Integrate LDAP with Activiti Explorer - ldap

I want to configure my LDAP with Activiti Explorer, so I followed the instructions from the user guide, created the activiti-custom-context.xml file and did what it said, but it didn't work for me and gives me this error
in the tomcat log
03:43:35,413 [localhost-startStop-1] ERROR org.activiti.engine.impl.interceptor.CommandContext - Error while closing command context
org.activiti.engine.ActivitiIllegalArgumentException: This query is not supported by the LDAPGroupManager
at org.activiti.ldap.LDAPGroupManager.findGroupByQueryCriteria(LDAPGroupManager.java:94)
at org.activiti.ldap.LDAPGroupManager.findGroupCountByQueryCriteria(LDAPGroupManager.java:100)
at org.activiti.engine.impl.GroupQueryImpl.executeCount(GroupQueryImpl.java:118)
at org.activiti.engine.impl.AbstractQuery.execute(AbstractQuery.java:170)
at org.activiti.engine.impl.interceptor.CommandInvoker.execute(CommandInvoker.java:24)
at org.activiti.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:57)
at org.activiti.spring.SpringTransactionInterceptor$1.doInTransaction(SpringTransactionInterceptor.java:47)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:133)
at org.activiti.spring.SpringTransactionInterceptor.execute(SpringTransactionInterceptor.java:45)
at org.activiti.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:31)
at org.activiti.engine.impl.cfg.CommandExecutorImpl.execute(CommandExecutorImpl.java:40)
at org.activiti.engine.impl.cfg.CommandExecutorImpl.execute(CommandExecutorImpl.java:35)
at org.activiti.engine.impl.AbstractQuery.count(AbstractQuery.java:157)
at org.activiti.explorer.conf.DemoDataConfiguration.createGroup(DemoDataConfiguration.java:118)
at org.activiti.explorer.conf.DemoDataConfiguration.initDemoGroups(DemoDataConfiguration.java:108)
at org.activiti.explorer.conf.DemoDataConfiguration.init(DemoDataConfiguration.java:84)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:349)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:300)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:133)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:408)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1558)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:539)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:476)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:303)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:299)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:755)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:757)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:480)
at org.activiti.explorer.servlet.WebConfigurer.contextInitialized(WebConfigurer.java:40)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5016)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5524)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1081)
at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1877)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
03:43:35,417 [localhost-startStop-1] WARN org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Exception encountered during context initialization - cancelling refresh attempt
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'demoDataConfiguration': Invocation of init method failed; nested exception is org.activiti.engine.ActivitiIllegalArgumentException: This query is not supported by the LDAPGroupManager
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:136)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:408)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1558)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:539)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:476)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:303)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:299)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:755)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:757)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:480)
at org.activiti.explorer.servlet.WebConfigurer.contextInitialized(WebConfigurer.java:40)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5016)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5524)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1081)
at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1877)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: org.activiti.engine.ActivitiIllegalArgumentException: This query is not supported by the LDAPGroupManager
at org.activiti.ldap.LDAPGroupManager.findGroupByQueryCriteria(LDAPGroupManager.java:94)
at org.activiti.ldap.LDAPGroupManager.findGroupCountByQueryCriteria(LDAPGroupManager.java:100)
at org.activiti.engine.impl.GroupQueryImpl.executeCount(GroupQueryImpl.java:118)
at org.activiti.engine.impl.AbstractQuery.execute(AbstractQuery.java:170)
at org.activiti.engine.impl.interceptor.CommandInvoker.execute(CommandInvoker.java:24)
at org.activiti.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:57)
at org.activiti.spring.SpringTransactionInterceptor$1.doInTransaction(SpringTransactionInterceptor.java:47)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:133)
