blank page after LDAP configuration


Balaji Muthuvarathan

Feb 25, 2012, 11:25:45 PM
to Eureka Streams Development
Hi,

I am a newbie to ES. I followed the build/run instructions and I had it
up and running successfully in Jetty. Now I am trying to integrate it
with ApacheDS LDAP. I changed the url, userDn, password etc. both in the
parent pom.xml file and in Spring's LDAP configuration file. I
cleaned and rebuilt the whole thing with the -Dldap-security flag. And
when I deploy it and go to localhost:8080, all I am getting is a
blank page. I tested it on IE9, Chrome, FF10.x, Opera on Windows 7,
still a blank page every time.

As strange as this may seem, I did get the login page once in Chrome
and when I entered the credentials it forwarded to the requestaccess.html
page. But just that once. Back to blank screen since then.

Any info to get past this would be very helpful.

-bala

Jan Boon

Feb 26, 2012, 7:41:45 AM
to eureka-st...@googlegroups.com
Hi Bala,

I guess with ApacheDS you are on your own. Last Friday I finally succeeded in building ES integrated with OpenLDAP completely based on Spring. I used a clone of github including commit 0285b0eaff79b529c6915687fb0ec88dd62e19f4, which resolves an issue with LDAP-based login. I suggest you start from there. It includes many other fixes so I would zip it and call it stable-2.0 to ease the discussion. The other thing you should know is that the -Dldap-security flag does not make a war file that includes the Spring LDAP security configuration. I had to copy that in later by hand at the proper place in the exploded war-tree (as probably other Spring configuration files which are apparently not relevant for LDAP integration).
Success.

Regards Jan.

Balaji Muthuvarathan

Feb 26, 2012, 1:12:48 PM
to Eureka Streams Development
Jan,
Thanks a lot for the quick response. I will start with the new code
base and the Spring config migration you have suggested. In the
meantime, here is the stack trace I see in the spring.security.log file. I see
the access denied exception before the entire security chain is
exhausted. Let me know if this means anything. Thanks again.

ntainer:shindig-container.js'; pattern is /**; matched=true
2012-02-26 01:53:32,200 DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - Secure object: FilterInvocation: URL: /gadgets/js/core:rpc:eurekastreams-container:shindig-container.js?c=1&container=eureka&debug=0; ConfigAttributes: [ROLE_USER]
2012-02-26 01:53:32,200 DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - Previously Authenticated: org.springframework.security.providers.anonymous.AnonymousAuthenticationToken@69ec09e9: Principal: roleAnonymous; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2012-02-26 01:53:32,200 DEBUG org.springframework.security.ui.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.AccessDeniedException: Access is denied
    at org.springframework.security.vote.AffirmativeBased.decide(AffirmativeBased.java:68)
    at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:262)
    at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.ui.SessionFixationProtectionFilter.doFilterHttp(SessionFixationProtectionFilter.java:52)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.oauth.provider.OAuthProviderProcessingFilter.doFilter(OAuthProviderProcessingFilter.java:173)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.oauth.provider.OAuthProviderProcessingFilter.doFilter(OAuthProviderProcessingFilter.java:193)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:277)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.oauth.provider.OAuthProviderProcessingFilter.doFilter(OAuthProviderProcessingFilter.java:193)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.providers.anonymous.AnonymousProcessingFilter.doFilterHttp(AnonymousProcessingFilter.java:105)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.ui.rememberme.RememberMeProcessingFilter.doFilterHttp(RememberMeProcessingFilter.java:109)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter.doFilterHttp(SecurityContextHolderAwareRequestFilter.java:91)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at .......
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:877)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:594)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1675)
    at java.lang.Thread.run(Thread.java:662)
2012-02-26 01:53:32,200 DEBUG org.springframework.security.ui.ExceptionTranslationFilter - Authentication entry point being called; SavedRequest added to Session: SavedRequest[http://localhost:8080/gadgets/js/core:rpc:eurekastreams-container:shindig-container.js?c=1&container=eureka&debug=0]
2012-02-26 01:53:32,200 DEBUG org.springframework.security.context.HttpSessionContextIntegrationFilter - SecurityContextHolder now cleared, as request processing completed
2012-02-26 01:53:32,215 DEBUG org.springframework.security.ui.ExceptionTranslationFilter - Chain processed normally
2012-02-26 01:53:32,215 DEBUG org.springframework.security.context.HttpSessionContextIntegrationFilter - HttpSession is null, but SecurityContextHolder has not changed from default: ' org.springframework.security.context.SecurityContextImpl@ffffffff: Null authentication'; not creating HttpSession or storing SecurityContextHolder contents
2012-02-26 01:53:32,215 DEBUG org.springframework.security.context.HttpSessionContextIntegrationFilter - SecurityContextHolder now cleared, as request processing completed
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - Converted URL to lowercase, from: '/no_credentials.html'; to: '/no_credentials.html'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - Candidate is: '/no_credentials.html'; pattern is /requestaccess.html; matched=false
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - Converted URL to lowercase, from: '/no_credentials.html'; to: '/no_credentials.html'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - Candidate is: '/no_credentials.html'; pattern is /requestaccess_connect.html; matched=false
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - Converted URL to lowercase, from: '/no_credentials.html'; to: '/no_credentials.html'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - Candidate is: '/no_credentials.html'; pattern is /**; matched=true
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - /no_credentials.html at position 1 of 13 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.context.HttpSessionContextIntegrationFilter - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2012-02-26 01:53:32,325 DEBUG org.springframework.security.context.HttpSessionContextIntegrationFilter - New SecurityContext instance will be associated with SecurityContextHolder
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - /no_credentials.html at position 2 of 13 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=300; ]'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - /no_credentials.html at position 3 of 13 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - /no_credentials.html at position 4 of 13 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ]'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.ui.savedrequest.SavedRequest - pathInfo: both null (property equals)
2012-02-26 01:53:32,325 DEBUG org.springframework.security.ui.savedrequest.SavedRequest - queryString: arg1=1330238516902; arg2=null (property not equals)
2012-02-26 01:53:32,325 DEBUG org.springframework.security.wrapper.SavedRequestAwareWrapper - Wrapper not replaced; SavedRequest was: SavedRequest[http://localhost:8080/eureka.nocache.js?1330238516902]
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - /no_credentials.html at position 5 of 13 in additional filter chain; firing Filter: 'org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1200; ]'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - /no_credentials.html at position 6 of 13 in additional filter chain; firing Filter: 'org.springframework.security.providers.anonymous.AnonymousProcessingFilter[ order=1300; ]'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.providers.anonymous.AnonymousProcessingFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.providers.anonymous.AnonymousAuthenticationToken@9611369f: Principal: roleAnonymous; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: D3715F9CD33E0A8AC2867B618EBD6DFB; Granted Authorities: ROLE_ANONYMOUS'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - /no_credentials.html at position 7 of 13 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ]'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - /no_credentials.html at position 8 of 13 in additional filter chain; firing Filter: 'org.springframework.security.oauth.provider.UnauthenticatedRequestTokenProcessingFilter@452d4b9c'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.oauth.provider.UnauthenticatedRequestTokenProcessingFilter - Request does not require authentication. OAuth processing skipped.
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - /no_credentials.html at position 9 of 13 in additional filter chain; firing Filter: 'org.springframework.security.oauth.provider.UserAuthorizationProcessingFilter[ order=1416; ]'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.util.FilterChainProxy - /no_credentials.html at position 10 of 13 in additional filter chain; firing Filter: 'org.springframework.security.oauth.provider.AccessTokenProcessingFilter@20bf123f'
2012-02-26 01:53:32,325 DEBUG org.springframework.security.oauth.provider.AccessTokenProcessingFilter - Request does not require authentication. OAuth processing skipped.
2012-02-26 01:53:32,32
.....
.....
2012-02-26 01:53:32,512 DEBUG org.springframework.security.intercept.web.DefaultFilterInvocationDefinitionSource - Candidate is: '/no_credentials.html'; pattern is /no_credentials.html; matched=true
2012-02-26 01:53:32,512 DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - Secure object: FilterInvocation: URL: /no_credentials.html; ConfigAttributes: [ROLE_ANONYMOUS, ROLE_USER]
2012-02-26 01:53:32,512 DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - Previously Authenticated: org.springframework.security.providers.anonymous.AnonymousAuthenticationToken@69edb66b: Principal: roleAnonymous; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: BC43D8A62DEBAC4D09587C420AB7D7B4; Granted Authorities: ROLE_ANONYMOUS
2012-02-26 01:53:32,512 DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - Authorization successful
2012-02-26 01:53:32,512 DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - RunAsManager did not change Authentication object
2012-02-26 01:53:32,512 DEBUG org.springframework.security.util.FilterChainProxy - /no_credentials.html reached end of additional filter chain; proceeding with original chain
2012-02-26 01:53:32,512 DEBUG org.springframework.security.ui.ExceptionTranslationFilter - Chain processed normally
2012-02-26 01:53:32,512 DEBUG org.springframework.security.context.HttpSessionContextIntegrationFilter - SecurityContextHolder now cleared, as request processing completed
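
Added example (not part of the original thread, and not Eureka Streams code): a small triage script for a spring.security.log like the one above. It pairs each "Secure object" entry with the roles it required, the authorities the caller held, and the outcome, so denials raised for anonymous requests (which the log shows being redirected to the authentication entry point) stand apart from any other denial. The sample log is constructed from the lines in the post, and the function names are this example's own.

```python
import re

# Constructed sample modelled on the spring.security.log lines quoted in the thread:
# one entry per line, stack frames following their entry as continuation lines.
SAMPLE_LOG = """\
2012-02-26 01:53:32,200 DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - Secure object: FilterInvocation: URL: /gadgets/js/core:rpc:eurekastreams-container:shindig-container.js?c=1&container=eureka&debug=0; ConfigAttributes: [ROLE_USER]
2012-02-26 01:53:32,200 DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - Previously Authenticated: AnonymousAuthenticationToken: Principal: roleAnonymous; Authenticated: true; Granted Authorities: ROLE_ANONYMOUS
2012-02-26 01:53:32,200 DEBUG org.springframework.security.ui.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.AccessDeniedException: Access is denied
    at org.springframework.security.vote.AffirmativeBased.decide(AffirmativeBased.java:68)
2012-02-26 01:53:32,512 DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - Secure object: FilterInvocation: URL: /no_credentials.html; ConfigAttributes: [ROLE_ANONYMOUS, ROLE_USER]
2012-02-26 01:53:32,512 DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - Previously Authenticated: AnonymousAuthenticationToken: Principal: roleAnonymous; Authenticated: true; Granted Authorities: ROLE_ANONYMOUS
2012-02-26 01:53:32,512 DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - Authorization successful
"""

ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} DEBUG ", re.M)
SECURE_OBJECT = re.compile(r"Secure object: FilterInvocation: URL: (\S+); ConfigAttributes: \[([^\]]*)\]")
GRANTED = re.compile(r"Previously Authenticated:.*Granted Authorities: ([A-Z_, ]+)")


def _roles(text):
    return [r.strip() for r in text.split(",") if r.strip()]


def access_decisions(log_text):
    """Return one dict per secured request: url, required, granted, outcome."""
    starts = [m.start() for m in ENTRY_START.finditer(log_text)]
    decisions, current = [], None
    for begin, end in zip(starts, starts[1:] + [len(log_text)]):
        entry = log_text[begin:end]  # includes any stack-trace continuation lines
        secure = SECURE_OBJECT.search(entry)
        if secure:
            current = {"url": secure.group(1), "required": _roles(secure.group(2)),
                       "granted": [], "outcome": "unknown"}
            decisions.append(current)
        elif current is not None:
            granted = GRANTED.search(entry)
            if granted:
                current["granted"] = _roles(granted.group(1))
            elif "Authorization successful" in entry:
                current["outcome"] = "granted"
                current = None
            elif "Access is denied" in entry:
                anonymous = "user is anonymous" in entry
                current["outcome"] = "denied-anonymous" if anonymous else "denied"
                current = None
    return decisions


def anonymous_denials(decisions):
    """URLs refused only because the caller had not logged in yet."""
    return [d["url"] for d in decisions if d["outcome"] == "denied-anonymous"]


if __name__ == "__main__":
    for d in access_decisions(SAMPLE_LOG):
        print(d["outcome"], d["url"], "required:", d["required"], "granted:", d["granted"])
```

A log copied out of a mail client with hard line wrapping has to be unwrapped to one entry per line first, because the patterns match within a single line.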

Jan Boon

Feb 26, 2012, 3:43:29 PM
to eureka-st...@googlegroups.com
When I only refresh the login screen repeatedly I get each time 90kb of logging in spring.security.log and exactly the same access denied exception. After that I can normally log in with LDAP validation. The ES-wiring between Spring and GWT is beyond my comprehension.

Balaji Muthuvarathan

Feb 26, 2012, 9:58:43 PM
to Eureka Streams Development
Yeah, I just figured the exception had to do with GWT RPC.
But, thanks to you, I got the new code and ES is up, running, and
connecting to ldap and I get the login page.

But I still am not able to log in (unable find user xyz in directory).
I don't think it is picking up the baseLdapPath from the spring ldap
config. I do see the file being loaded by spring, but no matter what I
put in the spring ldap config file it doesn't seem to affect anything
(yeah the file isn't under webinf/classes/conf but under webinf/
classes/org/es/server/conf). Digging deeper.

thanks again,

-bala

On Feb 26, 3:43 pm, Jan Boon <janboon...@gmail.com> wrote:
> When I only refresh the login screen repeatedly I get each time 90kb of
> logging in spring.security.log and exactly the same access denied exception.
> After that I can normally login with LDAP validation. The ES-wiring between
> Spring and GWT is beyond my comprehension.

ba...@sumequal.com

Feb 27, 2012, 12:29:43 AM
to eureka-st...@googlegroups.com
I believe I found the issue with my LDAP search. Users are defined as objectclass=person in my LDAP, but ES is looking for objectclass=user. I would like to change it in ES. I do see objectclass=user is set in the server project's applicationContext-security-ldap.xml file. But I don't see it being actually used in the web app.

So, applicationContext-framework-ldap.xml is in the ROOT.war but I don't see it being used at all (at least not for the LDAP context/connection information). And applicationContext-security-ldap.xml seems to have the knob I want to turn, but I don't see that packaged in ROOT.war. hmmm..



Balaji Muthuvarathan

Feb 27, 2012, 2:01:26 AM
to Eureka Streams Development
Finally, I made contact with ApacheDS. Long story short:

1. Download the code with the LDAP fix
   (0285b0eaff79b529c6915687fb0ec88dd62e19f4).
2. Update the following 3 files with all relevant LDAP connection/query
   information:
      parent pom.xml file (filtered into es server.properties file)
      sharedresource project's applicationContext-framework-ldap.xml (copied into war)
      server project's applicationContext-security-ldap.xml (packaged in server.jar)


Jan Boon

Feb 27, 2012, 2:53:28 AM
to eureka-st...@googlegroups.com
Good. The framework-ldap.xml is used in a cron-job to synchronise users. With the correct attributes new LDAP-users are inserted in the database. I used the attribute ou=Eureka on the settings-page of a sysadmin to select them. Users not found in LDAP are disabled in ES.
Just to check I also copied the security-common.xml in the exploded WAR-tree. But I keep getting the exception just by refreshing the login-page. Maybe lm can shine some light on this.
 
