1 Reply Latest reply: Oct 7, 2011 5:04 AM by 580566

    Help with WindowsDesktopSSO and AMIdentity.getAttributes

    580566
      Hi guys and girls,
      I need some help from you experts.

      I successfully set up, thanks to this guide

      http://blogs.oracle.com/knittel/entry/opensso_windowsdesktopsso

      and a lot of trial & error and googling, Kerberos authentication between OpenAM version 9.5.2 and an Active Directory server.
      When I navigate to the OpenAM page (from a domain machine) http://<openAMhost>:<port>/opensso, it doesn't ask for credentials,
      and I can see the Kerberos data exchange with ieHttpHeaders.

      Without creating an Active Directory data store (pointing to the same domain where I use the Kerberos data) in OpenAM,
      when I navigate (from a domain machine) to the /opensso/idm/EndUser page, it always gives me:

      "Plug-in com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo encountered an ldap exception. LDAP Error 32: The entry specified in the request does not exist."

      Since my aim was to get user information from a web app, I thought I could do this with an agent/SDK call, as I usually do with "classic" authentication.

      Now I created a J2EE Agent (on OpenAM) to protect one of my applications, deployed on a JBoss 4.2.1-GA server.
      Agent configured with default options and these changes:

      Agent Filter Mode: J2EE_POLICY
      User Mapping Mode: USER_ID
      User Attribute Name: tried both with employeenumber and uid
      User Principal Flag: enabled
      User Token Name: UserToken
      FQDN Check: tried both with enabled and disabled
      WebAuthentication Available: Enabled

      In my application, WEB-INF/jboss-web.xml looks like this:

           <?xml version="1.0" encoding="UTF-8"?>
           <jboss-web>
                <security-domain>java:/jaas/AMRealm</security-domain>
           </jboss-web>
      Usually, when I authenticate with the "classic" (internal data store) login, I can get user attributes programmatically with code like this:
             // Imports this method relies on (a page import directive in the JSP, or import
             // statements in a class): OpenAM client SDK plus the J2EE agent filter classes.
             // import java.util.HashSet;
             // import java.util.Map;
             // import java.util.Set;
             // import javax.servlet.http.HttpServletRequest;
             // import com.iplanet.sso.SSOToken;
             // import com.iplanet.sso.SSOTokenManager;
             // import com.sun.identity.agents.filter.AmFilterManager;
             // import com.sun.identity.idm.AMIdentity;

             private String getCredenzialiUtente(HttpServletRequest request)
             {
                 String SSOUsername = null;

                 try
                 {
                     // The agent filter has already validated the session; fetch the
                     // token id it cached for this request and turn it into an SSOToken.
                     SSOTokenManager manager = SSOTokenManager.getInstance();
                     String ssoTokenID = AmFilterManager.getAmSSOCache().getSSOTokenForUser(request);
                     if (ssoTokenID == null)
                         throw new RuntimeException("Unable to Get: TokenForUser");

                     SSOToken ssoToken = manager.createSSOToken(ssoTokenID);

                     // Identity of the authenticated user, resolved from the token's universal id.
                     AMIdentity amid = new AMIdentity(ssoToken);

                     SSOUsername = amid.getName();
                     System.out.println("######### USERNAME FROM SSO: " + SSOUsername);

                     // Attributes to read from the realm's data store.
                     Set<String> info = new HashSet<String>();
                     info.add("uid");
                     info.add("givenName");

                     // getAttributes() returns a Map of attribute name -> Set of values.
                     Map<?, ?> mappa = amid.getAttributes(info);

                     if (mappa != null)
                     {
                         for (Map.Entry<?, ?> entry : mappa.entrySet())
                             System.out.println(entry.getKey() + " ==> " + entry.getValue());
                     }
                     else
                     {
                         System.err.println(" DAMN - NO ATTR ");
                     }
                 }
                 catch (Exception exception)
                 {
                     // SSOException / IdRepoException thrown by the SDK (e.g. the LDAP Error 32
                     // shown below) end up here.
                     exception.printStackTrace();
                 }

