Forum

Kerberos Authentication

william montaz, modified 15 years ago.

Kerberos Authentication

New Member Posts: 4 Join Date: 24/09/08 Recent Posts
Hi everybody,

I would like to know if Liferay provides connectors for Kerberos authentication? If so, how to implement it?

I've been looking almost everywhere without success...

Thanks for reply

Bye
robain maskey, modified 15 years ago.

RE: Kerberos Authentication

New Member Posts: 3 Join Date: 21/10/08 Recent Posts
Hi, were you able to get this resolved? I am trying to authenticate with Kerberos myself. Please post if you get somewhere on this.

Thanks
robain
william montaz, modified 15 years ago.

Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberos Aut

New Member Posts: 4 Join Date: 24/09/08 Recent Posts
Unfortunately not, I'm sick of never getting answers to what I'm looking for.
By the way, don't upgrade to 5.1.2, it's too buggy....

(Sorry, but right now I have to make a demo to a customer and I'm having
many bugs occurring since upgrading....and it makes me really angry)

On Tue, Oct 21, 2008 at 9:35 PM, robain maskey from liferay.com <
no-reply@liferay.com> wrote:

> Hi, were you able to get this resolved? am trying to authenticate with
> kerberos myself. Please post if you get somewhere on this.
>
> Thanks
> robain
Sriram Gopalan, modified 15 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberos

Junior Member Posts: 39 Join Date: 13/07/08 Recent Posts
I implemented thru apache mod_auth_kerb and authentication thru our corporate active directory.

My setup is like this:
Linux,
Apache httpd 2.x,
mod_auth_kerb,
mod_jk,
LR on tomcat
customized auth

If your stack is similar to mine, I can help you to setup seamless sso.

--Sriram
william montaz, modified 15 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Posts: 4 Join Date: 24/09/08 Recent Posts
Hi, thanks for your answer.

Your setup seems quite classic except the "customized auth" section.

Could you give some clues about what you had to change on Liferay to be able to do that?

Thanks
Sriram Gopalan, modified 15 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

Junior Member Posts: 39 Join Date: 13/07/08 Recent Posts
1. Start with apache setup using mod_auth_kerb
http://modauthkerb.sourceforge.net/
http://grolmsnet.de/kerbtut/

This will enable apache to collect the kerb ticket and do seamless SSO.

2. Next using mod_jk redirect the requests to tomcat (liferay).
Make sure you have JkEnvVar passed over.
JkEnvVar REMOTE_USER "<UNSET>"
JkEnvVar AUTH_TYPE "<UNSET>"

3. Write a custom auth class and configure it in portal-ext.properties
https://www.liferay.com/web/guest/community/wiki/-/wiki/Main/Integration%20with%20Siteminder%20SSO

The above URL is for SiteMinder, but the procedure for Kerberos is not much different.

String aUsername = req.getHeader("SM_USERDN"); should be replaced by
String aUsername = req.getHeader("REMOTE_USER");


In my setup I have done auto user creation too.

--Sriram
william montaz, modified 15 years ago.

Re: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Posts: 4 Join Date: 24/09/08 Recent Posts
Thanks a lot. I should be able to do something with that.
Anyway I think Liferay community should work on that because Kerberos is a
real enterprise standard and it is really missing with Liferay.

Bye

On Wed, Oct 29, 2008 at 2:39 AM, Sriram Gopalan from liferay.com <
no-reply@liferay.com> wrote:

>
> http://lportal.svn.sourceforge.net/viewvc/lportal/portal/branches/5.1.x/portal-impl/src/com/liferay/portal/security/auth/SiteMinderAutoLogin.java?revision=21190&view=markup
>
> Will be helpful to get started...
Kamal Pasha Shaikh, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Posts: 20 Join Date: 16/03/10 Recent Posts
Hi Sriram,

I am using the SpnegoHttpFilter from http://spnego.sourceforge.net/ in my jboss 4.2.3 CP06.
The sample tests for the filter and keytab went fine on jboss. Now, I am trying to use the filter and keytab in my jboss with liferay. In addition to adding the filter in web.xml, I have the following entries in my portal-ext.properties.

portal.ctx=/liferay-ext
jdbc.default.jndi.name=jdbc/LiferayPool
auto.login.hooks=com.custom.liferay.portal.security.auth.SpnegoAutoLogin
auth.forward.by.last.path=true
default.landing.page.path=/liferay-ext/web/guest/
login.events.post=com.liferay.portal.events.LoginPostAction,com.liferay.portal.events.DefaultLandingPageAction

When I access the url http://localhost:8080/liferay-ext, I see the following error in my server.log. The logs indicate that the filter is being invoked but I don't see the SpnegoAutoLogin class (configured in portal-ext.properties) being called. I looked through wiki and forums to check if I am missing any configuration for SSO. But, I couldn't see anything new that I missed. I would like to know how the SpnegoAutoLogin class gets called after the Filter processing is done. Please share your thoughts.
I am attaching the SpnegoAutoLogin.java file for your reference.
Also, the entries for the SpnegoHttpFilter in web.xml is as below.
<filter>
  <filter-name>SpnegoHttpFilter</filter-name>
  <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
  <init-param>
    <param-name>spnego.allow.basic</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.allow.localhost</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.allow.unsecure.basic</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.login.client.module</param-name>
    <param-value>spnego-client</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.krb5.conf</param-name>
    <param-value>krb5.conf</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.login.conf</param-name>
    <param-value>login.conf</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.preauth.username</param-name>
    <param-value/>
  </init-param>
  <init-param>
    <param-name>spnego.preauth.password</param-name>
    <param-value/>
  </init-param>
  <init-param>
    <param-name>spnego.login.server.module</param-name>
    <param-value>spnego-server</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.prompt.ntlm</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.logger.level</param-name>
    <param-value>1</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SpnegoHttpFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

20:43:21,245 ERROR [STDERR] Mar 23, 2010 8:43:21 PM net.sourceforge.spnego.SpnegoHttpFilter doFilter
FINE: principal=XXXXXX@XXXX.XX.XXXXXXXXXXXXX.COM
20:43:21,463 ERROR [STDERR] Mar 23, 2010 8:43:21 PM net.sourceforge.spnego.SpnegoHttpFilter doFilter
FINE: principal=XXXXXX@XXXX.XX.XXXXXXXXXXXXX.COM
20:43:21,588 INFO [STDOUT] 20:43:21,588 DEBUG [ApplicationDispatcher:185] servletPath=/c, pathInfo=/portal/layout, queryString=p_l_id=10139, name=null
20:43:21,588 INFO [STDOUT] 20:43:21,588 DEBUG [ApplicationDispatcher:375] Path Based Forward
20:43:21,620 INFO [STDOUT] 20:43:21,620 ERROR [MainServlet:794] com.liferay.portal.NoSuchUserException: No User exists with the primary key 0
com.liferay.portal.NoSuchUserException: No User exists with the primary key 0
at com.liferay.portal.service.persistence.UserPersistenceImpl.findByPrimaryKey(UserPersistenceImpl.java:622)
at com.liferay.portal.service.impl.UserLocalServiceImpl.getUserById(UserLocalServiceImpl.java:1305)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy136.getUserById(Unknown Source)
at com.liferay.portal.service.UserLocalServiceUtil.getUserById(UserLocalServiceUtil.java:474)
at com.liferay.portal.servlet.MainServlet.service(MainServlet.java:772)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:687)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
at com.liferay.portal.servlet.FriendlyURLServlet.service(FriendlyURLServlet.java:143)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.strip.StripFilter.processFilter(StripFilter.java:142)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:94)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.gzip.GZipFilter.processFilter(GZipFilter.java:140)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.secure.SecureFilter.processFilter(SecureFilter.java:282)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:94)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.cache.CacheFilter.processFilter(CacheFilter.java:425)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.autologin.AutoLoginFilter.processFilter(AutoLoginFilter.java:257)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter.processFilter(OpenSSOFilter.java:73)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:193)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.doFilter(VirtualHostFilter.java:271)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.threadlocalcache.ThreadLocalCacheFilter.processFilter(ThreadLocalCacheFilter.java:55)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:94)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:738)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterCh
20:43:21,620 INFO [STDOUT] ain.doFilter(ApplicationFilterChain.java:206)
at net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:250)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
20:43:21,635 INFO [STDOUT] 20:43:21,635 DEBUG [ApplicationDispatcher:412] Disabling the response for futher output
20:43:21,635 INFO [STDOUT] 20:43:21,635 DEBUG [ApplicationDispatcher:420] The Response is vehiculed using a wrapper: com.liferay.portal.servlet.filters.strip.StripResponse
Sriram Gopalan, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

Junior Member Posts: 39 Join Date: 13/07/08 Recent Posts
I have not used spnego filter, so I might not have a complete picture on what's going on.
I didn't have a chance to go over your code.

Based on the stack trace, I would suggest to check the following.

Kerberos would give the login as "<username>@fully-qualified-domainname", so it's up to your login filter to take it and map it to LR user.

I mapped <username> part to ScreenName.
So what I do is take the <username> and first check if user is already there, if not retrieve other properties from LDAP and create the user.
If user is already there, I simply create the LR session.

Hope this helps, please post back your findings.

--Sriram
Sriram Gopalan, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

Junior Member Posts: 39 Join Date: 13/07/08 Recent Posts
Also, which version of Liferay are you using?
Kamal Pasha Shaikh, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Posts: 20 Join Date: 16/03/10 Recent Posts
Hi Sriram,

Thanks for your response.

I am able to see from the logs that kerberos is giving me the login correctly as you said.

"<username>@fully-qualified-domainname"

The SpnegoAutoLogin class is supposed to map the kerberos principal returned to Liferay screen name. I might need to make some changes based on my troubleshooting. But, somehow right now SpnegoAutoLogin is not being called even though auto.login.hooks has a reference to that class. This is where I need some help. I don't know how the filter configured in web.xml calls the AutoLogin class configured in auto.login.hooks property in portal-ext.properties.

I am using Liferay 5.2.3 and Jboss 4.3 GA CP06.

Let me know if you need more info.

Thanks,
Kamal
Sriram Gopalan, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

Junior Member Posts: 39 Join Date: 13/07/08 Recent Posts
I see that you have AutoLoginFilter setup. So it should work.

I would download the LR source and setup a debug session to walk thru.

The AutoLogin.java in the LR source calls the auto login hooks. So I am not sure what's happening here. I would definitely love to see the execution path in debugger.

AutoLogin

if ((remoteUser == null) && (jUserName == null)) {
    for (String autoLoginHook : PropsValues.AUTO_LOGIN_HOOKS) {
        AutoLogin autoLogin = (AutoLogin)InstancePool.get(
            autoLoginHook);

        try {
Kamal Pasha Shaikh, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Posts: 20 Join Date: 16/03/10 Recent Posts
Hi Sriram,

Thanks for your response. I am debugging the LR source code and spnego-filter source code in eclipse as we speak. I'll post my findings. The AutoLogin.java in the LR source code is an interface with login method signature. All the AutoLogin implementation classes that LR provides (e.g. CASAutoLogin, SiteMinderAutoLogin etc.) implement this interface. Can you double check which file it is that you are referring to?

Thanks again.

Kamal
Kamal Pasha Shaikh, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Posts: 20 Join Date: 16/03/10 Recent Posts
This is the source code from AutoLogin.java

/**
* Copyright (c) 2000-2009 Liferay, Inc. All rights reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/

package com.liferay.portal.security.auth;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
* <a href="AutoLogin.java.html"><b><i>View Source</i></b></a>
*
* @author Brian Wing Shun Chan
*
*/
public interface AutoLogin {

    /**
     * Set a request attribute with this variable to tell the AutoLoginFilter to
     * redirect the user to a specified location.
     */
    public static final String AUTO_LOGIN_REDIRECT = "AUTO_LOGIN_REDIRECT";

    public String[] login(
            HttpServletRequest request, HttpServletResponse response)
        throws AutoLoginException;

}

It looks like it expects to set the value for AUTO_LOGIN_REDIRECT using request.setAttribute. I am wondering whether it has to be done in the filter code or the code that implements AutoLogin interface. Also, what should be the value of this attribute?
Any ideas.
Sriram Gopalan, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

Junior Member Posts: 39 Join Date: 13/07/08 Recent Posts
http://svn.liferay.com/browse/portal/trunk/portal-impl/src/com/liferay/portal/servlet/filters/autologin/AutoLoginFilter.java?r=47025

1. Read thru processFilter method, it might give you some valuable points for troubleshooting.
2. Enable DEBUG settings for com.liferay.portal.servlet.filters.autologin
3. A quick debug with breakpoint on AutoLoginFilter.java will help you to narrow down.

What is the filter mapping for "Auto Login Filter" on web.xml.

From my understanding, AutoLoginFilter calls your custom hook.
Kamal Pasha Shaikh, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Posts: 20 Join Date: 16/03/10 Recent Posts
Hi Sriram,

Thanks for your response.

Ok. It's AutoLoginFilter.java that you were referring to. I got confused with AutoLogin.java. I'll put a debug on that. Thanks for your suggestions.

The filter-mapping in web.xml for AutoLoginFilter is as below.

<filter-mapping>
  <filter-name>Auto Login Filter</filter-name>
  <url-pattern>/c/portal/fckeditor</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Auto Login Filter</filter-name>
  <url-pattern>/c/portal/layout</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Auto Login Filter</filter-name>
  <url-pattern>/c/portal/login</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Auto Login Filter</filter-name>
  <url-pattern>/c/portal/render_portlet</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Auto Login Filter</filter-name>
  <url-pattern>/c/portal/update_password</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Auto Login Filter</filter-name>
  <url-pattern>/c/portal/update_reminder_query</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Auto Login Filter</filter-name>
  <url-pattern>/group/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
  <filter-name>Auto Login Filter</filter-name>
  <url-pattern>/user/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
  <filter-name>Auto Login Filter</filter-name>
  <url-pattern>/web/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
Kamal Pasha Shaikh, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Posts: 20 Join Date: 16/03/10 Recent Posts
Hi Sriram,

While debugging I found that I am getting "Basic" as the authentication scheme in the http header instead of "Negotiate". I checked my browser settings and the "Enable Integrated Windows Authentication" checkbox is selected. Is there anything else I need to set to change the authentication scheme from Basic to Negotiate?

Thanks,
Kamal
Sriram Gopalan, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

Junior Member Posts: 39 Join Date: 13/07/08 Recent Posts
Are you getting prompted on the browser for authentication, or does it auto-login you?
Kamal Pasha Shaikh, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Posts: 20 Join Date: 16/03/10 Recent Posts
I am getting prompted for the first time if I open a new IE window.

Also, I had a question regarding AutoLoginFilter. When you wrote your SPNEGO filter, did you extend the AutoLoginFilter or just Filter class. I was looking at other SSO filters that LR provides (e.g. NtlmFilter, CASFilter etc.) and they are extending some other filters but not AutoLoginFilter.

Let me know what you think.
Sriram Gopalan, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

Junior Member Posts: 39 Join Date: 13/07/08 Recent Posts
If the browser is prompting then the SPNEGO filter is not doing its job. It should not prompt. I would first troubleshoot that.

Liferay provides filters to support some standard SSO (LDAP, NTLM, SiteMinder, etc.).
If your needs are to implement some custom SSO then you use AutoLogin Filter and auto login hooks.

I run 4.2.2 in PRD. At that time we didn't have Kerberos support so I used AutoLogin Filter and autologin hooks to provide sso support.

We are in Development for 5.2 upgrade. Here I am using NTLM so no autologin hooks.
In your case since you are using SPNEGO you have to use the auto login hooks method. I believe liferay has a kerberos filter with limited support. Sharepoint support is one I want to try out and there is no Kerberos support for it.

Hope this explains.
Kamal Pasha Shaikh, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Posts: 20 Join Date: 16/03/10 Recent Posts
Hi Sriram,

Since the spnego was not working correctly with the SpnegoHttpFilter from sourceforge, I am now using the IIS forwarding (using isapi_redirect) for the same. SPNEGO is working now as I don't get a login dialog box and I can see the request.getRemoteUser returning <DOMAIN_NAME>\<my user id>.

I started the jboss in debug mode and put a break point on AutoLoginFilter. The line
String remoteUser = request.getRemoteUser();
in AutoLoginFilter.java is returning <DOMAIN_NAME>\<my user id> as expected.

However, after that it calls the BaseFilter and returns a blank page and does not go to the SpnegoAutoLogin configured through auto.login.hooks. Looking at the code below from AutoLoginFilter.java, you will notice that the reason it doesn't call auto.login.hooks is because of the if condition. The if condition allows the AutoLoginFilter to call the SpnegoAutoLogin class configured in auto.login.hooks only when remoteUser is null. This doesn't make any sense to me. Let me know your thoughts.

String remoteUser = request.getRemoteUser();
String jUserName = (String)session.getAttribute("j_username");

if ((remoteUser == null) && (jUserName == null)) {
    for (AutoLogin autoLogin : _autoLogins) {
        try {
            String[] credentials = autoLogin.login(request, response);
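The mapping step discussed in this thread (a principal arriving as `<username>@fully-qualified-domainname` from Kerberos or as `<DOMAIN_NAME>\<user id>` from IIS, turned into a Liferay screen name, then find-or-create), as an added example that is not code from any poster or from Liferay. The class name, the realm and domain allowlists, the in-memory user map and the directory lookup function are hypothetical stand-ins for the portal's user service and LDAP.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.regex.Pattern;

/** Added example: maps an SSO principal to a screen name, then finds or creates the user. */
public class PrincipalMapping {

    // Conservative screen-name alphabet (assumption; align with the directory's naming rules).
    private static final Pattern SCREEN_NAME = Pattern.compile("[a-z0-9][a-z0-9._-]{0,63}");

    private final Set<String> trustedRealms;  // Kerberos realms, upper case
    private final Set<String> trustedDomains; // Windows domain names, upper case

    public PrincipalMapping(Set<String> trustedRealms, Set<String> trustedDomains) {
        this.trustedRealms = trustedRealms;
        this.trustedDomains = trustedDomains;
    }

    /**
     * Accepts "user@REALM" or "DOMAIN\\user" and returns the lower-cased screen name.
     * The input is expected to be the container-authenticated value
     * (request.getRemoteUser()), never a value the browser can set itself.
     */
    public String toScreenName(String principal) {
        if (principal == null || principal.trim().isEmpty()) {
            throw new IllegalArgumentException("no principal supplied");
        }
        String p = principal.trim();
        int at = p.lastIndexOf('@');
        int bs = p.indexOf('\\');
        String user;
        if (at > 0 && bs < 0) {
            String realm = p.substring(at + 1).toUpperCase(Locale.ROOT);
            if (!trustedRealms.contains(realm)) {
                throw new IllegalArgumentException("untrusted realm: " + realm);
            }
            user = p.substring(0, at);
        } else if (bs > 0 && at < 0) {
            String domain = p.substring(0, bs).toUpperCase(Locale.ROOT);
            if (!trustedDomains.contains(domain)) {
                throw new IllegalArgumentException("untrusted domain: " + domain);
            }
            user = p.substring(bs + 1);
        } else {
            // A bare or mixed-form name does not say which realm vouched for it.
            throw new IllegalArgumentException("unqualified or malformed principal");
        }
        user = user.toLowerCase(Locale.ROOT);
        // Rejects service principals (HTTP/host), empty names and unexpected characters.
        if (!SCREEN_NAME.matcher(user).matches()) {
            throw new IllegalArgumentException("principal is not a valid user name");
        }
        return user;
    }

    /** Existing user: return its id. Unknown user: create it from the directory, or fail. */
    public long resolveUserId(String principal, Map<String, Long> portalUsers,
                              Function<String, Long> createFromDirectory) {
        String screenName = toScreenName(principal);
        Long id = portalUsers.get(screenName);
        if (id == null) {
            id = createFromDirectory.apply(screenName);
            if (id == null) {
                throw new IllegalStateException("user not found in directory: " + screenName);
            }
            portalUsers.put(screenName, id);
        }
        return id;
    }

    public static void main(String[] args) {
        // Constructed sample data: realm, domain, user names and ids are made up.
        PrincipalMapping mapping = new PrincipalMapping(
            new HashSet<>(Arrays.asList("CORP.EXAMPLE.COM")),
            new HashSet<>(Arrays.asList("CORP")));
        Map<String, Long> portalUsers = new HashMap<>();
        portalUsers.put("jdoe", 1001L);
        Map<String, Long> directory = new HashMap<>();
        directory.put("asmith", 1002L);

        String[] samples = {
            "jdoe@CORP.EXAMPLE.COM", "CORP\\asmith",
            "HTTP/portal.corp.example.com@CORP.EXAMPLE.COM",
            "jdoe@OTHER.EXAMPLE.NET", "jdoe", "" };
        for (String s : samples) {
            try {
                long id = mapping.resolveUserId(s, portalUsers, directory::get);
                System.out.println("'" + s + "' -> userId " + id);
            } catch (RuntimeException e) {
                System.out.println("'" + s + "' -> rejected: " + e.getMessage());
            }
        }
    }
}
```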
Kamal Pasha Shaikh, modified 14 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Posts: 20 Join Date: 16/03/10 Recent Posts
Hi Sriram,

I made a custom AutoLogin filter and changed the if condition in AutoLoginFilter.java from

if ((remoteUser == null) && (jUserName == null))

to

if ((remoteUser != null) || (jUserName != null))

By doing the above change, I was able to call my custom auto.login.hooks implementation when remoteUser was passed via the HTTP header. My SSO is working now using Kerberos SPNEGO.

The problem that I am having now is that when I sign out, I get the error message

ERROR [MainServlet:794] com.liferay.portal.NoSuchUserException: No User exists with the primary key 0

I have posted more details about this problem in another similar thread.

http://www.liferay.com/community/forums/-/message_boards/message/2564292?_19_redirect=%2Fcommunity%2Fforums%2F-%2Fmessage_boards%2Fsearch%3F_19_redirect%3D%252Fcommunity%252Fforums%26_19_breadcrumbsCategoryId%3D0%26_19_searchCategoryId%3D0%26_19_keywords%3DAntti%2BAhvenlampi

Any thoughts or ideas?
Jayson Ilagan, modified 11 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Posts: 7 Join Date: 01/12/11 Recent Posts
We successfully implemented this configuration. Liferay -> CAS + SPNEGO + Kerberos -> LDAP

We are using:

Microsoft Windows Server 2008 R2 (Application Server)
Active Directory
Liferay 6.1 CE
CAS 3.4.11
Tomcat 7.0
JRE 1.6.19

1. First step: you, or someone, must have access to the Domain Controller to set the SPN and, at the same time, create the keytab file. This is necessary to have a trust link between the CAS server and the KDC.

2. Prepare the needed files, such as login.conf and krb5.conf. Look for a sample configuration, then configure it to fit your needs.

3. Configuration of your CAS. You need to configure your login-webflow.xml, cas-servlet, deployerConfigContext and lastly pom.xml that is located in Maven.
You also need to add the necessary jar files to your CAS lib; they are used in all the configuration you've done in CAS.

4. Configure your Liferay to CAS.

Those are all the steps we did to accomplish this.
Thomas Ludescher, modified 11 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Post: 1 Join Date: 25/10/12 Recent Posts
Hello Jayson,

can you please give some more details about the file changes, especially the /WEB-INF/login-webflow.xml file.

At https://wiki.jasig.org/display/CASUM/SPNEGO CAS wrote the following:
And 2 existing transitions need to be update:
In the decision-state gatewayRequestCheck, replace reference to viewLoginForm by startAuthenticate
In the decision-state renewRequestCheck, replace reference to viewLoginForm by startAuthenticate


I am not sure what I should do with this. Can you give me a hint?

I get no error while starting, but during authentication I see some messages in the cas.log:
=============================================================
WHO: [username: user@OWNREALM]
WHAT: supplied credentials: [username:user@OWNREALM]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Thu Oct 25 15:55:36 CEST 2012
CLIENT IP ADDRESS: 172.16.84.220
SERVER IP ADDRESS: 172.16.84.162
=============================================================

>
2012-10-25 15:55:36,845 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: user@OWNREALM]
WHAT: error.authentication.credentials.bad
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Oct 25 15:55:36 CEST 2012
CLIENT IP ADDRESS: 172.16.84.220
SERVER IP ADDRESS: 172.16.84.162
=============================================================



Thanks a lot
Ludi
Jayson Ilagan, modified 11 years ago.

RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon

New Member Posts: 7 Join Date: 01/12/11 Recent Posts
Hi Ludi,

for decision state gatewayRequestCheck you can change else = generateLoginTicket
for decision state renewRequestCheck you can change then = generateLoginTicket

Since we need to point them to startAuthenticate, and as you can see generateLoginTicket is pointing to startAuthenticate.

Regards,
Jayson