An external user/identity that is member of "administrators" group does not have access to all the resources (403 forbidden) | Adobe Higher Education
Skip to main content
deisbel_diaz
deisbel_diaz
Level 2
March 30, 2016

An external user/identity that is member of "administrators" group does not have access to all the resources (403 forbidden)

  • March 30, 2016
  • 3 の返信
  • 3394 ビュー
Hi:
 
I'm very frustrated. I've spent many days trying to implement authentication using an external provider.
 
I've created my own AuthenticationHandler, a LoginModule (using Oak), a LoginModuleFactory, an External Identity Provider, and created all the required configurations (a default Synchronizer and external provider are linked to my login module)
 
I have create a login-page, a logout servlet, and my others pages in general. I'm able to request my home page, it redirect me to login-page when I'm not authenticated, and after log in I can see the home-page again. I'm able to log out too, being redirected to login-page. 
 
The External User that I'm using to log in is correctly added in the right group (administrators for test purposes).
 
The user is perfectly located in /home/"mypath"/:
 
The profile is correctly created and imported:
 
 
The ONLY PROBLEM is that the Home-page does has access to any resource outside of /content/myAppName. 
 
All its HTML content is shown: 
 
But I'm receiving 403 (Forbidden) for every other resource:
 
The AuthenticationHandler.extractCredentials implementation is saving the credential just in the session (no cookies so far).

 

Something like this:
 
private void setUserInSession(String user, HttpServletRequest request) {
   request.getSession(true).setAttribute(USER_KEY, user);
}
 
Is there any bug with external users?
 
I have no idea where else to seek.
このトピックへの返信は締め切られました。

3 の返信

smacdonald2008
smacdonald2008
Level 10
March 30, 2016

Looks like a bug - file a day care ticket. 

deisbel_diaz
deisbel_diaz作成者
Level 2
April 1, 2016
Hi:
 
More info. Depending of what credentials I'm using to authenticate (and where) we got many scenarios and results: 
 
1- I enter in the CRXDE Lite tool using "admin" user
 
After do that:
- I have access to everything in CRXDE Lite. 
- I'm able to open the others consoles (just pulling out their URL, with no extra authentication step) like http://localhost:4502/system/console/configMgr
- My website load perfectly with no extra authentication step (no forbidden access to any resource/asset)
 
Everything is normal, as expected. 
 
2- I first enter in the CRXDE Lite tool using an external user that belong to "administrators" group ("kirk" in my example). 
 
After do that:
I have access to everything in CRXDE Lite !!! 
 
- I'm NOT able to open the others consoles like http://localhost:4502/system/console/configMgr.  I can see this message in the logs: 
 
org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2 authenticate: User kirk1 is denied Web Console access
 
Looks like as additional check out is being done in the console tools. It's ok, no problem.
 
- My website load perfectly.
 
3- If I log out and after that I decide to enter first in my site using the same external credentials then: 
 
 CRXDE Lite does not show any info. It is loaded with anonimous user. 
 
- I'm able to load my site, but I have no access to any other resource out of /content/myapp. I receive many Forbidden Access to cause that only text with no format is visible in my pages.
 
So, from this facts I was able to see an important different in the logged user. 
 
When I log in CRXDELite first using an external user a ".token" node is create under the parent user node containing nodes for each active session. 
 
 
Inline image 1
 
Evidently I'm missing an important step during the authentication process: create a token that is expected for the Sling Framework. 
 
I saw in an old example I found in a blog that this token was created for the Login Module, but taking a look to the new Jackrabbit Oak there is no longer a method for this approach. 
 
I saw other source code (for a FormAuthenticationHandler) where some token is created during the extractCredentials method, saved in a cookie, etc. But, this example is linked to the old jackrabbit model, no with Oak. 
 
So, I'm totally lost about where and how take care of the .token creation. This article does not put in clear my doubts. 
 
Any help please? 
 
Lokesh_Shivalingaiah
Lokesh_Shivalingaiah
Level 10
April 1, 2016

OOB login, creates 'login-token' which is a session cookie. Are you seeing this cookie getting created ?

smacdonald2008
smacdonald2008
Level 10
April 1, 2016

Have you read this OAK doc: 

https://jackrabbit.apache.org/oak/docs/security/authentication/tokenmanagement.html

deisbel_diaz
deisbel_diaz作成者
Level 2
April 1, 2016

Yes, I have read it, but I got nothing in clear there.