                 System.out.println("OUT getCredenzialiUtente: " + SSOUsername);
                 return SSOUsername;
             }
      When I log in to the console with the default "ldapService" module (outside the domain), I get something like:
           2011-09-29 13:14:38,733 INFO  [STDOUT]  ####################################### USER = amadmin
           2011-09-29 13:15:32,250 INFO  [STDOUT] IN getCredenzialiLAit
           2011-09-29 13:15:32,260 INFO  [STDOUT] ######### USERNAME DA SSO: a2zarrillo
           2011-09-29 13:15:32,291 INFO  [STDOUT] uid ==> [a2zarrillo]
           2011-09-29 13:15:32,291 INFO  [STDOUT] givenName ==> [Antonio2]
           2011-09-29 13:15:32,311 INFO  [STDOUT] OUT getCredenziali: a2zarrillo
           2011-09-29 13:15:32,321 INFO  [STDOUT]  ####################################### USER = a2zarrillo
      but when I try to log in from inside the domain (with Kerberos, so no credentials) with a domain user, I get:
           2011-09-29 13:15:39,496 INFO  [STDOUT] IN getCredenzialiLAit
           2011-09-29 13:15:39,503 INFO  [STDOUT] ######### USERNAME DA SSO: tonyweb
           2011-09-29 13:15:39,550 ERROR [STDERR] Message:Plug-in  encountered an ldap exception.  LDAP Error 32: The entry specified in the request does not exist.
           2011-09-29 13:15:39,554 ERROR [STDERR]      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
           2011-09-29 13:15:39,560 ERROR [STDERR]      at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
           2011-09-29 13:15:39,562 ERROR [STDERR]      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
           2011-09-29 13:15:39,566 ERROR [STDERR]      at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
           2011-09-29 13:15:39,574 ERROR [STDERR]      at com.sun.identity.shared.jaxrpc.SOAPClient$SOAPContentHandler.createResourceBasedException(SOAPClient.java:834)
           2011-09-29 13:15:39,575 ERROR [STDERR]      at com.sun.identity.shared.jaxrpc.SOAPClient$SOAPContentHandler.endDocument(SOAPClient.java:800)
           2011-09-29 13:15:39,578 ERROR [STDERR]      at org.apache.xerces.parsers.AbstractSAXParser.endDocument(Unknown Source)
           2011-09-29 13:15:39,582 ERROR [STDERR]      at org.apache.xerces.impl.XMLDocumentScannerImpl.endEntity(Unknown Source)
           2011-09-29 13:15:39,587 ERROR [STDERR]      at org.apache.xerces.impl.XMLEntityManager.endEntity(Unknown Source)
           2011-09-29 13:15:39,592 ERROR [STDERR]      at org.apache.xerces.impl.XMLEntityScanner.load(Unknown Source)
           2011-09-29 13:15:39,598 ERROR [STDERR]      at org.apache.xerces.impl.XMLEntityScanner.skipSpaces(Unknown Source)
           2011-09-29 13:15:39,600 ERROR [STDERR]      at org.apache.xerces.impl.XMLDocumentScannerImpl$TrailingMiscDispatcher.dispatch(Unknown Source)
           2011-09-29 13:15:39,604 ERROR [STDERR]      at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
           2011-09-29 13:15:39,607 ERROR [STDERR]      at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
           2011-09-29 13:15:39,609 ERROR [STDERR]      at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
           2011-09-29 13:15:39,613 ERROR [STDERR]      at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
           2011-09-29 13:15:39,616 ERROR [STDERR]      at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
           2011-09-29 13:15:39,621 ERROR [STDERR]      at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
           2011-09-29 13:15:39,625 ERROR [STDERR]      at com.sun.identity.shared.jaxrpc.SOAPClient.send(SOAPClient.java:343)
           2011-09-29 13:15:39,633 ERROR [STDERR]      at com.sun.identity.shared.jaxrpc.SOAPClient.send(SOAPClient.java:311)
           2011-09-29 13:15:39,636 ERROR [STDERR]      at com.sun.identity.idm.remote.IdRemoteServicesImpl.getAttributes(IdRemoteServicesImpl.java:229)
