
RoleMapper getRoles() returns Anonymous with ldap authenticator


anand raman

Apr 13, 2004, 2:16:37 AM

hi guys

I am trying to integrate an openldap authentication provider with weblogic 7.0.

Looking at the log files I can say that the openldap authenticator is looking
into the ldap for principal and credential information and successfully
authenticates the user. However the AUTHORIZATION FAILS. Please refer to the
attached log file for more details. I have appended line numbers so that it is
easier to refer to them.

line 8: tries to authenticate user against the default authentication store,
but fails as the user doesn't exist
line 27: figures out the groups which contain the user "rbedi"
line 40: user authentication SUCCESS
line 50: figuring out the roles for the given subject, and resource
line 52: Default RoleMapper returns Anonymous and hence the request fails

SETUP
----------
1. created and configured an instance of openldap authentication provider
2. Set the "Control Flag" for both the authentication (default and openldap)
providers to "SUFFICIENT"
3. Using the default role mapper
4. I have created a role with the following condition
role1: Caller is a member of the group "users"

QUESTIONS
----------
I am unable to understand why the Default Role Mapper is not returning the
configured roles for my user. My understanding is that though users and groups
information stays in the ldap server, the roles information is entered under
Security >> Realms >> myRealm >> Roles. Am I correct? Where could I be going
wrong?

Also the same setup works fine, if I just use the default authentication store.

Thanks for your time

anand raman

anand raman

Apr 13, 2004, 3:34:33 AM

For some reason the trace log file wasn't attached; here it is.

anand raman

anand raman

Apr 13, 2004, 6:34:40 AM

I believe that file attachments are no longer allowed on the bea newsgroups site.
At least I haven't been able to see it so far.

Sorry for the spam, but this is the security trace log

1 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <PrincipalAuthenticator.authenticate>
2 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <LDAP ATN LoginModule
initialized>
3 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <LDAP Atn Login>
4 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <LDAP Atn Login
username: rbedi>
5 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <getConnection
return conn:weblogic.ldap.EmbeddedLDAPConnection@699ce5>
6 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <authenticate
user:rbedi, passwd:helloworld>
7 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <getDNForUser
search("ou=people,ou=myrealm,dc=testbed", "(&(uid=rbedi)(objectclass=person))",
base DN & below)>
8 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <returnConnection
conn:weblogic.ldap.EmbeddedLDAPConnection@699ce5>
javax.security.auth.login.FailedLoginException: Authentication Failed: User
rbedi denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:170)
at weblogic.security.service.DelegateLoginModuleImpl.login(DelegateLoginModuleImpl.java:70)
at java.lang.reflect.Method.invoke(Native Method)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:595)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:125)
at javax.security.auth.login.LoginContext$3.run(LoginContext.java:531)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:528)
at javax.security.auth.login.LoginContext.login(LoginContext.java:449)
at weblogic.security.service.PrincipalAuthenticator.authInternal(PrincipalAuthenticator.java:325)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:278)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:324)
at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:200)
at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:190)
at weblogic.servlet.security.internal.FormSecurityModule.checkA(FormSecurityModule.java:157)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:144)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3022)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2588)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:213)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:189)
9 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <LDAP ATN LoginModule
initialized>
10 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <LDAP Atn
Login>
11 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <LDAP Atn
Login username: rbedi>
12 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <new LDAP
connection to host woody.sapient.com port 389 use local connection is false>
13 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <created new
LDAP connection netscape.ldap.LDAPConnection@42bd13>
14 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <connection
succeeded>
15 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <getConnection
return conn:netscape.ldap.LDAPConnection@42bd13>
16 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <authenticate
user:rbedi, passwd:helloworld>
17 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <getDNForUser
search("ou=people, dc=sapient, dc=com", "(&(cn=rbedi)(objectclass=person))", base
DN + 1)>
18 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <DN for user
rbedi: cn=rbedi,ou=people,dc=sapient,dc=com>
19 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <returnConnection
conn:netscape.ldap.LDAPConnection@42bd13>
20 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <LDAP Atn
Authenticated User rbedi>
21 <Apr 13, 2004 11:18:54 AM IST> <Debug> <SecurityDebug> <000000> <List groups
that member: rbedi belongs to>
22 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <getConnection
return conn:netscape.ldap.LDAPConnection@42bd13>
23 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <getDNForUser
search("ou=people, dc=sapient, dc=com", "(&(cn=rbedi)(objectclass=person))", base
DN + 1)>
24 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <DN for user
rbedi: cn=rbedi,ou=people,dc=sapient,dc=com>
25 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <search("ou=groups,
dc=sapient, dc=com", "(&(member=cn=rbedi,ou=people,dc=sapient,dc=com)(objectclass=groupOfNames))",
base DN + 1)>
26 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <Result has
more elements: true>
27 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <LDAP Atn
added group users to user rbedi>
28 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <List groups
that member: users belongs to>
29 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <new LDAP
connection to host woody.sapient.com port 389 use local connection is false>
30 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <created new
LDAP connection netscape.ldap.LDAPConnection@1e3bdb>
31 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <connection
succeeded>
32 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <getConnection
return conn:netscape.ldap.LDAPConnection@1e3bdb>
33 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <getDNForUser
search("ou=people, dc=sapient, dc=com", "(&(cn=users)(objectclass=person))", base
DN + 1)>
34 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <search("ou=groups,
dc=sapient, dc=com", "(&(ou=users)(objectclass=organizationalUnit))", base DN
+ 1)>
35 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <DN for group
users: ou=users,ou=groups,dc=sapient,dc=com>
36 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <search("ou=groups,
dc=sapient, dc=com", "(&(member=ou=users,ou=groups,dc=sapient,dc=com)(objectclass=groupOfNames))",
base DN + 1)>
37 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <Result has
more elements: false>
38 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <returnConnection
conn:netscape.ldap.LDAPConnection@1e3bdb>
39 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <returnConnection
conn:netscape.ldap.LDAPConnection@42bd13>
40 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <login succeeded
for username rbedi>
41 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <LDAP Atn
Commit>
42 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <LDAP Atn
Commit>
43 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <LDAP Atn
Principal Added>
44 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <LDAP Atn
Group Added>
45 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <Signed WLS
principal rbedi>
46 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <Signed WLS
principal users>
47 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <PrincipalAuthenticator.validateIdentity>
48 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <Validate
WLS principal rbedi returns true>
49 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <Validate
WLS principal users returns true>
50 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <RoleManager.getRoles
subject: Subject: 2
Principal = class weblogic.security.principal.WLSUserImpl("rbedi")
Principal = class weblogic.security.principal.WLSGroupImpl("users")
Resource: type=<url>, application=web, contextPath=/web, uri=/security/index.jsp,
httpMethod=GET>
51 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <Default RoleMapper
getRoles(): input arguments:
Subject: 2
Principal = class weblogic.security.principal.WLSUserImpl("rbedi")
Principal = class weblogic.security.principal.WLSGroupImpl("users")

Resource: type=<url>, application=web, contextPath=/web, uri=/security/index.jsp,
httpMethod=GET>
52 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <Default RoleMapper
getRoles(): returning roles: Anonymous>
53 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <RoleManager.getRoles
Subject: Subject: 2
Principal = class weblogic.security.principal.WLSUserImpl("rbedi")
Principal = class weblogic.security.principal.WLSGroupImpl("users")
Resource: <url> type=<url>, application=web, contextPath=/web, uri=/security/index.jsp,
httpMethod=GET Anonymous roles.>
54 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <Default Authorization
isAccessAllowed(): input arguments:>
55 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> < Subject:
2
Principal = class weblogic.security.principal.WLSUserImpl("rbedi")
Principal = class weblogic.security.principal.WLSGroupImpl("users")
>
56 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> < Roles:Anonymous>
57 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> < Resource:
type=<url>, application=web, contextPath=/web, uri=/security/index.jsp, httpMethod=GET>
58 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> < Direction:
ONCE>
59 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <Default Authorization
isAccessAllowed(): returning DENY>
60 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <DefaultAdjudicatorImpl.adjudicate
results: DENY >
61 <Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <AuthorizationManager.isAccessAllowed
returning adjudicated: false>
62 <Apr 13, 2004 11:18:55 AM IST> <Info> <HTTP> <101047> <[ServletContext(id=2809030,name=web,context-path=/web)]
Generated java file: D:\tools\bea702\projects\testbed\myserver\.wlnotdelete\web_web_2809030\jsp_servlet\_security\__error.java>

thanks
anand raman

Tony

Apr 14, 2004, 7:36:06 AM
Maybe there is a case sensitivity difference in the group names in the
different LDAP stores.

Check that the case of the name of the group "users" matches in the LDAP stores
and the group name matches the case in the Role as well.

If the case/names match exactly, can you post a debug log that shows the
Default ATN succeeding for comparison?

thanks
Tony

"anand raman" <my_publ...@yahoo.co.in> wrote in message
news:407b...@newsgroups.bea.com...
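As an added illustration (not code from this thread, from BEA or from WebLogic), the following Python checker pulls the subject's group principals, the mapped roles and the authorization decision out of a SecurityDebug trace like the one posted above and applies the case-sensitivity check Tony suggests against the realm's role conditions. The sample trace and the `role_conditions` mapping (role name to the group its "Caller is a member of" condition names) are constructed for the example.

```python
import re

# Constructed excerpt modelled on the thread's SecurityDebug trace (not the poster's file)
SAMPLE_LOG = """\
<Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <LDAP Atn added group users to user rbedi>
<Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <login succeeded for username rbedi>
<Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <Default RoleMapper getRoles(): input arguments:
Subject: 2
Principal = class weblogic.security.principal.WLSUserImpl("rbedi")
Principal = class weblogic.security.principal.WLSGroupImpl("users")
Resource: type=<url>, application=web, contextPath=/web, uri=/security/index.jsp, httpMethod=GET>
<Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <Default RoleMapper getRoles(): returning roles: Anonymous>
<Apr 13, 2004 11:18:55 AM IST> <Debug> <SecurityDebug> <000000> <Default Authorization isAccessAllowed(): returning DENY>
"""

LOGIN_RE = re.compile(r"<login succeeded for username (\S+)>")
GROUP_RE = re.compile(r'WLSGroupImpl\("([^"]+)"\)')
ROLES_RE = re.compile(r"getRoles\(\): returning roles: ([^>]*)>")
DECISION_RE = re.compile(r"isAccessAllowed\(\): returning (\w+)")


def parse_trace(text):
    """Extract the authn result, subject group principals, mapped roles and atz decision."""
    login = LOGIN_RE.search(text)
    roles = ROLES_RE.search(text)
    decision = DECISION_RE.search(text)
    return {
        "login_ok": login is not None,
        "groups": set(GROUP_RE.findall(text)),  # group principals signed into the subject
        "roles": set(r.strip() for r in roles.group(1).split(",")) if roles else set(),
        "decision": decision.group(1) if decision else None,
    }


def diagnose(trace, role_conditions):
    """Explain, per role, why the role mapper may not have granted it to this subject."""
    findings = []
    if trace["login_ok"] and trace["roles"] == {"Anonymous"}:
        findings.append("authentication succeeded but the role mapper granted only Anonymous")
    lowered = {g.lower(): g for g in trace["groups"]}  # for the case-insensitive comparison
    for role, group in role_conditions.items():
        if role in trace["roles"]:
            continue
        if group in trace["groups"]:
            findings.append(f"{role}: subject holds group {group!r} yet the role was not granted; check the role is defined for this realm and resource scope")
        elif group.lower() in lowered:
            findings.append(f"{role}: case mismatch, subject group is {lowered[group.lower()]!r} but the role condition names {group!r}")
        else:
            findings.append(f"{role}: required group {group!r} is not among subject groups {sorted(trace['groups'])}")
    return findings
```

Running `diagnose(parse_trace(SAMPLE_LOG), {"role1": "Users"})` reports the case mismatch; with `{"role1": "users"}` it reports that the group is present but the role was still not granted, which points at the role definition or scope rather than the group name.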

Tony

Apr 14, 2004, 7:47:25 AM
I'm not sure whether the previous debug had the RoleMapper debug turned on.
The following debug flags should be turned on; if not, can you post the
failure log again with these turned on:

<ServerDebug
DebugSecurityAtn="true"
DebugSecurityAtz="true"
DebugSecurityAdjudicator="true"
DebugSecurityRoleMap="true"/>

thanks
Tony


"Tony" <TonyV> wrote in message news:407d...@newsgroups.bea.com...
