[jboss-jira] [JBoss JIRA] (SECURITY-741) SPNEGO fallback with LDAP login module does not authorize properly
L D (JIRA)
jira-events at lists.jboss.org
Mon May 13 13:16:07 EDT 2013
L D created SECURITY-741:
----------------------------
Summary: SPNEGO fallback with LDAP login module does not authorize properly
Key: SECURITY-741
URL: https://issues.jboss.org/browse/SECURITY-741
Project: PicketBox
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Components: Negotiation
Affects Versions: PicketBox_4_0_14.Final
Environment: Windows 2008, AS 7.1.3
Reporter: L D
Assignee: Darran Lofthouse
When using the LDAP fallback mechanism with SPNEGO, it looks like authorization always fails.
Users are getting a 403.
When I set up the same login modules to work with only Form authentication (without SPNEGO) or only SPNEGO (without fallback), everything works.
In the server logs everything looks OK: the user is authenticated, but the web application throws a 403.
12:50:16,560 TRACE [org.jboss.security] (http-whofr836w33/172.29.60.93:8080-1) PBOX000201: End isValid, result = true
12:50:16,560 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) User: ld is authenticated
12:50:16,564 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) End invoke, caller=null
12:50:16,565 TRACE [org.jboss.security] (http-whofr836w33/172.29.60.93:8080-1) PBOX000354: Setting security roles ThreadLocal: null
12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) Begin invoke, caller=null
12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) Restoring principal info from cache
12:50:16,567 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-whofr836w33/172.29.60.93:8080-1) Authenticating user
12:50:16,567 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-whofr836w33/172.29.60.93:8080-1) Already authenticated 'ld'
12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) hasRole:RealmBase says:false::Authz framework says:true:final=false
12:50:16,568 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) hasResourcePermission:RealmBase says:false::Authz framework says:true:final=false
12:50:16,568 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) End invoke, caller=null
Example of standalone.xml:

<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="debug" value="true"/>
            <module-option name="principal" value="HTTP/xxx"/>
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="keyTab" value="D:/path to keytab.keytab"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
    <authentication>
        <login-module code="SPNEGO" flag="requisite">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="host"/>
            <module-option name="debug" value="true"/>
            <module-option name="usernamePasswordDomain" value="fallback"/>
        </login-module>
        <login-module code="AdvancedAdLdap" flag="sufficient">
            <module-option name="bindAuthentication" value="GSSAPI"/>
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="jaasSecurityDomain" value="host"/>
            <module-option name="debug" value="true"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://xxx:389"/>
            <module-option name="bindDN" value="xxx"/>
            <module-option name="bindCredential" value="xxx"/>
            <module-option name="baseCtxDN" value="OU=xxx,DC=xx,DC=xxx,DC=xx"/>
            <module-option name="baseFilter" value="(userPrincipalName={0})"/>
            <module-option name="rolesCtxDN" value="OU=Production,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="accountNameHistory"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleAttributeIsDN" value="false"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="java.naming.referral" value="follow"/>
            <module-option name="realmName" value="SPNEGO"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="fallback" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
            <module-option name="bindAuthentication" value="GSSAPI"/>
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="debug" value="true"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://xxx:389"/>
            <module-option name="bindDN" value="xxx"/>
            <module-option name="bindCredential" value="xxx"/>
            <module-option name="baseCtxDN" value="OU=xxx,DC=xx,DC=xxx,DC=xx"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="OU=Production,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="accountNameHistory"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleAttributeIsDN" value="false"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="java.naming.referral" value="follow"/>
            <module-option name="removeRealmFromPrincipal" value="true"/>
            <module-option name="realmName" value="SPNEGO"/>
        </login-module>
    </authentication>
</security-domain>
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
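The TRACE excerpt in the report shows the pattern behind the 403: the user is authenticated, the security-roles ThreadLocal is set to null, and hasRole/hasResourcePermission end with final=false even though the authorization framework answers true. The script below is an added example for triaging such logs; it is not part of the JIRA report or of PicketBox. It groups AS 7 TRACE lines by request thread and flags requests that show exactly that pattern. The log line format it parses is the one in the excerpt; the first sample thread reproduces the report's lines, while the second thread, including its roles text, is constructed here as a healthy request for contrast.

```python
"""Triage JBoss AS 7 / PicketBox TRACE logs for "authenticated but no roles" requests.

Added example, not code from the JIRA report or from PicketBox. Groups TRACE events by
the request thread named in parentheses and flags threads where a user authenticated,
the security-roles ThreadLocal was set to null, and a role check still ended final=false.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Shape of an AS 7 TRACE line: "HH:MM:SS,mmm TRACE [logger] (thread) message"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3}) TRACE \[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
AUTH_RE = re.compile(r"^User: (?P<user>\S+) is authenticated$")
ROLES_RE = re.compile(r"^PBOX000354: Setting security roles ThreadLocal: (?P<roles>.*)$")
CHECK_RE = re.compile(
    r"^(?P<check>hasRole|hasResourcePermission):RealmBase says:(?P<realm>true|false)"
    r"::Authz framework says:(?P<authz>true|false):final=(?P<final>true|false)$"
)


@dataclass
class ThreadState:
    user: Optional[str] = None
    roles: Optional[str] = None  # raw text after "ThreadLocal:"; "null" means no roles attached
    failed_checks: List[str] = field(default_factory=list)


def parse_trace(lines: List[str]) -> Dict[str, ThreadState]:
    """Collect the authentication, roles and role-check events per request thread."""
    threads: Dict[str, ThreadState] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        state = threads.setdefault(m["thread"], ThreadState())
        msg = m["msg"]
        auth = AUTH_RE.match(msg)
        roles = ROLES_RE.match(msg)
        check = CHECK_RE.match(msg)
        if auth:
            state.user = auth["user"]
        elif roles:
            state.roles = roles["roles"].strip()
        elif check and check["final"] == "false":
            # "final" is the verdict the web container acts on; when it is false the
            # request gets a 403 regardless of what the authorization framework said.
            state.failed_checks.append(check["check"])
    return threads


def find_authz_gaps(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Threads where a user authenticated, no roles were attached, and a check still failed."""
    gaps = []
    for thread, st in parse_trace(lines).items():
        if st.user and st.roles == "null" and st.failed_checks:
            gaps.append((thread, st.user, st.roles, st.failed_checks))
    return gaps


# Constructed sample log. The first thread reproduces the lines quoted in the report; the
# second thread and its roles text are made up here to show a request that passes.
SAMPLE_LOG = """\
12:50:16,560 TRACE [org.jboss.security] (http-whofr836w33/172.29.60.93:8080-1) PBOX000201: End isValid, result = true
12:50:16,560 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) User: ld is authenticated
12:50:16,565 TRACE [org.jboss.security] (http-whofr836w33/172.29.60.93:8080-1) PBOX000354: Setting security roles ThreadLocal: null
12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) hasRole:RealmBase says:false::Authz framework says:true:final=false
12:50:16,568 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) hasResourcePermission:RealmBase says:false::Authz framework says:true:final=false
12:51:02,101 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.94:8080-2) User: jdoe is authenticated
12:51:02,102 TRACE [org.jboss.security] (http-whofr836w33/172.29.60.94:8080-2) PBOX000354: Setting security roles ThreadLocal: [Roles(members:Production)]
12:51:02,103 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.94:8080-2) hasRole:RealmBase says:true::Authz framework says:true:final=true
""".splitlines()


if __name__ == "__main__":
    for thread, user, roles, checks in find_authz_gaps(SAMPLE_LOG):
        print(f"{thread}: user {user!r} authenticated, roles={roles}, failed {checks}")
```

Run it against a server.log captured with org.jboss.security and org.jboss.as.web.security at TRACE; a hit means the login modules accepted the user but no role group reached the web container's realm, which is where to look (role search, password-stacking, or the fallback domain's principal/roles propagation) before touching the web application's constraints.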