Re: Issue with form based authentication

Mon, 12 Apr 2021 08:43:20 -0700

I already answered in the same direction over a week ago on one of the first messages: 

Hi,
I might be wrong, but I think the problem is that as soon as you configure the forms based auth handler, you don't have a handler for other paths like /system/console. Your logs show this statement 
"No handler for request (1 handlers available)"
So, you have two options: define a default handler for "/" or configure SlingAuthenticator to treat everything that is not handled by a handler via basic auth (auth.http configuration) 

Regards

Carsten

Am 12.04.2021 um 17:32 schrieb Cris Rockwell:

Hi Juerg

Regarding the first error, if the following occurred

1. you signed into Sling using the login page (/system/sling/login.html)
2. you changed the `path` property for 
org.apache.sling.auth.form.FormAuthenticationHandler from '/' to  ‘/content/a/b'

Then, perhaps auth access and errors should be expected for requests for any 
path that is not under  /content/a/b
For example, /system/console/configMgr is not under /content/a/b, so your 
previous forms auth credential is no longer applicable.

Also, is org.apache.sling.engine.impl.auth.SlingAuthenticator configured to 
disable auth.http?
if so, then I think the NoAuthenticationHandlerException would be expected.

The fact that http://localhost:8080/system/sling/form/login 
<http://localhost:8080/system/sling/form/login> is 403 is odd
You may want to double check 
org.apache.sling.engine.impl.auth.SlingAuthenticator
Authentication Requirements includes "-/system/sling/login"

Regards
Cris


On Apr 12, 2021, at 10:05 AM, JCR <j...@proxymit.net> wrote:

Hello,

I post this issue here because I have not got any answer on the user's list.
The thread comprises of two messages, whereas the second details the error from 
error.log. I use Sling 11 and Java 11.

Thanks,
Juerg Meier


***************************************

On 12.03.21 12:30, JCR wrote:
I tried to configure form based authentication for a certain subtree under 
/content.

So I added the path in the Felix console the Sling Form Based Authentication 
Handler configuration, providing the absolute path /content/a/b, being the 
admin user.
But saving the changed configuration resulted in this error:

HTTP ERROR 500
Problem accessing 
/system/console/configMgr/org.apache.sling.auth.form.FormAuthenticationHandler. 
Reason:

     Server Error

Caused by:
org.apache.sling.api.auth.NoAuthenticationHandlerException
     at 
org.apache.sling.auth.core.impl.SlingAuthenticator.login(SlingAuthenticator.java:588)
     at 
org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2.authenticate(SlingWebConsoleSecurityProvider2.java:91)
     at 
org.apache.felix.webconsole.internal.servlet.OsgiManagerHttpContext.handleSecurity(OsgiManagerHttpContext.java:103)
     at 
org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:406)
     at 
org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:58)
     at 
org.apache.felix.http.base.internal.dispatch.Dispatcher$1.doFilter(Dispatcher.java:146)
     at 
org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1014)
     at 
org.apache.felix.http.sslfilter.internal.SslFilter.doFilter(SslFilter.java:97)
     ...

Note that at that point in time, the Apache Sling Form Based Authentication 
Handlerorg.apache.sling.auth.form bundle (V 1.0.12) was active.

And, the changed record got actually written to file 
/sling/config/org/apache/sling/auth/form/FormAuthenticationHandler.config :

:org.apache.felix.configadmin.revision:=L"1"^M
form.auth.name="sling.formauth"^M
form.auth.storage="cookie"^M
form.auth.timeout=I"30"^M
form.credentials.name="sling.formauth"^M
form.default.cookie.domain=""^M
form.login.form="/system/sling/form/login"^M
form.onexpire.login=B"false"^M
form.token.fastseed=B"false"^M
form.token.file="cookie-tokens.bin"^M
jaas.controlFlag="sufficient"^M
jaas.ranking=I"1000"^M
jaas.realmName="jackrabbit.oak"^M
path=[ \^M
   "/content/a/b", \^M
   ]^M
preferReasonCode=B"false"^M
service.pid="org.apache.sling.auth.form.FormAuthenticationHandler"^M
service.ranking=I"0"^M
useInclude=B"false"^M


The login page (/system/sling/login.html) returned with Http status 403:

The requested URL /system/sling/login.html resulted in an error in 
org.apache.sling.auth.core.impl.LoginServlet.
Request Progress:

       0 TIMER_START{Request Processing}
       3 COMMENT timer_end format is {<elapsed microseconds>,<timer name>} 
<optional message>
      13 LOG Method=GET, PathInfo=null
      14 TIMER_START{handleSecurity}
    1277 TIMER_END{1260,handleSecurity} authenticator 
org.apache.sling.auth.core.impl.SlingAuthenticator@232f04d8 returns true
    2061 TIMER_START{ResourceResolution}
    2254 TIMER_END{189,ResourceResolution} URI=/system/sling/login.html 
resolves to Resource=ServletResource, 
servlet=org.apache.sling.auth.core.impl.LoginServlet, path=/system/sling/login
    2273 LOG Resource Path Info: SlingRequestPathInfo: 
path='/system/sling/login', selectorString='null', extension='html', 
suffix='null'
    2274 TIMER_START{ServletResolution}
    2282 TIMER_START{resolveServlet(/system/sling/login)}
    2306 TIMER_END{23,resolveServlet(/system/sling/login)} Using servlet 
org.apache.sling.auth.core.impl.LoginServlet
    2311 TIMER_END{36,ServletResolution} URI=/system/sling/login.html handled 
by Servlet=org.apache.sling.auth.core.impl.LoginServlet
    2328 LOG Applying Requestfilters
    2339 LOG Calling filter: org.apache.sling.i18n.impl.I18NFilter
    2347 LOG Calling filter: 
org.apache.sling.engine.impl.debug.RequestProgressTrackerLogFilter
    2355 LOG Applying Componentfilters
    2370 TIMER_START{org.apache.sling.auth.core.impl.LoginServlet#0}
    2753 LOG Applying Error filters
    2758 LOG Calling filter: org.apache.sling.i18n.impl.I18NFilter
    2769 TIMER_START{handleError:status=403}
    3509 TIMER_END{736,handleError:status=403} Using handler 
org.apache.sling.servlets.resolver.internal.defaults.DefaultErrorHandlerServlet
    4880 TIMER_END{4878,Request Processing} Dumping SlingRequestProgressTracker 
Entries

The login page only returns back to normal after completely removing (manually) 
the three path lines in FormAuthenticationHandler.config. So there seems to be 
a problem with the path entry.

What goes wrong here?

Thanks,
Juerg

************************************

Here are further details on the NoAuthenticationHandlerException below (from 
error.log, upon saving the configuration change.