at org.activiti.spring.SpringTransactionInterceptor.execute(SpringTransactionInterceptor.java:45)
at org.activiti.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:31)
at org.activiti.engine.impl.cfg.CommandExecutorImpl.execute(CommandExecutorImpl.java:40)
at org.activiti.engine.impl.cfg.CommandExecutorImpl.execute(CommandExecutorImpl.java:35)
at org.activiti.engine.impl.AbstractQuery.count(AbstractQuery.java:157)
at org.activiti.explorer.conf.DemoDataConfiguration.createGroup(DemoDataConfiguration.java:118)
at org.activiti.explorer.conf.DemoDataConfiguration.initDemoGroups(DemoDataConfiguration.java:108)
at org.activiti.explorer.conf.DemoDataConfiguration.init(DemoDataConfiguration.java:84)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:349)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:300)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:133)
... 25 more
This is my activiti-custom-context.xml file:
<!-- Activiti Explorer engine configuration. The LDAPConfigurator below plugs LDAP-backed
     identity managers into the Spring-managed process engine (the Tomcat log shows
     org.activiti.ldap.LDAPGroupManager handling group queries once it is active). -->
<!-- NOTE(review): the startup failure in the log is not raised by this bean. The trace runs
     DemoDataConfiguration.init > initDemoGroups > createGroup > GroupQuery.count, and
     LDAPGroupManager.findGroupByQueryCriteria rejects that query ("This query is not supported
     by the LDAPGroupManager"). The Explorer demo-data bootstrap therefore looks incompatible
     with an LDAP-backed group manager and presumably has to be disabled; confirm against the
     Explorer configuration for this version. -->
<bean id="processEngineConfiguration" class="org.activiti.spring.SpringProcessEngineConfiguration">
<property name="dataSource" ref="dataSource" />
<property name="transactionManager" ref="transactionManager" />
<!-- Lets the engine alter the database schema at startup; convenient on a dev box, usually
     not wanted in production. -->
<property name="databaseSchemaUpdate" value="true" />
<property name="jobExecutorActivate" value="true" />
<property name="enableDatabaseEventLogging" value="true" />
<property name="customFormTypes">
<list>
<bean class="org.activiti.explorer.form.UserFormType" />
<bean class="org.activiti.explorer.form.ProcessDefinitionFormType" />
<bean class="org.activiti.explorer.form.MonthFormType" />
</list>
</property>
<property name="configurators">
<list>
<bean class="org.activiti.ldap.LDAPConfigurator">
<!-- Server connection params -->
<!-- Plain ldap:// with simple authentication sends the bind password unencrypted; prefer
     ldaps:// or StartTLS if the directory offers it. -->
<property name="server" value="ldap://localhost" />
<property name="port" value="8389" />
<property name="securityAuthentication" value="simple" />
<!-- Bind account and password are in clear text in this file, and the DN plus "secret" look
     like a directory server's default administrator account (verify). Prefer a dedicated
     read-only bind account, externalise the password through a property placeholder, and
     keep real credentials out of version control. -->
<property name="user" value="uid=admin,ou=system" />
<property name="password" value="secret" />
<!-- Query params -->
<!-- MY CHANGE START: baseDn was <property name="baseDn" value="dc=test,dc=com" /> -->
<property name="baseDn" value="o=mojo" />
<!-- MY CHANGE END -->
<!-- {0}, {1} and so on are filled in by the configurator at query time; whether the
     substituted values are LDAP-filter escaped is not visible from this file, so check
     that before exposing user-supplied search input. -->
<!-- NOTE(review): the login id is matched against displayname here, while userIdAttribute
     below is uid; confirm the two are meant to differ, otherwise lookups by user id will
     miss. -->
<property name="queryUserByUserId"
value="(&(objectClass=inetOrgPerson)(displayname={0}))" />
<property name="queryUserByFullNameLike"
value="(&(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))" />
<!-- Group membership is resolved from the user's DN via uniqueMember. -->
<property name="queryGroupsForUser"
value="(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))" />
<!-- Attribute mapping from directory entries onto Activiti user/group fields. -->
<property name="userIdAttribute" value="uid" />
<property name="userFirstNameAttribute" value="cn" />
<property name="userLastNameAttribute" value="sn" />
<property name="groupIdAttribute" value="cn" />
<property name="groupNameAttribute" value="cn" />
</bean>
</list>
</property>
</bean>


Acceptance of SAML assetion in a multi-tenant SSO login in Pentaho with spring-SAML

I would like to configure Pentaho with a multi-tenant SSO login using the SAML Plugin Link (that extends the Spring SAML).
Right now I have declared multiple Service Providers (SPs) and Identity Providers (IDPs) in the blueprint.xml (one for each tenant).
