An external user/identity that is member of "administrators" group does not have access to all the resources (403 forbidden) | Adobe Higher Education
deisbel_diaz
Level 2
March 30, 2016

An external user/identity that is member of "administrators" group does not have access to all the resources (403 forbidden)

Hi:
 
I'm very frustrated. I've spent many days trying to implement authentication using an external provider.
 
I've created my own AuthenticationHandler, a LoginModule (using Oak), a LoginModuleFactory, an External Identity Provider, and created all the required configurations (a default Synchronizer and external provider are linked to my login module).

I have created a login page, a logout servlet, and my other pages in general. I'm able to request my home page; it redirects me to the login page when I'm not authenticated, and after logging in I can see the home page again. I'm able to log out too, being redirected to the login page.

The external user that I'm using to log in is correctly added to the right group (administrators, for test purposes).

The user is correctly located in /home/"mypath"/:

The profile is correctly created and imported:


The ONLY PROBLEM is that the home page does not have access to any resource outside of /content/myAppName.
 
All its HTML content is shown: 
 
But I'm receiving 403 (Forbidden) for every other resource:
 
The AuthenticationHandler.extractCredentials implementation is saving the credential just in the session (no cookies so far).

Something like this:

import javax.servlet.http.HttpServletRequest;

// Keeps the authenticated user only in the servlet session; no cookie is issued.
private void setUserInSession(String user, HttpServletRequest request) {
   request.getSession(true).setAttribute(USER_KEY, user);
}
 
Is there any bug with external users?
 
I have no idea where else to look.
This topic has been closed to replies.

3 comments

smacdonald2008
Level 10
March 30, 2016

Looks like a bug - file a Daycare ticket.

deisbel_diaz
Level 2
April 1, 2016
Hi:
 
More info. Depending on what credentials I'm using to authenticate (and where), we get many scenarios and results:

1- I enter the CRXDE Lite tool using the "admin" user

After doing that:
- I have access to everything in CRXDE Lite.
- I'm able to open the other consoles (just entering their URL, with no extra authentication step) like http://localhost:4502/system/console/configMgr
- My website loads perfectly with no extra authentication step (no forbidden access to any resource/asset)

Everything is normal, as expected.

2- I first enter the CRXDE Lite tool using an external user that belongs to the "administrators" group ("kirk" in my example).

After doing that:
- I have access to everything in CRXDE Lite!!!

- I'm NOT able to open the other consoles like http://localhost:4502/system/console/configMgr. I can see this message in the logs:

org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2 authenticate: User kirk1 is denied Web Console access

It looks like an additional check is being done in the console tools. It's OK, no problem.

- My website loads perfectly.

3- If I log out and after that I decide to enter my site first using the same external credentials, then:

- CRXDE Lite does not show any info. It is loaded with the anonymous user.

- I'm able to load my site, but I have no access to any other resource outside of /content/myapp. I receive many Forbidden Access errors, which causes only unformatted text to be visible in my pages.

So, from these facts I was able to see an important difference in the logged-in user.

When I log in to CRXDE Lite first using an external user, a ".token" node is created under the parent user node, containing nodes for each active session.
 
 
 
Evidently I'm missing an important step during the authentication process: creating a token that is expected by the Sling Framework.

I saw in an old example I found in a blog that this token was created by the Login Module, but taking a look at the new Jackrabbit Oak there is no longer a method for this approach.

I saw other source code (for a FormAuthenticationHandler) where some token is created during the extractCredentials method, saved in a cookie, etc. But this example is linked to the old Jackrabbit model, not to Oak.

So, I'm totally lost about where and how to take care of the .token creation. This article does not clear up my doubts.
 
Any help please? 
 
Lokesh_Shivalingaiah
Level 10
April 1, 2016

OOB login creates a 'login-token', which is a session cookie. Are you seeing this cookie getting created?
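The three scenarios above, together with the login-token question, suggest a check worth running before touching any token code: of the requests that came back 403, which ones fall under the path the custom AuthenticationHandler is registered for? The script below is an added example, not code from the thread or from Sling/AEM. The log lines are constructed here in the shape of Sling's request.log ("[id] -> METHOD PATH PROTO" followed by "[id] <- STATUS CONTENT-TYPE TIMEms"); the handler path /content/myAppName is the one named in the thread, while the other paths and the idea that the handler is path-scoped are assumptions made for illustration.

```python
"""Triage Sling/AEM request.log lines: which 403s fall outside the paths a
custom AuthenticationHandler is registered for?

Added example, not code from the thread. Sample lines are constructed in
the shape of Sling's request.log; the paths other than /content/myAppName
are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: the page itself is served, the clientlibs and the DAM
# asset it references are denied, then a second page is served.
SAMPLE_REQUEST_LOG = """\
01/Apr/2016:10:00:00 +0200 [101] -> GET /content/myAppName/home.html HTTP/1.1
01/Apr/2016:10:00:00 +0200 [101] <- 200 text/html 45ms
01/Apr/2016:10:00:01 +0200 [102] -> GET /etc/designs/myAppName/clientlibs.css HTTP/1.1
01/Apr/2016:10:00:01 +0200 [102] <- 403 text/html 3ms
01/Apr/2016:10:00:01 +0200 [103] -> GET /etc/clientlibs/granite/jquery.js HTTP/1.1
01/Apr/2016:10:00:01 +0200 [103] <- 403 text/html 2ms
01/Apr/2016:10:00:02 +0200 [104] -> GET /content/dam/myAppName/logo.png HTTP/1.1
01/Apr/2016:10:00:02 +0200 [104] <- 403 text/html 2ms
01/Apr/2016:10:00:02 +0200 [105] -> GET /content/myAppName/about.html HTTP/1.1
01/Apr/2016:10:00:02 +0200 [105] <- 200 text/html 31ms
"""

REQ_RE = re.compile(r"\[(?P<id>\d+)\] -> (?P<method>\S+) (?P<path>\S+) ")
RES_RE = re.compile(r"\[(?P<id>\d+)\] <- (?P<status>\d{3}) ")


def parse_request_log(text):
    """Pair '->' and '<-' lines by request id; return a list of (path, status)."""
    pending, results = {}, []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            pending[m["id"]] = m["path"]
            continue
        m = RES_RE.search(line)
        if m and m["id"] in pending:
            results.append((pending.pop(m["id"]), int(m["status"])))
    return results


def covered_by(path, handler_paths):
    """True if `path` lies under one of the registered handler paths.
    Prefix match on a '/' boundary is assumed, so /content/myAppNameX is
    not under /content/myAppName."""
    for hp in handler_paths:
        if path == hp or path.startswith(hp.rstrip("/") + "/"):
            return True
    return False


def triage(text, handler_paths):
    """Split the 403'd paths into those the handler could have seen
    ('covered') and those it never saw ('uncovered'), with counts."""
    report = {"covered": defaultdict(int), "uncovered": defaultdict(int)}
    for path, status in parse_request_log(text):
        if status != 403:
            continue
        bucket = "covered" if covered_by(path, handler_paths) else "uncovered"
        report[bucket][path] += 1
    return {k: dict(v) for k, v in report.items()}


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_REQUEST_LOG, ["/content/myAppName"]).items():
        print(bucket, paths)
```

If every 403 lands in the `uncovered` bucket, the handler never had a chance to authenticate those requests: in Sling a request outside a handler's `path` goes to whichever other handler claims it, or runs as anonymous, which is consistent with the page body rendering while its clientlibs and assets are denied whenever no login-token cookie is present.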

smacdonald2008
Level 10
April 1, 2016
deisbel_diaz
Level 2
April 1, 2016

Yes, I have read it, but I got nothing in clear there.

Let me explain. I have implemented the following classes:

- MyAuthHandler
                extends DefaultAuthenticationFeedbackHandler
                implements AuthenticationHandler, AuthenticationFeedbackHandler

- MyAuthLoginModuleFactory implements LoginModuleFactory

- MyAuthLoginModule extends AbstractLoginModule

- MyAuthJsonIDP implements ExternalIdentityProvider

I have the right configuration linking every one of these pieces. I'm able to log in, log out, etc. But it looks like AEM 6.1 requires some special implementation related to tokens.

There are many rows in my JAAS configuration, including the two mentioned in that article:

http://screencast.com/t/xDgNBx1wF0A

I can't understand the real scope of this paragraph either:

----

Token Creation

The creation of a new token is triggered by valid SimpleCredentials passed to the login module chain that contain an additional, empty .token attribute. The default TokenProvider implementation will consequently generate a new token and store its hash along with all mandatory and informative attributes to the new content node representing the new token.

------

I've tried to add an empty attribute ".token" to the AuthenticationInfo before exiting extractCredentials in MyAuthHandler, but with no success.

import org.apache.sling.auth.core.spi.AuthenticationInfo;

        // AUTH_TYPE is the handler's auth type; user/psw come from the external provider.
        AuthenticationInfo info = new AuthenticationInfo(AUTH_TYPE, user, psw.toCharArray());

        info.put(ACCESS_TOKEN_KEY, accessToken);
        info.put(USER_KEY, user);
        // Empty ".token" entry, intended to request token creation.
        info.put(".token", "");

So, as you can see, there should be a key piece of this puzzle that I'm not yet capable of figuring out where to put.

Many libraries, APIs, different versions of them, many incompatibilities, many AEM versions, etc., and too few real samples or articles about how to use them together have become a big problem for me. Hopefully I'm very close to the end, but it looks like a maze.

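To make the quoted "Token Creation" paragraph concrete, here is a generic illustration of that design: creation is requested by an empty `.token` attribute on otherwise valid credentials, the server keeps only a hash of the secret plus its expiry, and validation re-hashes what the client presents and compares in constant time. This is an added Python example, not Oak's TokenProviderImpl and not code from the thread; the node layout, the `nodeid_key` token string and the dict standing in for SimpleCredentials are assumptions made for illustration.

```python
"""Generic illustration of hash-stored login tokens.

Added example; the node layout and token format below are assumptions,
not Oak's TokenProviderImpl. Only the attribute name '.token' comes from
the quoted Oak documentation.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_ATTRIBUTE = ".token"          # attribute name from the quoted paragraph
DEFAULT_TTL_SECONDS = 2 * 60 * 60   # assumed default lifetime


def _hash_key(key: str) -> str:
    # The key is 256 bits of fresh randomness, so an unsalted fast hash is
    # enough: a copy of the store never yields a usable token.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def do_create_token(credentials: dict) -> bool:
    """Trigger from the quoted paragraph: credentials carrying an
    additional, empty '.token' attribute ask for a token to be created.
    `credentials` is a dict standing in for SimpleCredentials (assumption)."""
    return credentials.get("attributes", {}).get(TOKEN_ATTRIBUTE) == ""


class TokenStore:
    """Token nodes keyed by node id: {user, key_hash, exp}.
    The secret itself is never stored, only its hash."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, handy for expiry tests
        self._nodes = {}

    def create_token(self, credentials: dict, ttl: int = DEFAULT_TTL_SECONDS):
        """Return the client-side token string, or None if creation was not requested."""
        if not do_create_token(credentials):
            return None
        node_id = secrets.token_hex(8)
        key = secrets.token_hex(32)
        self._nodes[node_id] = {
            "user": credentials["user"],
            "key_hash": _hash_key(key),
            "exp": self._now() + ttl,
        }
        # Client gets node id + secret; the server can find the node without
        # the secret and verify the secret without storing it (assumed format).
        return f"{node_id}_{key}"

    def get_token_info(self, token: str):
        """Return the user id for a valid, unexpired token, else None."""
        node_id, sep, key = token.partition("_")
        node = self._nodes.get(node_id) if sep else None
        if node is None:
            return None
        # Constant-time comparison of hashes: no timing oracle on the secret.
        if not hmac.compare_digest(node["key_hash"], _hash_key(key)):
            return None
        if self._now() >= node["exp"]:
            del self._nodes[node_id]     # expired: drop the node
            return None
        return node["user"]

    def remove_token(self, token: str) -> bool:
        """Logout: delete the node so the token can never validate again."""
        if self.get_token_info(token) is None:
            return False
        del self._nodes[token.partition("_")[0]]
        return True

    def stored_nodes(self) -> dict:
        """Snapshot for inspection; shows that no plaintext secret is kept."""
        return {nid: dict(n) for nid, n in self._nodes.items()}
```

The point of the split between node id and secret is that a lookup never depends on the secret, while a leaked copy of the token nodes (the part that lives in the repository) contains nothing an attacker could present as a token.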

deisbel_diaz
Level 2
April 1, 2016

This issue reminds me why I hate every existing CMS so much. When you have to do something just a little bit different from its common tasks, you get inside a maze.

- Can somebody give me the email of some developer at Adobe in charge of the Oak module? It looks like nobody in this forum is capable of really clarifying my doubts.

I have a client who has been waiting for this feature for 2 weeks!!

I can't see any Factory for the Oak Token Login Module like the one that exists for the classic Oak Login Module.

- Is there any article about how to create the .token node after the user is logged in?

- What is the right place to do that: a Login Module, or earlier, in the AuthenticationHandler?

Thanks in advance.