You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Jason Rose (JIRA)" <ji...@apache.org> on 2010/04/02 20:50:27 UTC
[jira] Created: (SLING-1472) Form Auth seems unoperational
Form Auth seems unoperational
-----------------------------
Key: SLING-1472
URL: https://issues.apache.org/jira/browse/SLING-1472
Project: Sling
Issue Type: Bug
Components: Extensions
Environment: sling trunk -r930334 on fuse 4.2
Reporter: Jason Rose
Installing bundle mvn:org.apache.sling/org.apache.sling.formauth/0.9-SNAPSHOT doesn't seem to actually provide any functionality.
curl http://localhost:8181/system/sling/form/login returns a 404.
The authentication handler itself doesn't seem to provide any login or logout support; if I post to /j_security_check with the correct credentials, the basic auth handler handles it. I don't know if the form auth code is even running at all. Calling /system/sling/logout pops up the basic challenge modal in my browser.
It looks like there was a Sakai bug raised about this a while ago, and they fixed it. I don't know if the code was backported, or what.
http://jira.sakaiproject.org/browse/KERN-716
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Resolved: (SLING-1472) Form Auth seems unoperational
Posted by "Jason Rose (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-1472?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jason Rose resolved SLING-1472.
-------------------------------
Resolution: Cannot Reproduce
> Form Auth seems unoperational
> -----------------------------
>
> Key: SLING-1472
> URL: https://issues.apache.org/jira/browse/SLING-1472
> Project: Sling
> Issue Type: Bug
> Components: Extensions
> Environment: sling trunk -r930334 on fuse 4.2
> Reporter: Jason Rose
> Attachments: formauth_superclass_patch.patch
>
>
> Installing bundle mvn:org.apache.sling/org.apache.sling.formauth/0.9-SNAPSHOT doesn't seem to actually provide any functionality.
> curl http://localhost:8181/system/sling/form/login returns a 404.
> The authentication handler itself doesn't seem to provide any login or logout support; if I post to /j_security_check with the correct credentials, the basic auth handler handles it. I don't know if the form auth code is even running at all. Calling /system/sling/logout pops up the basic challenge modal in my browser.
> It looks like there was a Sakai bug raised about this a while ago, and they fixed it. I don't know if the code was backported, or what.
> http://jira.sakaiproject.org/browse/KERN-716
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SLING-1472) Form Auth seems unoperational
Posted by "Jason Rose (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-1472?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jason Rose updated SLING-1472:
------------------------------
Attachment: formauth_superclass_patch.patch
I think I've fixed the issue. The formauth just extended servlet, and switching its parent class to a sling servlet caused the servlet to be found again. I don't know if you'd rather keep api dependencies as simple as possible, but this completely fixes the problem for me.
I also have a fix in here because the form auth handler wasn't logging one of the properties. I don't know if you want it to be in a different issue, but it's very minor so I put it here.
> Form Auth seems unoperational
> -----------------------------
>
> Key: SLING-1472
> URL: https://issues.apache.org/jira/browse/SLING-1472
> Project: Sling
> Issue Type: Bug
> Components: Extensions
> Environment: sling trunk -r930334 on fuse 4.2
> Reporter: Jason Rose
> Attachments: formauth_superclass_patch.patch
>
>
> Installing bundle mvn:org.apache.sling/org.apache.sling.formauth/0.9-SNAPSHOT doesn't seem to actually provide any functionality.
> curl http://localhost:8181/system/sling/form/login returns a 404.
> The authentication handler itself doesn't seem to provide any login or logout support; if I post to /j_security_check with the correct credentials, the basic auth handler handles it. I don't know if the form auth code is even running at all. Calling /system/sling/logout pops up the basic challenge modal in my browser.
> It looks like there was a Sakai bug raised about this a while ago, and they fixed it. I don't know if the code was backported, or what.
> http://jira.sakaiproject.org/browse/KERN-716
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (SLING-1472) Form Auth seems unoperational
Posted by "Jason Rose (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-1472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12857944#action_12857944 ]
Jason Rose commented on SLING-1472:
-----------------------------------
Looking into this more, it looks like the FormAuthServlet wasn't being picked up on by Sling. That means that /system/sling/form/login was not a "safe" url to hit, and was therefore being redirected to /system/sling/login. I changed the superclass of the servlet and it looks like Sling is finding the servlet again without issue. I included a patch with that change. If you all can find a solution to the problem without changing the superclass, go ahead and do that over this change.
> Form Auth seems unoperational
> -----------------------------
>
> Key: SLING-1472
> URL: https://issues.apache.org/jira/browse/SLING-1472
> Project: Sling
> Issue Type: Bug
> Components: Extensions
> Environment: sling trunk -r930334 on fuse 4.2
> Reporter: Jason Rose
> Attachments: formauth_superclass_patch.patch
>
>
> Installing bundle mvn:org.apache.sling/org.apache.sling.formauth/0.9-SNAPSHOT doesn't seem to actually provide any functionality.
> curl http://localhost:8181/system/sling/form/login returns a 404.
