Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.

An external user/identity that is member of "administrators" group does not have access to all the resources (403 forbidden)

Avatar

Level 2
Hi:
 
I'm very frustrated. I've spent many days trying to implement authentication using an external provider.
 
I've created my own AuthenticationHandler, a LoginModule (using Oak), a LoginModuleFactory, an External Identity Provider, and created all the required configurations (a default Synchronizer and external provider are linked to my login module)
 
I have create a login-page, a logout servlet, and my others pages in general. I'm able to request my home page, it redirect me to login-page when I'm not authenticated, and after log in I can see the home-page again. I'm able to log out too, being redirected to login-page. 
 
The External User that I'm using to log in is correctly added in the right group (administrators for test purposes).
 
The user is perfectly located in /home/"mypath"/:
 
The profile is correctly created and imported:
 
 
The ONLY PROBLEM is that the Home-page does has access to any resource outside of /content/myAppName. 
 
All its HTML content is shown: 
 
But I'm receiving 403 (Forbidden) for every other resource:
 
The AuthenticationHandler.extractCredentials implementation is saving the credential just in the session (no cookies so far).

 

Something like this:
 
private void setUserInSession(String user, HttpServletRequest request) {
   request.getSession(true).setAttribute(USER_KEY, user);
}
 
Is there any bug with external users?
 
I have no idea where else to seek.
11 Replies

Avatar

Level 10

Looks like a bug - file a day care ticket. 

Avatar

Level 2
Hi:
 
More info. Depending of what credentials I'm using to authenticate (and where) we got many scenarios and results: 
 
1- I enter in the CRXDE Lite tool using "admin" user
 
After do that:
- I have access to everything in CRXDE Lite. 
- I'm able to open the others consoles (just pulling out their URL, with no extra authentication step) like http://localhost:4502/system/console/configMgr
- My website load perfectly with no extra authentication step (no forbidden access to any resource/asset)
 
Everything is normal, as expected. 
 
2- I first enter in the CRXDE Lite tool using an external user that belong to "administrators" group ("kirk" in my example). 
 
After do that:
I have access to everything in CRXDE Lite !!! 
 
- I'm NOT able to open the others consoles like http://localhost:4502/system/console/configMgr.  I can see this message in the logs: 
 
org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2 authenticate: User kirk1 is denied Web Console access
 
Looks like as additional check out is being done in the console tools. It's ok, no problem.
 
- My website load perfectly.
 
3- If I log out and after that I decide to enter first in my site using the same external credentials then: 
 
 CRXDE Lite does not show any info. It is loaded with anonimous user. 
 
- I'm able to load my site, but I have no access to any other resource out of /content/myapp. I receive many Forbidden Access to cause that only text with no format is visible in my pages.
 
So, from this facts I was able to see an important different in the logged user. 
 
When I log in CRXDELite first using an external user a ".token" node is create under the parent user node containing nodes for each active session. 
 
 
Inline image 1
 
Evidently I'm missing an important step during the authentication process: create a token that is expected for the Sling Framework. 
 
I saw in an old example I found in a blog that this token was created for the Login Module, but taking a look to the new Jackrabbit Oak there is no longer a method for this approach. 
 
I saw other source code (for a FormAuthenticationHandler) where some token is created during the extractCredentials method, saved in a cookie, etc. But, this example is linked to the old jackrabbit model, no with Oak. 
 
So, I'm totally lost about where and how take care of the .token creation. This article does not put in clear my doubts. 
 
Any help please? 
 

OOB login, creates 'login-token' which is a session cookie. Are you seeing this cookie getting created ?

Avatar

Level 2

Yes, I have read it, but I got nothing in clear there.

Let me explain, I have implemented the following classes:

- MyAuthHandler
                extends DefaultAuthenticationFeedbackHandler
                implements AuthenticationHandler, AuthenticationFeedbackHandler

- MyAuthLoginModuleFactory implements LoginModuleFactory

- MyAuthLoginModule extends AbstractLoginModule

- MyAuthJsonIDP implements ExternalIdentityProvider

I have the right configuration linking every one of these pieces. I'm able to login, logout, etc. But, looks like AEM 6.1 require some special implementation related with token.

There are many rows in my jaas configuration, including the two mentioned in that articles

http://screencast.com/t/xDgNBx1wF0A

I can't neither understand the real scope of this paragraph:   

----

Token Creation

The creation of a new token is triggered by valid SimpleCredentials passed to the login module chain that contain an additional, empty .token attribute. The default TokenProvider implementation will consequently generate a new token and store it’s hash along with all mandatory and informative attributes to the new content node representing the new token.

------

I've tried to add an empty attribute ".token" to the AuthenticationInfo before exit of extractCredentials in MyAuthHandler but with no success. 