If I log in with tenant2, I get a generic error page at the URL https://my.application.com/pentaho/saml/SSO
and in the logs I see the exception
AuthNResponse;FAILURE;10.20.1.120;pentaho#tenant.1.name;tenant.2.name;;;org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
[stacktrace]
org.opensaml.common.SAMLException: Local entity is not the intended audience of the assertion in at least one AudienceRestriction
If I check the SAML, the audience sent contains the right tenant (the second one): I think Pentaho is validating every SAML response as if it always came from tenant1.
How can I make Pentaho use the right tenant SP to validate the right SAML audience?
Further details from here
Here is an example of the blueprint.xml setup in the SAML Plugin:
<!-- Pentaho SAML plugin (Spring SAML) blueprint: one SP and one IDP metadata resource per
     tenant, all aggregated into a single CachingMetadataManager below. Each factory reads a
     filesystem resource named by a per-tenant property and falls back to a classpath copy. -->
<bean id="spResourceFactoryTenant1" class="org.pentaho.platform.spring.security.saml.resources.MetadataResourceFactory">
<argument>
<map key-type="java.lang.String" value-type="java.lang.String">
<entry key="org.opensaml.util.resource.FilesystemResource" value="${saml.sp.metadata.filesystem.tenant1}" />
</map>
</argument>
<argument value="${saml.sp.metadata.classpath.fallback}" />
</bean>
<bean id="spResourceFactoryTenant2" class="org.pentaho.platform.spring.security.saml.resources.MetadataResourceFactory">
<argument>
<map key-type="java.lang.String" value-type="java.lang.String">
<entry key="org.opensaml.util.resource.FilesystemResource" value="${saml.sp.metadata.filesystem.tenant2}" />
</map>
</argument>
<argument value="${saml.sp.metadata.classpath.fallback}" />
</bean>
<bean id="idpResourceFactoryTenant1" class="org.pentaho.platform.spring.security.saml.resources.MetadataResourceFactory">
<argument>
<map key-type="java.lang.String" value-type="java.lang.String">
<entry key="org.opensaml.util.resource.FilesystemResource" value="${saml.idp.metadata.filesystem.tenant1}" />
</map>
</argument>
<argument value="${saml.idp.metadata.classpath.fallback}" />
</bean>
<bean id="idpResourceFactoryTenant2" class="org.pentaho.platform.spring.security.saml.resources.MetadataResourceFactory">
<argument>
<map key-type="java.lang.String" value-type="java.lang.String">
<entry key="org.opensaml.util.resource.FilesystemResource" value="${saml.idp.metadata.filesystem.tenant2}" />
</map>
</argument>
<argument value="${saml.idp.metadata.classpath.fallback}" />
</bean>
<!-- MetadataManager configuration - paths to metadata of IDPs and SP's -->
<!-- NOTE(review): every ExtendedMetadata entry below, the two IDP ones included, carries
     local="true". In Spring SAML that flag marks metadata describing this application's own
     SP; IDP metadata is normally remote. The failing log line
     "AuthNResponse;FAILURE;...;pentaho#tenant.1.name;tenant.2.name" shows the local entity
     resolved as tenant1 while the assertion targeted tenant.2.name, which is exactly what
     verifyAudience then rejects. Confirm which SP alias the /saml/SSO endpoint treats as
     local for a given response, and whether the IDP entries should be local="false". -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager" depends-on="pentahoSamlBootstrap">
<argument>
<list>
<!-- sp metadata with extended metadata -->
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<argument>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<argument>
<bean class="java.util.Timer"/>
</argument>
<argument>
<bean factory-ref="spResourceFactoryTenant1" factory-method="factoryResource" />
</argument>
<property name="parserPool" ref="parserPool"/>
</bean>
</argument>
<argument>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="idpDiscoveryEnabled" value="${saml.discovery.idp.enabled}"/>
<property name="requireLogoutRequestSigned" value="${ensure.incoming.logout.request.signed}"/>
<!-- Alias used in the /alias/tenant1sp/... URLs. -->
<property name="alias" value="tenant1sp"/>
<property name="local" value="true"/>
</bean>
</argument>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<argument>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<argument>
<bean class="java.util.Timer"/>
</argument>
<argument>
<bean factory-ref="spResourceFactoryTenant2" factory-method="factoryResource" />
</argument>
<property name="parserPool" ref="parserPool"/>
</bean>
</argument>
<argument>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="idpDiscoveryEnabled" value="${saml.discovery.idp.enabled}"/>
<property name="requireLogoutRequestSigned" value="${ensure.incoming.logout.request.signed}"/>
