ActiveMQ Artemis AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from SSL certificate subject DN: unavailable - activemq-artemis

The same user with the same password works after we restart the broker (ActiveMQ Artemis 2.19.0).
With different random users we get the following error message:
AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /172.27.48.12:49550. Username: lot-sfmsri.fenmqprd; SSL certificate subject DN: unavailable
2021-11-16 23:05:03,150 WARN [org.apache.activemq.artemis.core.client] AMQ212037: Connection failure to /172.27.48.12:49478 has been detected: User name [lot-sfmsri.fenmqprd] or password is invalid. [code=GENERIC_EXCEPTION]
(component = org.apache.activemq.artemis.core.client, host = fenacosrv43113, log_level = WARN, source = /amq_prd/log/artemis.log)
After a restart of the broker other users have the same problem.
We use Active Directory as the LDAP directory (multiple servers). Here's the login.config:
activemq {
/*
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
debug=false
reload=true
org.apache.activemq.jaas.properties.user="artemis-users.properties"
org.apache.activemq.jaas.properties.role="artemis-roles.properties";
org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient
debug=false
org.apache.activemq.jaas.guest.user="admin"
org.apache.activemq.jaas.guest.role="amq";
*/
org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient
debug=true
initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
/*
connectionURL - specify the location of the directory server using an ldap URL, ldap://Host:Port.
You can optionally qualify this URL, by adding a forward slash, /, followed by the DN of a particular node in the directory tree.
For example, ldap://ldapserver:10389/ou=system.
*/
/*
connectionURL="ldap://main.corp.fenaco.com:389/"
*/
connectionURL="ldap://ad-ldap-rzsur.main.corp.fenaco.com:389/"
/*
authentication - specifies the authentication method used when binding to the LDAP server. Can take either of the values,
- simple (username and password),
- GSSAPI (Kerberos SASL) or
- none (anonymous)
*/
authentication="simple"
/*
connectionUsername - the DN of the user that opens the connection to the directory server. For example, uid=admin,ou=system.
Directory servers generally require clients to present username/password credentials in order to open a connection.
*/
connectionUsername="CN=lot-fenit.amq,OU=Admins,OU=fou-fenit,DC=main,DC=corp,DC=fenaco,DC=com"
/*
connectionPassword - the password that matches the DN from connectionUsername. In the directory server, in the DIT, the password is normally stored as a userPassword attribute in the corresponding directory entry.
*/
connectionPassword="xxxxxxxxxxxxx"
/*
saslLoginConfigScope - the scope in JAAS configuration (login.config) to use to obtain Kerberos initiator credentials when the authentication method is SASL GSSAPI. The default value is broker-sasl-gssapi
*/
/*
connectionProtocol - currently, the only supported value is a blank string.
In future, this option will allow you to select the Secure Socket Layer (SSL) for the connection to the directory server.
This option must be set explicitly to an empty string, because it has no default value.
*/
connectionProtocol=""
/*
connectionPool - boolean, enable the LDAP connection pool property 'com.sun.jndi.ldap.connect.pool'. Note that the pool is configured at the jvm level with system properties.
*/
connectionPool=true
/*
connectionTimeout - specifies the string representation of an integer representing the connection timeout in milliseconds.
If the LDAP provider cannot establish a connection within that period, it aborts the connection attempt. The integer should be greater than zero.
An integer less than or equal to zero means to use the network protocol's (i.e., TCP's) timeout value.
If connectionTimeout is not specified, the default is to wait for the connection to be established or until the underlying network times out.
When connection pooling has been requested for a connection, this property also determines the maximum wait time for a connection when all connections in the pool are in use and the maximum pool size has been reached.
If the value of this property is less than or equal to zero under such circumstances, the provider will wait indefinitely for a connection to become available; otherwise,
the provider will abort the wait when the maximum wait time has been exceeded. See connectionPool for more details.
*/
connectionTimeout="0"
/*
readTimeout - specifies the string representation of an integer representing the read timeout in milliseconds for LDAP operations. If the LDAP provider cannot get a LDAP response within that period,
it aborts the read attempt. The integer should be greater than zero. An integer less than or equal to zero means no read timeout is specified which is equivalent to waiting for the response infinitely until it is received.
If readTimeout is not specified, the default is to wait for the response until it is received.
*/
readTimeout="60000"
/*
userBase - selects a particular subtree of the DIT to search for user entries. The subtree is specified by a DN, which specifies the base node of the subtree.
For example, by setting this option to ou=User,ou=ActiveMQ,ou=system, the search for user entries is restricted to the subtree beneath the ou=User,ou=ActiveMQ,ou=system node.
*/
userBase="DC=main,DC=corp,DC=fenaco,DC=com"
/*
userSearchMatching - specifies an LDAP search filter, which is applied to the subtree selected by userBase. Before passing to the LDAP search operation,
the string value you provide here is subjected to string substitution, as implemented by the java.text.MessageFormat class.
Essentially, this means that the special string, {0}, is substituted by the username, as extracted from the incoming client credentials.
After substitution, the string is interpreted as an LDAP search filter, where the LDAP search filter syntax is defined by the IETF standard, RFC 2254.
A short introduction to the search filter syntax is available from Oracle's JNDI tutorial, Search Filters.
For example, if this option is set to (uid={0}) and the received username is jdoe, the search filter becomes (uid=jdoe) after string substitution.
If the resulting search filter is applied to the subtree selected by the user base, ou=User,ou=ActiveMQ,ou=system, it would match the entry,
uid=jdoe,ou=User,ou=ActiveMQ,ou=system (and possibly more deeply nested entries, depending on the specified search depth—see the userSearchSubtree option).
*/
userSearchMatching="(sAMAccountName={0})"
/*
userSearchSubtree - specify the search depth for user entries, relative to the node specified by userBase. This option is a boolean.
- false indicates it will try to match one of the child entries of the userBase node (maps to javax.naming.directory.SearchControls.ONELEVEL_SCOPE).
- true indicates it will try to match any entry belonging to the subtree of the userBase node (maps to javax.naming.directory.SearchControls.SUBTREE_SCOPE).
*/
userSearchSubtree=true
/*
userRoleName - specifies the name of the multi-valued attribute of the user entry that contains a list of role names for the user (where the role names are interpreted as group names by the broker's authorization plug-in).
If you omit this option, no role names are extracted from the user entry.
*/
userRoleName="memberOf"
/*
roleBase - if you want to store role data directly in the directory server, you can use a combination of role options (roleBase, roleSearchMatching, roleSearchSubtree, and roleName)
as an alternative to (or in addition to) specifying the userRoleName option. This option selects a particular subtree of the DIT to search for role/group entries.
The subtree is specified by a DN, which specifies the base node of the subtree. For example, by setting this option to ou=Group,ou=ActiveMQ,ou=system,
the search for role/group entries is restricted to the subtree beneath the ou=Group,ou=ActiveMQ,ou=system node.
*/
roleBase="DC=main,DC=corp,DC=fenaco,DC=com"
/*
roleName - specifies the attribute type of the role entry that contains the name of the role/group (e.g. C, O, OU, etc.). If you omit this option, the role search feature is effectively disabled.
*/
roleName="cn"
/*
roleSearchMatching - specifies an LDAP search filter, which is applied to the subtree selected by roleBase. This works in a similar manner to the userSearchMatching option,
except that it supports two substitution strings, as follows:
- {0} - substitutes the full DN of the matched user entry (that is, the result of the user search).
For example, for the user, jdoe, the substituted string could be uid=jdoe,ou=User,ou=ActiveMQ,ou=system.
- {1} - substitutes the received username. For example, jdoe.
For example, if this option is set to (member=uid={1}) and the received username is jdoe, the search filter becomes (member=uid=jdoe) after string substitution (assuming ApacheDS search filter syntax).
If the resulting search filter is applied to the subtree selected by the role base, ou=Group,ou=ActiveMQ,ou=system, it matches all role entries that have a member attribute
equal to uid=jdoe (the value of a member attribute is a DN).
This option must always be set, even if role searching is disabled, because it has no default value.
If you use OpenLDAP, the syntax of the search filter is (member:=uid=jdoe)
*/
roleSearchMatching="(member:1.2.840.113556.1.4.1941:={0})"
/*
roleSearchSubtree - specify the search depth for role entries, relative to the node specified by roleBase. This option can take boolean values, as follows:
- false (default) - try to match one of the child entries of the roleBase node (maps to javax.naming.directory.SearchControls.ONELEVEL_SCOPE).
- true — try to match any entry belonging to the subtree of the roleBase node (maps to javax.naming.directory.SearchControls.SUBTREE_SCOPE).
*/
roleSearchSubtree=true
/*
authenticateUser - boolean flag to disable authentication. Useful as an optimisation when this module is used just for role mapping of a Subject's existing authenticated principals;
default is false
*/
authenticateUser=true
/*
referral - specify how to handle referrals; valid values: ignore, follow, throw;
default is ignore
*/
referral="ignore"
/*
ignorePartialResultException - boolean flag for use when searching Active Directory (AD). AD servers don't handle referrals automatically,
which causes a PartialResultException to be thrown when referrals are encountered by a search, even if referral is set to ignore. Set to true to ignore these exceptions;
default is false
*/
ignorePartialResultException=true
/*
expandRoles - boolean indicating whether to enable the role expansion functionality or not;
default false.
If enabled, then roles within roles will be found. For example, role A is in role B. User X is in role A, which means user X is in role B by virtue of being in role A
*/
expandRoles=false
/*
expandRolesMatching - specifies an LDAP search filter which is applied to the subtree selected by roleBase. Before passing to the LDAP search operation,
the string value you provide here is subjected to string substitution, as implemented by the java.text.MessageFormat class.
Essentially, this means that the special string, {0}, is substituted by the role name as extracted from the previous role search.
This option must always be set to enable role expansion because it has no default value. Example value: (member={0})
*/
expandRolesMatching="(member:1.2.840.113556.1.4.1941:={0})"
reload=true;
};
There are many of these "PartialResultException" error messages:
2021-11-23 14:53:39,282 WARN [org.apache.activemq.artemis.core.server] AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /172.28.84.139:57345. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,282 INFO [org.apache.activemq.audit.resource] AMQ601716: User anonymous#172.28.84.139:57345 failed authentication, reason: AMQ229031: Unable to validate user from /172.28.84.139:57345. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,285 WARN [org.apache.activemq.artemis.core.server] AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /172.28.84.139:57346. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,285 INFO [org.apache.activemq.audit.resource] AMQ601716: User anonymous#172.28.84.139:57346 failed authentication, reason: AMQ229031: Unable to validate user from /172.28.84.139:57346. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,285 WARN [org.apache.activemq.artemis.core.server] AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /172.28.84.139:57347. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,285 INFO [org.apache.activemq.audit.resource] AMQ601716: User anonymous#172.28.84.139:57347 failed authentication, reason: AMQ229031: Unable to validate user from /172.28.84.139:57347. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,287 WARN [org.apache.activemq.artemis.core.server] AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /172.28.84.139:57349. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,287 INFO [org.apache.activemq.audit.resource] AMQ601716: User anonymous#172.28.84.139:57349 failed authentication, reason: AMQ229031: Unable to validate user from /172.28.84.139:57349. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,288 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] User CN=lot-fenit.mds.test,OU=Admins,OU=fou-fenit,DC=main,DC=corp,DC=fenaco,DC=com successfully bound.
2021-11-23 14:53:39,288 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Get user roles.
2021-11-23 14:53:39,288 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Looking for the user roles in LDAP with
2021-11-23 14:53:39,288 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] base DN: DC=main,DC=corp,DC=fenaco,DC=com
2021-11-23 14:53:39,288 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] filter: (member:1.2.840.113556.1.4.1941:=CN=lot-fenit.mds.test,OU=Admins,OU=fou-fenit,DC=main,DC=corp,DC=fenaco,DC=com)
2021-11-23 14:53:39,290 WARN [org.apache.activemq.artemis.core.server] AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /172.28.84.139:57348. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,290 INFO [org.apache.activemq.audit.resource] AMQ601716: User anonymous#172.28.84.139:57348 failed authentication, reason: AMQ229031: Unable to validate user from /172.28.84.139:57348. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,290 WARN [org.apache.activemq.artemis.core.server] AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /172.28.84.139:57350. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,290 INFO [org.apache.activemq.audit.resource] AMQ601716: User anonymous#172.28.84.139:57350 failed authentication, reason: AMQ229031: Unable to validate user from /172.28.84.139:57350. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,292 WARN [org.apache.activemq.artemis.core.server] AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /172.28.84.139:57351. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,293 INFO [org.apache.activemq.audit.resource] AMQ601716: User anonymous#172.28.84.139:57351 failed authentication, reason: AMQ229031: Unable to validate user from /172.28.84.139:57351. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,314 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] User CN=lot-sfmsri.fenmqtst,OU=Service_Accounts,OU=Admins,OU=fou-fenaco,DC=main,DC=corp,DC=fenaco,DC=com successfully bound.
2021-11-23 14:53:39,314 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] User CN=lot-fenit.mds.test,OU=Admins,OU=fou-fenit,DC=main,DC=corp,DC=fenaco,DC=com successfully bound.
2021-11-23 14:53:39,314 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Get user roles.
2021-11-23 14:53:39,314 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Looking for the user roles in LDAP with
2021-11-23 14:53:39,314 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Get user roles.
2021-11-23 14:53:39,314 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] base DN: DC=main,DC=corp,DC=fenaco,DC=com
2021-11-23 14:53:39,314 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] filter: (member:1.2.840.113556.1.4.1941:=CN=lot-sfmsri.fenmqtst,OU=Service_Accounts,OU=Admins,OU=fou-fenaco,DC=main,DC=corp,DC=fenaco,DC=com)
2021-11-23 14:53:39,314 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Looking for the user roles in LDAP with
2021-11-23 14:53:39,314 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] base DN: DC=main,DC=corp,DC=fenaco,DC=com
2021-11-23 14:53:39,314 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] filter: (member:1.2.840.113556.1.4.1941:=CN=lot-fenit.mds.test,OU=Admins,OU=fou-fenit,DC=main,DC=corp,DC=fenaco,DC=com)
2021-11-23 14:53:39,507 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] PartialResultException encountered and ignored: javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=main,DC=corp,DC=fenaco,DC=com'
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3022) [java.naming:]
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996) [java.naming:]
at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.getNextBatch(AbstractLdapNamingEnumeration.java:148) [java.naming:]
at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:217) [java.naming:]
at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189) [java.naming:]
at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.addRoles(LDAPLoginModule.java:499) [artemis-server-2.19.0.jar:2.19.0]
at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.resolveRolesForDN(LDAPLoginModule.java:290) [artemis-server-2.19.0.jar:2.19.0]
at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.authenticate(LDAPLoginModule.java:270) [artemis-server-2.19.0.jar:2.19.0]
at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.login(LDAPLoginModule.java:196) [artemis-server-2.19.0.jar:2.19.0]
at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) [java.base:]
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) [java.base:]
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) [java.base:]
at java.base/java.security.AccessController.doPrivileged(Native Method) [java.base:]
at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) [java.base:]
at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574) [java.base:]
at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:138) [artemis-server-2.19.0.jar:2.19.0]
at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.authenticate(ActiveMQJAASSecurityManager.java:91) [artemis-server-2.19.0.jar:2.19.0]
at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:175) [artemis-server-2.19.0.jar:2.19.0]
at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1681) [artemis-server-2.19.0.jar:2.19.0]
at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.handleCreateSession(ActiveMQPacketHandler.java:183) [artemis-server-2.19.0.jar:2.19.0]
at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.handlePacket(ActiveMQPacketHandler.java:97) [artemis-server-2.19.0.jar:2.19.0]
at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.handlePacket(ChannelImpl.java:820) [artemis-core-client-2.19.0.jar:2.19.0]
at org.apache.activemq.artemis.core.protocol.core.impl.RemotingConnectionImpl.doBufferReceived(RemotingConnectionImpl.java:428) [artemis-core-client-2.19.0.jar:2.19.0]
at org.apache.activemq.artemis.core.protocol.core.impl.RemotingConnectionImpl.bufferReceived(RemotingConnectionImpl.java:396) [artemis-core-client-2.19.0.jar:2.19.0]
at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:688) [artemis-server-2.19.0.jar:2.19.0]
at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73) [artemis-core-client-2.19.0.jar:2.19.0]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:324) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:480) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-all-4.1.68.Final.jar:4.1.68.Final]
at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118) [artemis-commons-2.19.0.jar:2.19.0]
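As an added example (not from the original post), a small Python script that turns broker log lines in the formats quoted above (the AMQ601716 audit line and the LDAPLoginModule DEBUG lines) into a per-user and per-source failure summary, which is the first thing to look at when failures are intermittent. The log text inside it is constructed to match the post's line formats, and the assumption that the CN of a bound DN equals the broker username is mine.

```python
"""Summarise Artemis authentication failures from broker log lines.

Added example, not the project's code. It counts AMQ601716 audit failures
per username and per source address, measures how tightly each user's
failures cluster, counts ignored PartialResultExceptions, and reports
users whose LDAP bind succeeded but who were still refused afterwards
(the stack trace in the post shows the role lookup runs after the bind).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like the post's lines. The WARN AMQ222216 line
# is deliberately included: it is ignored so failures are not double counted.
SAMPLE_LOG = """\
2021-11-23 14:53:39,282 WARN [org.apache.activemq.artemis.core.server] AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /172.28.84.139:57345. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,282 INFO [org.apache.activemq.audit.resource] AMQ601716: User anonymous#172.28.84.139:57345 failed authentication, reason: AMQ229031: Unable to validate user from /172.28.84.139:57345. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,285 INFO [org.apache.activemq.audit.resource] AMQ601716: User anonymous#172.28.84.139:57346 failed authentication, reason: AMQ229031: Unable to validate user from /172.28.84.139:57346. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,288 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] User CN=lot-fenit.mds.test,OU=Admins,OU=fou-fenit,DC=main,DC=corp,DC=fenaco,DC=com successfully bound.
2021-11-23 14:53:39,290 INFO [org.apache.activemq.audit.resource] AMQ601716: User anonymous#172.28.84.139:57348 failed authentication, reason: AMQ229031: Unable to validate user from /172.28.84.139:57348. Username: lot-b4l9992.fenmqtst; SSL certificate subject DN: unavailable
2021-11-23 14:53:39,314 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] User CN=lot-sfmsri.fenmqtst,OU=Service_Accounts,OU=Admins,OU=fou-fenaco,DC=main,DC=corp,DC=fenaco,DC=com successfully bound.
2021-11-23 14:53:39,507 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] PartialResultException encountered and ignored: javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=main,DC=corp,DC=fenaco,DC=com'
2021-11-23 14:53:39,612 INFO [org.apache.activemq.audit.resource] AMQ601716: User anonymous#172.28.84.140:50001 failed authentication, reason: AMQ229031: Unable to validate user from /172.28.84.140:50001. Username: lot-sfmsri.fenmqtst; SSL certificate subject DN: unavailable
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
# Audit line: which source address failed and for which broker username.
FAIL_RE = re.compile(
    TS + r" INFO \[org\.apache\.activemq\.audit\.resource\] AMQ601716: "
    r"User \S+ failed authentication, reason: (?P<code>AMQ\d+): Unable to validate user "
    r"from /(?P<ip>[\d.]+):(?P<port>\d+)\. Username: (?P<user>[^;]+);"
)
# LDAPLoginModule DEBUG lines: a successful user bind, and an ignored referral error.
BOUND_RE = re.compile(TS + r" DEBUG \[\S*LDAPLoginModule\] User (?P<dn>.+?) successfully bound\.$")
PARTIAL_RE = re.compile(TS + r" DEBUG \[\S*LDAPLoginModule\] PartialResultException encountered")


def parse_ts(text):
    """'2021-11-23 14:53:39,282' -> datetime (the ,282 part is milliseconds)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")


def cn_of(dn):
    """Value of the first RDN (CN=...) of a DN. Assumption: in this directory
    layout that value is the sAMAccountName the broker logs as Username."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def millis(delta):
    """timedelta -> whole milliseconds, avoiding float rounding."""
    return delta // timedelta(milliseconds=1)


def parse_events(text):
    """Turn raw log text into a list of fail / bound / partial events."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            events.append({"kind": "fail", "ts": parse_ts(m["ts"]), "user": m["user"].strip(),
                           "ip": m["ip"], "port": int(m["port"]), "code": m["code"]})
            continue
        m = BOUND_RE.match(line)
        if m:
            events.append({"kind": "bound", "ts": parse_ts(m["ts"]),
                           "dn": m["dn"], "user": cn_of(m["dn"])})
            continue
        m = PARTIAL_RE.match(line)
        if m:
            events.append({"kind": "partial", "ts": parse_ts(m["ts"])})
    return events


def summarize(events):
    """Aggregate events into the figures worth reading before touching config."""
    fails = [e for e in events if e["kind"] == "fail"]
    by_user = Counter(e["user"] for e in fails)
    by_source = Counter(e["ip"] for e in fails)
    # How tightly each user's failures cluster (ms between first and last).
    spans = {}
    for user in by_user:
        stamps = sorted(e["ts"] for e in fails if e["user"] == user)
        spans[user] = millis(stamps[-1] - stamps[0])
    # Users refused even though an earlier DEBUG line shows their bind succeeded.
    bound_at = defaultdict(list)
    for e in events:
        if e["kind"] == "bound":
            bound_at[e["user"]].append(e["ts"])
    after_bind = sorted({e["user"] for e in fails
                         if any(t <= e["ts"] for t in bound_at.get(e["user"], []))})
    return {
        "failures_by_user": dict(by_user),
        "failures_by_source": dict(by_source),
        "burst_span_ms": spans,
        "partial_result_exceptions": sum(1 for e in events if e["kind"] == "partial"),
        "failed_after_successful_bind": after_bind,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against the real artemis.log by replacing SAMPLE_LOG with the file contents; a user listed under failed_after_successful_bind was refused after the LDAP bind succeeded, which points at the role-search stage rather than the password.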

Related

Kerberos is not set up . You cannot login - Keycloak

I had configured Keycloak under the user federation settings as Kerberos.
I had also entered the realm, service principal and the keytab file directory as stated.
But I get the issue: Kerberos is not set up. You cannot login.
In Firefox I have enabled SPNEGO as per the docs below:
http://www.microhowto.info/howto/configure_firefox_to_authenticate_using_spnego_and_kerberos.html
I am attaching the log snippet:
2021-06-30 11:43:31,234 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-1) Selections when trying execution 'auth-spnego' : [ authSelection - auth-spnego]
2021-06-30 11:43:31,234 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1) invoke authenticator.authenticate: auth-spnego
2021-06-30 11:43:31,235 TRACE [org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator] (default task-1) Sending back WWW-Authenticate: Negotiate
Reference to the same issue:
https://marc.info/?l=keycloak-user&m=154803677131797&w=2
Please consider helping us with a concrete solution.
Thanks in advance!

Not able to authenticate SMTP clients on Debian+Postfix+SASL with rimap

I'm having a strange problem. I followed a few guides from the net. My goal is to create an SMTP Postfix server that will use Cyrus SASL to authenticate users against a different IMAP server when they send email.
To make it simpler: I have to transfer/replace the current SMTP server with a new one, as the current one is on a public cloud and gets on blacklists pretty often.
What I managed so far is:
Working Postfix
Authentication works when using:
testsaslauthd -u user@domain.com -p password
I get OK "Success", so I assume SASL itself works.
When I invoke saslfinger -s
I get:
There is no smtpd.conf that defines what SASL should do for Postfix.
SMTP AUTH can't work!
but it seems that all is fine within the configuration files:
/etc/postfix/sasls/smtp.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
/etc/postfix/main.cf:
smtpd_recipient_restrictions = reject_invalid_hostname,
permit permit_mynetworks,
permit_sasl_authenticated
disable_vrfy_command = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
/etc/default/saslauthd-postfix:
START=yes
MECHANISMS="rimap"
MECH_OPTIONS="domain.com -r"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
I'm running Postfix chrooted, so I had to create a symlink, but like I said, it all seems to work independently; it just needs to be linked somehow.
When I try to set up an account in Outlook, I get "wrong name or password".
The log on Debian says:
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL NTLM authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: SASL authentication failure: unable to canonify user and get auxprops
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL DIGEST-MD5 authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL LOGIN authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: lost connection after AUTH from unknown[192.168.108.1]
May 11 23:35:43 smtp-test postfix/smtpd[741]: disconnect from unknown[192.168.108.1]
The strange thing is that it tries NTLM (not mentioned anywhere) instead of rimap, and it cannot make a canonical name of the user even after adding the -r switch that should combine the name and the realm/domain name.
I guess that is related to the first warning from saslfinger, but I cannot find the cause.
All updated to newest available versions.
Any help?

cas client call service validate url /serviceValidate and got CAS server login page html,not xml result

I'm using shiro-cas client 1.2.3 in my webapp and CAS server 4.2.0 as the SSO server. I found that my CAS client got login page HTML content when calling the URL /ucas/serviceValidate to validate the service ticket; it seems /serviceValidate had been redirected to the CAS server login page.
I got these logs from the server:
[INFO][2017-04-2914:02:49][org.jasig.cas.authentication.PolicyBasedAuthenticationManager]UcasAuthenticationHandler successfully authenticated admin
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver]Attempting to resolve a principal...
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver]Creating SimplePrincipal for [admin]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver]Principal id [admin] could not be found
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver]Retrieved [4] attribute(s) from the repository
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.PolicyBasedAuthenticationManager]org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver#11e7f88e resolved admin from admin
[INFO][2017-04-2914:02:49][org.jasig.cas.authentication.PolicyBasedAuthenticationManager]Authenticated admin with credentials [admin].
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.PolicyBasedAuthenticationManager]Attribute map for admin: {uid=uid, eduPersonAffiliation=eduPersonAffiliation, memberOf=[faculty, staff, org], groupMembership=groupMembership}
[DEBUG][2017-04-2914:02:49][org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver]Resolving argument [AuthenticationTransaction] for audit
[DEBUG][2017-04-2914:02:49][org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver]Resolving argument [UsernamePasswordCredential] for audit
[INFO][2017-04-2914:02:49][org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager]Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: Supplied credentials: [admin]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Sat Apr 29 14:02:49 CST 2017
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
=============================================================
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationTransactionManager]Successful authentication; Collecting authentication result [org.jasig.cas.authentication.ImmutableAuthentication#ef8c9139]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationTransactionManager]Transaction ignored since there are no credentials to authenticate
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Collecting authentication history based on [1] authentication events
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Evaluating authentication principal [admin] for inclusion in context
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Collected principal attributes [{uid=uid, memberOf=[faculty, staff, org], groupMembership=groupMembership, eduPersonAffiliation=eduPersonAffiliation}] for inclusion in context for principal [admin]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Collected single authentication attribute [authenticationMethod] -> [UcasAuthenticationHandler]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Collected single authentication attribute [successfulAuthenticationHandlers] -> [[UcasAuthenticationHandler]]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Finalized authentication attributes [{authenticationMethod=UcasAuthenticationHandler, successfulAuthenticationHandlers=[UcasAuthenticationHandler]}] for inclusion in authentication context
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultPrincipalElectionStrategy]Nominated [admin] as the primary principal
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Determined primary authentication principal to be [admin]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Collected authentication attributes for this context are [{authenticationMethod=UcasAuthenticationHandler, successfulAuthenticationHandlers=[UcasAuthenticationHandler]}]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Authentication context commenced at [2017-04-29T14:02:49.773+08:00]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Building an authentication context for authentication org.jasig.cas.authentication.ImmutableAuthentication#835b2f9 and service http://localhost:8081/eadp_oa/shiro-cas
[DEBUG][2017-04-2914:02:49][org.jasig.cas.ticket.registry.DefaultTicketRegistry]Added ticket [TGT-**********************************************gw1L7hkf06-localhost] to registry.
[DEBUG][2017-04-2914:02:49][org.jasig.cas.CentralAuthenticationServiceImpl]Publishing org.jasig.cas.support.events.CasTicketGrantingTicketCreatedEvent#200cbbb8[ticketGrantingTicket=TGT-**********************************************gw1L7hkf06-localhost]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver]Resolving argument [DefaultAuthenticationContext] for audit
[INFO][2017-04-2914:02:49][org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager]Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-**********************************************gw1L7hkf06-localhost
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat Apr 29 14:02:49 CST 2017
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
=============================================================
[DEBUG][2017-04-2914:02:49][org.jasig.cas.web.support.WebUtils]Evaluating request to determine if warning cookie should be generated
[DEBUG][2017-04-2914:02:49][org.jasig.cas.web.WarningCookieRetrievingCookieGenerator]Removed cookie with name [CASPRIVACY]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.web.flow.SendTicketGrantingTicketAction]Setting TGC for current session.
[DEBUG][2017-04-2914:02:49][org.jasig.cas.web.support.DefaultCasCookieValueManager]Encoding cookie value [TGT-**********************************************gw1L7hkf06-localhost#0:0:0:0:0:0:0:1#Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.util.DefaultCipherExecutor]Encrypting via [A128CBC-HS256]
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm]org.jose4j.jws.PlaintextNoneAlgorithm#6c7c98cd registered for alg algorithm none
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm]org.jose4j.jws.HmacUsingShaAlgorithm$HmacSha256#7c145051 registered for alg algorithm HS256
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm]org.jose4j.jws.HmacUsingShaAlgorithm$HmacSha384#53065946 registered for alg algorithm HS384
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm]org.jose4j.jws.HmacUsingShaAlgorithm$HmacSha512#76b1d1bc registered for alg algorithm HS512
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm]org.jose4j.jws.EcdsaUsingShaAlgorithm$EcdsaP256UsingSha256#24f91458 registered for alg algorithm ES256
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm]org.jose4j.jws.EcdsaUsingShaAlgorithm$EcdsaP384UsingSha384#3e4e71e0 registered for alg algorithm ES384
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm]org.jose4j.jws.EcdsaUsingShaAlgorithm$EcdsaP521UsingSha512#305aeea0 registered for alg algorithm ES512
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm]org.jose4j.jws.RsaUsingShaAlgorithm$RsaSha256#52085950 registered for alg algorithm RS256
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm]org.jose4j.jws.RsaUsingShaAlgorithm$RsaSha384#4859575d registered for alg algorithm RS384
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm]org.jose4j.jws.RsaUsingShaAlgorithm$RsaSha512#5788725d registered for alg algorithm RS512
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm]PS256 is unavailable so will not be registered for alg algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm]PS384 is unavailable so will not be registered for alg algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm]PS512 is unavailable so will not be registered for alg algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]org.jose4j.jwe.RsaKeyManagementAlgorithm$Rsa1_5#cdfd4c8 registered for alg algorithm RSA1_5
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]org.jose4j.jwe.RsaKeyManagementAlgorithm$RsaOaep#194d93b6 registered for alg algorithm RSA-OAEP
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]org.jose4j.jwe.RsaKeyManagementAlgorithm$RsaOaep256#7af5b7bb registered for alg algorithm RSA-OAEP-256
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]org.jose4j.jwe.DirectKeyManagementAlgorithm#20800faf registered for alg algorithm dir
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]org.jose4j.jwe.AesKeyWrapManagementAlgorithm$Aes128#1b44ad0 registered for alg algorithm A128KW
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]A192KW is unavailable so will not be registered for alg algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]A256KW is unavailable so will not be registered for alg algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]org.jose4j.jwe.EcdhKeyAgreementAlgorithm#15bd9ee4 registered for alg algorithm ECDH-ES
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]org.jose4j.jwe.EcdhKeyAgreementWithAesKeyWrapAlgorithm$EcdhKeyAgreementWithAes128KeyWrapAlgorithm#4c06729d registered for alg algorithm ECDH-ES+A128KW
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]ECDH-ES+A192KW is unavailable so will not be registered for alg algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]ECDH-ES+A256KW is unavailable so will not be registered for alg algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]org.jose4j.jwe.Pbes2HmacShaWithAesKeyWrapAlgorithm$HmacSha256Aes128#395d8c76 registered for alg algorithm PBES2-HS256+A128KW
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]PBES2-HS384+A192KW is unavailable so will not be registered for alg algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]PBES2-HS512+A256KW is unavailable so will not be registered for alg algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]org.jose4j.jwe.AesGcmKeyEncryptionAlgorithm$Aes128Gcm#3f84cdcf registered for alg algorithm A128GCMKW
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]A192GCMKW is unavailable so will not be registered for alg algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm]A256GCMKW is unavailable so will not be registered for alg algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->ContentEncryptionAlgorithm]org.jose4j.jwe.AesCbcHmacSha2ContentEncryptionAlgorithm$Aes128CbcHmacSha256#6354da9f registered for enc algorithm A128CBC-HS256
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->ContentEncryptionAlgorithm]A192CBC-HS384 is unavailable so will not be registered for enc algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->ContentEncryptionAlgorithm]A256CBC-HS512 is unavailable so will not be registered for enc algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->ContentEncryptionAlgorithm]org.jose4j.jwe.AesGcmContentEncryptionAlgorithm$Aes128Gcm#1d495668 registered for enc algorithm A128GCM
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->ContentEncryptionAlgorithm]A192GCM is unavailable so will not be registered for enc algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->ContentEncryptionAlgorithm]A256GCM is unavailable so will not be registered for enc algorithms.
[DEBUG][2017-04-2914:02:49][class org.jose4j.jwa.AlgorithmFactory->CompressionAlgorithm]org.jose4j.zip.DeflateRFC1951CompressionAlgorithm#3c82ae83 registered for zip algorithm DEF
[DEBUG][2017-04-2914:02:49][org.jasig.cas.web.support.TGCCookieRetrievingCookieGenerator]Added cookie with name [TGC] and value [eyJhbGciOiJIUzUxMiJ9.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.OeZ8ypOngQWnheTEoAeRNJSa7D4R6xGvNINzr2YQldo6WUXjFzKfUEon7TsH3e54V-qf7Pa0QSMENJnZmbYrcQ]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.ticket.registry.DefaultTicketRegistry]Attempting to retrieve ticket [TGT-**********************************************gw1L7hkf06-localhost]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.ticket.registry.DefaultTicketRegistry]Ticket [TGT-**********************************************gw1L7hkf06-localhost] found in registry.
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Collecting authentication history based on [1] authentication events
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Evaluating authentication principal [admin] for inclusion in context
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Collected principal attributes [{uid=uid, memberOf=[faculty, staff, org], groupMembership=groupMembership, eduPersonAffiliation=eduPersonAffiliation}] for inclusion in context for principal [admin]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Collected single authentication attribute [authenticationMethod] -> [UcasAuthenticationHandler]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Collected single authentication attribute [successfulAuthenticationHandlers] -> [[UcasAuthenticationHandler]]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Finalized authentication attributes [{authenticationMethod=UcasAuthenticationHandler, successfulAuthenticationHandlers=[UcasAuthenticationHandler]}] for inclusion in authentication context
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultPrincipalElectionStrategy]Nominated [admin] as the primary principal
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Determined primary authentication principal to be [admin]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Collected authentication attributes for this context are [{authenticationMethod=UcasAuthenticationHandler, successfulAuthenticationHandlers=[UcasAuthenticationHandler]}]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Authentication context commenced at [2017-04-29T14:02:49.898+08:00]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.DefaultAuthenticationContextBuilder]Building an authentication context for authentication org.jasig.cas.authentication.ImmutableAuthentication#efafdf4 and service http://localhost:8081/eadp_oa/shiro-cas
[DEBUG][2017-04-2914:02:49][org.jasig.cas.ticket.registry.DefaultTicketRegistry]Attempting to retrieve ticket [TGT-**********************************************gw1L7hkf06-localhost]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.ticket.registry.DefaultTicketRegistry]Ticket [TGT-**********************************************gw1L7hkf06-localhost] found in registry.
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository]DefaultPrincipalAttributesRepository will return the collection of attributes directly associated with the principal object
[DEBUG][2017-04-2914:02:49][org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository]Found [4] cached attributes for principal [admin]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy]No required attributes are specified
[DEBUG][2017-04-2914:02:49][org.jasig.cas.ticket.DefaultServiceTicketFactory]Looking up service ticket id generator for [org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.ticket.registry.DefaultTicketRegistry]Added ticket [ST-1-TI2dqfpSJIm9BTQs0tZE-localhost] to registry.
[INFO][2017-04-2914:02:49][org.jasig.cas.CentralAuthenticationServiceImpl]Granted ticket [ST-1-TI2dqfpSJIm9BTQs0tZE-localhost] for service [http://localhost:8081/eadp_oa/shiro-cas] and principal [admin]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.CentralAuthenticationServiceImpl]Publishing org.jasig.cas.support.events.CasServiceTicketGrantedEvent#4de8af38[ticketGrantingTicket=TGT-**********************************************gw1L7hkf06-localhost,serviceTicket=ST-1-TI2dqfpSJIm9BTQs0tZE-localhost]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver]Resolving argument [String] for audit
[DEBUG][2017-04-2914:02:49][org.jasig.cas.ticket.registry.DefaultTicketRegistry]Attempting to retrieve ticket [TGT-**********************************************gw1L7hkf06-localhost]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.ticket.registry.DefaultTicketRegistry]Ticket [TGT-**********************************************gw1L7hkf06-localhost] found in registry.
[INFO][2017-04-2914:02:49][org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager]Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: ST-1-TI2dqfpSJIm9BTQs0tZE-localhost for http://localhost:8081/eadp_oa/shiro-cas
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat Apr 29 14:02:49 CST 2017
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
=============================================================
[DEBUG][2017-04-2914:02:49][org.jasig.cas.web.flow.InitialFlowSetupAction]Warning cookie path is set to null and path /ucas/
[DEBUG][2017-04-2914:02:50][org.jasig.cas.web.flow.InitialFlowSetupAction]TGC cookie path is set to null and path /ucas/
[DEBUG][2017-04-2914:02:50][org.jasig.cas.web.support.DefaultArgumentExtractor]Created http://localhost:8081/eadp_oa/shiro-cas based on org.jasig.cas.authentication.principal.WebApplicationServiceFactory#7fec2fde
[DEBUG][2017-04-2914:02:50][org.jasig.cas.web.support.DefaultArgumentExtractor]Extractor generated service for: http://localhost:8081/eadp_oa/shiro-cas
[DEBUG][2017-04-2914:02:50][org.jasig.cas.web.flow.InitialFlowSetupAction]Placing service in context scope: [http://localhost:8081/eadp_oa/shiro-cas]
[DEBUG][2017-04-2914:02:50][org.jasig.cas.web.flow.InitialFlowSetupAction]Placing registered service [^(https|http|imaps)://.*] with id [10000001] in context scope
[DEBUG][2017-04-2914:02:50][org.jasig.cas.web.flow.GenerateLoginTicketAction]Generated login ticket LT-2-d4WAw9gubZB9FE6AzWx5-localhost
[DEBUG][2017-04-2914:02:50][org.jasig.cas.web.flow.InitialFlowSetupAction]Warning cookie path is set to null and path /ucas/
[DEBUG][2017-04-2914:02:50][org.jasig.cas.web.flow.InitialFlowSetupAction]TGC cookie path is set to null and path /ucas/
[DEBUG][2017-04-2914:02:50][org.jasig.cas.web.support.DefaultArgumentExtractor]Created http://localhost:8081/eadp_oa/shiro-cas based on org.jasig.cas.authentication.principal.WebApplicationServiceFactory#7fec2fde
[DEBUG][2017-04-2914:02:50][org.jasig.cas.web.support.DefaultArgumentExtractor]Extractor generated service for: http://localhost:8081/eadp_oa/shiro-cas
[DEBUG][2017-04-2914:02:50][org.jasig.cas.web.flow.InitialFlowSetupAction]Placing service in context scope: [http://localhost:8081/eadp_oa/shiro-cas]
[DEBUG][2017-04-2914:02:50][org.jasig.cas.web.flow.InitialFlowSetupAction]Placing registered service [^(https|http|imaps)://.*] with id [10000001] in context scope
[DEBUG][2017-04-2914:02:50][org.jasig.cas.web.flow.GenerateLoginTicketAction]Generated login ticket LT-3-OOjFkWBQzVOWPtkCpPJN-localhost
[DEBUG][2017-04-2914:03:42][org.jasig.cas.util.CasSpringBeanJobFactory]Created job org.jasig.cas.services.DefaultServicesManagerImpl$ServiceRegistryReloaderJob#6bbdc5de for bundle org.quartz.spi.TriggerFiredBundle#52eb5693
[DEBUG][2017-04-2914:03:42][org.jasig.cas.util.CasSpringBeanJobFactory]Autowired job per the application context
[INFO][2017-04-2914:03:42][org.jasig.cas.services.DefaultServicesManagerImpl]Reloading registered services.
[DEBUG][2017-04-2914:03:42][org.jasig.cas.services.DefaultServicesManagerImpl]Adding registered service ^(https|http|imaps)://.*
[DEBUG][2017-04-2914:03:42][org.jasig.cas.services.DefaultServicesManagerImpl]Adding registered service ^https://www.apereo.org
[INFO][2017-04-2914:03:42][org.jasig.cas.services.DefaultServicesManagerImpl]Loaded 2 services from JsonServiceRegistryDao.
[DEBUG][2017-04-2914:03:48][org.jasig.cas.util.CasSpringBeanJobFactory]Created job org.jasig.cas.ticket.registry.DefaultTicketRegistry#3b2942e1 for bundle org.quartz.spi.TriggerFiredBundle#4e4cda28
[DEBUG][2017-04-2914:03:48][org.jasig.cas.util.CasSpringBeanJobFactory]Autowired job per the application context
[INFO][2017-04-2914:03:48][org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor]JSR-330 'javax.inject.Inject' annotation found and supported for autowiring
[INFO][2017-04-2914:03:48][org.jasig.cas.ticket.registry.DefaultTicketRegistry]Beginning ticket cleanup...
[INFO][2017-04-2914:03:48][org.jasig.cas.ticket.registry.DefaultTicketRegistry]0 expired tickets found and removed.
The shiro-cas client got an XML parse failure exception, because it received the HTML page content instead of XML:
[DEBUG][2017-04-2914:02:49][org.jasig.cas.client.session.SingleSignOutHandler]Recording session for token ST-1-TI2dqfpSJIm9BTQs0tZE-localhost
[DEBUG][2017-04-2914:02:49][org.jasig.cas.client.session.HashMapBackedSessionMappingStorage]Attempting to remove Session=[5963FECCB62C5342CB3E599CF5BD6549]
[DEBUG][2017-04-2914:02:49][org.jasig.cas.client.session.HashMapBackedSessionMappingStorage]No mapping for session found. Ignoring.
[DEBUG][2017-04-2914:02:49][org.jasig.cas.client.validation.Cas20ServiceTicketValidator]Placing URL parameters in map.
[DEBUG][2017-04-2914:02:49][org.jasig.cas.client.validation.Cas20ServiceTicketValidator]Calling template URL attribute map.
[DEBUG][2017-04-2914:02:49][org.jasig.cas.client.validation.Cas20ServiceTicketValidator]Loading custom parameters from configuration.
[DEBUG][2017-04-2914:02:49][org.jasig.cas.client.validation.Cas20ServiceTicketValidator]Constructing validation url: http://localhost:8080/ucas/serviceValidate?ticket=ST-1-TI2dqfpSJIm9BTQs0tZE-localhost&service=http%3A%2F%2Flocalhost%3A8081%2Feadp_oa%2Fshiro-cas
[DEBUG][2017-04-2914:02:49][org.jasig.cas.client.validation.Cas20ServiceTicketValidator]Retrieving response from server.
[DEBUG][2017-04-2914:02:50][org.jasig.cas.client.validation.Cas20ServiceTicketValidator]Server response: <!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>CAS – Central Authentication Service</title>
<meta name="_csrf" content=""/>
<meta name="_csrf_header" content=""/>
<link rel="stylesheet" href="/ucas/css/cas.css" />
<link rel="icon" href="/ucas/favicon.ico" type="image/x-icon" />
...
I read the CAS protocol doc and searched for it, but still couldn't understand why it happens. What more do I need to do? Please advise me.
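The failure above is the relying party handing a CAS login page (HTML) to an XML parser. As an added example, not code from the post or from Shiro/CAS, here is a fail-closed handler for the CAS 2.0 /serviceValidate response that classifies the body first and reports the precise reason for rejection; the element names and the `http://www.yale.edu/tp/cas` namespace are from the CAS 2.0 protocol, and the three sample responses are constructed.

```python
"""Fail-closed handling of a CAS 2.0 /serviceValidate response.

Added example (not the post's code and not Shiro/CAS code). A relying party
should never treat anything other than a well-formed <cas:authenticationSuccess>
as a valid login; an HTML login page, malformed XML, or an
<cas:authenticationFailure> element must all reject the ticket.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CAS_NS = "http://www.yale.edu/tp/cas"  # CAS 2.0 protocol namespace


@dataclass
class ValidationResult:
    ok: bool
    user: Optional[str] = None
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    reason: str = ""


def _tag(name: str) -> str:
    return "{%s}%s" % (CAS_NS, name)


def parse_service_response(body: str, content_type: str = "") -> ValidationResult:
    # 1. The failure mode from the logs: the server answered with its HTML login
    #    page instead of the XML document. Say so explicitly instead of failing
    #    later with a generic parse error.
    head = body.lstrip()[:15].lower()
    if "html" in content_type.lower() or head.startswith(("<!doctype html", "<html")):
        return ValidationResult(False, reason="server returned an HTML page, not a CAS serviceResponse")
    # 2. Anything that does not parse is a rejection, never a success.
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return ValidationResult(False, reason="malformed XML: %s" % exc)
    if root.tag != _tag("serviceResponse"):
        return ValidationResult(False, reason="unexpected root element %s" % root.tag)
    # 3. An explicit CAS failure carries a protocol error code (e.g. INVALID_TICKET).
    failure = root.find(_tag("authenticationFailure"))
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        return ValidationResult(False, reason="%s: %s" % (code, (failure.text or "").strip()))
    # 4. Success requires a non-empty cas:user; attributes are multi-valued.
    success = root.find(_tag("authenticationSuccess"))
    if success is None:
        return ValidationResult(False, reason="neither success nor failure element present")
    user_el = success.find(_tag("user"))
    if user_el is None or not (user_el.text or "").strip():
        return ValidationResult(False, reason="authenticationSuccess without cas:user")
    attrs: Dict[str, List[str]] = {}
    attr_el = success.find(_tag("attributes"))
    if attr_el is not None:
        for child in attr_el:
            local = child.tag.split("}", 1)[-1]
            attrs.setdefault(local, []).append((child.text or "").strip())
    return ValidationResult(True, user=user_el.text.strip(), attributes=attrs)


# Constructed sample responses (not taken from the post's logs).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>admin</cas:user>
    <cas:attributes>
      <cas:memberOf>faculty</cas:memberOf>
      <cas:memberOf>staff</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-EXAMPLE not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

HTML_LOGIN_PAGE = """<!DOCTYPE html>
<html lang="en"><head><title>CAS - Central Authentication Service</title></head>
<body>login form</body></html>"""

if __name__ == "__main__":
    for label, sample in (("success", SUCCESS_XML), ("failure", FAILURE_XML), ("html", HTML_LOGIN_PAGE)):
        print(label, parse_service_response(sample))
```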
solved
I rolled back all custom configuration and compared it, and finally figured out what happened.
I had added this tx Spring config to the CAS server file:
<tx:annotation-driven transaction-manager="transactionManager" proxy-target-class="true" />
It caused some final classes to fail initialization by Spring, like:
org.jasig.cas.adaptors.jdbc.QueryAndEncodeDatabaseAuthenticationHandler
org.jasig.cas.authentication.FileTrustStoreSslSocketFactory
org.jasig.cas.services.DefaultServicesManagerImpl
So I overrode these final classes, and that caused the SSO server to be unable to validate service tickets.
I removed this property:
proxy-target-class="true"
Now the SSO server works.

Apache Sling Authentication Service Anonymous Password Change Disabled Access to Login

I made a change to the Apache Sling Authentication Service anonymous account user password and enabled anonymous access. I also went into the anonymous user and changed the account password to match.
Unfortunately, after this change, access to the login page was locked out, with a continuous push to http://localhost:8080/um/login and a 403 error with "This website requires you to log in." for any URL related to AEM. The JEE links (LiveCycle) still work, e.g. /adminui.
Is there a way to "factory reset" both the values of the Apache Sling Authentication Service?
17:07:24,613 ERROR [com.adobe.idp.um.provider.authentication.LDAPAuthProviderImpl] (Thread-272) UserM:GENERIC_SEVERE: [Thread Hashcode: 1678680974] User Name or Password is null
17:07:24,644 WARN [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] (Thread-272) Authentication failed for user [anonymous] (Scheme - Username/Password) Reason: Username or password is incorrect . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details
17:07:24,800 ERROR [com.adobe.idp.um.provider.authentication.LDAPAuthProviderImpl] (Thread-272) UserM:GENERIC_SEVERE: [Thread Hashcode: 1678680974] User Name or Password is null
17:07:24,816 WARN [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] (Thread-272) Authentication failed for user [anonymous] (Scheme - Username/Password) Reason: Username or password is incorrect . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details
17:07:24,879 ERROR [com.adobe.idp.um.provider.authentication.LDAPAuthProviderImpl] (Thread-272) UserM:GENERIC_SEVERE: [Thread Hashcode: 1678680974] User Name or Password is null
17:07:24,894 WARN [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] (Thread-272) Authentication failed for user [anonymous] (Scheme - Username/Password) Reason: Username or password is incorrect . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details
17:07:25,050 ERROR [com.adobe.idp.um.provider.authentication.LDAPAuthProviderImpl] (Thread-272) UserM:GENERIC_SEVERE: [Thread Hashcode: 1678680974] User Name or Password is null
17:07:25,066 WARN [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] (Thread-272) Authentication failed for user [anonymous] (Scheme - Username/Password) Reason: Username or password is incorrect . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details
17:07:25,144 ERROR [com.adobe.idp.um.provider.authentication.LDAPAuthProviderImpl] (Thread-272) UserM:GENERIC_SEVERE: [Thread Hashcode: 1678680974] User Name or Password is null
In order for these changes to take effect the AEM instance needs to be restarted.

Jasig CAS - 404 code after successful service ticket validation

We are currently trying to deploy CAS 4.0.1 on a JBoss EAP 6.3.0 server.
The login webflow was customised in order to redirect to a specific login form depending on the service calling CAS for authentication. Depending on these forms, we use specific authentication handlers, and a specific Credential model. Besides that, the configuration is rather standard.
At the moment, we are experiencing the following issue: when a user attempts to access a service secured by CAS, he is correctly redirected to the portal, and the expected login view is rendered; upon successful login, the Service Ticket is delivered to the authentication filter on the service side (standard j_spring_cas_security_check), which then validates it successfully against CAS' ticket registry. We see in the logs that CAS is rendering the cas2ServiceSuccessView; however, instead of delivering the expected XML response, the user is redirected to the login form.
We then confirmed that we were in fact getting a 404 error after the cas2ServiceSuccessView... Any idea what could trigger such behaviour, or what we could have done wrong?
Note that we are getting the same error regardless of how we call CAS for the ST validation: whether it is manually through /serviceValidate?ticket=ST-YYY&service=XXX, or via the /j_spring_cas_security_check on the service side...
Edit: we have the same behaviour running CAS on Tomcat 7.
Thanks in advance.
Below the debug logs that we are getting:
08:54:10,806 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) Last-Modified value for [/cas/serviceValidate] is: -1
08:54:10,809 INFO [org.perf4j.TimingLogger] (http-/0.0.0.0:8080-7) start[1433314450807] time[2] tag[VALIDATE_SERVICE_TICKET]
08:54:10,810 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] (http-/0.0.0.0:8080-7) Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-3-uecoOwdbdIn4bc2WvXfe-cas-test
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Jun 03 08:54:10 CEST 2015
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
08:54:10,810 DEBUG [org.springframework.validation.DataBinder] (http-/0.0.0.0:8080-7) DataBinder requires binding of required fields [renew]
08:54:10,811 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) Rendering view [org.springframework.web.servlet.view.InternalResourceView: name 'cas2ServiceSuccessView'; URL [/WEB-INF/view/jsp/cas2ServiceSuccessView.jsp]] in DispatcherServlet with name 'cas'
08:54:10,811 DEBUG [org.springframework.web.servlet.view.InternalResourceView] (http-/0.0.0.0:8080-7) Added model object 'assertion' of type [org.jasig.cas.validation.ImmutableAssertion] to request in view with name 'cas2ServiceSuccessView'
08:54:10,811 DEBUG [org.springframework.web.servlet.view.InternalResourceView] (http-/0.0.0.0:8080-7) Removed model object 'pgtIou' from request in view with name 'cas2ServiceSuccessView'
08:54:10,811 DEBUG [org.springframework.web.servlet.view.InternalResourceView] (http-/0.0.0.0:8080-7) Forwarding to resource [/WEB-INF/view/jsp/cas2ServiceSuccessView.jsp] in InternalResourceView 'cas2ServiceSuccessView'
08:54:10,812 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) Successfully completed request
08:54:10,814 DEBUG [org.springframework.web.servlet.DispatcherServlet] (http-/0.0.0.0:8080-7) DispatcherServlet with name 'cas' processing GET request for [/cas/login]
08:54:10,814 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] (http-/0.0.0.0:8080-7) Mapping request with URI '/cas/login' to flow with id 'login'
In Spring Security 4.x, CasAuthenticationFilter's defaultFilterProcessesUrl path has changed.
So change '/j_spring_cas_security_check' to '/login/cas' in the configuration.
... and of course, the cause was rather silly: somehow (I have to look at our merge/git history), the viewResolver bean defined in cas-servlet.xml did not have a basenames property set.