Expand my Community achievements bar.

SOLVED

Resource at '/saml_login' is not modifiable.

Avatar

Level 2

We're using OOTB SAML auth handler for authentication and we have no issue with login and same being used since long time. However, For some reason we see below error in our logs occasionally and the same reported by the AMS team. We're not able to reproduce this issue at all. Did anyone come across such issue and any suggestions on how we can reproduce or avoid this error?

 

POST /saml_login HTTP/1.1] org.apache.sling.servlets.post.impl.operations.ModifyOperation Exception during response processing.
org.apache.sling.api.resource.PersistenceException: Resource at '/saml_login' is not modifiable.
at org.apache.sling.servlets.post.impl.helper.SlingPropertyValueHandler.setProperty(SlingPropertyValueHandler.java:114) [org.apache.sling.servlets.post:2.3.26]

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

That's a classic one. Let me walk you through my thinking:

 

  1. /saml_login as a path is not a path which is stored in the JCR repository (there we only have /libs, /apps, /content /var, /etc/, /oak:index, /jcr:system at the toplevel).
  2. It seems that here the SlingPostServlet fails to create this path in the repository (most likely missing write permissions).
  3. But is that really, what we can and should expect? "saml login" sounds like that someone tries to login via SAML, right?
  4. In that case we can imagine, that instead of creating a resource at /saml_login, rather a servlet bound to /saml_login should be invoked.
  5. But why is the SlingPostServlet invoked, if we would expect that another servlet is called?
  6. For background: The SlingPostServlet is registered as default, if no other servlet takes precedence, and it tries to create/modify resources in the repository.
  7. So in this case we expect that a servlet is invoked, but it is not. Which just leaves us with a single explanation:
  8. The servlet which we expect to be bound at /saml_login is not active.

So you should start the troubleshooting like this:

 

* do these messages just appear in single instances? Or rather in batches?

* can you correlate it with start and stop of other services?

 

 

 

 

View solution in original post

3 Replies

Avatar

Community Advisor

Check ACLs whether you have write permission or not.

Himanshu Jain

Avatar

Correct answer by
Employee Advisor

That's a classic one. Let me walk you through my thinking:

 

  1. /saml_login as a path is not a path which is stored in the JCR repository (there we only have /libs, /apps, /content /var, /etc/, /oak:index, /jcr:system at the toplevel).
  2. It seems that here the SlingPostServlet fails to create this path in the repository (most likely missing write permissions).
  3. But is that really, what we can and should expect? "saml login" sounds like that someone tries to login via SAML, right?
  4. In that case we can imagine, that instead of creating a resource at /saml_login, rather a servlet bound to /saml_login should be invoked.
  5. But why is the SlingPostServlet invoked, if we would expect that another servlet is called?
  6. For background: The SlingPostServlet is registered as default, if no other servlet takes precedence, and it tries to create/modify resources in the repository.
  7. So in this case we expect that a servlet is invoked, but it is not. Which just leaves us with a single explanation:
  8. The servlet which we expect to be bound at /saml_login is not active.

So you should start the troubleshooting like this:

 

* do these messages just appear in single instances? Or rather in batches?

* can you correlate it with start and stop of other services?

 

 

 

 

Avatar

Level 2

Hi @Jörg_Hoh @Himanshu_Jain  @prajwalreddi 

I have also face this exact issue recently and in my case, it was the certificate alias which was mismatching i.e. the alias from Truststore console was different than the one configured in the SAML OSGI configuration.

 

Thanks for posting the question and answers.