<!-- Alias used in the /alias/tenant2sp/... URLs (the one exercised in the question). -->
<property name="alias" value="tenant2sp"/>
<property name="local" value="true"/>
</bean>
</argument>
</bean>
<!-- idp metadata -->
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<argument>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<argument>
<bean class="java.util.Timer"/>
</argument>
<argument>
<bean factory-ref="idpResourceFactoryTenant1" factory-method="factoryResource" />
</argument>
<property name="parserPool" ref="parserPool"/>
</bean>
</argument>
<argument>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="idpDiscoveryEnabled" value="${saml.discovery.idp.enabled}"/>
<property name="requireLogoutRequestSigned" value="${ensure.outgoing.logout.request.signed}"/>
<property name="requireLogoutResponseSigned" value="${ensure.outgoing.logout.response.signed}"/>
<property name="alias" value="tenant1idp"/>
<!-- See the review note on the metadata bean: local="true" on an IDP entry is suspicious. -->
<property name="local" value="true"/>
</bean>
</argument>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<argument>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<argument>
<bean class="java.util.Timer"/>
</argument>
<argument>
<bean factory-ref="idpResourceFactoryTenant2" factory-method="factoryResource" />
</argument>
<property name="parserPool" ref="parserPool"/>
</bean>
</argument>
<argument>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="idpDiscoveryEnabled" value="${saml.discovery.idp.enabled}"/>
<property name="requireLogoutRequestSigned" value="${ensure.outgoing.logout.request.signed}"/>
<property name="requireLogoutResponseSigned" value="${ensure.outgoing.logout.response.signed}"/>
<property name="alias" value="tenant2idp"/>
<!-- See the review note on the metadata bean: local="true" on an IDP entry is suspicious. -->
<property name="local" value="true"/>
</bean>
</argument>
</bean>
</list>
</argument>
<property name="keyManager" ref="keyManager" />
<!-- A single default IDP for all tenants; with per-tenant IDP aliases above, confirm this is
     still the intended fallback. -->
<property name="defaultIDP" value="${saml.idp.url}" />
</bean>
With this configuration, when I go to the url
https://my.application.com/pentaho/alias/tenant2sp/sp?idp=tenant.2.name
I am redirected to the login page exposed by the IDP (WSO2) for tenant2. After the login I am redirected to the https://my.application.com/pentaho/saml/SSO URL and get a generic error (see the screenshot):
Sorry, something went wrong.
Please try again or contact
your system administrator.
In the logs I see
INFO [SAMLDefaultLogger] AuthNResponse;FAILURE;10.20.1.120;pentaho#tenant.1.name;tenant.2.name;;;org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:265)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
at org.pentaho.platform.spring.security.saml.PentahoSamlAuthenticationProvider.authenticate(PentahoSamlAuthenticationProvider.java:18)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.pentaho.platform.engine.core.system.objfac.spring.BeanBuilder$1.invoke(BeanBuilder.java:162)
at com.sun.proxy.$Proxy118.authenticate(Unknown Source)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
at org.pentaho.platform.spring.security.saml.PentahoAuthenticationManagerDelegate.authenticate(PentahoAuthenticationManagerDelegate.java:47)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:92)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.saml.SAMLLogoutProcessingFilter.processLogout(SAMLLogoutProcessingFilter.java:209)
at org.pentaho.platform.spring.security.saml.logout.PentahoSamlLogoutProcessingFilter.processLogout(PentahoSamlLogoutProcessingFilter.java:53)
at org.springframework.security.saml.SAMLLogoutProcessingFilter.doFilter(SAMLLogoutProcessingFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.saml.SAMLLogoutFilter.processLogout(SAMLLogoutFilter.java:168)
at org.pentaho.platform.spring.security.saml.logout.PentahoSamlLogoutFilter.processLogout(PentahoSamlLogoutFilter.java:78)
at org.springframework.security.saml.SAMLLogoutFilter.doFilter(SAMLLogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.pentaho.platform.web.http.security.HttpSessionReuseDetectionFilter.doFilter(HttpSessionReuseDetectionFilter.java:136)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.pentaho.platform.web.http.filters.HttpSessionPentahoSessionIntegrationFilter.doFilter(HttpSessionPentahoSessionIntegrationFilter.java:276)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.pentaho.platform.web.http.security.CsrfGateFilter.doFilter(CsrfGateFilter.java:136)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.pentaho.platform.web.http.filters.SystemStatusFilter.doFilter(SystemStatusFilter.java:58)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.pentaho.platform.web.http.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.pentaho.platform.web.http.filters.WebappRootForwardingFilter.doFilter(WebappRootForwardingFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.pentaho.platform.web.http.filters.PentahoPathDecodingFilter.doFilter(PentahoPathDecodingFilter.java:54)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.opensaml.common.SAMLException: Local entity is not the intended audience of the assertion in at least one AudienceRestriction
