Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

Where to locate the configuration parameter for Form Based Authentication

Avatar

Not applicable

Hi,

I have been trying to write a custom authentication service based on the form based authentication.  There are a couple of problems that i am facing.

1) Was hoping to find out the default configuration parameters of Form Based Auth but so far i have been unsuccessful. Can anybody shed some light where can i find that configuration.

2) I can't see form based authentication handler in Felix Console http://localhost:4503/system/console/slingauth but it seems to work somehow. Is it not exposed?

3) I was trying to debug snippets in org.apache.sling.auth.core.impl.SlingAuthenticator, sling default authentication handler (DefaultAuthenticationFeedbackHandler) and the methods in those class are behaving weird i.e. methods that are declared are not being called despite of the fact that declaration. 

I want to reuse the Sling Form Auth as i don't want to handle the security myself and don't want loose pieces here and there for attackers.

1 Accepted Solution

Avatar

Correct answer by
Level 10

AFAIK from 5.5 do not ship form based authentication handler. You might try installing the bundle from sling website. 

What is exact use case & why can't use OOB provided authentication handler.

View solution in original post

0 Replies

Avatar

Correct answer by
Level 10

AFAIK from 5.5 do not ship form based authentication handler. You might try installing the bundle from sling website. 

What is exact use case & why can't use OOB provided authentication handler.

Avatar

Not applicable

Sham HC wrote...

AFAIK from 5.5 do not ship form based authentication handler. You might try installing the bundle from sling website. 

What is exact use case & why can't use OOB provided authentication handler.

 

I have simple form where i am trying to login the user the credentials that are stored in LDAP. If i use the default login i.e. the POST request to j_security_check, this is logging in the user but since i have to validate few custom conditions before allowing them to login i have written a custom handler which is very similar to the Form Handler at sling website only difference being the value j_security_check was changed to j_custom_security_check. I was hoping that this will also let the user log in as it happens with a request to j_security_check.

What i am observing is that with valid credentials authenticationSucceeded is called but then the j_reason is set to INVALID_CREDENTIALS and i see the below exception in the logs. Similarly, when i happen to supply wrong credentials i am getting username and password do not match.

Should i not be using the Form Based Auth? Also, if everything goes fine will i see a login-token cookie is my browser or appropriate headers once i somehow get this to work. The service ranking of custom handler is 0 in case that helps.

 

02.05.2014 10:30:47.569 *DEBUG* [0:0:0:0:0:0:0:1 [1398983447488] GET /content/geometrixx/en.html HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: Trying to get a session for samthadhani@email.com

02.05.2014 10:30:47.726 *INFO* [0:0:0:0:0:0:0:1 [1398983447488] GET /content/geometrixx/en.html HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure: Unable to authenticate samthadhani@email.com: null
02.05.2014 10:30:47.726 *DEBUG* [0:0:0:0:0:0:0:1 [1398983447488] GET /content/geometrixx/en.html HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure org.apache.sling.api.resource.LoginException
    at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getLoginException(JcrResourceProviderFactory.java:266)
    at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProviderInternal(JcrResourceProviderFactory.java:175)
    at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProvider(JcrResourceProviderFactory.java:107)
    at org.apache.sling.resourceresolver.impl.tree.ResourceProviderFactoryHandler.login(ResourceProviderFactoryHandler.java:164)
    at org.apache.sling.resourceresolver.impl.tree.RootResourceProviderEntry.loginToRequiredFactories(RootResourceProviderEntry.java:95)
    at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolverInternal(ResourceResolverFactoryImpl.java:95)
    at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:76)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.getResolver(SlingAuthenticator.java:749)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:483)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:438)
    at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:148)
    at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:272)
    at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:91)
    at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:79)
    at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:42)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:49)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
    at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:127)
    at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88)
    at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
    at org.apache.felix.http.sslfilter.internal.SslFilter.doFilter(SslFilter.java:55)
    at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88)
    at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
    at com.adobe.granite.license.impl.LicenseCheckFilter.doFilter(LicenseCheckFilter.java:179)
    at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88)
    at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
    at org.apache.sling.security.impl.ReferrerFilter.doFilter(ReferrerFilter.java:263)
    at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88)
    at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
    at org.apache.sling.engine.impl.log.RequestLoggerFilter.doFilter(RequestLoggerFilter.java:75)
    at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88)
    at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
    at org.apache.felix.http.base.internal.dispatch.FilterPipeline.dispatch(FilterPipeline.java:48)
    at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:39)
    at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:67)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at com.day.j2ee.servletengine.ServletRuntimeEnvironment.service(ServletRuntimeEnvironment.java:250)
    at com.day.j2ee.servletengine.RequestDispatcherImpl.doFilter(RequestDispatcherImpl.java:321)
    at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:340)
    at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:383)
    at com.day.j2ee.servletengine.ServletHandlerImpl.process(ServletHandlerImpl.java:335)
    at com.day.j2ee.servletengine.HttpListener$Worker.run(HttpListener.java:644)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.auth.login.FailedLoginException
    at org.apache.jackrabbit.core.security.authentication.AbstractLoginModule.authenticate(AbstractLoginModule.java:458)
    at org.apache.jackrabbit.core.security.authentication.AbstractLoginModule.login(AbstractLoginModule.java:332)
    at com.day.crx.security.ldap.LDAPLoginModule.login(LDAPLoginModule.java:234)
    at sun.reflect.GeneratedMethodAccessor64.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at org.apache.jackrabbit.core.security.authentication.JAASAuthContext.login(JAASAuthContext.java:60)
    at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1465)
    at com.day.crx.mount.virtual.VirtualRepository$1.call(VirtualRepository.java:107)
    at com.day.crx.mount.Util.callWithContextClassLoader(Util.java:123)
    at com.day.crx.mount.virtual.VirtualRepository.login(VirtualRepository.java:105)
    at com.day.crx.sling.server.impl.SlingRepositoryWrapper.login(SlingRepositoryWrapper.java:127)
    at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProviderInternal(JcrResourceProviderFactory.java:144)
    ... 51 more