[ https://issues.apache.org/jira/browse/JSPWIKI-140?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Holeczek closed JSPWIKI-140.
------------------------------------


> Problem with Authentication using JBoss LDAP - custom LDAP roles such as "Authenticated" still required?
> --------------------------------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-140
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-140
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>    Affects Versions: 2.6.1
>         Environment: JBoss 4.2.2
> JspWiki 2.6.1 cvs 7
> JRockit R27.4  (= JDK 1.6.0_02)
>            Reporter: Milton Taylor
>            Assignee: Andrew Jaquith
>             Fix For: 2.8
>
>
> I'm having a problem that I think I have tracked down to this change? Maybe it doesn't quite work as it was intended:
> From: Ver 2.5.26 change history
> * Minor enhancement to WikiSession now allows full use of non-JSPWiki
>         supplied JAAS LoginModules in the JSPWiki-custom configuration. Previously,
>         we considered a user to be authenticated only if a LoginModule had added
>         Role.AUTHENTICATED to the Subject's principal set. This is clearly
>         unreasonable for LoginModules that have no knowledge of JSPWiki, such
>         as Sun's supplied modules or third-party modules used for LDAP
>         authentication. Now, we consider a user authenticated if they are
>         not anonymous and not asserted, and we lazily add Role.AUTHENTICATED
>         in these cases, after login.
> I'm using container managed authentication, and JBoss LDAP authenticator module. The authentication itself is not working properly unless the user is also a member of role (ldap group) "Authenticated". I first came across this issue when running an earlier version of 2.5, probably after this change was made, I'm not sure.
> I turned on security logging to diagnose what was going on, and authentication itself is succeeding but jspwiki then goes looking for the Authenticated role in the principals, and of course is not finding it. Is it possible there is a race condition here....(esp as I notice the observed behavior is actually quite erratic once you hit the login button on jspwiki). If the Role.AUTHENTICATED is being added 'lazily', I think it's not being added quickly enough?

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
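
The rule quoted from the 2.5.26 change history (authenticated means not anonymous and not asserted, with the role added lazily) can be sketched as follows. This is an added example, not JSPWiki code and not a diagnosis of this issue; the principal types, constants and method names are hypothetical, and it assumes Java 16+ for records.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class LazyAuthenticatedRole {
    // Hypothetical principal types for this sketch; not JSPWiki's classes.
    record Role(String name) implements Principal {
        public String getName() { return name; }
    }
    record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    static final Role ANONYMOUS = new Role("Anonymous");
    static final Role ASSERTED = new Role("Asserted");
    static final Role AUTHENTICATED = new Role("Authenticated");

    // Derive login status from the principal set instead of requiring the
    // LoginModule to have injected an application-specific role.
    static boolean isAuthenticated(Subject subject) {
        synchronized (subject) { // serialize check-then-add for callers of this method
            Set<Principal> principals = subject.getPrincipals();
            if (principals.contains(AUTHENTICATED)) return true;
            boolean loggedIn = !principals.isEmpty()
                    && !principals.contains(ANONYMOUS)
                    && !principals.contains(ASSERTED);
            if (loggedIn) principals.add(AUTHENTICATED); // the lazy add
            return loggedIn;
        }
    }

    // Checks for the built-in role go through the derivation, so the answer
    // does not depend on whether the lazy add has already happened.
    static boolean hasRole(Subject subject, Role role) {
        if (AUTHENTICATED.equals(role)) return isAuthenticated(subject);
        return subject.getPrincipals().contains(role);
    }

    static Subject subjectWith(Principal p) {
        Subject s = new Subject();
        s.getPrincipals().add(p);
        return s;
    }

    public static void main(String[] args) {
        // Constructed subjects: an external LDAP module adds only a user principal.
        Subject ldapUser = subjectWith(new UserPrincipal("example-user"));
        Subject anonymous = subjectWith(ANONYMOUS);
        System.out.println(hasRole(ldapUser, AUTHENTICATED));
        System.out.println(hasRole(anonymous, AUTHENTICATED));
    }
}
```

A check that reads the raw principal set directly, rather than going through `hasRole`, would only see the role after `isAuthenticated` has run once for that subject.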

        