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAudience(WebSSOProfileConsumerImpl.java:542)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:494)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:339)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:250)
... 70 more
But if I check in the SAML, the expected tenant audience has been provided:
<!-- Audience condition as received from the IDP: it names both the bare entity id and the
     tenant-qualified one. verifyAudience compares this list against the local SP's entity id,
     so the mismatch reported in the log appears to be on the local-entity side rather than in
     the assertion itself. -->
<saml2:AudienceRestriction>
<saml2:Audience>pentaho</saml2:Audience>
<saml2:Audience>pentaho#tenant.2.name</saml2:Audience>
</saml2:AudienceRestriction>
How can I make Pentaho use the right tenant SP to validate the right SAML audience?

javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials] while authenticating via LDAP in spring security3

I am trying to authenticate users via LDAP and authorize them via a database. The LDAP directory contains each user with a corresponding group; I want to fetch this group on successful authentication and then fetch the ROLE for that group from the database.
My spring security config file is below.
<!-- Spring Security 3.1 configuration: a custom LDAP provider is consulted first and a
     database-backed UserDetailsService second (providers are tried in the order listed;
     confirm ProviderManager fall-through semantics for this version). -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/login.htm" />
</bean>
<bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />
<!-- security="none" removes these paths from the Spring Security filter chain entirely
     (no authentication, session handling or access control). Keep this list to static
     assets and the login page only, and make sure nothing sensitive is served under them. -->
<security:http security="none" pattern="/login.htm"/>
<security:http security="none" pattern="/js/**"/>
<security:http security="none" pattern="/images/**"/>
<security:http security="none" pattern="/css/**"/>
<security:http security="none" pattern="/ckeditor/**"/>
<security:http security="none" pattern="/dhtmlgrid/**"/>
<security:http security="none" pattern="/xmleditor/**"/>
<security:http auto-config="false" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true" use-expressions="true">
<security:session-management>
<!-- One session per user; a second login is refused rather than expiring the first. -->
<security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/>
</security:session-management>
<security:custom-filter position="FORM_LOGIN_FILTER"
ref="cdlAuthenticationProcessingFilter" />
<security:intercept-url pattern="/displayAdminPage.htm" access="hasRole('admin')" />
<security:intercept-url pattern="/**" access="isFullyAuthenticated()" />
<security:access-denied-handler ref="accessDeniedHandler" />
<security:logout logout-success-url="/login.htm" logout-url="/logout"/>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="customLdapAuthenticationProvider"/>
<security:authentication-provider user-service-ref="cdlUserDetailService">
</security:authentication-provider>
</security:authentication-manager>
<bean id="customLdapAuthenticationProvider" class="com.qait.cdl.authentication.customfilter.CustomLdapAuthenticationProvider">
<constructor-arg ref="ldapBindAuthenticator"/>
<constructor-arg ref="ldapAuthoritiesPopulator"/>
</bean>
<bean id="ldapBindAuthenticator"
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="ldapContextSource" />
<!-- Pattern is relative to the base DN in the context-source URL, so user1 binds as
     uid=user1,cn=users,dc=nodomain, which matches the directory layout in the question. -->
<property name="userDnPatterns"><list><value>uid={0},cn=users</value></list></property>
</bean>
<bean id="ldapAuthoritiesPopulator" class="com.qait.cdl.authentication.customfilter.CdlUserAuthoritiesPopulator">
</bean>
<!-- NOTE(review): userDn/password are the manager account for the initial (non-user) bind.
