
[management-api] Failed to login via LDAP if role-mapping is set to false (default value) #492

Closed
maxwo opened this Issue Mar 9, 2017 · 2 comments

maxwo commented Mar 9, 2017

When connecting to the API-Management via LDAP, an exception is thrown.

Expected Behavior

An existing user should log in as expected.

Current Behavior

A technical exception is thrown:

managementapi_1  | 17:08:29.705 [gravitee-listener-40] WARN  o.e.jetty.servlet.ServletHandler - /management/user/login
managementapi_1  | java.lang.ClassCastException: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl cannot be cast to io.gravitee.management.idp.api.authentication.UserDetails
managementapi_1  |      at io.gravitee.management.security.config.basic.filter.AuthenticationSuccessFilter.doFilter(AuthenticationSuccessFilter.java:80)
managementapi_1  |      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
managementapi_1  |      at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:215)
managementapi_1  |      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
managementapi_1  |      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
managementapi_1  |      at io.gravitee.management.security.config.basic.filter.JWTAuthenticationFilter.doFilter(JWTAuthenticationFilter.java:110)
managementapi_1  |      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
managementapi_1  |      at io.gravitee.management.security.config.basic.filter.CORSFilter.doFilter(CORSFilter.java:46)
managementapi_1  |      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
managementapi_1  |      at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
managementapi_1  |      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
managementapi_1  |      at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
managementapi_1  |      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
managementapi_1  |      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
managementapi_1  |      at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
managementapi_1  |      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
managementapi_1  |      at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
managementapi_1  |      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
managementapi_1  |      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
managementapi_1  |      at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
managementapi_1  |      at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
managementapi_1  |      at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
managementapi_1  |      at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
managementapi_1  |      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1699)
managementapi_1  |      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582)
managementapi_1  |      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:224)
managementapi_1  |      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)
managementapi_1  |      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512)
managementapi_1  |      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
managementapi_1  |      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112)
managementapi_1  |      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
managementapi_1  |      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
managementapi_1  |      at org.eclipse.jetty.server.Server.handle(Server.java:523)
managementapi_1  |      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)
managementapi_1  |      at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
managementapi_1  |      at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
managementapi_1  |      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
managementapi_1  |      at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
managementapi_1  |      at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
managementapi_1  |      at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
managementapi_1  |      at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
managementapi_1  |      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
managementapi_1  |      at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
managementapi_1  |      at java.lang.Thread.run(Thread.java:745)

Possible Solution

Steps to Reproduce (for bugs)

Here is an excerpt of the LDAP configuration, nothing fancy (some values have been changed):

    - type: ldap
      # This is default LDAP configuration for ApacheDS
      context-source-username: "CN=The username,OU=PIC,OU=Users,OU=Technical Accounts,DC=htm-group,DC=com"
      context-source-password: "The password"
      context-source-url: "ldap://ldapad.myldapserver:389/"
      # context-source-base: "OU=users,OU=XXX,DC=htm-group,DC=com" # the context source base
      # The 'user-dn-patterns' value is a specific pattern used to build the user's DN, for example "uid={0},ou=people". The key "{0}" must be present and will be substituted with the username.
      user-dn-patterns: "sAMAccountName={0}"
      # Search base for user searches. Defaults to "". Only used with user-search-filter.
      user-search-base: "OU=users,OU=XXX,DC=htm-group,DC=com"
      # The LDAP filter used to search for users (optional). For example "(uid={0})". The substituted parameter is the user's login name.
      user-search-filter: "sAMAccountName={0}"
      # The search base for group membership searches. Defaults to "".
      group-search-base: "OU=Technical Accounts,DC=htm-group,DC=com"
      # The LDAP filter to search for groups. Defaults to "(uniqueMember={0})". The substituted parameter is the DN of the user.
      group-search-filter: "member={0}"

Then, just log in with an existing LDAP user.

Context

Your Environment

Gravitee 1.3.3 running in a container via Docker 1.12.6.
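As an added illustration of what the `{0}` substitution described in the configuration comments above does (this is example code, not the reporter's configuration and not Gravitee or Spring Security code): `user-dn-patterns` builds the user's DN from the login name, `user-search-filter` builds an LDAP search filter from the login name, and `group-search-filter` builds a filter from the resulting user DN. The patterns and search bases are taken from the excerpt above; the escaping applied before substitution follows RFC 4515 (filter assertion values) and RFC 4514 (DN attribute values), which is what a safe implementation must do before inserting an untrusted login name. The `{0}` presence check mirrors the comment that the key must be present.

```python
"""{0} substitution for the LDAP patterns shown in the issue (added example)."""

# RFC 4515 section 3: characters that must be hex-escaped in a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514 section 2.4: characters that must be backslash-escaped in a DN value.
_DN_SPECIAL = set(',+"\\<>;=')


def filter_encode(value: str) -> str:
    """Escape a value so it cannot alter the structure of the surrounding filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def dn_encode(value: str) -> str:
    """Escape a value used as an RDN attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def _require_placeholder(pattern: str) -> None:
    # The configuration comments say the key "{0}" must be present.
    if "{0}" not in pattern:
        raise ValueError("pattern must contain {0}: %r" % pattern)


def build_search_filter(pattern: str, login: str) -> str:
    """user-search-filter: the substituted parameter is the user's login name."""
    _require_placeholder(pattern)
    f = pattern.replace("{0}", filter_encode(login))
    return f if f.startswith("(") else "(" + f + ")"


def build_user_dn(pattern: str, login: str, base: str) -> str:
    """user-dn-patterns: the user's DN is built directly, relative to the base."""
    _require_placeholder(pattern)
    rdn = pattern.replace("{0}", dn_encode(login))
    return rdn + "," + base if base else rdn


def build_group_filter(pattern: str, user_dn: str) -> str:
    """group-search-filter: the substituted parameter is the user's DN."""
    _require_placeholder(pattern)
    f = pattern.replace("{0}", filter_encode(user_dn))
    return f if f.startswith("(") else "(" + f + ")"


if __name__ == "__main__":
    # Values from the configuration excerpt; the login names are constructed.
    base = "OU=users,OU=XXX,DC=htm-group,DC=com"
    for login in ("jdoe", "*)(objectClass=*", "a,b"):
        dn = build_user_dn("sAMAccountName={0}", login, base)
        print(build_search_filter("sAMAccountName={0}", login))
        print(dn)
        print(build_group_filter("member={0}", dn))
```

The second constructed login shows why the encoding matters: without it, `*)(objectClass=*` would turn the search filter into `(sAMAccountName=*)(objectClass=*)`, matching every entry instead of one account. With encoding it is searched for literally.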

@brasseld brasseld changed the title from Failed to login via LDAP to [management-api] Failed to login via LDAP Mar 9, 2017

@brasseld brasseld added the type: bug label Mar 9, 2017

@brasseld brasseld self-assigned this Mar 9, 2017


brasseld commented Mar 9, 2017

Hi @maxwo,

I do not have the complete configuration but, according to what I'm seeing, it seems that the role-mapping attribute is set to false (by default).
As a workaround, please set it to true. We are looking for a fix.

Regards,

brasseld added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue Mar 9, 2017

@brasseld brasseld added this to the 1.4.0 milestone Mar 9, 2017

NicolasGeraud added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue Mar 9, 2017

@brasseld brasseld changed the title from [management-api] Failed to login via LDAP to [management-api] Failed to login via LDAP if role-mapping is set to false (default value) Mar 9, 2017


brasseld commented Mar 9, 2017

Fix available in v1.4.0, scheduled for next Tuesday.
