14:22:56,007 DEBUG [org.apache.catalina.session] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
      14:22:56,007 DEBUG [org.apache.catalina.session] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1371126176007 sessioncount 1
      14:22:56,007 DEBUG [org.apache.catalina.session] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
      14:23:07,983 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1) Security checking request POST /testWeb/sec/j_security_check
      14:23:07,985 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1) Authenticating username 'wantist'
      14:23:07,986 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000200: Begin isValid, principal: wantist, cache entry: null
      14:23:07,986 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000209: defaultLogin, principal: wantist
      14:23:07,989 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000221: Begin getAppConfigurationEntry(other), size: 4
      14:23:07,996 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.security.auth.spi.DisabledLoginModule
      ControlFlag: LoginModuleControlFlag: required
      Options:

      14:23:08,000 ERROR [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000265: The security domain other has been disabled. All authentication will fail
      14:23:08,002 DEBUG [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000206: Login failure: javax.security.auth.login.LoginException: Login Failure: all modules ignored
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:935) [rt.jar:1.7.0_11]
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_11]
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_11]
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_11]
              at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_11]
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_11]
              at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_11]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
              at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:216) [jboss-as-web-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
              at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:373) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_11]

      14:23:08,007 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000201: End isValid, result = false
      14:23:08,007 TRACE [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/testWeb]] (http-localhost/127.0.0.1:8080-1) JBWEB000013: Username [wantist] NOT successfully authenticated
      14:23:08,009 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/testWeb].[default]] (http-localhost/127.0.0.1:8080-1)  Disabling the response for futher output
      14:23:08,009 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/testWeb].[default]] (http-localhost/127.0.0.1:8080-1)  The Response is vehiculed using a wrapper: org.apache.catalina.connector.Response
      14:23:08,010 DEBUG [org.apache.catalina.authenticator] (http-localhost/127.0.0.1:8080-1)  Failed authenticate() test ??/testWeb/sec/j_security_check
      14:23:08,010 TRACE [org.jboss.security] (http-localhost/127.0.0.1:8080-1) PBOX000354: Setting security roles ThreadLocal: null


      It seems that my credentials are never handled by the LDAP login module, and just go to the Disabled one... How can I get them validated by AD? The security domain name is correctly written in the web.xml file, so why isn't it going there?
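The fragment below is an added example; it is not part of the original post or of the replies on this page. It illustrates the mechanism the trace points at: in JBoss AS 7 / EAP 6 the `<realm-name>` element in web.xml is only a label for the HTTP authentication realm, it does not choose the PicketBox security domain. A web application is bound to a security domain by the `<security-domain>` element of `WEB-INF/jboss-web.xml`; when that file is absent the container uses the default domain named `other`, which is exactly what `getAppConfigurationEntry(other)` and `PBOX000265: The security domain other has been disabled` show. The domain name `ad_security_domain` is taken from the standalone.xml in the post; everything else is the standard deployment descriptor.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/jboss-web.xml (added example, not from the original post).
     Binds the testWeb application to the "ad_security_domain" security
     domain defined in the security subsystem of standalone.xml.
     Without this descriptor JBoss AS 7 / EAP 6 falls back to the default
     domain "other", which in the configuration above contains only the
     Disabled login module, so every login fails before
     LdapExtLoginModule is consulted. -->
<jboss-web>
    <security-domain>ad_security_domain</security-domain>
</jboss-web>
```

After adding the file and redeploying, a successful binding shows up in the same trace as `getAppConfigurationEntry(ad_security_domain)` listing `LdapExtLoginModule` instead of `DisabledLoginModule`. Two things in the posted domain deserve a second look once login works: `java.naming.provider.url` points at `ldap://mycompany:389` with `simple` authentication, so the bind account's credential and every user's password cross the network in the clear unless the connection is switched to `ldaps://` (or StartTLS); and `bindCredential` is stored as plaintext in standalone.xml, where EAP 6's password vault is the usual way to keep it out of the configuration file.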