     The value cn=users,dc=nodomain is the container the user entries live under, not an
     account entry, so that bind plausibly fails with "error code 49 - Invalid Credentials"
     and leaves the DirContext null in AbstractContextSource. Bind with a real account DN
     (or, if the directory permits it, drop userDn/password for an anonymous read-only bind)
     and verify the DN and password with ldapsearch first. The manager password is also in
     clear text here; externalise it. -->
<bean id="ldapContextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<!-- ldap:// is unencrypted: the manager and user bind passwords cross the network in clear. -->
<constructor-arg value="ldap://172.16.1.121:389/dc=nodomain"/>
<property name="userDn" value="cn=users,dc=nodomain"/>
<property name="password" value="ldap_admin"/>
</bean>
<bean id="cdlUserDetailService" class="com.qait.cdl.authentication.service.impl.UserDetailsServiceImpl">
<property name="userDao" ref="userDao"/>
</bean>
<bean id="cdlAuthenticationProcessingFilter"
class="com.qait.cdl.authentication.customfilter.CustomAuthenticationProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="userDao" ref="userDao"/>
</bean>
<bean id="accessDeniedHandler"
class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<property name="errorPage" value="/WEB-INF/jsp/access-denied/content.jsp"/>
</bean>
</beans>
While debugging the whole application I got a null DirContext in AbstractContextSource, which is called by BindAuthenticator.
My LDAP directory structure is below:
dn: uid=user1,cn=users,dc=nodomain
uid: user1
userPassword:user1
I've been struggling with this error for the past 2 days. Any help will be appreciated; if you need any extra info, just ask. Maybe my LDAP directory structure is wrong. Where am I going wrong?

How to configure heartbeat for spring-rabbitmq

How can I configure the spring-rabbitmq connection-factory
<!-- host/port come from placeholders, but the credentials are the broker's built-in
     guest/guest defaults, hard-coded. RabbitMQ restricts the guest user to loopback
     connections by default, so these values only work against a local broker;
     externalize a dedicated account the same way as host/port. -->
<rabbit:connection-factory id="connectionFactory" host="${rabbitmq.host}" port="${rabbitmq.port:5672}"
username="guest" password="guest"/>
With a requested heartbeat ?
You can provide the underlying connection factory as a bean; properties set on the rabbit:connection-factory will be overridden.
<!-- The connection-factory attribute points at the underlying client ConnectionFactory
     ("rcf"), which is where the heartbeat is configured. The guest/guest credentials
     remain hard-coded here; externalize them like host/port. -->
<rabbit:connection-factory id="connectionFactory" host="${rabbitmq.host}" port="${rabbitmq.port:5672}"
username="guest" password="guest" connection-factory="rcf" />
<bean id="rcf" class="com.rabbitmq.client.ConnectionFactory">
<property name="host" value="${rabbitmq.host}"/>
<!-- Requested heartbeat interval in seconds (0 disables the request); the effective
     interval is negotiated with the broker. -->
<property name="requestedHeartbeat" value="10" />
</bean>
You should use the requestedHeartbeat property of the connection-factory bean:
<!-- Same approach as above: heartbeat requested on the client ConnectionFactory itself
     (100 s here), with a hard-coded localhost host. -->
<bean id="rabbitconnectionFactory" class="com.rabbitmq.client.ConnectionFactory">
<property name="host" value="localhost"/>
<property name="requestedHeartbeat" value="100" />
</bean>

Spring WS Configuration Wsdl11DestinationProvider Error

The error happens when trying to define the WSDL endpoint. The stack trace states that the URL doesn't exist; however, I can navigate to the URL. It is https, and I have the certificate stored in my cacerts and root keystore. Help?
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
<!--bean id="propertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"
p:location="/WEB-INF/jdbc.properties" />
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource"
p:driverClassName="${jdbc.driverClassName}"
p:url="${jdbc.url}"
p:username="${jdbc.username}"
p:password="${jdbc.password}" /-->
<!-- ADD PERSISTENCE SUPPORT HERE (jpa, hibernate, etc) -->
<!-- SAAJ-based SOAP message factory shared by the clients below. -->
<bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory" />
<!-- Template for concrete clients (abstract="true"; inherited via parent= further down).
