Service Packs and Hot Fixes / MNT-19935

Fallback db user login fails if the centralized user data store is not reachable.

      Description

      Summary

      With external identity management (LDAP/AD) enabled and fallback to database authentication enabled, if the centralized user data store is not reachable and you try to log in as admin@app.activiti.com (or another database user), the login fails.

      Steps to Replicate

      • Install with LDAP/AD synchronization/authentication (activiti-ldap.properties) and ldap.allow.database.authenticaion.fallback=true
      • Start up the application and test login with both an LDAP/AD user and admin@app.activiti.com
      • Create a new user in IDM as well for testing purposes
      • Shut down LDAP/AD

      Test1 option:

      • Using a new browser session, try to log in with 'admin@app.activiti.com' or your test user

      Test2 option:

      • With LDAP/AD still not running, restart the application
      • Using a new browser session, try to log in with 'admin@app.activiti.com' or your test user

      Expected Behaviour

      • If the fallback is enabled on an install configured for external authentication and the centralized user data store is not reachable, the database users should still be able to log in

      Actual Behavior

      • If the fallback is enabled on an install configured for external authentication and the centralized user data store is not reachable, the database users cannot log in
      01:23:36 [http-nio-9999-exec-10] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch  - Searching for user 'redshirt@boo.com', with user search [ searchFilter: '(&(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(|(memberOf=CN=ActJailUser,OU=Alfresco Groups,OU=Alfresco Foo,DC=jps-ad,DC=foo)(memberOf=CN=ActJailAdmin,OU=Alfresco Groups,OU=Alfresco Foo,DC=jps-ad,DC=foo)(memberOf=CN=Wardens)))(sAMAccountName={0}))', searchBase: 'OU=Alfresco Foo,DC=jps-ad,DC=foo', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
      01:23:52 [http-nio-9999-exec-3] ERROR com.activti.idm.ldap.auth.ActivitiLdapAuthenticationProvider  - Unable to perform LDAP authentication
      org.springframework.security.authentication.InternalAuthenticationServiceException: 172.16.190.173:389; nested exception is javax.naming.CommunicationException: 172.16.190.173:389 [Root exception is java.net.ConnectException: Operation timed out (Connection timed out)]
      	at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
      	at com.activti.idm.ldap.auth.ActivitiLdapAuthenticationProvider.authenticate(ActivitiLdapAuthenticationProvider.java:83)
      	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
      	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
      	at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
      	at com.activiti.web.CustomUsernamePasswordAuthenticationFilter.attemptAuthentication(CustomUsernamePasswordAuthenticationFilter.java:33)
      	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      	at com.activiti.security.CustomStatelessCSRFFilter.doFilterInternal(CustomStatelessCSRFFilter.java:68)
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      	at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96)
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
      	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
      	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
      	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108)
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: org.springframework.ldap.CommunicationException: 172.16.190.173:389; nested exception is javax.naming.CommunicationException: 172.16.190.173:389 [Root exception is java.net.ConnectException: Operation timed out (Connection timed out)]
      	at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
      	at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)
      	at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)
      	at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)
      	at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)
      	at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:316)
      	at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:127)
      	at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:95)
      	at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:187)
      	... 61 common frames omitted
      Caused by: javax.naming.CommunicationException: 172.16.190.173:389
      	at com.sun.jndi.ldap.Connection.<init>(Connection.java:226)
      	at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
      	at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1614)
      	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
      	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
      	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
      	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
      	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
      	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
      	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
      	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
      	at javax.naming.InitialContext.init(InitialContext.java:244)
      	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
      	at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
      	at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:343)
      	... 68 common frames omitted
      Caused by: java.net.ConnectException: Operation timed out (Connection timed out)
      	at java.net.PlainSocketImpl.socketConnect(Native Method)
      	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
      	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
      	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
      	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
      	at java.net.Socket.connect(Socket.java:589)
      	at java.net.Socket.connect(Socket.java:538)
      	at java.net.Socket.<init>(Socket.java:434)
      	at java.net.Socket.<init>(Socket.java:211)
      	at com.sun.jndi.ldap.Connection.createSocket(Connection.java:363)
      	at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
      	... 82 common frames omitted
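
The trace above shows the outage surfacing from the LDAP provider as an InternalAuthenticationServiceException, a type that Spring Security's ProviderManager rethrows immediately instead of trying the next provider. The following added example (not Alfresco/Activiti code; the class name and the allowDatabaseFallback flag are hypothetical) wraps an LDAP provider so that only a directory communication failure hands the decision on to the database provider.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/** Hypothetical wrapper (not Activiti code) around an LDAP AuthenticationProvider. */
public final class OutageTolerantLdapProvider implements AuthenticationProvider {

    private final AuthenticationProvider ldapDelegate;
    private final boolean allowDatabaseFallback; // assumed to mirror the fallback property

    public OutageTolerantLdapProvider(AuthenticationProvider ldapDelegate,
                                      boolean allowDatabaseFallback) {
        this.ldapDelegate = ldapDelegate;
        this.allowDatabaseFallback = allowDatabaseFallback;
    }

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        try {
            return ldapDelegate.authenticate(authentication);
        } catch (InternalAuthenticationServiceException e) {
            // ProviderManager rethrows this exception type at once, so letting it
            // escape means the database provider after this one is never consulted.
            if (allowDatabaseFallback && isDirectoryUnreachable(e)) {
                // null means "no decision": ProviderManager moves to the next provider.
                return null;
            }
            throw e; // fallback disabled, or a fault that is not an outage
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return ldapDelegate.supports(authentication);
    }

    /** True when the cause chain contains a directory communication failure. */
    private static boolean isDirectoryUnreachable(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof org.springframework.ldap.CommunicationException
                    || c instanceof javax.naming.CommunicationException) {
                return true;
            }
        }
        return false;
    }
}
```

Register the wrapper ahead of the database-backed provider so the null result reaches it, and log each fallback so that an outage shifting logins to local accounts is visible to operations.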
      

                People

                • Assignee: dgruber Doug Gruber
                • Reporter: jsoria Jennie Soria