
SOLVED

Where to locate the configuration parameter for Form Based Authentication


Former Community Member

Hi,

I have been trying to write a custom authentication service based on form based authentication. There are a couple of problems that I am facing.

1) I was hoping to find out the default configuration parameters of Form Based Auth, but so far I have been unsuccessful. Can anybody shed some light on where I can find that configuration?

2) I can't see a form based authentication handler in the Felix Console (http://localhost:4503/system/console/slingauth), but it seems to work somehow. Is it not exposed?

3) I was trying to debug snippets in org.apache.sling.auth.core.impl.SlingAuthenticator and the Sling default authentication handler (DefaultAuthenticationFeedbackHandler), and the methods in those classes are behaving weirdly, i.e. methods that are declared are not being called despite the declaration.

I want to reuse the Sling Form Auth, as I don't want to handle the security myself and don't want to leave loose pieces here and there for attackers.

1 Accepted Solution


Correct answer by
Level 10

AFAIK 5.5 onwards does not ship a form based authentication handler. You might try installing the bundle from the Sling website.

What is the exact use case, and why can't you use the OOB provided authentication handler?


2 Replies



Former Community Member

Sham HC wrote...

AFAIK 5.5 onwards does not ship a form based authentication handler. You might try installing the bundle from the Sling website.

What is the exact use case, and why can't you use the OOB provided authentication handler?

I have a simple form where I am trying to log in the user with credentials that are stored in LDAP. If I use the default login, i.e. the POST request to j_security_check, this logs in the user, but since I have to validate a few custom conditions before allowing them to log in, I have written a custom handler which is very similar to the Form Handler on the Sling website, the only difference being that the value j_security_check was changed to j_custom_security_check. I was hoping that this would also let the user log in, as happens with a request to j_security_check.

What I am observing is that with valid credentials authenticationSucceeded is called, but then j_reason is set to INVALID_CREDENTIALS and I see the exception below in the logs. Similarly, when I happen to supply wrong credentials I get "username and password do not match".

Should I not be using the Form Based Auth? Also, if everything goes fine, will I see a login-token cookie in my browser or appropriate headers once I somehow get this to work? The service ranking of the custom handler is 0, in case that helps.

02.05.2014 10:30:47.569 *DEBUG* [0:0:0:0:0:0:0:1 [1398983447488] GET /content/geometrixx/en.html HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: Trying to get a session for samthadhani@email.com

02.05.2014 10:30:47.726 *INFO* [0:0:0:0:0:0:0:1 [1398983447488] GET /content/geometrixx/en.html HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure: Unable to authenticate samthadhani@email.com: null
02.05.2014 10:30:47.726 *DEBUG* [0:0:0:0:0:0:0:1 [1398983447488] GET /content/geometrixx/en.html HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure org.apache.sling.api.resource.LoginException
    at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getLoginException(JcrResourceProviderFactory.java:266)
    at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProviderInternal(JcrResourceProviderFactory.java:175)
    at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProvider(JcrResourceProviderFactory.java:107)
    at org.apache.sling.resourceresolver.impl.tree.ResourceProviderFactoryHandler.login(ResourceProviderFactoryHandler.java:164)
    at org.apache.sling.resourceresolver.impl.tree.RootResourceProviderEntry.loginToRequiredFactories(RootResourceProviderEntry.java:95)
    at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolverInternal(ResourceResolverFactoryImpl.java:95)
    at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:76)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.getResolver(SlingAuthenticator.java:749)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:483)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:438)
    at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:148)
    at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:272)
    at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:91)
    at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:79)
    at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:42)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:49)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
    at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:127)
    at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88)
    at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
    at org.apache.felix.http.sslfilter.internal.SslFilter.doFilter(SslFilter.java:55)
    at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88)
    at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
    at com.adobe.granite.license.impl.LicenseCheckFilter.doFilter(LicenseCheckFilter.java:179)
    at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88)
    at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
    at org.apache.sling.security.impl.ReferrerFilter.doFilter(ReferrerFilter.java:263)
    at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88)
    at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
    at org.apache.sling.engine.impl.log.RequestLoggerFilter.doFilter(RequestLoggerFilter.java:75)
    at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88)
    at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
    at org.apache.felix.http.base.internal.dispatch.FilterPipeline.dispatch(FilterPipeline.java:48)
    at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:39)
    at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:67)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at com.day.j2ee.servletengine.ServletRuntimeEnvironment.service(ServletRuntimeEnvironment.java:250)
    at com.day.j2ee.servletengine.RequestDispatcherImpl.doFilter(RequestDispatcherImpl.java:321)
    at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:340)
    at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:383)
    at com.day.j2ee.servletengine.ServletHandlerImpl.process(ServletHandlerImpl.java:335)
    at com.day.j2ee.servletengine.HttpListener$Worker.run(HttpListener.java:644)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.auth.login.FailedLoginException
    at org.apache.jackrabbit.core.security.authentication.AbstractLoginModule.authenticate(AbstractLoginModule.java:458)
    at org.apache.jackrabbit.core.security.authentication.AbstractLoginModule.login(AbstractLoginModule.java:332)
    at com.day.crx.security.ldap.LDAPLoginModule.login(LDAPLoginModule.java:234)
    at sun.reflect.GeneratedMethodAccessor64.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at org.apache.jackrabbit.core.security.authentication.JAASAuthContext.login(JAASAuthContext.java:60)
    at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1465)
    at com.day.crx.mount.virtual.VirtualRepository$1.call(VirtualRepository.java:107)
    at com.day.crx.mount.Util.callWithContextClassLoader(Util.java:123)
    at com.day.crx.mount.virtual.VirtualRepository.login(VirtualRepository.java:105)
    at com.day.crx.sling.server.impl.SlingRepositoryWrapper.login(SlingRepositoryWrapper.java:127)
    at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProviderInternal(JcrResourceProviderFactory.java:144)
    ... 51 more
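A worked sketch of the kind of custom handler the reply above describes, added here as an example; it is not code from the thread, from Apache Sling or from Adobe. It assumes the Felix SCR annotations, the Sling auth.core SPI (AuthenticationHandler, AuthenticationInfo, DefaultAuthenticationFeedbackHandler), and made-up names for the package, the login form path and the "custom condition". The point it illustrates, which the stack trace in the post confirms, is that a handler only extracts credentials and applies its own checks: the password itself is verified by the repository login that SlingAuthenticator.getResolver() triggers (the LDAPLoginModule in the trace), so renaming j_security_check to j_custom_security_check changes nothing about who accepts or rejects the credentials. Two details practitioners trip over are also shown: the Sling authenticator only consults (and the /system/console/slingauth page only lists) handlers registered with a path property, and the redirect target taken from the form must be validated before use.

```java
// Added example; not Sling/AEM code. Package, login form path and the custom rule are assumed.
package com.example.auth;

import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.auth.Authenticator;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.osgi.framework.Constants;

@Component(immediate = true)
@Service(AuthenticationHandler.class)
@Properties({
    // No "path" property means the handler is never consulted and never shows up at /system/console/slingauth.
    @Property(name = AuthenticationHandler.PATH_PROPERTY, value = "/"),
    @Property(name = AuthenticationHandler.TYPE_PROPERTY, value = "CUSTOM_FORM", propertyPrivate = true),
    // Rank above the shipped handlers on the same path so this one is asked first (the post used 0).
    @Property(name = Constants.SERVICE_RANKING, intValue = 100)
})
public class CustomFormAuthenticationHandler extends DefaultAuthenticationFeedbackHandler
        implements AuthenticationHandler {

    static final String AUTH_TYPE = "CUSTOM_FORM";                      // assumed
    static final String CHECK_URL_SUFFIX = "/j_custom_security_check";  // the suffix used in the post
    static final String PAR_USERNAME = "j_username";
    static final String PAR_PASSWORD = "j_password";
    static final String LOGIN_FORM = "/content/login.html";             // assumed

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
        // Credentials are taken only from a POST to the check URL. Anything else gets null,
        // which tells SlingAuthenticator "nothing from me, ask the next handler".
        if (!"POST".equals(request.getMethod()) || !request.getRequestURI().endsWith(CHECK_URL_SUFFIX)) {
            return null;
        }
        String user = request.getParameter(PAR_USERNAME);
        String password = request.getParameter(PAR_PASSWORD);
        if (user == null || password == null) {
            return AuthenticationInfo.FAIL_AUTH;           // authenticator will call requestCredentials()
        }
        // The custom checks from the post belong here and must short-circuit on failure:
        // a populated AuthenticationInfo would still be handed to the repository login.
        if (!customConditionsHold(user)) {
            request.setAttribute(FAILURE_REASON, "custom_check_failed");   // assumed reason text
            return AuthenticationInfo.FAIL_AUTH;
        }
        // Nothing is verified here. SlingAuthenticator.getResolver() passes this object to
        // ResourceResolverFactory.getResourceResolver(), i.e. to the JCR/LDAP login in the trace.
        return new AuthenticationInfo(AUTH_TYPE, user, password.toCharArray());
    }

    @Override
    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // Invoked for FAIL_AUTH and after the repository rejected the credentials.
        String requested = request.getParameter(REQUEST_LOGIN_PARAMETER);
        if (requested != null && !AUTH_TYPE.equals(requested)) {
            return false;                                  // caller explicitly asked for another handler
        }
        // After a failed POST, go back to the resource the form named, not to the check URL itself.
        String back = request.getRequestURI().endsWith(CHECK_URL_SUFFIX)
                ? request.getParameter(Authenticator.LOGIN_RESOURCE) : request.getRequestURI();
        StringBuilder target = new StringBuilder(request.getContextPath()).append(LOGIN_FORM)
                .append('?').append(Authenticator.LOGIN_RESOURCE).append('=')
                .append(URLEncoder.encode(safeTarget(back), "UTF-8"));
        Object reason = request.getAttribute(FAILURE_REASON);      // set by the authenticator or above
        if (reason != null) {
            target.append('&').append(FAILURE_REASON).append('=')
                  .append(URLEncoder.encode(String.valueOf(reason), "UTF-8"));
        }
        response.sendRedirect(target.toString());
        return true;                                       // response is complete
    }

    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // This example persists no login state, so every request must re-POST credentials.
        // A real handler stores the login in authenticationSucceeded() (Sling's FormAuthenticationHandler
        // uses a cookie or the HTTP session) and revokes exactly that state here on logout.
    }

    @Override
    public boolean authenticationSucceeded(HttpServletRequest request, HttpServletResponse response,
                                           AuthenticationInfo authInfo) {
        // Only reached after ResourceResolverFactory.getResourceResolver(authInfo) succeeded.
        // For the form POST, send the browser on to the validated target and stop processing.
        if (request.getRequestURI().endsWith(CHECK_URL_SUFFIX)) {
            try {
                response.sendRedirect(safeTarget(request.getParameter(Authenticator.LOGIN_RESOURCE)));
                return true;
            } catch (IOException e) {
                return false;
            }
        }
        return false;                                      // let the request continue normally
    }

    /** Stand-in for the post's "custom conditions" (assumed rule: e-mail style user ids only). */
    private static boolean customConditionsHold(String user) {
        return user.indexOf('@') > 0 && user.length() <= 254;
    }

    /** Accept only same-site absolute paths as redirect targets; anything else becomes "/". */
    static String safeTarget(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//") || target.startsWith("/\\")) {
            return "/";
        }
        return target;
    }
}
```

Deploying this next to the shipped handlers is enough to reproduce the sequence in the posted log: a POST to /content/j_custom_security_check reaches extractCredentials, the returned AuthenticationInfo goes to the repository login, and if the login module throws, SlingAuthenticator logs "Unable to authenticate", sets j_reason and calls requestCredentials, which is where the redirect to the login form with the failure reason comes from.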