Let me explain, I have implemented the following classes:

- MyAuthHandler
                extends DefaultAuthenticationFeedbackHandler
                implements AuthenticationHandler, AuthenticationFeedbackHandler

- MyAuthLoginModuleFactory implements LoginModuleFactory

- MyAuthLoginModule extends AbstractLoginModule

- MyAuthJsonIDP implements ExternalIdentityProvider

I have the right configuration linking every one of these pieces. I'm able to login, logout, etc. But, looks like AEM 6.1 require some special implementation related with token.

There are many rows in my jaas configuration, including the two mentioned in that articles

http://screencast.com/t/xDgNBx1wF0A

I can't neither understand the real scope of this paragraph:   

----

Token Creation

The creation of a new token is triggered by valid SimpleCredentials passed to the login module chain that contain an additional, empty .token attribute. The default TokenProvider implementation will consequently generate a new token and store it’s hash along with all mandatory and informative attributes to the new content node representing the new token.

------

I've tried to add an empty attribute ".token" to the AuthenticationInfo before exit of extractCredentials in MyAuthHandler but with no success. 

        AuthenticationInfo info = new AuthenticationInfo(AUTH_TYPE, user, psw.toCharArray());

        info.put(ACCESS_TOKEN_KEY, accessToken);
        info.put(USER_KEY, user);
        info.put(".token", "");

So, as you can see there should be a key piece of this puzzle that I'm not capable yet to figure out where to put.

Many libraries, APIs, different versions of these one, many incompatibilities, many AEM versions, etc, and to few real samples or articles about how to use them together have become in a big problem for me. Hopefully I'm very close to the end, but it looks like a maze.

.

deisbel_diaz
deisbel_diaz作成者
Level 2
April 20, 2016

Yes, I agree with you. The problem is that I was not able to locate some example about how to create this ".token" nor the sources of the AuthHandler by default. I appreciate so much your efforts to help me, thanks.  

In the CRXDE Lite's HomePage I can see this information:

Repository Information


I have finished the first version of the classes/services that allow me to log in using my external OAuth2 Provider. 
 
I've created an AuthenticationHandler and ExternalIdentityProvider. Using instances of the default "Apache Jackrabbit Oak External Login Module" and "Apache Jackrabbit Oak Default Sync Handler" I'm able to complete the whole authentication process/flow: 
 
- My "login servlet/path" makes a redirect to the authorization page in my OAuth2 Server. 
 
- The OAuth2Server calls back my local redirect url (other servlet) in charge of negotiate an access token. 
 
- The login flow takes place normally. 
 
** My AuthenticationHandler.extractCredentials do its job creating a SimpleCredentials
 
** The default login module delegate the login function in my external identity provider (IDP)
 
** My IDP returns External Instances of the authenticated oauth2 users with appropriated properties maps.
 
** The default sync handler is adding the new users as external users, and also putting it as administrators member (for test purposes)  
 
- Finally, my AuthenticationHandler.authenticationSucceded save the authenticated credentials in a cookie to allow extractCredentials to get them later.
 
That cookie is created following the same requirements in Form based Authentication Handler: 
https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
 
 
The pages located inside /content/myapp have permit to be accessed by the logged user in, but AEM is giving me Forbidden access to every assets located in others paths like: /libs, /etc, /apps.
 
I can't find any documentation that give me a clue about what else I have to do. 
 
The only one I was able to find are differences in the stored info between an user authenticated with CRXDE Lite (or the Defauul Login page) and my one.
 
That is what I'm going to try to show to you below:
 
 
After you log in AEM using the default Login Page, or through CRXDE Lite, the user registered in /home/user contains a ".token" node. 
 
It looks like AEM is only considering this info to give access to others resources. But, I've read every article that I've found and no one says something that give me a clue about how to do that. 
 
The next week there is a conference "Getting Beyond Basic Authentication" and I'm wondering if is possible to contact its authors to make them all the questions I have. 
 
Any recommendation? 
契約条件Accessibility statement

Loading footer...