Forgot to attach some tracing/logging information in my last reply. Also, our portal is
not the default and is accessed by the URL:
http://localhost:8080/portal/auth/portal/myportal.
The following is a section of the log starting from the authentication. Any help is
appreciated. Thanks.
-Andrew
------------------------------------
2007-03-12 09:55:16,953 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal]
Begin isValid, principal:abc, cache info: null
2007-03-12 09:55:16,953 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal]
defaultLogin, principal=abc
2007-03-12 09:55:16,953 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin
getAppConfigurationEntry(portal), size=10
2007-03-12 09:55:16,953 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End
getAppConfigurationEntry(portal), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=principalDNSuffix, value=,ou=users,ou=MyDivision,o=MyCompany
name=user.provider.url,
value=ldap://myLDAPServerIP:389/ou=users,ou=MyDivision,o=MyCompany
name=principalDNPrefix, value=cn=
name=group.provider.url,
value=ldap://myLDAPServerIP:389/ou=DistributionLists,ou=MyDivision,o=MyCompany
name=java.naming.security.authentication, value=simple
name=java.naming.provider.url, value=ldap://myLDAPServerIP:389/
name=roleAttributeID, value=cn
name=uidAttributeID, value=member
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=roleAttributeIsDN, value=false
name=rolesCtxDN, value=ou=DistributionLists,ou=MyDivision,o=MyCompany
name=matchOnUserDN, value=true
2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader]
loadClass(org.jboss.security.auth.spi.LdapLoginModule, false)
2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching
local repositories
2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader]
findClass(org.jboss.security.auth.spi.LdapLoginModule)
2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating
to parent classloader at end: java.net.FactoryURLClassLoader@6d3209
2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading
class from parent
2007-03-12 09:55:16,968 TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize,
instance=@9504057
2007-03-12 09:55:16,968 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Security
domain: portal
2007-03-12 09:55:16,968 TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
2007-03-12 09:55:16,984 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logging into
LDAP server,
env={user.provider.url=ldap://myLDAPServerIP:389/ou=users,ou=MyDivision,o=MyCompany,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, principalDNPrefix=cn=,
java.naming.security.principal=cn=abc,ou=users,ou=MyDivision,o=MyCompany,
roleAttributeID=cn, matchOnUserDN=true,
principalDNSuffix=,ou=users,ou=MyDivision,o=MyCompany,
rolesCtxDN=ou=DistributionLists,ou=MyDivision,o=MyCompany,
jboss.security.security_domain=portal,
group.provider.url=ldap://10.141.41.21:389/ou=DistributionLists,ou=MyDivision,o=MyCompany,
java.naming.provider.url=ldap://myLDAPServerIP:389/, roleAttributeIsDN=false,
uidAttributeID=member, java.naming.security.authentication=simple,
java.naming.security.credentials=***}
2007-03-12 09:55:16,984 DEBUG [org.apache.catalina.loader.WebappClassLoader]
loadClass(com.sun.jndi.ldap.LdapCtxFactory, false)
2007-03-12 09:55:17,281 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logged into
LDAP server, javax.naming.ldap.InitialLdapContext@dc35ba
2007-03-12 09:55:17,281 TRACE [org.jboss.security.auth.spi.LdapLoginModule] searching
rolesCtxDN=ou=DistributionLists,ou=MyDivision,o=MyCompany, roleFilter=(member={0}),
filterArgs=cn=abc,ou=users,ou=MyDivision,o=MyCompany,
roleAttr=[Ljava.lang.String;@14b6ec8, searchScope=2, searchTimeLimit=10000
2007-03-12 09:55:17,671 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User
'abc' authenticated, loginOk=true
2007-03-12 09:55:17,671 TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit,
loginOk=true
2007-03-12 09:55:17,671 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal]
defaultLogin, lc=javax.security.auth.login.LoginContext@1e4e47f,
subject=Subject(5607282).principals=org.jboss.security.SimplePrincipal@19017836(abc)org.jboss.security.SimpleGroup@20745137(Roles(members))
2007-03-12 09:55:17,671 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal]
updateCache,
inputSubject=Subject(5607282).principals=org.jboss.security.SimplePrincipal@19017836(abc)org.jboss.security.SimpleGroup@20745137(Roles(members)),
cacheSubject=Subject(32978170).principals=org.jboss.security.SimplePrincipal@19017836(abc)org.jboss.security.SimpleGroup@20745137(Roles(members))
2007-03-12 09:55:17,671 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal]
Inserted cache info:
org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b70e32[Subject(32978170).principals=org.jboss.security.SimplePrincipal@19017836(abc)org.jboss.security.SimpleGroup@20745137(Roles(members)),credential.class=java.lang.String@20738936,expirationTime=1173709516953]
2007-03-12 09:55:17,671 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] End
isValid, true
2007-03-12 09:55:17,687 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext,
subject=Subject:
Principal: abc
Principal: Roles(members)
,
sc=org.jboss.security.SecurityAssociation$SubjectContext@5e8588{principal=abc,subject=26267652}
2007-03-12 09:55:17,687 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal]
getPrincipal, cache info:
org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b70e32[Subject(32978170).principals=org.jboss.security.SimplePrincipal@19017836(abc)org.jboss.security.SimpleGroup@20745137(Roles(members)),credential.class=java.lang.String@20738936,expirationTime=1173709516953]
2007-03-12 09:55:17,687 TRACE [org.jboss.security.SecurityAssociation] getSubject,
sc=org.jboss.security.SecurityAssociation$SubjectContext@5e8588{principal=abc,subject=26267652}
2007-03-12 09:55:17,687 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal]
getUserRoles, subject: Subject:
Principal: abc
Principal: Roles(members)
2007-03-12 09:55:17,687 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Authentication of 'abc' was successful
2007-03-12 09:55:17,687 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Redirecting to original '/portal/auth/portal/myportal'
2007-03-12 09:55:17,687 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Failed authenticate() test ??/portal/auth/portal/j_security_check
2007-03-12 09:55:17,687 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested
cookie session id is BA0783EC9001950BDFF9A5C80C6027B9
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Security checking request GET /portal/auth/portal/myportal
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint
'SecurityConstraint[Authenticated]' against GET /auth/portal/myportal --> true
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint
'SecurityConstraint[Secure]' against GET /auth/portal/myportal --> false
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint
'SecurityConstraint[Secure+Authenticated]' against GET /auth/portal/myportal
--> false
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint
'SecurityConstraint[Authenticated]' against GET /auth/portal/myportal --> true
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint
'SecurityConstraint[Secure]' against GET /auth/portal/myportal --> false
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint
'SecurityConstraint[Secure+Authenticated]' against GET /auth/portal/myportal
--> false
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Calling hasUserDataPermission()
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint
has no restrictions
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Calling authenticate()
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Restore request from session 'BA0783EC9001950BDFF9A5C80C6027B9'
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Authenticated 'abc' with type 'FORM'
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Proceed to restored request
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Calling accessControl()
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Username abc does NOT
have role finance
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Failed accessControl() test
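
The log above records two separate outcomes: LdapLoginModule reports a successful login, and RealmBase then refuses the request for lack of the role finance. The following added example (not part of the original post and not JBoss code) extracts both outcomes from a log in this wrapped format. It assumes JBoss prints the role group as Roles(members:r1,r2), so a bare Roles(members) is read as an empty role set.

```python
import re

# Constructed sample: abridged from the log in the post, with the same line wrapping.
SAMPLE_LOG = """\
2007-03-12 09:55:17,671 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User
'abc' authenticated, loginOk=true
2007-03-12 09:55:17,687 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal]
getUserRoles, subject: Subject:
Principal: abc
Principal: Roles(members)
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Username abc does NOT
have role finance
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Failed accessControl() test
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
LOGIN_OK = re.compile(r"LdapLoginModule\] User '([^']+)' authenticated, loginOk=true")
# Assumption: JBoss prints the role group as Roles(members:r1,r2); a bare
# Roles(members) is therefore read as an empty role set.
ROLES = re.compile(r"getUserRoles, subject: Subject: Principal: (\S+) "
                   r"Principal: Roles\(members:?([^)]*)\)")
DENIED = re.compile(r"RealmBase\] Username (\S+) does NOT have role (\S+)")

def unwrap(text):
    """Join wrapped continuation lines so each log record is one string."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return (authenticated users, roles granted per user, denied (user, role) pairs)."""
    authenticated, granted, denied = set(), {}, []
    for rec in unwrap(text):
        if m := LOGIN_OK.search(rec):
            authenticated.add(m.group(1))
        if m := ROLES.search(rec):
            roles = {r for r in m.group(2).split(",") if r}
            granted.setdefault(m.group(1), set()).update(roles)
        if m := DENIED.search(rec):
            denied.append((m.group(1), m.group(2)))
    return authenticated, granted, denied

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A user who appears in the authenticated set with an empty granted set and an entry in the denied list passed the JAAS login but carries no role that the web constraint accepts.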