[jboss-user] [JBoss Portal] - Re: Is this a JBP 2.6.1 bug? (403 Error From Dashboard Link)

NM-156 do-not-reply at jboss.com
Wed Sep 26 11:25:06 EDT 2007 

I believe my custom LoginModule is functioning properly. Again, there are no exceptions in the log of any kind. 

I see that some error page behavior is configurable from within the Admin->Home->Dashboard page/tab, so maybe the exception is being caught and mishandled? There should be something in the log to indicate what is causing the 403...

I was just reading another post regarding a dashboard 403 exception:

http://www.jboss.com/index.html?module=bb&op=viewtopic&t=113200

I realize that this other post is related to an Oracle DS, but would it be possible for a portal developer to check to see if there is anything that would be preventing the dashboard from being loaded for a user? In particular, why do the Admin | Logout links work properly, but not the Dashboard link? If the Admin link works, then that means that the Admin role has been successfully associated with the login user.

Thanks. I am also attaching my login-config.xml:

<policy>
  |    <!-- For the JCR CMS -->
  |    <application-policy name="cms">
  |       <authentication>
  |          <login-module code="org.apache.jackrabbit.core.security.SimpleLoginModule" flag="required"/>
  |       </authentication>
  |    </application-policy>
  |    
  |    <application-policy name="portal">
  |       <authentication>
  | 
  |          <!-- Activate custom login module for portal: -->
  | 
  | 	 <login-module code="test.custom.jaas.impl.SsoPortalLoginModule" flag="required">
  |             <module-option name="debug">1</module-option>
  |             <module-option name="unauthenticatedIdentity">guest</module-option>
  |             <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
  |             <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
  |             <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
  |             <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
  |             <module-option name="additionalRole">Authenticated</module-option>
  |             <module-option name="password-stacking">useFirstPass</module-option>
  |          </login-module>
  | 
  |          <!--To configure LDAP support with IdentityLoginModule please check documentation on how to
  |          configure portal identity modules for this-->
  | 
  |          <!--<login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required">-->
  | 	 <!--<login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="optional">-->
  | 
  | 	<login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="optional">
  |             <module-option name="unauthenticatedIdentity">guest</module-option>
  |             <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
  |             <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
  |             <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
  |             <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
  |             <module-option name="additionalRole">Authenticated</module-option>
  |             <module-option name="password-stacking">useFirstPass</module-option>
  |          </login-module>
  | 
  |          <!--Use can use this module instead of IdentityLoginModule to bind to LDAP. It simply extends JBossSX LdapExtLoginModule so
  |           all configuration that can be applied to LdapExtLoginModule also can be applied here. For user that
  |           was authenticated successfully it will try to take identity modules from portal, check if such user (and roles it belongs to)
  |           is present, and if not it will try to create them. Then for all roles assigned to this authenticated principal it will
  |           try to check and create them using identity modules. This behaviour can be disabled using "synchronizeRoles". You can also
  |           define one "defaultAssignRole" that will be always assigned to synchronized user.
  |           It is also possible to set option "synchronizeIdentity" to "false" so this module will act exactly like LdapExtLoginModule
  |           but it will inject role defined in "additionalRole".  For obvious reasons
  |           this is designed to use with portal identity modules configured with DB and not LDAP-->
  |          <!--There is also SynchronizingLDAPLoginModule which provide the same set of options on top of JBossSX LdapLoginModule-->
  |          <!--<login-module code="org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule" flag="required">
  |             <module-option name="synchronizeIdentity">true</module-option>
  |             <module-option name="synchronizeRoles">true</module-option>
  |             <module-option name="additionalRole">Authenticated</module-option>
  |             <module-option name="defaultAssignedRole">User</module-option>
  |             <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
  |             <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
  |             <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
  |             <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
  |             <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
  |             <module-option name="java.naming.provider.url">ldap://example.com:10389/</module-option>
  |             <module-option name="java.naming.security.authentication">simple</module-option>
  |             <module-option name="bindDN">cn=Directory Manager</module-option>
  |             <module-option name="bindCredential">lolo</module-option>
  |             <module-option name="baseCtxDN">ou=People,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
  |             <module-option name="baseFilter">(uid={0})</module-option>
  |             <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
  |             <module-option name="roleFilter">(member={1})</module-option>
  |             <module-option name="roleAttributeID">cn</module-option>
  |             <module-option name="roleRecursion">-1</module-option>
  |             <module-option name="searchTimeLimit">10000</module-option>
  |             <module-option name="searchScope">SUBTREE_SCOPE</module-option>
  |             <module-option name="allowEmptyPasswords">false</module-option>
  |          </login-module>-->
  | 
  |          <!--This login module should be placed at the end of authentication stack. It always returns
  |          true in login() method so it should be always "optional" and exists after other "required" module in the stack.
  |          It will try to synchronize authenticated user into portal store using portal identity modules. Each subject principal assigned
  |          by previous modules will be tried to synchronize into portal as a role.  -->
  |          <!--<login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
  |             <module-option name="synchronizeIdentity">true</module-option>
  |             <module-option name="synchronizeRoles">true</module-option>
  |             <module-option name="additionalRole">Authenticated</module-option>
  |             <module-option name="defaultAssignedRole">User</module-option>
  |             <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
  |             <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
  |             <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
  |             <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
  |          </login-module>-->
  | 
  |          <!--Uncomment this if you want to fall down to users kept in DB if LDAP authentication fails
  |              This may be usefull if you want to use Admin user provided with portal database schema-->
  |          <!--Note that this may lead to the security risk - with LDAP  when storing user profile information
  |              that are not mapped as attribute you may have LDAP user synchronized into DB with no password set.
  |              Please see HibernateUserProfileImpl module options "synchronizeNonExistingUsers", "acceptOtherImplementations"
  |              "defaultSynchronizePassword" or "randomSynchronizePassword" to manage this behaviour-->
  |          <!--<login-module code = "org.jboss.portal.identity.auth.DBIdentityLoginModule" flag="sufficient">
  |             <module-option name="dsJndiName">java:/PortalDS</module-option>
  |             <module-option name="principalsQuery">SELECT jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
  |             <module-option name="rolesQuery">SELECT jbp_roles.jbp_name, 'Roles' FROM  jbp_role_membership INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid WHERE jbp_users.jbp_uname=?</module-option>
  |             <module-option name="hashAlgorithm">MD5</module-option>
  |             <module-option name="hashEncoding">HEX</module-option>
  |             <module-option name="additionalRole">Authenticated</module-option>
  |          </login-module>-->
  |          
  |       </authentication>
  |    </application-policy>
  | </policy>

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4088907#4088907

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4088907

More information about the jboss-user mailing list