- Bug
- Resolution: Duplicate
- P4
- None
- 6
- x86
- windows_2000
FULL PRODUCT VERSION :
java version "1.6.0"
Java(TM) SE Runtime Environment (build 1.6.0-b105)
Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows 2000 [Version 5.00.2195]
EXTRA RELEVANT SYSTEM CONFIGURATION :
Installation of Apache JackRabbit
A DESCRIPTION OF THE PROBLEM :
The javadoc for com.sun.security.auth.module.LdapLoginModule at http://java.sun.com/javase/6/docs/jre/api/security/jaas/spec/index.html?com/sun/security/auth/module/LdapLoginModule.html
states that userProvider can be set to multiple URLs:
'When several LDAP URLs are specified then each is attempted, in turn, until the first successful connection is established'
But this does not happen. Only the first URL is ever used. A failure against the first URL means that the LDAP query fails, rather than the next URL being tried.
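The failover the javadoc describes, written out as an added example (not code from the report or from the JDK): split the space-separated userProvider list, move to the next URL only when the connection itself fails, then look the user up on whichever server answered. The class, method and filter names are assumptions, and the search uses JNDI's {0} argument syntax rather than the module's userFilter token.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Connects to the first reachable server in a space-separated userProvider list. */
public class UserProviderFailover {

    /** Tries each URL in turn; only a connection failure moves on to the next one. */
    static LdapContext connect(String userProvider) throws NamingException {
        NamingException last = null;
        for (String url : userProvider.trim().split("\\s+")) {
            Hashtable<String, Object> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, url);
            env.put("com.sun.jndi.ldap.connect.timeout", "3000"); // fail fast on a dead host
            try {
                return new InitialLdapContext(env, null);
            } catch (CommunicationException e) {
                last = e; // host down or refused: try the next URL
            }
        }
        throw last != null ? last : new NamingException("userProvider is empty");
    }

    /** Looks the user up on the server that answered; a missing entry is not a failover trigger. */
    static String findUserDN(LdapContext ctx, String userFilter, String user) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        NamingEnumeration<SearchResult> results = ctx.search("", userFilter, new Object[]{user}, sc);
        if (!results.hasMore()) return null; // the "Cannot find user's LDAP entry" case
        return results.next().getNameInNamespace();
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: the hostnames come from the report's repository.xml; a real
        // deployment puts the search base in the URL path (ldap://host:389/dc=example,dc=com).
        String userProvider = "ldap://ldapWithOutUserA:389 ldap://ldapWithUserA:389";
        LdapContext ctx = connect(userProvider);
        try {
            System.out.println("user DN: " + findUserDN(ctx, "(uid={0})", "userA"));
        } finally {
            ctx.close();
        }
    }
}
```

With the report's setup, ldapWithOutUserA accepts the connection, so the loop stops there and the lookup returns null; the second URL is only reached when the first host cannot be connected to at all.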
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
[Using Jackrabbit]
Run the class below. This will create a default repository and repository configuration, repository.xml. Edit the repository.xml file as shown below to use LDAP for authentication. Make sure userA is not present in one LDAP server and is present in the other (the userProvider config).
Run the code again. The modified repository.xml file will be used and authentication will fail.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Successful LDAP authentication
ACTUAL -
javax.security.auth.login.FailedLoginException: Cannot find user's LDAP entry
at com.sun.security.auth.module.LdapLoginModule.findUserDN(LdapLoginModule.java:912)
at com.sun.security.auth.module.LdapLoginModule.attemptAuthentication(LdapLoginModule.java:783)
at com.sun.security.auth.module.LdapLoginModule.login(LdapLoginModule.java:551)
at org.apache.jackrabbit.core.security.AuthContext$Local.login(AuthContext.java:143)
at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1252)
at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:338)
at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:363)
at LDAPLoginFailure.main(LDAPLoginFailure.java:18)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
--
test case
--
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.core.TransientRepository;

public class LDAPLoginFailure {
    public static void main(String[] args) throws Exception {
        Repository repository = null;
        Session session = null;
        try {
            // starts the repository (creating repository.xml on the first run)
            repository = new TransientRepository();
            // userA exists only on the second LDAP server listed in userProvider
            SimpleCredentials cred = new SimpleCredentials("userA", "test_password".toCharArray());
            session = repository.login(cred);
        }
        catch (Exception e) {
            e.printStackTrace(System.err);
        }
        finally {
            if (session != null) session.logout();
        }
    }
}
--
repository.xml
--
<?xml version="1.0"?>
<!--
   Licensed to the Apache Software Foundation (ASF) under one or more
   contributor license agreements. See the NOTICE file distributed with
   this work for additional information regarding copyright ownership.
   The ASF licenses this file to You under the Apache License, Version 2.0
   (the "License"); you may not use this file except in compliance with
   the License. You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
-->
<!DOCTYPE Repository PUBLIC "-//The Apache Software Foundation//DTD Jackrabbit 1.2//EN"
                            "http://jackrabbit.apache.org/dtd/repository-1.2.dtd">
<!-- Example Repository Configuration File -->
<Repository>
    <!--
        virtual file system where the repository stores global state
        (e.g. registered namespaces, custom node types, etc.)
    -->
    <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
        <param name="path" value="${rep.home}/repository"/>
    </FileSystem>

    <!--
        security configuration
    -->
    <Security appName="Jackrabbit">
        <!--
            access manager:
            class: FQN of class implementing the AccessManager interface
        -->
        <AccessManager class="org.apache.jackrabbit.core.security.SimpleAccessManager">
            <!-- <param name="config" value="${rep.home}/access.xml"/> -->
        </AccessManager>

        <!-- JAAS login module: userProvider lists two servers, userA is only on the second -->
        <LoginModule class="com.sun.security.auth.module.LdapLoginModule">
            <param name="userProvider" value="ldap://ldapWithOutUserA:389 ldap://ldapWithUserA:389"/>
            <param name="debug" value="false"/>
            <param name="useFirstPass" value="false"/>
            <param name="tryFirstPass" value="false"/>
            <param name="useSSL" value="false"/>
            <param name="userFilter" value="<depends on ldap setup>"/>
        </LoginModule>
    </Security>

    <!--
        location of workspaces root directory and name of default workspace
    -->
    <Workspaces rootPath="${rep.home}/workspaces" defaultWorkspace="default"/>

    <!--
        workspace configuration template:
        used to create the initial workspace if there's no workspace yet
    -->
    <Workspace name="${wsp.name}">
        <!--
            virtual file system of the workspace:
            class: FQN of class implementing the FileSystem interface
        -->
        <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
            <param name="path" value="${wsp.home}"/>
        </FileSystem>

        <!--
            persistence manager of the workspace:
            class: FQN of class implementing the PersistenceManager interface
        -->
        <PersistenceManager class="org.apache.jackrabbit.core.persistence.db.DerbyPersistenceManager">
            <param name="url" value="jdbc:derby:${wsp.home}/db;create=true"/>
            <param name="schemaObjectPrefix" value="${wsp.name}_"/>
        </PersistenceManager>

        <!--
            Search index and the file system it uses.
            class: FQN of class implementing the QueryHandler interface
        -->
        <SearchIndex class="org.apache.jackrabbit.core.query.lucene.SearchIndex">
            <param name="path" value="${wsp.home}/index"/>
        </SearchIndex>
    </Workspace>

    <!--
        Configures the versioning
    -->
    <Versioning rootPath="${rep.home}/version">
        <!--
            Configures the filesystem to use for versioning for the respective
            persistence manager
        -->
        <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
            <param name="path" value="${rep.home}/version" />
        </FileSystem>

        <!--
            Configures the persistence manager to be used for persisting version state.
            Please note that the current versioning implementation is based on
            a 'normal' persistence manager, but this could change in future
            implementations.
        -->
        <PersistenceManager class="org.apache.jackrabbit.core.persistence.db.DerbyPersistenceManager">
            <param name="url" value="jdbc:derby:${rep.home}/version/db;create=true"/>
            <param name="schemaObjectPrefix" value="version_"/>
        </PersistenceManager>
    </Versioning>

    <!--
        Search index for content that is shared repository wide
        (/jcr:system tree, contains mainly versions)
    -->
    <SearchIndex class="org.apache.jackrabbit.core.query.lucene.SearchIndex">
        <param name="path" value="${rep.home}/repository/index"/>
    </SearchIndex>
</Repository>
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
I patched com.sun.security.auth.module.LdapLoginModule to work correctly, but that isn't really a workaround is it?
- duplicates: JDK-6550794 LdapLoginModule does not support multiple userProvider entries (Closed)