     NOTE(review): Wsdl11DestinationProvider fetches the WSDL when the wsdl property is
     set, i.e. during context refresh (the stack trace below fails inside
     applyPropertyValues). Any trust-store/keystore configured programmatically after the
     context is built therefore runs too late for this fetch — set the javax.net.ssl.*
     properties before the context starts, or give the client a fixed endpoint URI
     instead of resolving it from the WSDL at startup. -->
<bean id="abstractClient" abstract="true">
<constructor-arg ref="messageFactory" />
<property name="destinationProvider">
<bean class="org.springframework.ws.client.support.destination.Wsdl11DestinationProvider">
<property name="wsdl" value="https://ws.firstdataglobalgateway.com:443/fdggwsapi/services/order.wsdl"/>
</bean>
</property>
</bean>
<!-- Custom holder that exposes the ApplicationContext to non-managed code. -->
<bean id="contextApplicationContextProvider" class="com.intellavia.provider.ApplicationContextProvider"></bean>
<!-- XMLBeans marshaller, used for both marshalling and unmarshalling by the client bean below. -->
<bean id="marshaller" class="org.springframework.oxm.xmlbeans.XmlBeansMarshaller" />
<!-- authenticationPreemptive=true sends the credentials with the first request instead of
     waiting for a 401 challenge; acceptable here only because the endpoint is https.
     The multi-threaded connection manager lets the single HttpClient be shared. -->
<bean id="httpClientParams" class="org.apache.commons.httpclient.params.HttpClientParams">
<property name="authenticationPreemptive" value="true" />
<property name="connectionManagerClass" value="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager" />
</bean>
<!-- Commons HttpClient 3.x instance built from the params above. -->
<bean id="httpClient" class="org.apache.commons.httpclient.HttpClient">
<constructor-arg ref="httpClientParams" />
</bean>
<!-- (user name, password) — redacted by the poster. Keep the real values out of this file
     (property placeholder or externalized secret) rather than inline in the context XML. -->
<bean id="credentials" class="org.apache.commons.httpclient.UsernamePasswordCredentials">
<constructor-arg value="*********" />
<constructor-arg value="*********" />
</bean>
<!-- Commons HttpClient transport for Spring WS; the credentials above are presumably
     applied to the shared HttpClient by this sender. -->
<bean id="messageSender" class="org.springframework.ws.transport.http.CommonsHttpMessageSender">
<constructor-arg ref="httpClient"></constructor-arg>
<property name="credentials" ref="credentials" />
</bean>
<!-- Concrete client: inherits the message factory and the WSDL-based destination provider
     from abstractClient; the same XMLBeans marshaller serves both directions. -->
<bean id="fdggwsapiorder" parent="abstractClient" class="com.api.client.order">
<property name="marshaller" ref="marshaller" />
<property name="unmarshaller" ref="marshaller" />
<property name="messageSender" ref="messageSender" />
</bean>
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.ws.client.support.destination.Wsdl11DestinationProvider#7424ce' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Error setting property values; nested exception is org.springframework.beans.PropertyBatchUpdateException; nested PropertyAccessExceptions (1) are:
PropertyAccessException 1: org.springframework.beans.MethodInvocationException: Property 'wsdl' threw exception; nested exception is java.lang.IllegalArgumentException: URL [https://ws.firstdataglobalgateway.com:443/fdggwsapi/services/order.wsdl] does not exist
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1279)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1010)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
at java.security.AccessController.doPrivileged(Native Method)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:219)
... 26 more
The server I was trying to retrieve the WSDL from expected a key and password combination. The JVM also required that the SSL certificate be stored in the cacerts file as a trusted entity. I was setting the keystore property programmatically, but this request was being processed before that switch took place.

Do I need to manually set authenticationManager in spring?

After loading ApplicationContext I got a warning like this:
INFO: No authentication manager set. Reauthentication of users when changing passwords will not be performed.
