pwm logout loop


Con

Aug 3, 2011, 5:13:28 PM
to pwm-general
Hi Jason,

I have spent some time integrating pwm with Websphere. The only
change I have made is that I have modified BasicAuthInfo to check for
web container authentication, in the form of a JAAS Subject Public
Credential, in addition to a Basic Auth header. I've built some code
in Websphere to set the user credentials into this credential at login
time. So all works well, no BasicAuth headers bouncing back and forth.

It all works great, until I expire a password in Novell LDAP. The flow
is then:

1. WebSphere binds to LDAP as part of login, all is OK. (It doesn't
understand password expiration.)
2. It then redirects to /pwm/CommandServlet?processAction=checkExpire.
3. This retrieves the user credentials (as described above), and
checks the password (again). It decides it's expired, and calls the
changePassword page. All great so far.
4. I change the password, and then pwm changes it successfully in
LDAP, and redirects to the logoutURL. This URL is basically my portal
start page, and back to step (1) we go.

The problem is that pwm is permanently logging me out after this. In
the logs, when I next call commandServlet&action=checkExpire, I can
see:

SessionFilter - talks about forwardURL and logoutURL being set
BasicAuth reading the credentials, this time the new ones.
Authentication filter doing its thing OK. (As far as I can see)
CommandServlet: "received request for action checkExpire"

and then it gets into this piece of code:
    // log the user out if our finish action is currently set to log out.
    if (ssBean.getFinishAction() == SessionStateBean.FINISH_ACTION.LOGOUT) {
        LOGGER.trace(pwmSession, "logging out user; password has been modified");

        resp.sendRedirect(SessionFilter.rewriteRedirectURL(PwmConstants.URL_SERVLET_LOGOUT, req, resp));
        return;
    }

and out we go.

I'm so close to having this as a really neat solution with Websphere,
I would really appreciate it if you can point out what I'm doing
wrong?

Cheers,
Con

Jason Rivard

Aug 3, 2011, 5:26:59 PM
to pwm-g...@googlegroups.com
Try setting General -> Logout After Password Change to false.

Con

Aug 3, 2011, 5:55:54 PM
to pwm-general
Hi Jason,
I see I'm not the only lunatic still working at this time of
night :-) I did actually try that, but the code fails when I log out
of my Websphere Application, and then try to log in again. The new
credentials are passed to the AuthenticationFilter, (via
BasicAuthInfo) who gets very upset that the new credentials and the
existing session credentials don't match.

So, I can see exactly why one would want a session termination after a
password change. I just can't see why it's not working!

Cheers,
Con

Jason Rivard

Aug 4, 2011, 12:29:36 AM
to pwm-g...@googlegroups.com
I'm guessing you'll want to comment out lines 113-134 of AuthenticationFilter.java:


From the comments:

    // if we get here then user is using basic auth, and header has changed since last request
    // this means something is screwy, so log out the session Good Luck.

Con

Aug 4, 2011, 2:22:00 PM
to pwm-general
Hi Jason,
No need, I managed to figure out how it all hangs together, and
thence the bug. Basically, in the ChangePasswordServlet, if the
password is successfully changed, the code sets a "finishAction" in
the SessionStateBean to "LOGOUT".

Back in the CommandServlet, this action is checked, and if set, logs
out.

However, the "finishAction" is never reset, so if I come back into the
CommandServlet within 5 minutes (The HTTP Session timeout), the same
SessionStateBean exists, and has "finishAction" still set to "LOGOUT",
so the CommandServlet obeys.

I added a line to the "unauthenticateUser" method in the PwmSession
class, to reset the "finishAction" to "FORWARD".

All working great now with WebSphere.

Many thanks for your support, and a great piece of code.

Cheers,
Con
On Aug 4, 5:29 am, Jason Rivard <jriv...@gmail.com> wrote:
> I'm guessing you'll want to comment out lines 113-134 of
> AuthenticationFilter.java:
>
> http://code.google.com/p/pwm/source/browse/trunk/pwm/servlet/src/pass...
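The mechanism Con describes in his last post, as an added illustration that is not pwm's own code: a stripped-down model of the session state bean, the checkExpire branch quoted earlier in the thread, and the logout call, run once without and once with the reset in unauthenticateUser(). The class and method names (SessionStateBean, FINISH_ACTION, PwmSession, unauthenticateUser, checkExpire) follow the thread; their bodies, the user DN and the redirect strings are assumptions made for the demonstration.

```java
// Added example, not code from the pwm project: models why a finishAction that
// is never cleared makes every later checkExpire request in the same HTTP
// session redirect to the logout URL, and how clearing it on logout stops that.
import java.util.ArrayList;
import java.util.List;

public class LogoutLoopDemo {

    // Modeled on pwm's SessionStateBean: it lives in the HttpSession, so it
    // survives a logout as long as the container session has not timed out.
    static class SessionStateBean {
        enum FINISH_ACTION { FORWARD, LOGOUT }
        private FINISH_ACTION finishAction = FINISH_ACTION.FORWARD;
        private boolean authenticated;
        private String userDN;

        FINISH_ACTION getFinishAction() { return finishAction; }
        void setFinishAction(FINISH_ACTION a) { finishAction = a; }
    }

    // Modeled on pwm's PwmSession; 'resetFinishAction' switches between the
    // behaviour Con observed and the one-line fix he describes.
    static class PwmSession {
        final SessionStateBean ssBean = new SessionStateBean();
        private final boolean resetFinishAction;

        PwmSession(boolean resetFinishAction) { this.resetFinishAction = resetFinishAction; }

        void authenticateUser(String userDN) {
            ssBean.authenticated = true;
            ssBean.userDN = userDN;
        }

        // Called by the logout servlet. Without the reset, the LOGOUT finish
        // action is left behind in the bean for the next request.
        void unauthenticateUser() {
            ssBean.authenticated = false;
            ssBean.userDN = null;
            if (resetFinishAction) {
                ssBean.setFinishAction(SessionStateBean.FINISH_ACTION.FORWARD); // the fix
            }
        }
    }

    // The checkExpire branch quoted in the thread, reduced to its decision.
    static String checkExpire(PwmSession pwmSession, boolean passwordExpired) {
        SessionStateBean ssBean = pwmSession.ssBean;
        if (ssBean.getFinishAction() == SessionStateBean.FINISH_ACTION.LOGOUT) {
            return "redirect:/pwm/Logout"; // "logging out user; password has been modified"
        }
        if (passwordExpired) {
            return "redirect:/pwm/ChangePassword";
        }
        return "redirect:forwardURL";
    }

    // What ChangePasswordServlet does after a successful change (per the thread).
    static void changePasswordSucceeded(PwmSession pwmSession) {
        pwmSession.ssBean.setFinishAction(SessionStateBean.FINISH_ACTION.LOGOUT);
    }

    // Replays the flow from the thread: container login, checkExpire with an
    // expired password, password change, checkExpire (logout), container
    // re-login inside the session timeout, checkExpire again.
    static List<String> simulate(boolean withFix) {
        PwmSession session = new PwmSession(withFix);
        List<String> trace = new ArrayList<>();
        String userDN = "cn=con,o=example"; // constructed sample value

        session.authenticateUser(userDN);                 // step 1: WebSphere login
        trace.add(checkExpire(session, true));            // step 3: expired -> change page
        changePasswordSucceeded(session);                 // step 4: password changed
        trace.add(checkExpire(session, false));           // finishAction == LOGOUT -> logout
        session.unauthenticateUser();                     // logout servlet
        session.authenticateUser(userDN);                 // portal re-login, same HttpSession
        trace.add(checkExpire(session, false));           // loop without the fix, forward with it
        return trace;
    }

    public static void main(String[] args) {
        System.out.println("without fix: " + simulate(false));
        System.out.println("with fix:    " + simulate(true));
    }
}
```

Run as written, the last entry of the first trace is the logout redirect again (the loop), while the second trace ends with the forward. The general point is the one this thread turns on: any per-session flag that drives a control-flow decision must be cleared as part of the unauthenticate path, because the container session outlives the application's notion of "logged in".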