Adobe Experience Manager Sites & More

prajwalreddi · 3/16/22

We're using OOTB SAML auth handler for authentication and we have no issue with login and same being used since long time. However, For some reason we see below error in our logs occasionally and the same reported by the AMS team. We're not able to reproduce this issue at all. Did anyone come across such issue and any suggestions on how we can reproduce or avoid this error?

POST /saml_login HTTP/1.1] org.apache.sling.servlets.post.impl.operations.ModifyOperation Exception during response processing.
org.apache.sling.api.resource.PersistenceException: Resource at '/saml_login' is not modifiable.
at org.apache.sling.servlets.post.impl.helper.SlingPropertyValueHandler.setProperty(SlingPropertyValueHandler.java:114) [org.apache.sling.servlets.post:2.3.26]

Jörg_Hoh · 3/17/22

That's a classic one. Let me walk you through my thinking:

/saml_login as a path is not a path which is stored in the JCR repository (there we only have /libs, /apps, /content /var, /etc/, /oak:index, /jcr:system at the toplevel).
It seems that here the SlingPostServlet fails to create this path in the repository (most likely missing write permissions).
But is that really, what we can and should expect? "saml login" sounds like that someone tries to login via SAML, right?
In that case we can imagine, that instead of creating a resource at /saml_login, rather a servlet bound to /saml_login should be invoked.
But why is the SlingPostServlet invoked, if we would expect that another servlet is called?
For background: The SlingPostServlet is registered as default, if no other servlet takes precedence, and it tries to create/modify resources in the repository.
So in this case we expect that a servlet is invoked, but it is not. Which just leaves us with a single explanation:
The servlet which we expect to be bound at /saml_login is not active.

So you should start the troubleshooting like this:

* do these messages just appear in single instances? Or rather in batches?

* can you correlate it with start and stop of other services?

View solution in original post

Himanshu_Jain · 3/17/22

Check ACLs whether you have write permission or not.

Himanshu Jain

Jörg_Hoh · 3/17/22

That's a classic one. Let me walk you through my thinking:

/saml_login as a path is not a path which is stored in the JCR repository (there we only have /libs, /apps, /content /var, /etc/, /oak:index, /jcr:system at the toplevel).
It seems that here the SlingPostServlet fails to create this path in the repository (most likely missing write permissions).
But is that really, what we can and should expect? "saml login" sounds like that someone tries to login via SAML, right?
In that case we can imagine, that instead of creating a resource at /saml_login, rather a servlet bound to /saml_login should be invoked.
But why is the SlingPostServlet invoked, if we would expect that another servlet is called?
For background: The SlingPostServlet is registered as default, if no other servlet takes precedence, and it tries to create/modify resources in the repository.
So in this case we expect that a servlet is invoked, but it is not. Which just leaves us with a single explanation:
The servlet which we expect to be bound at /saml_login is not active.

So you should start the troubleshooting like this:

* do these messages just appear in single instances? Or rather in batches?

* can you correlate it with start and stop of other services?

prsn1034 · 6/15/24

Hi @Jörg_Hoh @Himanshu_Jain @prajwalreddi

I have also face this exact issue recently and in my case, it was the certificate alias which was mismatching i.e. the alias from Truststore console was different than the one configured in the SAML OSGI configuration.

Thanks for posting the question and answers.

Adobe Experience Manager Sites & More

Resource at '/saml_login' is not modifiable.

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe