-
Type:
Service Pack Request
-
Status: Closed
-
Resolution: Fixed
-
Affects Version/s: Alfresco Process Services 1.9
-
Fix Version/s: Alfresco Process Services 1.6.4.2
-
Component/s: APS Kickstart/Studio
-
Labels:None
-
Bug Priority:
-
ACT Numbers:
00818406
-
Premier Customer:Yes
-
Regression Since:
Summary
With external identity management (ldap/ad) enabled and fallback to db authentication is enabled, if the centralized user data store is not reachable, and you try to login with the admin@app.activiti.com user (or other db user), application fails to login.
Steps to Replicate
- install with ldap/ad synchronization/authentication (activiti-ldap.properties) with ldap.allow.database.authenticaion.fallback=true
- startup application, test login with both ldap/ad user and admin@app.activiti.com
- create a new user in IDM as well for testing purposes
- shut down ldap/ad
Test1 option:
- using new browser session try to login with 'admin@app.activiti.com' or your test user
Test2 option:
- with ldap/ad still not running, restart the application
- using new browser session try to login with 'admin@app.activiti.com' or your test user
Expected Behaviour
- If the fallback is enabled on a external auth configured install, if the centralized user data store is not reachable, the database users should still be able to login
Actual Behavior
- If the fallback is enabled on an external auth configured install, if the centralized user data store is not reachable, the database users can not login
01:23:36 [http-nio-9999-exec-10] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch - Searching for user 'redshirt@boo.com', with user search [ searchFilter: '(&(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(|(memberOf=CN=ActJailUser,OU=Alfresco Groups,OU=Alfresco Foo,DC=jps-ad,DC=foo)(memberOf=CN=ActJailAdmin,OU=Alfresco Groups,OU=Alfresco Foo,DC=jps-ad,DC=foo)(memberOf=CN=Wardens)))(sAMAccountName={0}))', searchBase: 'OU=Alfresco Foo,DC=jps-ad,DC=foo', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ] 01:23:52 [http-nio-9999-exec-3] ERROR com.activti.idm.ldap.auth.ActivitiLdapAuthenticationProvider - Unable to perform LDAP authentication org.springframework.security.authentication.InternalAuthenticationServiceException: 172.16.190.173:389; nested exception is javax.naming.CommunicationException: 172.16.190.173:389 [Root exception is java.net.ConnectException: Operation timed out (Connection timed out)] at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206) at com.activti.idm.ldap.auth.ActivitiLdapAuthenticationProvider.authenticate(ActivitiLdapAuthenticationProvider.java:83) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94) at com.activiti.web.CustomUsernamePasswordAuthenticationFilter.attemptAuthentication(CustomUsernamePasswordAuthenticationFilter.java:33) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at com.activiti.security.CustomStatelessCSRFFilter.doFilterInternal(CustomStatelessCSRFFilter.java:68) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Caused by: org.springframework.ldap.CommunicationException: 172.16.190.173:389; nested exception is javax.naming.CommunicationException: 172.16.190.173:389 [Root exception is java.net.ConnectException: Operation timed out (Connection timed out)] at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108) at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355) at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139) at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158) at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802) at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:316) at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:127) at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:95) at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:187) ... 61 common frames omitted Caused by: javax.naming.CommunicationException: 172.16.190.173:389 at com.sun.jndi.ldap.Connection.<init>(Connection.java:226) at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1614) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746) at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) at javax.naming.InitialContext.init(InitialContext.java:244) at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42) at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:343) ... 68 common frames omitted Caused by: java.net.ConnectException: Operation timed out (Connection timed out) at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) at java.net.Socket.connect(Socket.java:589) at java.net.Socket.connect(Socket.java:538) at java.net.Socket.<init>(Socket.java:434) at java.net.Socket.<init>(Socket.java:211) at com.sun.jndi.ldap.Connection.createSocket(Connection.java:363) at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) ... 82 common frames omitted