Posted to jetspeed-user@portals.apache.org by Ate Douma <at...@douma.nu> on 2011/10/03 18:34:06 UTC

Re: authenticating with ldap javax.security.auth.login.LoginException on org.apache.catalina.realm.JAASRealm authenticate

On 10/03/2011 05:28 PM, jerome.dupont@bnf.fr wrote:
>
> Hi everybody.
>
> I'm trying and trying to authenticate with my own LDAP. (I've changed the
> names of the relationship between users and roles.)
> The connection to the LDAP is correct. (I've seen the connection and the retrieval
> of the user entity when debugging.)
>
> Synchronisation with db seems correct, as you can see in these logs:
> 03.10.2011 17:00:02 DEBUG
> [org.apache.jetspeed.security.spi.impl.DefaultJetspeedSecuritySynchronizer.synchronizeUserPrincipal
> ():156] Synchronizing UserPrincipal(partenaire)
> 03.10.2011 17:00:02 DEBUG
> [org.apache.jetspeed.security.spi.impl.DefaultJetspeedSecuritySynchronizer.synchronizeEntity
> ():189] Synchronizing entity user id: partenaire
> 03.10.2011 17:00:02 DEBUG
> [org.apache.jetspeed.security.spi.impl.DefaultJetspeedSecuritySynchronizer.synchronizeEntity
> ():189] Synchronizing entity role id: partenaires_admin
> 03.10.2011 17:00:02 DEBUG
> [org.apache.jetspeed.security.spi.impl.DefaultJetspeedSecuritySynchronizer.synchronizeEntity
> ():375] Synchronized entity role id: partenaires_admin mapped attributes
> ...
> 03.10.2011 17:00:03 DEBUG
> [org.apache.jetspeed.security.spi.impl.DefaultJetspeedSecuritySynchronizer.synchronizeEntity
> ():189] Synchronizing entity role id:
> partenaires_moissonnage_gallica_partenaire
> 03.10.2011 17:00:03 DEBUG
> [org.apache.jetspeed.security.spi.impl.DefaultJetspeedSecuritySynchronizer.synchronizeEntity
> ():375] Synchronized entity role id:
> partenaires_moissonnage_gallica_partenaire mapped attributes
> 03.10.2011 17:00:03 WARN
> [org.apache.jetspeed.decoration.DecorationFactoryImpl.getConfiguration
> ():287] Could not locate the decorator.properties configuration file for
> decoration "clear".  This decoration may not exist.
>
>
> But after that I get the following exception:
>
>
> ATTENTION: Exception lors de l'authentification par login du nom
> d'utilisateur partenaire
> javax.security.auth.login.LoginException: A user member role association is not allowed.
>          at org.apache.jetspeed.security.impl.DefaultLoginModule.login(DefaultLoginModule.java:258)

This is an o.a.j.security.SecurityException.PRINCIPAL_ASSOCIATION_UNSUPPORTED 
thrown from the BaseJetspeedPrincipalManager#addPrincipal or #addAssociation method.
I suspect your changes in the user/role association mapping are not or no longer 
aligned with the (Jetspeed generic, not LDAP specific) association handlers 
configuration in security-managers.xml.

It might help if you can provide a diff of your changes compared to the default 
Jetspeed configuration files for these.

Ate

>          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>          at java.lang.reflect.Method.invoke(Method.java:597)
>          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
>          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>          at java.security.AccessController.doPrivileged(Native Method)
>          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>          at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>          at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:363)
>          at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
>          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
>          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
>          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>          at java.lang.Thread.run(Thread.java:619)
>
>
> I don't know what to do.
> I've tried to remove the JAAS from my context file: same behavior.

>
>
>
> Regards,
> J.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>





Re: authenticating with ldap javax.security.auth.login.LoginException on org.apache.catalina.realm.JAASRealm authenticate

Posted by je...@bnf.fr.
It works!!!
Thanks for having asked me to describe all my changes; it helped me to find
the configuration trouble.

So I can log in, associated with the admin role (which is mapped to the
partenaires_admin role defined in my LDAP).
With the admin interface, I could create a user and associate a role with
him.

Unfortunately, no password is stored in the LDAP. Do I have to map a
userPassword attribute?

I recapitulate here the complete changes (as help for the next users who
will want to do the same thing, I hope).


Comparaison de: Q:\Apache\Jetspeed-2.2.1PourLdap\webapps\jetspeed\WEB-INF
\assembly\security-ldap.xml
Avec: Q:\Apache\Jetspeed-2.2.1ORI\webapps\jetspeed\WEB-INF\assembly
\security-ldap.xml
=======
1	  * <?xml version="1.0" encoding="UTF-8"?>  * <?xml version="1.0"
encoding="UTF-8"?>
     	 !>

User DAO configuration attributes: I removed cn, sn and givenName, and
replaced them by BNFMemberOf. I've changed the class (inetOrgPerson -> BnFUser).

179	  *     <property name="ldapIdAttribute" value="BnFIdentifiant" />  *
<property name="ldapIdAttribute" value="uid" />
180	  *     <property name="objectClasses" value="BNFUser"/>  *
<property name="objectClasses"
value="inetOrgPerson,organizationalPerson,person,top"/>
184	  *           <constructor-arg index="0" value="BnFIdentifiant" />  *
<constructor-arg index="0" value="uid" />
190	  * 		<bean
class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
*         <bean
class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
191	  *           <constructor-arg index="0" value="BnFMemberOf" />  *
<constructor-arg index="0" value="cn" />
192	  *           <constructor-arg index="1" value="true" />  *
<constructor-arg index="1" value="false" />
194	  *           <property name="required" value="false"/>  *
<property name="required" value="true"/>
195	  *           <property name="idAttribute" value="false"/>  *
<property name="idAttribute" value="true"/>
     	 !>         </bean>
     	 !>         <bean
class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
     	 !>           <constructor-arg index="0" value="sn" />
     	 !>           <constructor-arg index="1" value="false" />
     	 !>           <constructor-arg index="2" value="false" />
     	 !>           <property name="required" value="true"/>
     	 !>           <property name="idAttribute" value="true"/>
     	 !>         </bean>
     	 !>         <bean
class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
     	 !>           <constructor-arg index="0" value="givenName" />
     	 !>           <constructor-arg index="1" value="false" />
     	 !>           <constructor-arg index="2" value="true" />
     	 !>           <constructor-arg index="3" value="user.name.given" />

RoleDaoConfiguration: class name of the role class: groupOfName -> groupOfURLS.
Attribute member -> uniqueMember.
211	  *     <property name="objectClasses" value="groupOfURLs"/>  *
<property name="objectClasses" value="groupOfNames,extensibleObject"/>
228	  *           <constructor-arg index="0" value="uniqueMember" />  *
<constructor-arg index="0" value="member" />
231	  *           <property name="required" value="false" />  *
<property name="required" value="true" />
     	 !>

UserRoleRelationDAO
I've tried different cases: changing relationAttribute, or just the
construction.
relationAttribute member -> BnFMemberOf.

useFromEntityAttribute false -> true (in the other direction, Jetspeed
couldn't find the role associated with a user. So I inverted the direction of the
search, and the roles associated with the user were found.)

And that was the trouble: I had changed this line isMemberOf -> member
290	  *         <constructor-arg index="0" value="member" />  *
<constructor-arg index="0" value="isMemberOf" />
I changed it back to
 <constructor-arg index="0" value="member" />
and it WORKS !!!

285	  *     <property name="relationAttribute" value="BnFMemberOf" />  *
<property name="relationAttribute" value="member" />
287	  *     <property name="useFromEntityAttribute" value="true" />  *
<property name="useFromEntityAttribute" value="false" />

290	  *         <constructor-arg index="0" value="member" />  *
<constructor-arg index="0" value="isMemberOf" />

Regards,
Jérôme


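The two messages above boil down to one consistency rule: the attribute named in the UserRoleRelationDAO's relationAttribute has to be declared on whichever entity DAO useFromEntityAttribute points at (the user DAO when it is true, the role DAO when it is false), or the association lookup fails and the login module reports that the association is not allowed. The following lint is an added example, not code from this thread or from Jetspeed. It parses a constructed Spring bean fragment modelled on the snippets Jérôme posted and flags the mismatch before Tomcat does. Assumptions not confirmed by the thread: the bean ids (userDao, roleDao, userRoleRelationDao), the wrapper property name attributeDefs and the placeholder DAO class names are invented here, and AttributeDefImpl constructor-arg index 1 is read as a multi-valued flag.

```python
"""Consistency lint for a Jetspeed-style LDAP mapping (security-ldap.xml).

Added example, not Jetspeed's own code.  Bean ids, the attributeDefs wrapper
property and the placeholder.* class names are hypothetical; the property
names, the AttributeDefImpl class and the attribute values come from the thread.
Assumption: AttributeDefImpl constructor-arg index 1 is a multi-valued flag.
"""
import xml.etree.ElementTree as ET

# Constructed fragment reflecting the working configuration from the thread.
WORKING_XML = """<beans>
  <bean id="userDao" class="placeholder.UserDao">
    <property name="ldapIdAttribute" value="BnFIdentifiant"/>
    <property name="objectClasses" value="BNFUser"/>
    <property name="attributeDefs">
      <list>
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="BnFIdentifiant"/>
          <constructor-arg index="1" value="false"/>
          <property name="idAttribute" value="true"/>
        </bean>
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="BnFMemberOf"/>
          <constructor-arg index="1" value="true"/>
          <property name="required" value="false"/>
        </bean>
      </list>
    </property>
  </bean>
  <bean id="roleDao" class="placeholder.RoleDao">
    <property name="objectClasses" value="groupOfURLs"/>
    <property name="attributeDefs">
      <list>
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="uniqueMember"/>
          <constructor-arg index="1" value="true"/>
        </bean>
      </list>
    </property>
  </bean>
  <bean id="userRoleRelationDao" class="placeholder.RelationDao">
    <property name="relationAttribute" value="BnFMemberOf"/>
    <property name="useFromEntityAttribute" value="true"/>
  </bean>
</beans>"""

# Constructed broken variant: useFromEntityAttribute flipped to true while
# relationAttribute still names the default role-side attribute "member".
BROKEN_XML = WORKING_XML.replace('name="relationAttribute" value="BnFMemberOf"',
                                 'name="relationAttribute" value="member"')


def _bean(root, bean_id):
    bean = root.find(f"./bean[@id='{bean_id}']")
    if bean is None:
        raise ValueError(f"bean '{bean_id}' not found")
    return bean


def _prop(bean, name, default=None):
    prop = bean.find(f"./property[@name='{name}']")
    return prop.get("value", default) if prop is not None else default


def _attribute_defs(bean):
    """Map attribute name -> multi-valued flag for every nested AttributeDefImpl."""
    defs = {}
    for sub in bean.iter("bean"):
        if not sub.get("class", "").endswith("AttributeDefImpl"):
            continue
        args = {a.get("index"): a.get("value") for a in sub.findall("constructor-arg")}
        if args.get("0"):
            defs[args["0"]] = args.get("1", "false").lower() == "true"
    return defs


def lint_mapping(xml_text):
    """Return a list of human-readable problems; an empty list means consistent."""
    root = ET.fromstring(xml_text)
    user, role, rel = (_bean(root, i) for i in ("userDao", "roleDao", "userRoleRelationDao"))
    user_attrs, role_attrs = _attribute_defs(user), _attribute_defs(role)
    problems = []

    id_attr = _prop(user, "ldapIdAttribute")
    if id_attr not in user_attrs:
        problems.append(f"ldapIdAttribute '{id_attr}' has no AttributeDefImpl on userDao")

    rel_attr = _prop(rel, "relationAttribute")
    from_user = _prop(rel, "useFromEntityAttribute", "false").lower() == "true"
    side, attrs = ("userDao", user_attrs) if from_user else ("roleDao", role_attrs)
    if rel_attr not in attrs:
        problems.append(f"relationAttribute '{rel_attr}' is not declared on {side} "
                        f"(useFromEntityAttribute={from_user})")
    elif not attrs[rel_attr]:
        problems.append(f"relationAttribute '{rel_attr}' on {side} is single-valued; "
                        "a membership attribute must be multi-valued")
    return problems


if __name__ == "__main__":
    for label, xml in (("working", WORKING_XML), ("broken", BROKEN_XML)):
        print(label, lint_mapping(xml) or "OK")
```

Running it reports the broken variant's undeclared relation attribute on the user side, which is the same misalignment Ate pointed at; the working variant passes because BnFMemberOf is declared on the user DAO as a multi-valued attribute. A third case worth running against your own file is useFromEntityAttribute=false with a user-side attribute name, which the lint reports as missing on roleDao.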