SSO in AEM 6.0 with JCR Oak
Team,
I am just validating via a POC wherein I should be able to do single sign-on with just the JCR Oak / CRX login module. I have set up my SSO Authentication Handler to take up a request parameter: SM_USER = XXXX
In 5.6.1, the repository.xml used to have a CRXLoginModule section that mentions the trusted_auth_info parameter, which used to match the SSO Auth Handler configuration and thereby log in.
However, in 6.0 I see that the documentation ( http://docs.adobe.com/docs/en/aem/6-0/deploy/configuring/single-sign-on.html ) only mentions setting up the SSO Authentication Handler and is very vague about the login module configuration. I understand there is an explicit Login Module configuration for LDAP. However, what about a simple CRX / JCR Oak configuration?
Does this mean that SSO cannot be accomplished without LDAP from AEM 6.0 onwards?
Or does this have to be accomplished by configuring the External Login Module? If so, how?
Ideally, there should be some documentation to indicate what the replacement for the trusted_auth_info configuration is.
Any pointers on this would be much appreciated.
Regards,
DR
LOG:
Caused by: javax.security.auth.login.LoginException: UserId/Password mismatch.
at org.apache.jackrabbit.oak.security.authentication.user.UserAuthentication.checkSuccess(UserAuthentication.java:121)
at org.apache.jackrabbit.oak.security.authentication.user.UserAuthentication.authenticate(UserAuthentication.java:102)
at org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl.login(LoginModuleImpl.java:128)
at org.apache.felix.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:52)
at sun.reflect.GeneratedMethodAccessor73.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at org.apache.jackrabbit.oak.core.ContentRepositoryImpl.login(ContentRepositoryImpl.java:160)
at org.apache.jackrabbit.oak.jcr.repository.RepositoryImpl.login(RepositoryImpl.java:254)
at com.adobe.granite.repository.impl.CRX3RepositoryImpl.login(CRX3RepositoryImpl.java:87)
at org.apache.jackrabbit.oak.jcr.repository.RepositoryImpl.login(RepositoryImpl.java:195)
at org.apache.sling.jcr.base.AbstractSlingRepository2.login(AbstractSlingRepository2.java:297)
at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProviderInternal(JcrResourceProviderFactory.java:289)
... 72 common frames omitted
02.01.2015 17:01:21.578 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] com.day.cq.auth.impl.HTTPAuthHandler forceAuthentication: Not forcing authentication because request parameter sling:authRequestLogin is not set
02.01.2015 17:01:21.578 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] com.adobe.granite.auth.sso.impl.SsoAuthenticationHandler found parameter SM_USER=dheepak
02.01.2015 17:01:21.578 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: Trying to get a session for dheepak
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] com.adobe.granite.repository.impl.SlingRepositoryImpl login: Logging in to workspace 'crx.default'
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.security.authentication.LoginContextProviderImpl Found pre-authenticated subject: No further login actions required.
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule Login: retrieving Credentials using callback.
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule Login: No supported credentials obtained from callback; trying shared state.
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule Login: No supported credentials found in shared state; looking for credentials in subject.
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule No credentials found.
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule Login: retrieving Credentials using callback.
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule Login: Credentials 'javax.jcr.SimpleCredentials@795803b5' obtained from callback
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.security.authentication.LoginContextProviderImpl Found pre-authenticated subject: No further login actions required.
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.query.QueryEngineImpl Parsing JCR-SQL2 statement: SELECT * FROM [nt:base] WHERE [jcr:uuid] = $id
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.query.QueryImpl cost using filter Filter(query=SELECT * FROM [nt:base] WHERE [jcr:uuid] = $id, path=*, property=[jcr:uuid=9263caf2-41d4-35f5-ae4a-cc4c2401ec23])
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.query.QueryImpl cost for reference is Infinity
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.query.QueryImpl cost for property is 3.0
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.plugins.index.property.OrderedPropertyIndex getPlans(Filter, List<OrderEntry>, NodeState)
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.plugins.index.property.OrderedPropertyIndex getPlans() - filter: Filter(query=SELECT * FROM [nt:base] WHERE [jcr:uuid] = $id, path=*, property=[jcr:uuid=9263caf2-41d4-35f5-ae4a-cc4c2401ec23]) -
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.plugins.index.property.OrderedPropertyIndex getPlans() - sortOrder: null -
02.01.2015 17:01:21.579 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.jackrabbit.oak.plugins.index.property.OrderedPropertyIndex getPlans() - rootState: { jcr:primaryType = rep:root, jcr:mixinTypes = [rep:RepoAccessControllable, rep:AccessControllable], sling:target = /index.html, sling:resourceType
02.01.2015 17:01:21.581 *INFO* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure: Unable to authenticate dheepak: UserId/Password mismatch.
02.01.2015 17:01:21.582 *DEBUG* [qtp175883883-84 - /useradmin?SM_USER=dheepak] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure
org.apache.sling.api.resource.LoginException: UserId/Password mismatch.
at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getLoginException(JcrResourceProviderFactory.java:394)
at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProviderInternal(JcrResourceProviderFactory.java:333)