[jboss-jira] [JBoss JIRA] (SECURITY-741) Spnego fallback with LDAP login module does not authorize properly

L D (JIRA) jira-events at lists.jboss.org
Mon May 13 13:18:06 EDT 2013


     [ https://issues.jboss.org/browse/SECURITY-741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

L D updated SECURITY-741:
-------------------------

    Summary: Spnego fallback with LDAP login module does not authorize properly  (was: Spnego fallback with LDAP login module does not authorize property)

    
> Spnego fallback with LDAP login module does not authorize properly
> ------------------------------------------------------------------
>
>                 Key: SECURITY-741
>                 URL: https://issues.jboss.org/browse/SECURITY-741
>             Project: PicketBox 
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Negotiation
>    Affects Versions: PicketBox_4_0_14.Final
>         Environment: Windows 2008
> AS 7.1.3
>            Reporter: L D
>            Assignee: Darran Lofthouse
>
> When using the LDAP fallback mechanism with SPNEGO, it looks like authorization always fails.
> Users are getting a 403 message.
> When I set up the same login modules to work with only Form authentication (without SPNEGO) or only SPNEGO (without fallback), everything is working.
> In the server logs everything looks OK – the user is authenticated, but the web application throws a 403.
> 12:50:16,560 TRACE [org.jboss.security] (http-whofr836w33/172.29.60.93:8080-1) PBOX000201: End isValid, result = true
> 12:50:16,560 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) User: ld  is authenticated
> 12:50:16,564 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) End invoke, caller=null
> 12:50:16,565 TRACE [org.jboss.security] (http-whofr836w33/172.29.60.93:8080-1) PBOX000354: Setting security roles ThreadLocal: null
> 12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) Begin invoke, caller=null
> 12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) Restoring principal info from cache
> 12:50:16,567 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-whofr836w33/172.29.60.93:8080-1) Authenticating user
> 12:50:16,567 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-whofr836w33/172.29.60.93:8080-1) Already authenticated 'ld'
> 12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) hasRole:RealmBase says:false::Authz framework says:true:final=false
> 12:50:16,568 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) hasResourcePermission:RealmBase says:false::Authz framework says:true:final=false
> 12:50:16,568 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) End invoke, caller=null
> Example of standalone.xml
> <security-domain name="host" cache-type="default">
>                     <authentication>
>                         <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
>                             <module-option name="debug" value="true"/>
>                             <module-option name="principal" value="HTTP/xxx"/>
>                             <module-option name="storeKey" value="true"/>
>                             <module-option name="useKeyTab" value="true"/>
>                             <module-option name="doNotPrompt" value="true"/>
>                             <module-option name="keyTab" value="D:/path to keytab.keytab"/>
>                         </login-module>
>                     </authentication>
>                 </security-domain>
>                 <security-domain name="SPNEGO" cache-type="default">
>                     <authentication>
>                         <login-module code="SPNEGO" flag="requisite">
>                             <module-option name="password-stacking" value="useFirstPass"/>
>                             <module-option name="serverSecurityDomain" value="host"/>
>                             <module-option name="debug" value="true"/>
>                             <module-option name="usernamePasswordDomain" value="fallback"/>
>                         </login-module>
>                         <login-module code="AdvancedAdLdap" flag="sufficient">
>                             <module-option name="bindAuthentication" value="GSSAPI"/>
>                             <module-option name="password-stacking" value="useFirstPass"/>
>                             <module-option name="jaasSecurityDomain" value="host"/>
>                             <module-option name="debug" value="true"/>
>                             <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
>                             <module-option name="java.naming.provider.url" value="ldap://xxx:389"/>
>                             <module-option name="bindDN" value="xxx"/>
>                             <module-option name="bindCredential" value="xxx"/>
>                             <module-option name="baseCtxDN" value="OU=xxx,DC=xx,DC=xxx,DC=xx"/>
>                             <module-option name="baseFilter" value="(userPrincipalName={0})"/>
>                             <module-option name="rolesCtxDN" value="OU=Production,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx"/>
>                             <module-option name="roleFilter" value="(member={1})"/>
>                             <module-option name="roleAttributeID" value="accountNameHistory"/>
>                             <module-option name="roleNameAttributeID" value="cn"/>
>                             <module-option name="roleAttributeIsDN" value="false"/>
>                             <module-option name="throwValidateError" value="true"/>
>                             <module-option name="searchScope" value="SUBTREE_SCOPE"/>
>                             <module-option name="allowEmptyPasswords" value="false"/>
>                             <module-option name="java.naming.referral" value="follow"/>
>                             <module-option name="realmName" value="SPNEGO"/>
>                         </login-module>
>                     </authentication>
>                 </security-domain>
>                 <security-domain name="fallback" cache-type="default">
>                     <authentication>
>                         <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
>                             <module-option name="bindAuthentication" value="GSSAPI"/>
>                             <module-option name="password-stacking" value="useFirstPass"/>
>                             <module-option name="debug" value="true"/>
>                             <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
>                             <module-option name="java.naming.provider.url" value="ldap://xxx:389"/>
>                             <module-option name="bindDN" value="xxx"/>
>                             <module-option name="bindCredential" value="xxx"/>
>                             <module-option name="baseCtxDN" value=" OU=xxx,DC=xx,DC=xxx,DC=xx "/>
>                             <module-option name="baseFilter" value="(sAMAccountName={0})"/>
>                             <module-option name="rolesCtxDN" value=" OU=Production,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx "/>
>                             <module-option name="roleFilter" value="(member={1})"/>
>                             <module-option name="roleAttributeID" value="accountNameHistory"/>
>                             <module-option name="roleNameAttributeID" value="cn"/>
>                             <module-option name="roleAttributeIsDN" value="false"/>
>                             <module-option name="throwValidateError" value="true"/>
>                             <module-option name="searchScope" value="SUBTREE_SCOPE"/>
>                             <module-option name="allowEmptyPasswords" value="false"/>
>                             <module-option name="java.naming.referral" value="follow"/>
>                             <module-option name="removeRealmFromPrincipal" value="true"/>
>                             <module-option name="realmName" value="SPNEGO"/>
>                         </login-module>
>                     </authentication>
>                 </security-domain>
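
The TRACE excerpt above shows the split the reporter describes: the user is authenticated, the roles ThreadLocal is set to null, and both web-tier checks end in final=false. The following script is an added triage helper, not part of this report or of PicketBox: it parses lines of the shape shown in the report (the field layout and message patterns are taken from those lines and assumed to be stable), correlates them per request thread, and flags a thread where authentication succeeded but every authorization check was denied with no roles mapped. The sample input is copied from the report.

```python
import re
from collections import defaultdict

# Shape of a JBoss AS 7 TRACE line as seen in the report:
# "HH:MM:SS,mmm LEVEL [category] (thread) message"  (assumed layout)
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<category>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)
# Authentication succeeded for a named user (both phrasings appear in the report).
AUTH_RE = re.compile(
    r"User:\s*(?P<user>\S+)\s+is authenticated|Already authenticated '(?P<cached>[^']+)'"
)
# Role set pushed onto the request thread; "null" means no roles were mapped.
ROLES_RE = re.compile(r"PBOX000354: Setting security roles ThreadLocal:\s*(?P<roles>.*)$")
# Outcome of a web-tier authorization check.
AUTHZ_RE = re.compile(
    r"(?P<check>hasRole|hasResourcePermission):RealmBase says:(?P<realm>\w+)::"
    r"Authz framework says:(?P<authz>\w+):final=(?P<final>\w+)"
)

# Sample input: the TRACE lines from the report above (copied, not constructed).
SAMPLE_LOG = """\
12:50:16,560 TRACE [org.jboss.security] (http-whofr836w33/172.29.60.93:8080-1) PBOX000201: End isValid, result = true
12:50:16,560 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) User: ld  is authenticated
12:50:16,564 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) End invoke, caller=null
12:50:16,565 TRACE [org.jboss.security] (http-whofr836w33/172.29.60.93:8080-1) PBOX000354: Setting security roles ThreadLocal: null
12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) Begin invoke, caller=null
12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) Restoring principal info from cache
12:50:16,567 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-whofr836w33/172.29.60.93:8080-1) Authenticating user
12:50:16,567 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-whofr836w33/172.29.60.93:8080-1) Already authenticated 'ld'
12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) hasRole:RealmBase says:false::Authz framework says:true:final=false
12:50:16,568 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) hasResourcePermission:RealmBase says:false::Authz framework says:true:final=false
12:50:16,568 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) End invoke, caller=null
"""


def parse_line(raw):
    """Split one log line into its fields; None for lines that do not match the layout."""
    m = LINE_RE.match(raw.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Per request thread: who authenticated, whether the roles ThreadLocal was null,
    and which authorization checks ended in a denial (final=false)."""
    state = defaultdict(lambda: {"user": None, "roles_null": False, "denials": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        st = state[rec["thread"]]
        msg = rec["msg"]
        if (m := AUTH_RE.search(msg)):
            st["user"] = m.group("user") or m.group("cached")
        elif (m := ROLES_RE.search(msg)):
            st["roles_null"] = m.group("roles").strip().lower() == "null"
        elif (m := AUTHZ_RE.search(msg)):
            if m.group("final").lower() == "false":
                st["denials"].append(
                    {"check": m.group("check"), "realm": m.group("realm"), "authz": m.group("authz")}
                )
    return dict(state)


def findings(log_text):
    """Flag threads that authenticated a user yet denied every check with no roles mapped:
    the authentication-ok / HTTP 403 split the report describes."""
    out = []
    for thread, st in analyze(log_text).items():
        if st["user"] and st["roles_null"] and st["denials"]:
            detail = "; ".join(
                f"{d['check']} (RealmBase={d['realm']}, Authz framework={d['authz']})"
                for d in st["denials"]
            )
            out.append(
                f"{thread}: user '{st['user']}' authenticated, roles ThreadLocal null, "
                f"denied by {detail}"
            )
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Run against a TRACE log with org.jboss.security and org.jboss.as.web.security enabled, the script separates two failure modes that both surface to the user as a 403: a genuine role mismatch (roles present, check denied) versus the case here, where no role set reaches the web tier at all. Only the latter is reported, since that is the symptom specific to the fallback configuration.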

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira