Hello,
Our team is trying to implement a third-party authentication service called DocCheck. In our tests we have found an issue where sometimes authenticating using this service works and other times we get a 403 error code. We reached out to their team and they said:
What we experienced is that sometimes the exact same session-ID is set for your users:
-S2JhuvEP0EZxkC9-pJX_Jt6kkZhMDu9SmiCFoY-WA2lujLVu89DWdmilkRv2OgK70scAFVfqpHBg3pANzX9kgnrYpDsPzdx4HVNEMKCqZ1FSLj4dMA== (redacted)
You pass this session-ID via the login ID and we hash it, so you can check if the user came from DocCheck. But every time this exact session-ID gets set (and hashed on our end), we end up on the 403 on your end. Maybe that is a lead.
In general, we always succeed in passing the DocCheck end of the login, and we also end up on your target /content/site/country/j_brand_security with the expected parameters that are used for the authentication on your end (as far as we know): session_id and session_id_enc. But sometimes it throws the 403 and stops your authentication process.
Another thing that some customers are facing is timeframes that are too short when it comes to the authentication process. When timeframes are set too tightly, the authentication process can fail too. But the repeating session-ID seems very suspicious, so maybe it's worth digging deeper into that for now.
I have checked the logs and found the following repeating debug messages:
02.05.2021 00:00:00.093 *DEBUG* [qtp1051107223-482182] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: No credentials in the request, anonymous
02.05.2021 00:00:00.094 *DEBUG* [qtp1051107223-482182] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=anonymous
02.05.2021 00:00:00.882 *DEBUG* [qtp1051107223-481268] org.apache.sling.auth.core.impl.SlingAuthenticator getAuthenticationInfo: no handler could extract credentials; assuming anonymous
Is the session ID always being the same the potential cause of this issue? As a temporary solution I was thinking of allowing anonymous users to log in via the http://<env_path>/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuthenticator configuration, but I am unsure what this could affect. When a user enters an incorrect login, the DocCheck service redirects to another page, so the issue is only with valid users.
Hi @Jeanmaradiaga,
Based on the log messages, it looks like your custom Authentication Handler (which has the logic of extracting credentials from the login form/request) is not visible to, or not considered by, the Sling Authenticator.
Can you confirm whether your handler is available under "Registered Authentication Handlers" for the path you are trying to access? (Navigate to Sling Authenticator in the Felix console via http://localhost:4502/system/console/slingauth)
If possible, please share code or high level implementation details that you are following.
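To make the answer above concrete, here is an added example (not code from this thread, from Adobe, or from DocCheck) of what a custom Sling AuthenticationHandler for a callback like the one described looks like. It is a DS component registered with the `path` service property, which is what makes it appear under "Registered Authentication Handlers" for `/content/site` in `/system/console/slingauth`; its `extractCredentials` reads `session_id` and `session_id_enc` from the callback request and checks them before handing an `AuthenticationInfo` to the Sling Authenticator. Everything about the hash is an assumption for illustration: the thread does not say how DocCheck computes `session_id_enc`, so the example assumes it is the hex SHA-256 of `session_id` concatenated with a shared secret taken from a hypothetical `DOCCHECK_SECRET` environment variable. The package name, class name and the way a user id is derived from the session id are likewise placeholders. Mapping the returned `AuthenticationInfo` to an actual repository user (a LoginModule or pre-authenticated credentials) is not shown.

```java
package com.example.doccheck; // hypothetical package, not from the thread

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.osgi.service.component.annotations.Component;

// Registered for /content/site: without a "path" property covering the login target
// (/content/site/country/j_brand_security), SlingAuthenticator never asks this handler
// and logs "no handler could extract credentials; assuming anonymous".
@Component(
    service = AuthenticationHandler.class,
    property = {
        AuthenticationHandler.PATH_PROPERTY + "=/content/site",
        AuthenticationHandler.TYPE_PROPERTY + "=DocCheck",
        "service.ranking:Integer=100"
    })
public class DocCheckAuthenticationHandler implements AuthenticationHandler {

    static final String AUTH_TYPE = "DocCheck";

    // ASSUMPTION: shared secret used in the hash; the thread does not document the real scheme.
    private static final String SHARED_SECRET =
        System.getenv().getOrDefault("DOCCHECK_SECRET", "change-me");

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request,
                                                 HttpServletResponse response) {
        String sessionId = request.getParameter("session_id");
        String sessionIdEnc = request.getParameter("session_id_enc");

        // Not a DocCheck callback: return null so other handlers (or anonymous) apply.
        if (sessionId == null || sessionId.isEmpty() || sessionIdEnc == null) {
            return null;
        }

        // Parameters present but hash does not match: fail this request explicitly
        // instead of silently falling through to anonymous.
        if (!isValidCallback(sessionId, sessionIdEnc, SHARED_SECRET)) {
            request.setAttribute(AuthenticationHandler.FAILURE_REASON,
                "DocCheck session_id_enc does not match session_id");
            return AuthenticationInfo.FAIL_AUTH;
        }

        // ASSUMPTION: user id derived from the session id; a real deployment would look the
        // user up (or map it via a LoginModule) rather than using the session id directly.
        String userId = "doccheck-" + sha256Hex(sessionId).substring(0, 16);
        return new AuthenticationInfo(AUTH_TYPE, userId);
    }

    @Override
    public boolean requestCredentials(HttpServletRequest request,
                                      HttpServletResponse response) throws IOException {
        // The login itself starts on the DocCheck side; this handler cannot initiate it.
        return false;
    }

    @Override
    public void dropCredentials(HttpServletRequest request,
                                HttpServletResponse response) throws IOException {
        // Nothing is stored by this handler, so there is nothing to drop.
    }

    // ASSUMPTION: session_id_enc == hex(SHA-256(session_id + secret)).
    static boolean isValidCallback(String sessionId, String sessionIdEnc, String secret) {
        String expected = sha256Hex(sessionId + secret);
        // Constant-time comparison so the check does not leak how many leading bytes matched.
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            sessionIdEnc.toLowerCase().getBytes(StandardCharsets.UTF_8));
    }

    static String sha256Hex(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in the JRE", e);
        }
    }
}
```

Two things to verify against this shape when debugging the 403: first, that the handler's `path` value actually covers the target URL, since a handler registered for a different or narrower path is simply skipped and the request is served as anonymous; second, that the handler returns `null` only when the DocCheck parameters are genuinely absent, because a `null` return for a request that does carry `session_id` and `session_id_enc` produces exactly the "no handler could extract credentials; assuming anonymous" log line from the question, followed by the 403 when the anonymous user cannot read the target.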