I believe my custom LoginModule is functioning properly. Again, there are no exceptions in
the log of any kind.
I see that some error page behavior is configurable from within the
Admin->Home->Dashboard page/tab, so maybe the exception is being caught and
mishandled? There should be something in the log to indicate what is causing the 403...
I was just reading another post regarding a dashboard 403 exception:
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=113200
I realize that this other post is related to an Oracle DS, but would it be possible for a
portal developer to check to see if there is anything that would be preventing the
dashboard from being loaded for a user? In particular, why do the Admin | Logout links
work properly, but not the Dashboard link? If the Admin link works, then that means that
the Admin role has been successfully associated with the login user.
Thanks. I am also attaching my login-config.xml:
<policy>
  <!-- For the JCR CMS -->
  <application-policy name="cms">
    <authentication>
      <login-module code="org.apache.jackrabbit.core.security.SimpleLoginModule" flag="required"/>
    </authentication>
  </application-policy>

  <application-policy name="portal">
    <authentication>

      <!-- Activate custom login module for portal: -->
      <login-module code="test.custom.jaas.impl.SsoPortalLoginModule" flag="required">
        <module-option name="debug">1</module-option>
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
        <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
        <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
        <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
        <module-option name="additionalRole">Authenticated</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>

      <!-- To configure LDAP support with IdentityLoginModule please check the documentation
           on how to configure the portal identity modules for this -->
      <!--<login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required">-->
      <!--<login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="optional">-->
      <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="optional">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
        <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
        <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
        <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
        <module-option name="additionalRole">Authenticated</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>

      <!-- You can use this module instead of IdentityLoginModule to bind to LDAP. It simply extends
           the JBossSX LdapExtLoginModule, so all configuration that can be applied to
           LdapExtLoginModule can also be applied here. For a user that was authenticated
           successfully it will take the identity modules from the portal, check whether such a
           user (and the roles it belongs to) is present, and if not it will try to create them.
           Then for all roles assigned to this authenticated principal it will try to check and
           create them using the identity modules. This behaviour can be disabled using
           "synchronizeRoles". You can also define one "defaultAssignedRole" that will always be
           assigned to the synchronized user.
           It is also possible to set the option "synchronizeIdentity" to "false" so that this
           module acts exactly like LdapExtLoginModule but injects the role defined in
           "additionalRole". For obvious reasons this is designed to be used with portal identity
           modules configured with a DB and not LDAP -->
      <!-- There is also SynchronizingLDAPLoginModule, which provides the same set of options on
           top of the JBossSX LdapLoginModule -->
      <!--<login-module code="org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule" flag="required">
        <module-option name="synchronizeIdentity">true</module-option>
        <module-option name="synchronizeRoles">true</module-option>
        <module-option name="additionalRole">Authenticated</module-option>
        <module-option name="defaultAssignedRole">User</module-option>
        <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
        <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
        <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
        <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://example.com:10389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindDN">cn=Directory Manager</module-option>
        <module-option name="bindCredential">lolo</module-option>
        <module-option name="baseCtxDN">ou=People,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
        <module-option name="baseFilter">(uid={0})</module-option>
        <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="roleRecursion">-1</module-option>
        <module-option name="searchTimeLimit">10000</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>-->

      <!-- This login module should be placed at the end of the authentication stack. It always
           returns true in its login() method, so it should always be "optional" and come after
           the other "required" modules in the stack. It will try to synchronize the
           authenticated user into the portal store using the portal identity modules. Each
           subject principal assigned by the previous modules will be synchronized into the
           portal as a role. -->
      <!--<login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
        <module-option name="synchronizeIdentity">true</module-option>
        <module-option name="synchronizeRoles">true</module-option>
        <module-option name="additionalRole">Authenticated</module-option>
        <module-option name="defaultAssignedRole">User</module-option>
        <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
        <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
        <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
        <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
      </login-module>-->

      <!-- Uncomment this if you want to fall back to users kept in the DB if LDAP authentication
           fails. This may be useful if you want to use the Admin user provided with the portal
           database schema -->
      <!-- Note that this may lead to a security risk: with LDAP, when storing user profile
           information that is not mapped as an attribute, you may end up with an LDAP user
           synchronized into the DB with no password set. Please see the HibernateUserProfileImpl
           module options "synchronizeNonExistingUsers", "acceptOtherImplementations",
           "defaultSynchronizePassword" or "randomSynchronizePassword" to manage this behaviour -->
      <!--<login-module code="org.jboss.portal.identity.auth.DBIdentityLoginModule" flag="sufficient">
        <module-option name="dsJndiName">java:/PortalDS</module-option>
        <module-option name="principalsQuery">SELECT jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
        <module-option name="rolesQuery">SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid WHERE jbp_users.jbp_uname=?</module-option>
        <module-option name="hashAlgorithm">MD5</module-option>
        <module-option name="hashEncoding">HEX</module-option>
        <module-option name="additionalRole">Authenticated</module-option>
      </login-module>-->

    </authentication>
  </application-policy>
</policy>
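The stack posted above relies on two JAAS mechanics that are easy to get subtly wrong in a custom module: password-stacking=useFirstPass (the first module publishes the verified name and password in the shared state, later modules reuse them instead of prompting again) and additionalRole (each module's commit() adds a role principal to the Subject). The following self-contained program is an added example, not code from the post or from JBoss Portal: it is a hypothetical LoginModule wired into a required/optional stack of the same shape as the posted "portal" policy, with a constructed in-memory user table standing in for the portal UserModule, and plain SimplePrincipal/RolePrincipal classes standing in for the JBossSX principal types.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical JAAS module (not JBoss Portal code): demonstrates password-stacking=useFirstPass and additionalRole. */
public class StackedRoleLoginModule implements LoginModule {
    // Shared-state keys that JAAS modules (JBossSX included) use to pass credentials down the stack.
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PASS_KEY = "javax.security.auth.login.password";
    // Constructed in-memory user table standing in for the portal UserModule / DB lookup.
    static final Map<String, char[]> USERS = new HashMap<>();
    static { USERS.put("admin", "admin".toCharArray()); USERS.put("alice", "s3cret".toCharArray()); }

    private Subject subject; private CallbackHandler handler;
    private Map<String, Object> sharedState; private Map<String, ?> options;
    private String username; private boolean succeeded;
    private final Set<Principal> added = new HashSet<>();

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; sharedState = (Map<String, Object>) shared; options = opts;
    }

    @Override
    public boolean login() throws LoginException {
        if ("useFirstPass".equals(options.get("password-stacking")) && sharedState.containsKey(NAME_KEY)) {
            // A module higher in the stack already verified this identity: reuse it instead of re-prompting.
            username = String.valueOf(sharedState.get(NAME_KEY));
            return succeeded = true;
        }
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        String name = nc.getName();
        char[] pass = pc.getPassword();
        pc.clearPassword();
        if (name == null || pass == null) throw new FailedLoginException("missing credentials");
        char[] expected = USERS.get(name);  // null for unknown users, so an empty password can never match
        if (expected == null || !Arrays.equals(expected, pass)) {
            Arrays.fill(pass, '\0');
            throw new FailedLoginException("bad credentials for " + name);
        }
        username = name;
        sharedState.put(NAME_KEY, name);  // publish for modules lower in the stack that use useFirstPass
        sharedState.put(PASS_KEY, pass);
        return succeeded = true;
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        added.add(new SimplePrincipal(username));
        Object role = options.get("additionalRole");  // "Authenticated" in the posted config
        if (role != null) added.add(new RolePrincipal(String.valueOf(role)));
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override public boolean abort() { cleanup(); return true; }
    @Override public boolean logout() { subject.getPrincipals().removeAll(added); cleanup(); return true; }
    private void cleanup() { username = null; succeeded = false; added.clear(); }

    /** Plain principals for the demo; JBossSX instead expects roles inside a Group named "Roles". */
    static class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && name.equals(((SimplePrincipal) o).name);
        }
        @Override public int hashCode() { return getClass().hashCode() ^ name.hashCode(); }
        @Override public String toString() { return getClass().getSimpleName() + "(" + name + ")"; }
    }
    static class RolePrincipal extends SimplePrincipal { RolePrincipal(String n) { super(n); } }

    /** Same shape as the posted stack: one required module followed by one optional module. */
    public static void main(String[] args) throws LoginException {
        Map<String, String> first = new HashMap<>(), second = new HashMap<>();
        first.put("additionalRole", "Authenticated");
        second.put("password-stacking", "useFirstPass");
        second.put("additionalRole", "Admin");  // hypothetical role, only for the demo
        String mod = StackedRoleLoginModule.class.getName();
        AppConfigurationEntry[] stack = {
            new AppConfigurationEntry(mod, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, first),
            new AppConfigurationEntry(mod, AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, second)};
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String n) {
                return "portal".equals(n) ? stack : null;
            }
        };
        CallbackHandler creds = cbs -> {  // constructed credentials matching the table above
            for (Callback c : cbs) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("admin");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("admin".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("portal", new Subject(), creds, cfg);
        lc.login();
        System.out.println("principals after login: " + lc.getSubject().getPrincipals());
    }
}
```

Save as StackedRoleLoginModule.java, then `javac StackedRoleLoginModule.java && java StackedRoleLoginModule`. The second (optional) module never prompts, because the first one stored the verified name under javax.security.auth.login.name, and the Subject ends up with SimplePrincipal(admin), RolePrincipal(Authenticated) and RolePrincipal(Admin) in no particular order. Two caveats for a real JBoss deployment: JBossSX and the portal read roles only from a java.security.acl.Group principal named "Roles" on the Subject, so a custom module that adds roles as bare principals (as this demo does) authenticates fine but yields no authorized roles, which shows up as a 403 rather than as a logged exception; and with password-stacking the downstream modules trust whatever the first module put in the shared state, so the first module must fail hard (throw, not return false) on any credential it could not verify.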