
error when integrating JavaEE/LdapRealm into my couchbase-manager

No replies
rickyepoderi
Joined: 2009-03-05

Hi everybody,

I'm trying to implement a couchbase session manager for Glassfish (see http://blogs.nologin.es/rickyepoderi/index.php?/categories/22-couchbase-...) but I run into problems when integrating JavaEE security with my manager (actually the issue is related to the ldap realm).

Now my implementation only saves in the external repository the username (not all the principals, just the username). I do that because the principal variable is transient in the session and it seems the replicated manager does the same (check http://java.net/projects/glassfish/sources/svn/content/trunk/main/appser...). So only the username is saved in the external repository and when the client accesses another server, the manager recovers the username from the store and uses RealmAdapter.createFailOveredPrincipal (http://java.net/projects/glassfish/sources/svn/content/trunk/main/appser...) to re-establish the principals in the session (I also checked ReplicationStore, which does the same).

It works for FileRealm but not for LdapRealm... Using the LdapRealm I run into the following exception:

[#|2012-07-28T16:21:28.190+0200|WARNING|glassfish3.1.2|javax.enterprise.system.core.security.com.sun.enterprise.security.auth.realm|_ThreadID=24;_ThreadName=Thread-2;|SEC1114: Exception in LdapRealm when trying to locate groups for user.
java.io.IOException: Incorrect AVA format
at sun.security.x509.AVA.readChar(AVA.java:564)
at sun.security.x509.AVA.<init>(AVA.java:185)
at sun.security.x509.AVA.<init>(AVA.java:145)
at sun.security.x509.RDN.<init>(RDN.java:151)
at sun.security.x509.X500Name.parseDN(X500Name.java:935)
at sun.security.x509.X500Name.<init>(X500Name.java:165)
at sun.security.x509.X500Name.<init>(X500Name.java:152)
at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.getGroups(LDAPRealm.java:368)
at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.getGroupNames(LDAPRealm.java:416)
at com.sun.enterprise.security.auth.login.LoginContextDriver.loginPrincipal(LoginContextDriver.java:294)
at com.sun.web.security.RealmAdapter.loginForRunAs(RealmAdapter.java:659)
at com.sun.web.security.RealmAdapter.createFailOveredPrincipal(RealmAdapter.java:714)
at es.rickyepoderi.couchbasemanager.session.CouchbaseWrapperSession.fill(CouchbaseWrapperSession.java:363)
at es.rickyepoderi.couchbasemanager.session.CouchbaseManager.doSessionLoad(CouchbaseManager.java:766)
at es.rickyepoderi.couchbasemanager.session.CouchbaseManager.findSession(CouchbaseManager.java:488)
at es.rickyepoderi.couchbasemanager.session.CouchbaseManager.findSession(CouchbaseManager.java:540)
at org.apache.catalina.connector.Request.doGetSession(Request.java:2860)
at org.apache.catalina.connector.Request.getSessionInternal(Request.java:2777)
at org.apache.catalina.connector.Request.lockSession(Request.java:4154)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:312)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
at com.sun.grizzly.http.ajp.AjpProcessorTask.invokeAdapter(AjpProcessorTask.java:125)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:679)
|#]

The reason is that the getGroups method in the LdapRealm expects the username as a DN (LDAP DistinguishedName) and only the plain username is found...

I don't know what to do now... Is this a BUG in the LdapRealm, or should I implement another way of recovering the principals in the second server? I don't know, maybe storing the whole SecurityContext in the repo... Please give me some clue.

Thanks in advance!
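The failure described above is a plain username being handed to a DN parser. The following is an added example (not code from the post, from GlassFish, or from the couchbase-manager project) showing the check a manager can run on a value recovered from an external session store before passing it to a DN-based realm method, and how to rebuild a user DN from a plain username without letting special characters in the username alter the DN. The `ou=people,dc=example,dc=com` base and the `uid` attribute are constructed assumptions; a real realm would take them from its configuration. It uses the public `javax.naming.ldap` classes rather than the internal `sun.security.x509` ones that appear in the stack trace, but both reject a bare name for the same reason: an RFC 2253 DN must consist of `attribute=value` pairs.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example: validating and rebuilding a user DN during session failover.
// Not part of the original post or of any GlassFish/couchbase-manager code.
public class FailoverPrincipalCheck {

    /** True if the stored value parses as an RFC 2253 distinguished name. */
    public static boolean isDistinguishedName(String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        try {
            new LdapName(value); // "rickyepoderi" has no attr=value pair and is rejected
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    /**
     * Build "uidAttr=username,userBase" from a plain username. Rdn escapes the
     * value, so a username containing ',' '=' '+' or similar cannot inject
     * extra RDNs into the DN that is later used for the group lookup.
     */
    public static String userDn(String username, String userBase, String uidAttr)
            throws InvalidNameException {
        LdapName dn = new LdapName(userBase);       // e.g. ou=people,dc=example,dc=com (assumed)
        dn.add(new Rdn(uidAttr, username));         // appended as the leftmost, most specific RDN
        return dn.toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        String userBase = "ou=people,dc=example,dc=com"; // constructed sample base DN
        String uidAttr = "uid";                            // assumed naming attribute

        // Constructed sample values as they might come back from the session store.
        String[] stored = {
            "rickyepoderi",                                  // plain username: not a DN
            "uid=rickyepoderi,ou=people,dc=example,dc=com",  // already a DN
            "evil,ou=admins"                                 // username with DN metacharacters
        };

        for (String value : stored) {
            if (isDistinguishedName(value)) {
                System.out.println("DN, safe for a DN-based lookup: " + value);
            } else {
                // Resolve to a DN before calling anything that parses it; the
                // escaping keeps "evil,ou=admins" a single RDN value.
                System.out.println("plain username, rebuilt as: "
                        + userDn(value, userBase, uidAttr));
            }
        }
    }
}
```

Running it prints the first value as rebuilt into `uid=rickyepoderi,ou=people,dc=example,dc=com`, the second unchanged, and the third as `uid=evil\,ou\=admins,ou=people,dc=example,dc=com`, i.e. still one user under the intended base. The practical point for a failover manager is that whatever it persists (username or DN) must be checked against the form the realm's group lookup expects before `createFailOveredPrincipal` is called, and that a DN rebuilt from store data should be assembled with escaping rather than string concatenation.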