[jboss-user] [JBoss Portal] - Re: LDAP authentication and Role-based permissions question

ndrw_cheung do-not-reply at jboss.com
Mon Mar 12 11:48:24 EDT 2007


Forgot to attach some tracing/logging information in my last reply. Also, our portal is not the default and is accessed by the URL http://localhost:8080/portal/auth/portal/myportal.

The following is a section of the log starting from the authentication. Any help is appreciated. Thanks.

  -Andrew

------------------------------------


2007-03-12 09:55:16,953 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] Begin isValid, principal:abc, cache info: null
2007-03-12 09:55:16,953 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] defaultLogin, principal=abc
2007-03-12 09:55:16,953 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(portal), size=10
2007-03-12 09:55:16,953 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(portal), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=principalDNSuffix, value=,ou=users,ou=MyDivision,o=MyCompany
name=user.provider.url, value=ldap://myLDAPServerIP:389/ou=users,ou=MyDivision,o=MyCompany
name=principalDNPrefix, value=cn=
name=group.provider.url, value=ldap://myLDAPServerIP:389/ou=DistributionLists,ou=MyDivision,o=MyCompany
name=java.naming.security.authentication, value=simple
name=java.naming.provider.url, value=ldap://myLDAPServerIP:389/
name=roleAttributeID, value=cn
name=uidAttributeID, value=member
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=roleAttributeIsDN, value=false
name=rolesCtxDN, value=ou=DistributionLists,ou=MyDivision,o=MyCompany
name=matchOnUserDN, value=true

2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.auth.spi.LdapLoginModule, false)
2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader]   Searching local repositories
2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader]     findClass(org.jboss.security.auth.spi.LdapLoginModule)
2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader]   Delegating to parent classloader at end: java.net.FactoryURLClassLoader at 6d3209
2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader]   Loading class from parent
2007-03-12 09:55:16,968 TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@9504057
2007-03-12 09:55:16,968 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Security domain: portal
2007-03-12 09:55:16,968 TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
2007-03-12 09:55:16,984 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logging into LDAP server, env={user.provider.url=ldap://myLDAPServerIP:389/ou=users,ou=MyDivision,o=MyCompany, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, principalDNPrefix=cn=, java.naming.security.principal=cn=abc,ou=users,ou=MyDivision,o=MyCompany, roleAttributeID=cn, matchOnUserDN=true, principalDNSuffix=,ou=users,ou=MyDivision,o=MyCompany, rolesCtxDN=ou=DistributionLists,ou=MyDivision,o=MyCompany, jboss.security.security_domain=portal, group.provider.url=ldap://10.141.41.21:389/ou=DistributionLists,ou=MyDivision,o=MyCompany, java.naming.provider.url=ldap://myLDAPServerIP:389/, roleAttributeIsDN=false, uidAttributeID=member, java.naming.security.authentication=simple, java.naming.security.credentials=***}
2007-03-12 09:55:16,984 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(com.sun.jndi.ldap.LdapCtxFactory, false)
2007-03-12 09:55:17,281 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext at dc35ba
2007-03-12 09:55:17,281 TRACE [org.jboss.security.auth.spi.LdapLoginModule] searching rolesCtxDN=ou=DistributionLists,ou=MyDivision,o=MyCompany, roleFilter=(member={0}), filterArgs=cn=abc,ou=users,ou=MyDivision,o=MyCompany, roleAttr=[Ljava.lang.String;@14b6ec8, searchScope=2, searchTimeLimit=10000
2007-03-12 09:55:17,671 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'abc' authenticated, loginOk=true
2007-03-12 09:55:17,671 TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true
2007-03-12 09:55:17,671 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] defaultLogin, lc=javax.security.auth.login.LoginContext at 1e4e47f, subject=Subject(5607282).principals=org.jboss.security.SimplePrincipal at 19017836(abc)org.jboss.security.SimpleGroup at 20745137(Roles(members))
2007-03-12 09:55:17,671 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] updateCache, inputSubject=Subject(5607282).principals=org.jboss.security.SimplePrincipal at 19017836(abc)org.jboss.security.SimpleGroup at 20745137(Roles(members)), cacheSubject=Subject(32978170).principals=org.jboss.security.SimplePrincipal at 19017836(abc)org.jboss.security.SimpleGroup at 20745137(Roles(members))
2007-03-12 09:55:17,671 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo at b70e32[Subject(32978170).principals=org.jboss.security.SimplePrincipal at 19017836(abc)org.jboss.security.SimpleGroup at 20745137(Roles(members)),credential.class=java.lang.String at 20738936,expirationTime=1173709516953]
2007-03-12 09:55:17,671 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] End isValid, true
2007-03-12 09:55:17,687 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
	Principal: abc
	Principal: Roles(members)
, sc=org.jboss.security.SecurityAssociation$SubjectContext at 5e8588{principal=abc,subject=26267652}
2007-03-12 09:55:17,687 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo at b70e32[Subject(32978170).principals=org.jboss.security.SimplePrincipal at 19017836(abc)org.jboss.security.SimpleGroup at 20745137(Roles(members)),credential.class=java.lang.String at 20738936,expirationTime=1173709516953]
2007-03-12 09:55:17,687 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext at 5e8588{principal=abc,subject=26267652}
2007-03-12 09:55:17,687 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] getUserRoles, subject: Subject:
	Principal: abc
	Principal: Roles(members)

2007-03-12 09:55:17,687 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'abc' was successful
2007-03-12 09:55:17,687 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/portal/auth/portal/myportal'
2007-03-12 09:55:17,687 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Failed authenticate() test ??/portal/auth/portal/j_security_check
2007-03-12 09:55:17,687 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.connector.CoyoteAdapter]  Requested cookie session id is BA0783EC9001950BDFF9A5C80C6027B9
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /portal/auth/portal/myportal
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[Authenticated]' against GET /auth/portal/myportal --> true
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[Secure]' against GET /auth/portal/myportal --> false
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[Secure+Authenticated]' against GET /auth/portal/myportal --> false
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[Authenticated]' against GET /auth/portal/myportal --> true
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[Secure]' against GET /auth/portal/myportal --> false
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[Secure+Authenticated]' against GET /auth/portal/myportal --> false
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling hasUserDataPermission()
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase]   User data constraint has no restrictions
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling authenticate()
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session 'BA0783EC9001950BDFF9A5C80C6027B9'
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'abc' with type 'FORM'
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling accessControl()
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Username abc does NOT have role finance
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Failed accessControl() test


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4027214#4027214

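As an added example (not from the poster or from JBoss), a small Python parser that pulls the three things worth checking out of a trace like the one above: the LdapLoginModule options, the roles actually committed to the Subject, and the RealmBase role denial, and then says which of them explains the failed accessControl(). The sample lines are constructed in the shape of the post's log; the `Roles(members:a:b)` layout is assumed from JBoss SimpleGroup's toString(), under which a bare `Roles(members)` means the Roles group is empty.

```python
import re
from dataclasses import dataclass, field

# Line shapes follow the JBoss 4.x JaasSecurityManager/LdapLoginModule/RealmBase trace;
# "Roles(members:a:b)" is assumed to be SimpleGroup.toString(), so "Roles(members)" = no roles.
OPTION_RE = re.compile(r'^(?:Options:)?name=([^,]+), value=(.*)$')
AUTH_RE = re.compile(r"User '([^']+)' authenticated, loginOk=(true|false)")
ROLES_RE = re.compile(r'Roles\(members((?::[^:)]+)*)\)')
DENIED_RE = re.compile(r'Username (\S+) does NOT have role (\S+)')

@dataclass
class AuthTrace:
    options: dict = field(default_factory=dict)   # LoginModule options from XMLLoginConfigImpl
    user: str = ''
    login_ok: bool = False
    roles: set = field(default_factory=set)       # roles present in the committed Subject
    missing: set = field(default_factory=set)     # roles web.xml asked for that RealmBase denied

def parse_trace(text):
    t = AuthTrace()
    for line in text.splitlines():
        line = line.strip()
        if m := OPTION_RE.match(line):
            t.options[m.group(1)] = m.group(2)
        elif m := AUTH_RE.search(line):
            t.user, t.login_ok = m.group(1), m.group(2) == 'true'
        elif m := ROLES_RE.search(line):
            t.roles.update(r for r in m.group(1).split(':') if r)
        elif m := DENIED_RE.search(line):
            t.missing.add(m.group(2))
    return t

def diagnose(t):
    if not t.login_ok:
        return 'authentication did not succeed'
    if t.missing and not t.roles:   # bind worked, but the role search found nothing
        return (f"{t.user} authenticated but the role search under rolesCtxDN="
                f"{t.options.get('rolesCtxDN', '?')} yielded no roles; "
                f"constraint needs {sorted(t.missing)}")
    if t.missing:
        return f'role mismatch: {t.user} has {sorted(t.roles)}, needs {sorted(t.missing)}'
    return 'authenticated and authorized'

SAMPLE = """\
name=rolesCtxDN, value=ou=DistributionLists,ou=MyDivision,o=MyCompany
name=roleAttributeID, value=cn
2007-03-12 09:55:17,671 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'abc' authenticated, loginOk=true
2007-03-12 09:55:17,671 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] defaultLogin, subject=Subject(5607282).principals=org.jboss.security.SimplePrincipal at 19017836(abc)org.jboss.security.SimpleGroup at 20745137(Roles(members))
2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Username abc does NOT have role finance
"""
if __name__ == '__main__': print(diagnose(parse_trace(SAMPLE)))
```

On the constructed sample the report is that 'abc' bound successfully but the search under rolesCtxDN returned no roles, which is the case to look at before the web.xml role names.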