Highlighted

AEM 6550 - Log AEM Form Login User (j_username) Password (j_password) doing j_security_check Authentication | AEM Community Blog Seeding

Avatar

Avatar

kautuk_sahni

Community Manager

Total Posts

5.6K

Likes

961

Correct Answer

1.1K

Avatar

kautuk_sahni

Community Manager

Total Posts

5.6K

Likes

961

Correct Answer

1.1K
kautuk_sahni
Community Manager

05-08-2020

BlogImage.jpg

AEM 6550 - Log AEM Form Login User (j_username) Password (j_password) doing j_security_check Authent... by Sreekanth Choudry Nalabotu

Abstract

If you are unsure the user authentication information like j_username, j_password are passed to /libs/granite/core/content/login.html/j_security_check or being stripped off from the request by intermediate proxies before reaching AEM, you can use the following code to log them...

Solution

Add the following custom authentication handler in a separate bundle (independent of your project) or install this package with the auth handler and log configuration logging to http://localhost:4502/system/console/slinglog/tailer.txt?tail=10000&grep=*&name=%2Flogs%2Feaem-jsecurity.log


package apps.experienceaem.assets;

import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.auth.core.spi.AuthenticationFeedbackHandler;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import java.io.IOException;

import static org.osgi.framework.Constants.SERVICE_RANKING;

@Component(
service = { AuthenticationHandler.class },
immediate = true,
property = {
SERVICE_RANKING + ":Integer=" + 9999,
AuthenticationHandler.PATH_PROPERTY + "=/libs/granite/core/content/login.html/j_security_check",
AuthenticationHandler.TYPE_PROPERTY + "=" + "EAEM_RECORD_CREDS",
"service.description=Experience AEM Log j_security_check User Password Credentials"
})
public class EAEMRecordUserPassAuthHandler implements AuthenticationHandler, AuthenticationFeedbackHandler {

private static final Logger log = LoggerFactory.getLogger(EAEMRecordUserPassAuthHandler.class);

private static final String REQUEST_METHOD = "POST";
private static final String REQUEST_URL_SUFFIX = "/j_security_check";

@Reference
private SlingRepository repository;

@Reference(target = "(service.pid=com.day.crx.security.token.impl.impl.TokenAuthenticationHandler)")
private AuthenticationHandler wrappedAuthHandler;

public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
if (REQUEST_METHOD.equals(request.getMethod()) && request.getRequestURI().endsWith(REQUEST_URL_SUFFIX)) {
AuthenticationInfo authInfo = wrappedAuthHandler.extractCredentials(request, response);

SimpleCredentials sc = (SimpleCredentials) authInfo.get("user.jcr.credentials");

log.debug("User: " + sc.getUserID() + ", Password : " + new String(sc.getPassword()));

return authInfo;
}

return null;
}

public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
return wrappedAuthHandler.requestCredentials(httpServletRequest, httpServletResponse);
}

public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
wrappedAuthHandler.dropCredentials(httpServletRequest, httpServletResponse);
}

@Override
public void authenticationFailed(HttpServletRequest request, HttpServletResponse response, AuthenticationInfo authInfo) {
if (wrappedAuthHandler instanceof AuthenticationFeedbackHandler) {
((AuthenticationFeedbackHandler) wrappedAuthHandler).authenticationFailed(request, response, authInfo);
}
}

@Override
public boolean authenticationSucceeded(HttpServletRequest request, HttpServletResponse response, AuthenticationInfo authInfo) {
if (wrappedAuthHandler instanceof AuthenticationFeedbackHandler) {
return ((AuthenticationFeedbackHandler) wrappedAuthHandler).authenticationSucceeded(request, response, authInfo);
}
return false;
}
}

Read Full Blog

AEM 6550 - Log AEM Form Login User (j_username) Password (j_password) doing j_security_check Authent...

Q&A

Please use this thread to ask the related questions.

AEM AEMEBlogSeeding Experience Manager

Replies

Highlighted

Avatar

Avatar

Mohan_BMS

Avatar

Mohan_BMS

Mohan_BMS

27-09-2020

Hi @kautuk_sahni , I am facing below error while trying to use this service. Please let me know if got into similar issue?

java.lang.ClassCastException: class org.apache.jackrabbit.api.security.authentication.token.TokenCredentials cannot be cast to class javax.jcr.SimpleCredentials (org.apache.jackrabbit.api.security.authentication.token.TokenCredentials is in unnamed module of loader org.apache.felix.framework.BundleWiringImpl$BundleClassLoader @2267c547; javax.jcr.SimpleCredentials is in unnamed module of loader org.apache.felix.framework.BundleWiringImpl$BundleClassLoader @2a20564b)
	at com.shared.core.service.impl.AuthorLoginHookAuthenticationHandler.extractCredentials(AuthorLoginHookAuthenticationHandler.java:72)
	at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:76)
	at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
	at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:735)
	at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:483)
	at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:460)
	at org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2.authenticate(SlingWebConsoleSecurityProvider2.java:69)
	at org.apache.felix.webconsole.internal.servlet.OsgiManagerHttpContext.handleSecurity(OsgiManagerHttpContext.java:103)
	at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:406)
	at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:58)
	at org.apache.felix.http.base.internal.dispatch.Dispatcher$1.doFilter(Dispatcher.java:146)
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1002)
	at org.apache.sling.security.impl.ReferrerFilter.doFilter(ReferrerFilter.java:326)
	at org.apache.felix.http.base.internal.handler.PreprocessorHandler.handle(PreprocessorHandler.java:136)
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1008)
	at org.apache.felix.http.sslfilter.internal.SslFilter.doFilter(SslFilter.java:97)
	at org.apache.felix.http.base.internal.handler.PreprocessorHandler.handle(PreprocessorHandler.java:136)
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1008)
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager.invokePreprocessors(WhiteboardManager.java:1012)
	at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:91)
	at org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:755)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:547)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1607)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1297)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1577)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1212)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.Server.handle(Server.java:500)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)
	at java.base/java.lang.Thread.run(Thread.java:834)