20.03.2021 19:46:06.617 *INFO*[CM Event Dispatcher (Fire ConfigurationEvent: 
pid=org.apache.sling.auth.form.FormAuthenticationHandler)] 
org.apache.sling.auth.form Service 
[org.apache.sling.auth.form.FormAuthenticationHandler,244, 
[org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent 
UNREGISTERING
20.03.2021 19:46:06.620 *INFO*[CM Event Dispatcher (Fire ConfigurationEvent: 
pid=org.apache.sling.auth.form.FormAuthenticationHandler)] 
org.apache.sling.auth.form Service [LoginModule Support for 
FormAuthenticationHandler,245, [org.apache.felix.jaas.LoginModuleFactory]] 
ServiceEvent UNREGISTERING
20.03.2021 19:46:06.622 *INFO*[CM Event Dispatcher (Fire ConfigurationEvent: 
pid=org.apache.sling.auth.form.FormAuthenticationHandler)] 
org.apache.felix.jaas Deregistering LoginModuleFactory 
OsgiLoginModuleProvider{className=org.apache.sling.auth.form.impl.jaas.JaasHelper$1,
 ranking=1000, flag=LoginModuleControlFlag: sufficient, 
realmName='jackrabbit.oak'}
20.03.2021 19:46:06.624 *INFO*[CM Event Dispatcher (Fire ConfigurationEvent: 
pid=org.apache.sling.auth.form.FormAuthenticationHandler)] 
org.apache.sling.auth.form Service 
[org.apache.sling.auth.form.FormAuthenticationHandler,1101, 
[org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent REGISTERED
20.03.2021 19:46:06.625 *INFO*[CM Event Dispatcher (Fire ConfigurationEvent: 
pid=org.apache.sling.auth.form.FormAuthenticationHandler)] 
org.apache.sling.auth.form Service [LoginModule Support for 
FormAuthenticationHandler,1102, [org.apache.felix.jaas.LoginModuleFactory]] 
ServiceEvent REGISTERED
20.03.2021 19:46:06.627 *INFO*[CM Event Dispatcher (Fire ConfigurationEvent: 
pid=org.apache.sling.auth.form.FormAuthenticationHandler)] 
org.apache.felix.jaas Registering LoginModuleFactory LoginModule Support for 
FormAuthenticationHandler (org.apache.sling.auth.form.impl.jaas.FormLoginModule)
20.03.2021 19:46:06.627 *INFO*[CM Event Dispatcher (Fire ConfigurationEvent: 
pid=org.apache.sling.auth.form.FormAuthenticationHandler)] 
org.apache.sling.auth.form.impl.jaas.JaasHelper Registered 
FormLoginModuleFactory
20.03.2021 19:46:06.628 *INFO*[CM Event Dispatcher (Fire ConfigurationEvent: 
pid=org.apache.sling.auth.form.FormAuthenticationHandler)] 
org.apache.sling.auth.form.impl.FormAuthenticationHandler Login Form URL 
/system/sling/form/login
20.03.2021 19:46:06.628 *INFO*[CM Event Dispatcher (Fire ConfigurationEvent: 
pid=org.apache.sling.auth.form.FormAuthenticationHandler)] 
org.apache.sling.auth.form.impl.FormAuthenticationHandler Using Cookie store 
with name sling.formauth
20.03.2021 19:46:06.628 *INFO*[CM Event Dispatcher (Fire ConfigurationEvent: 
pid=org.apache.sling.auth.form.FormAuthenticationHandler)] 
org.apache.sling.auth.form.impl.FormAuthenticationHandler Setting Auth Data 
attribute name sling.formauth
20.03.2021 19:46:06.628 *INFO*[CM Event Dispatcher (Fire ConfigurationEvent: 
pid=org.apache.sling.auth.form.FormAuthenticationHandler)] 
org.apache.sling.auth.form.impl.FormAuthenticationHandler Setting session 
timeout 30 minutes
20.03.2021 19:46:06.628 *INFO*[CM Event Dispatcher (Fire ConfigurationEvent: 
pid=org.apache.sling.auth.form.FormAuthenticationHandler)] 
org.apache.sling.auth.form.impl.FormAuthenticationHandler Storing tokens in 
/home/juerg/bin/sling11/sling/felix/bundle114/data/cookie-tokens.bin
20.03.2021 19:46:06.628 *INFO*[CM Event Dispatcher (Fire ConfigurationEvent: 
pid=org.apache.sling.auth.form.FormAuthenticationHandler)] 
org.apache.sling.auth.form.impl.TokenStore Seeding the secure random number 
generator can take up to several minutes on some operating systems depending 
upon environment factors. If this is a problem for you, set the system property 
'java.security.egd' to 'file:/dev/./urandom' or enable the Fast Seed Generator 
in the Web Console
20.03.2021 19:46:06.661 *ERROR*[qtp128006962-1044] 
org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2
 authenticate: Expected user ID anonymous to refer to a user
20.03.2021 19:46:06.661 *INFO*[qtp128006962-1044] 
org.apache.sling.auth.core.impl.SlingAuthenticator login: No handler for 
request (1 handlers available)
20.03.2021 19:46:06.662 *ERROR*[qtp128006962-1044] org.apache.felix.http.jetty 
Exception while processing request to /system/console/configMgr 
(org.apache.sling.api.auth.NoAuthenticationHandlerException)
org.apache.sling.api.auth.NoAuthenticationHandlerException: null
     at 
org.apache.sling.auth.core.impl.SlingAuthenticator.login(SlingAuthenticator.java:588)
 [org.apache.sling.auth.core:1.4.2]
     at 
org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2.authenticate(SlingWebConsoleSecurityProvider2.java:91)
 [org.apache.sling.extensions.webconsolesecurityprovider:1.2.0]
     at 
org.apache.felix.webconsole.internal.servlet.OsgiManagerHttpContext.handleSecurity(OsgiManagerHttpContext.java:103)
 [org.apache.felix.webconsole:4.3.8]
     at 
org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:406)
 [org.apache.felix.http.jetty:4.0.6]
     at 
org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:58)
 [org.apache.felix.http.jetty:4.0.6]
     at 
org.apache.felix.http.base.internal.dispatch.Dispatcher$1.doFilter(Dispatcher.java:146)
 [org.apache.felix.http.jetty:4.0.6]
     at 
org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1014)
 [org.apache.felix.http.jetty:4.0.6]
     at 
org.apache.felix.http.sslfilter.internal.SslFilter.doFilter(SslFilter.java:97) 
[org.apache.felix.http.sslfilter:1.2.6]
     at 
org.apache.felix.http.base.internal.handler.PreprocessorHandler.handle(PreprocessorHandler.java:133)
 [org.apache.felix.http.jetty:4.0.6]
     at 
org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1020)
 [org.apache.felix.http.jetty:4.0.6]
     at 
org.apache.felix.http.base.internal.whiteboard.WhiteboardManager.invokePreprocessors(WhiteboardManager.java:1024)
 [org.apache.felix.http.jetty:4.0.6]
     at 
org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:91)
 [org.apache.felix.http.jetty:4.0.6]
     at 
org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49)
 [org.apache.felix.http.jetty:4.0.6]
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:725) 
[org.apache.felix.http.servlet-api:1.1.2]
     ....

A few comments:

- no idea what role user id 'anonymous' plays in here. What I do know, however, 
is that it is a registered user in the system:

    "anonymous": {
     "memberOf": [],
     "declaredMemberOf": [],
     "path": "/home/users/g/gktXr8UiIxG9fmuKU5sM7"
     }

- the change in the config was done with user 'admin'
- generating a token "taking minutes": would be no problem.

Thanks for any help on this!

Regards,
Juerg






--
--
Carsten Ziegeler
Adobe Research Switzerland
cziege...@apache.org

Reply via email to