        AuthenticationInfo info = new AuthenticationInfo(AUTH_TYPE, user, psw.toCharArray());

        info.put(ACCESS_TOKEN_KEY, accessToken);
        info.put(USER_KEY, user);
        info.put(".token", "");

So, as you can see there should be a key piece of this puzzle that I'm not capable yet to figure out where to put.

Many libraries, APIs, different versions of these one, many incompatibilities, many AEM versions, etc, and to few real samples or articles about how to use them together have become in a big problem for me. Hopefully I'm very close to the end, but it looks like a maze.

.

Avatar

Level 2

This issue come to remember me why I hate too much every existing CMS. When you have to do something just a little bit different of its common tasks then you get inside a maze. 

- Somebody can give the email of some developer in Adobe in charge of the Oak module? Looks like nobody in this forum is capable of really clarify my doubts? 

I have a client waiting for this feature since 2 weeks!!. 

I can't see any Factory for the Oak Token Login Module like the existing for the classic Oak Login Module. 

- Is there any article about how to create the .token node after the user is logged in?.

- What is the right place to do that: a Login Module, or before in the AuthenticationHandler?

Thanks in advance.

Couple of questions.

which version of AEM and Oak are  you using ?

are you seeing login-token cookie getting created once you login with your customLoginModule ?

I'm using AEM 6.1, SP1. 

<dependency>
                <groupId>org.apache.jackrabbit</groupId>
                <artifactId>oak-auth-external</artifactId>
                <version>1.4.0</version>
            </dependency>

 

<dependency>
                <groupId>org.apache.sling</groupId>
                <artifactId>org.apache.sling.jcr.jackrabbit.server</artifactId>
                <version>2.3.0</version>
            </dependency>

My AuthLoginModule class extends org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule

When I log in from CRXDELite with my external user I can see the login-token cookie created in the browser. When I use my app, I'm creating my own cookie. 

My questions are: 

- The name "login-token" is mandatory for the cookie? 

- Who is responsable for create this cookie: the AuthenticationHandler.authenticationSucceeded event handler, or the External Login Module? It looks to me like should be the first one.

- What info should be stored in this cookie to allow AEM read it and use it as its own? 

- Do I need to create an entry in the node .tokens below the /home/users/myCurrentUser? What info do I need to store there?

Thanks

It looks like, we need that login-token which is created by AuthenticationHandler. Let me debug further and let you know If I could figure out something

Yes, I agree with you. The problem is that I was not able to locate some example about how to create this ".token" nor the sources of the AuthHandler by default. I appreciate so much your efforts to help me, thanks.  

In the CRXDE Lite's HomePage I can see this information:

Repository Information

Avatar

Level 2
I have finished the first version of the classes/services that allow me to log in using my external OAuth2 Provider. 
 
I've created an AuthenticationHandler and ExternalIdentityProvider. Using instances of the default "Apache Jackrabbit Oak External Login Module" and "Apache Jackrabbit Oak Default Sync Handler" I'm able to complete the whole authentication process/flow: 
 
- My "login servlet/path" makes a redirect to the authorization page in my OAuth2 Server. 
 
- The OAuth2Server calls back my local redirect url (other servlet) in charge of negotiate an access token. 
 
- The login flow takes place normally. 
 
** My AuthenticationHandler.extractCredentials do its job creating a SimpleCredentials
 
** The default login module delegate the login function in my external identity provider (IDP)
 
** My IDP returns External Instances of the authenticated oauth2 users with appropriated properties maps.
 
** The default sync handler is adding the new users as external users, and also putting it as administrators member (for test purposes)  
 
- Finally, my AuthenticationHandler.authenticationSucceded save the authenticated credentials in a cookie to allow extractCredentials to get them later.
 
That cookie is created following the same requirements in Form based Authentication Handler: 
https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
 
 
The pages located inside /content/myapp have permit to be accessed by the logged user in, but AEM is giving me Forbidden access to every assets located in others paths like: /libs, /etc, /apps.
 
I can't find any documentation that give me a clue about what else I have to do. 
 
The only one I was able to find are differences in the stored info between an user authenticated with CRXDE Lite (or the Defauul Login page) and my one.
 
That is what I'm going to try to show to you below:
 
 
After you log in AEM using the default Login Page, or through CRXDE Lite, the user registered in /home/user contains a ".token" node. 
 
It looks like AEM is only considering this info to give access to others resources. But, I've read every article that I've found and no one says something that give me a clue about how to do that. 
 
The next week there is a conference "Getting Beyond Basic Authentication" and I'm wondering if is possible to contact its authors to make them all the questions I have. 
 
Any recommendation?