> The authentication handler itself doesn't seem to provide any login or logout support; if I post to /j_security_check with the correct credentials, the basic auth handler handles it. I don't know if the form auth code is even running at all. Calling /system/sling/logout pops up the basic challenge modal in my browser.
> It looks like there was a Sakai bug raised about this a while ago, and they fixed it. I don't know if the code was backported, or what.
> http://jira.sakaiproject.org/browse/KERN-716
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (SLING-1472) Form Auth seems unoperational
Posted by "Ian Boston (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-1472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12853792#action_12853792 ]
Ian Boston commented on SLING-1472:
-----------------------------------
First off the Sakai form login code is different from Sling since is uses a shared HMAC service to generate tokens to track logins, so we fixed that code separately (in Sakai Nakamura). It was broken because it was bound to the old Authentication API. The code in the Sling httpauth extension bundle is (AFAICT) using the current AuthenticationHandler SPI.
AFAIK Sling does not use j_security_check but I could be wrong.
The reason /system/sling/logout results in a popup is it responds with a 401.
Since curl http://localhost:8181/system/sling/form/login returns a 404, I would check that you have a AuthenticationFormServlet under the list of Components in the Sling Console.
> Form Auth seems unoperational
> -----------------------------
>
> Key: SLING-1472
> URL: https://issues.apache.org/jira/browse/SLING-1472
> Project: Sling
> Issue Type: Bug
> Components: Extensions
> Environment: sling trunk -r930334 on fuse 4.2
> Reporter: Jason Rose
>
> Installing bundle mvn:org.apache.sling/org.apache.sling.formauth/0.9-SNAPSHOT doesn't seem to actually provide any functionality.
> curl http://localhost:8181/system/sling/form/login returns a 404.
> The authentication handler itself doesn't seem to provide any login or logout support; if I post to /j_security_check with the correct credentials, the basic auth handler handles it. I don't know if the form auth code is even running at all. Calling /system/sling/logout pops up the basic challenge modal in my browser.
> It looks like there was a Sakai bug raised about this a while ago, and they fixed it. I don't know if the code was backported, or what.
> http://jira.sakaiproject.org/browse/KERN-716
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-1472) Form Auth seems unoperational
Posted by "Jason Rose (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-1472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12855219#action_12855219 ]
Jason Rose commented on SLING-1472:
-----------------------------------
Sorry about the false positive regarding Sakai; I didn't pick up from the JIRA case that its form auth has a different backend than Sling's.
When I inspect the services installed by the 0.9-SNAPSHOT bundle, I get the following output:
Apache Sling Form Based Authentication Handler (338) provides:
--------------------------------------------------------------
component.id = 60
component.name = org.apache.sling.formauth.FormAuthenticationHandler
form.auth.name = sling.formauth
form.auth.storage = cookie
form.auth.timeout = 30
form.credentials.name = sling.formauth
form.login.form = /system/sling/form/login
form.token.file = cookie-tokens.bin
objectClass = org.apache.sling.commons.auth.spi.AuthenticationHandler, org.apache.sling.commons.auth.spi.AuthenticationFeedbackHandler
path = /
service.description = Apache Sling Form Based Authentication Handler
service.id = 375
service.pid = org.apache.sling.formauth.FormAuthenticationHandler
service.vendor = The Apache Software Foundation
----
objectClass = org.apache.sling.jcr.jackrabbit.server.security.LoginModulePlugin
service.description = LoginModulePlugin Support for FormAuthenticationHandler
service.id = 376
service.vendor = The Apache Software Foundation
----
component.id = 61
component.name = org.apache.sling.formauth.AuthenticationFormServlet
objectClass = javax.servlet.Servlet
service.description = Default Login Form for Form Based Authentication
service.id = 377
service.pid = org.apache.sling.formauth.AuthenticationFormServlet
service.vendor = The Apache Software Foundation
sling.auth.requirements = -/system/sling/form/login
sling.servlet.paths = /system/sling/form/login
All of this seems to be correct, but I still get a 404 when I try to GET the path in my browser or with cURL. Looking at the source for the servlet, it includes a form that posts to j_security_check with j_username and j_password. I just think something got lost in the recent auth changes from about 2 weeks ago, and this code just hasn't been updated yet, because old checkouts of the trunk on coworkers' machines work just fine.
> Form Auth seems unoperational
> -----------------------------
>
> Key: SLING-1472
> URL: https://issues.apache.org/jira/browse/SLING-1472
> Project: Sling
> Issue Type: Bug
> Components: Extensions
> Environment: sling trunk -r930334 on fuse 4.2
> Reporter: Jason Rose
>
> Installing bundle mvn:org.apache.sling/org.apache.sling.formauth/0.9-SNAPSHOT doesn't seem to actually provide any functionality.
> curl http://localhost:8181/system/sling/form/login returns a 404.
> The authentication handler itself doesn't seem to provide any login or logout support; if I post to /j_security_check with the correct credentials, the basic auth handler handles it. I don't know if the form auth code is even running at all. Calling /system/sling/logout pops up the basic challenge modal in my browser.
> It looks like there was a Sakai bug raised about this a while ago, and they fixed it. I don't know if the code was backported, or what.
> http://jira.sakaiproject.org/browse/KERN-716
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.