tomcat-users mailing list archives

From Phil Mocek <pmocek-list-tomcat-u...@mocek.org>
Subject Tomcat 5, JAASRealm, JNDILoginModule: error digesting user credentials
Date Fri, 17 Dec 2004 19:08:11 GMT
I'm attempting to cause Tomcat (I've tried versions 5.0.28 and
5.0.30) to perform user authentication against an LDAP server with
the JAASRealm and the JAAS JndiLoginModule.

I've ruled out LDAP server problems because things work properly
if I configure Tomcat to use the JNDIRealm instead of JAASRealm by
placing the following in Tomcat's server.xml:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:389"
         userPattern="uid={0},ou=associates,dc=mocek,dc=com"
            roleBase="ou=groups,dc=mocek,dc=com"
            roleName="cn"
          roleSearch="(uniqueMember={0})" />

It's my understanding that the JNDIRealm is now able to
authenticate with an LDAP server either by performing a bind
operation or by comparing passwords, but that the JAASRealm's
JndiLoginModule is only capable of the latter.  In order to allow
for this, my LDAP server is configured to allow anonymous read
access to the userPassword attribute.


I want to do exactly what happens with the above configuration,
except with JAAS inserted between Tomcat and the LDAP server.
I've substituted the above Realm element with the following (note
that digest is set to SHA and I've verified that my userPassword
on the LDAP server is SHA-digested):

    <Realm className="org.apache.catalina.realm.JAASRealm" debug="99"
              appName="someApplication"
               digest="SHA"
       userClassNames="com.sun.security.auth.UnixPrincipal"
       roleClassNames="com.sun.security.auth.UnixNumericGroupPrincipal" />


I started Tomcat with the following option:

    -Djava.security.auth.login.config==$CATALINA_HOME/conf/jaas.login.config


and included the following in $CATALINA_HOME/conf/jaas.login.config:

    someApplication {
        com.sun.security.auth.module.JndiLoginModule required debug=true
          user.provider.url="ldap://localhost:389/ou=associates,dc=mocek,dc=com"
         group.provider.url="ldap://localhost:389/ou=groups,dc=mocek,dc=com";
    };

I'm testing with the stock Tomcat manager and admin applications.

After I submit the login form of the admin app, login fails and
Tomcat writes the following to standard output:

    Dec 16, 2004 3:35:45 PM org.apache.struts.util.PropertyMessageResources <init>
    INFO: Initializing, config='org.apache.struts.taglib.html.LocalStrings', returnNull=true
    Dec 16, 2004 3:35:45 PM org.apache.struts.util.PropertyMessageResources <init>
    INFO: Initializing, config='org.apache.struts.util.LocalStrings', returnNull=true
    Dec 16, 2004 3:35:45 PM org.apache.struts.util.PropertyMessageResources <init>
    INFO: Initializing, config='org.apache.struts.taglib.bean.LocalStrings', returnNull=true
    Dec 16, 2004 3:35:45 PM org.apache.struts.util.PropertyMessageResources <init>
    INFO: Initializing, config='org.apache.struts.taglib.html.LocalStrings', returnNull=true
                    [JndiLoginModule] user provider: ldap://localhost:389/ou=associates,dc=mocek,dc=com
                    [JndiLoginModule] group provider: ldap://localhost:389/ou=groups,dc=mocek,dc=com
                    [JndiLoginModule] attemptAuthentication() failed
                    [JndiLoginModule] regular authentication failed
                    [JndiLoginModule]: aborted authentication failed
    Dec 16, 2004 3:36:40 PM org.apache.struts.util.PropertyMessageResources <init>
    INFO: Initializing, config='org.apache.struts.taglib.html.LocalStrings', returnNull=true
    Dec 16, 2004 3:36:40 PM org.apache.struts.util.PropertyMessageResources <init>
    INFO: Initializing, config='org.apache.struts.taglib.html.LocalStrings', returnNull=true


When I instead attempt to run the manager application (i.e., load
/manager in a browser), the browser produces a login window, and
Tomcat writes the following to standard output -- before I've
entered my user name and password:

    Dec 16, 2004 3:47:12 PM org.apache.catalina.realm.RealmBase digest
    SEVERE: Error digesting user credentials
    java.lang.NullPointerException
            at org.apache.catalina.realm.RealmBase.digest(RealmBase.java:1062)
            at org.apache.catalina.realm.JAASCallbackHandler.<init>(JAASCallbackHandler.java:73)
            at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:358)
            at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:129)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
            at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
            at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
            at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
            at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
            at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
            at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
            at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
            at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
            at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
            at java.lang.Thread.run(Thread.java:534)
                    [JndiLoginModule] user provider: ldap://localhost:389/ou=associates,dc=mocek,dc=com
                    [JndiLoginModule] group provider: ldap://localhost:389/ou=groups,dc=mocek,dc=com
                    [JndiLoginModule]: User not found
                    [JndiLoginModule] regular authentication failed
                    [JndiLoginModule]: aborted authentication failed


I then fill in user name and password and click 'okay'.  Login fails,
and Tomcat writes the following to standard output:

                    [JndiLoginModule] user provider: ldap://localhost:389/ou=associates,dc=mocek,dc=com
                    [JndiLoginModule] group provider: ldap://localhost:389/ou=groups,dc=mocek,dc=com
                    [JndiLoginModule] attemptAuthentication() failed
                    [JndiLoginModule] regular authentication failed
                    [JndiLoginModule]: aborted authentication failed

There doesn't seem to be much information on JAASRealm on the Web
yet, and even less about JndiLoginModule.  I've scanned this
list's archive and see no discussion of this error.  Can someone
suggest where I should go with this?

-- 
Phil Mocek

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
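Added example, not part of Phil's message and not code from Tomcat or the JDK: a small Python model of the two credential encodings that meet in the setup above. With digest="SHA", Tomcat's RealmBase.digest() hashes the plaintext password with Java's "SHA" algorithm (SHA-1) and hands the JAAS callback a lowercase hex string. The {SHA} scheme that OpenLDAP's slappasswd writes into userPassword is the literal prefix plus base64 of the same raw SHA-1 bytes. The message does not say which LDAP server is in use, so the {SHA} form is an assumption here. The None branch follows the stack trace: BasicAuthenticator consults the realm before any Authorization header has arrived, and the "Error digesting user credentials" NullPointerException is digest() being handed null credentials, which it then returns unchanged (hence "User not found" from the login module). The function names are made up for this example.

```python
import base64
import hashlib
from typing import Optional

# Java MessageDigest names as used in Tomcat's digest="..." attribute,
# mapped to hashlib names. "SHA" in Java means SHA-1.
_JAVA_DIGEST_NAMES = {"SHA": "sha1", "SHA-1": "sha1", "MD5": "md5", "SHA-256": "sha256"}


def tomcat_digest(credentials: Optional[str], algorithm: Optional[str] = "SHA") -> Optional[str]:
    """Model of RealmBase.digest(): with no algorithm the credentials pass
    through unchanged; otherwise the plaintext is hashed and returned as
    lowercase hex. Null credentials (no Authorization header yet) are
    returned unchanged as well; Tomcat 5.0 reaches the same result only
    after logging the NullPointerException seen in the trace above."""
    if algorithm is None or credentials is None:
        return credentials
    h = hashlib.new(_JAVA_DIGEST_NAMES.get(algorithm, algorithm.lower()))
    h.update(credentials.encode("utf-8"))
    return h.hexdigest()


def openldap_sha_userpassword(password: str) -> str:
    """Constructed: the {SHA} userPassword form OpenLDAP uses,
    i.e. the scheme prefix plus base64 of the raw SHA-1 digest."""
    raw = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(raw).decode("ascii")


def stored_matches_received(stored: str, received: Optional[str]) -> bool:
    """Plain string equality between the LDAP attribute value and what the
    realm passes on. This is what fails when one side is hex and the other
    is {SHA}+base64, even though both hash the same password."""
    return received is not None and stored == received


def same_underlying_hash(stored: str, received_hex: Optional[str]) -> bool:
    """What a scheme-aware comparison has to do: strip the {SHA} prefix,
    decode the base64 payload and compare raw bytes with the hex form."""
    if received_hex is None or not stored.startswith("{SHA}"):
        return False
    try:
        return base64.b64decode(stored[len("{SHA}"):]) == bytes.fromhex(received_hex)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the classic OpenLDAP hash of the password "secret".
    stored = openldap_sha_userpassword("secret")
    received = tomcat_digest("secret")
    print("LDAP userPassword :", stored)
    print("Tomcat digest     :", received)
    print("string equal      :", stored_matches_received(stored, received))
    print("same SHA-1 bytes  :", same_underlying_hash(stored, received))
    print("null credentials  :", tomcat_digest(None))
```

Run it to see both encodings of the same password side by side: the string comparison is false while the byte comparison is true, which is the shape of a mismatch between a realm-side digest and a directory-side password scheme. Whether a given login module can bridge the two is a property of that module, not of the realm.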