My Context.XML file is like this:
<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans"
xmlns:aop="http://www.springframework.org/schema/aop" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.6.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
<!-- =============== Security =============== -->
<!-- NOTE(review): this metadata source is not referenced by the global-method-security
     element below in the visible config, so it may be inert. Its access attribute
     "MyAccess" has no ROLE_ prefix, so the RoleVoter configured below would abstain on it;
     under UnanimousBased an all-abstain vote is denied by default. -->
<sec:method-security-metadata-source
id="method-security-metadata-source">
<sec:protect access="MyAccess"
method="springsecuritytest._00_base.AuthenticationTester.*" />
</sec:method-security-metadata-source>
<!-- Method security with the UnanimousBased manager below (any deny → denied), CGLIB
     proxies (proxy-target-class), and @Secured / @PreAuthorize support. The pointcut
     additionally requires ROLE_USER_BASIC_099 on every method of AuthenticationTester. -->
<sec:global-method-security
access-decision-manager-ref="accessDecisionManager"
secured-annotations="enabled" pre-post-annotations="enabled"
proxy-target-class="true">
<sec:protect-pointcut
expression="execution(* springsecuritytest._00_base.AuthenticationTester.*(..))"
access="ROLE_USER_BASIC_099" />
<!-- <sec:protect-pointcut access="ROLE_USER_BASIC_099" expression="execution(*
springsecuritytest._00_base.AuthenticationTester.* (..))" /> -->
</sec:global-method-security>
<!-- Provider manager exposed under the alias "authenticationManager"; users and roles come
     from the JDBC user service on dataSource. erase-credentials="true" clears the password
     from the Authentication once it succeeds. NOTE(review): the INFO line quoted above
     appears to come from the JDBC user-details manager having no authenticationManager for
     re-authentication on password change; it is informational unless change-password is used. -->
<sec:authentication-manager alias="authenticationManager"
erase-credentials="true">
<sec:authentication-provider>
<sec:jdbc-user-service data-source-ref="dataSource" />
<!-- role-prefix="ROLE_" /> -->
</sec:authentication-provider>
</sec:authentication-manager>
<!-- UnanimousBased with a single RoleVoter (default ROLE_ prefix). Only attributes starting
     with ROLE_ are voted on; anything else is an abstention, and an all-abstain result is
     denied by default. -->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.access.vote.RoleVoter" />
<!-- <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/> -->
</list>
</property>
</bean>
<!-- NOTE(review): root with an empty password, inline in the context file. Use a dedicated
     least-privilege database account and externalize the credentials. DriverManagerDataSource
     opens a new connection on every call — acceptable for a test setup, not for production. -->
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://localhost:3306/spring_security" />
<property name="username" value="root" />
<property name="password" value="" />
</bean>
Can anybody help me?
I found it; it seems to have been caused by the bean definition model I used.
I too was experiencing this nebulous message in the log. I had to add a reference to my authentication manager both in the http element and in the UserDetailsManager in the XML configuration file. This will depend on how Spring Security is configured, but hopefully it helps!
<!-- authentication-manager-ref ties this http element to the manager declared below.
     intercept-url rules are evaluated in order and the first match wins, so the catch-all
     /** must stay last. remember-me with data-source-ref uses database-persisted tokens
     rather than a hash of the user's password. -->
<security:http auto-config="true" authentication-manager-ref="authenticationManager" use-expressions="true">
<security:remember-me data-source-ref="dataSource" user-service-ref="userDetailsManagerDao" />
<security:intercept-url pattern="/" access="permitAll" />
<security:intercept-url pattern="/home" access="permitAll" />
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/registration" access="permitAll" />
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<security:form-login login-page="/login" default-target-url="/default" login-processing-url="/login/authenticate"
username-parameter="username" password-parameter="password" authentication-failure-url="/login?error" />
<security:logout logout-url="/logout" logout-success-url="/login?logout" />
</security:http>
<!-- JDBC-backed user details manager (presumably a JdbcUserDetailsManager subclass):
     authorities come from the group tables (enableGroups=true, enableAuthorities=false).
     Injecting authenticationManager is what removes the "No authentication manager set"
     INFO line — it is used to re-authenticate the caller on password change. -->
<bean id="userDetailsManagerDao" class="com.alphatek.tylt.repository.UserDetailsManagerJdbcDao">
<property name="dataSource" ref="dataSource" />
<property name="enableAuthorities" value="false" />
<property name="enableGroups" value="true" />
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<!-- Manager registered under the id "authenticationManager" (the id form, as opposed to
     alias=), backed by the user-details manager above. passwordEncoder is defined outside
     this excerpt. -->
<security:authentication-manager id="authenticationManager">
<security:authentication-provider user-service-ref="userDetailsManagerDao">
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>