           2011-09-29 13:15:39,639 ERROR [STDERR]      at com.sun.identity.idm.remote.IdRemoteCachedServicesImpl.getAttributes(IdRemoteCachedServicesImpl.java:402)
           2011-09-29 13:15:39,642 ERROR [STDERR]      at com.sun.identity.idm.AMIdentity.getAttributes(AMIdentity.java:344)
           2011-09-29 13:15:39,645 ERROR [STDERR]      at org.apache.jsp.MainPageJSP_jsp.getCredenzialiUtente(MainPageJSP_jsp.java:63)
           2011-09-29 13:15:39,648 ERROR [STDERR]      at org.apache.jsp.MainPageJSP_jsp._jspService(MainPageJSP_jsp.java:217)
           2011-09-29 13:15:39,653 ERROR [STDERR]      at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
           2011-09-29 13:15:39,660 ERROR [STDERR]      at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
           2011-09-29 13:15:39,664 ERROR [STDERR]      at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:387)
           2011-09-29 13:15:39,666 ERROR [STDERR]      at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
           2011-09-29 13:15:39,669 ERROR [STDERR]      at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
           2011-09-29 13:15:39,673 ERROR [STDERR]      at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
           2011-09-29 13:15:39,676 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
           2011-09-29 13:15:39,678 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           2011-09-29 13:15:39,683 ERROR [STDERR]      at com.sun.identity.agents.filter.AmAgentBaseFilter.allowRequestToContinue(AmAgentBaseFilter.java:127)
           2011-09-29 13:15:39,685 ERROR [STDERR]      at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:76)
           2011-09-29 13:15:39,690 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
           2011-09-29 13:15:39,697 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           2011-09-29 13:15:39,701 ERROR [STDERR]      at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:687)
           2011-09-29 13:15:39,705 ERROR [STDERR]      at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
           2011-09-29 13:15:39,710 ERROR [STDERR]      at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
           2011-09-29 13:15:39,713 ERROR [STDERR]      at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
           2011-09-29 13:15:39,716 ERROR [STDERR]      at com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:408)
           2011-09-29 13:15:39,725 ERROR [STDERR]      at com.sun.faces.application.ViewHandlerImpl.executePageToBuildView(ViewHandlerImpl.java:442)
           2011-09-29 13:15:39,729 ERROR [STDERR]      at com.sun.faces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:115)
           2011-09-29 13:15:39,730 ERROR [STDERR]      at javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:178)
           2011-09-29 13:15:39,734 ERROR [STDERR]      at com.cid.faces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:92)
           2011-09-29 13:15:39,741 ERROR [STDERR]      at com.sun.rave.web.ui.appbase.faces.ViewHandlerImpl.renderView(ViewHandlerImpl.java:295)
           2011-09-29 13:15:39,744 ERROR [STDERR]      at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:106)
           2011-09-29 13:15:39,747 ERROR [STDERR]      at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251)
           2011-09-29 13:15:39,750 ERROR [STDERR]      at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144)
           2011-09-29 13:15:39,753 ERROR [STDERR]      at javax.faces.webapp.FacesServlet.service(FacesServlet.java:245)
           2011-09-29 13:15:39,761 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
           2011-09-29 13:15:39,765 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           2011-09-29 13:15:39,768 ERROR [STDERR]      at com.cid.faces.webapp.CidWebUIFilter._invokeDoFilter(CidWebUIFilter.java:239)
           2011-09-29 13:15:39,776 ERROR [STDERR]      at com.cid.faces.webapp.CidWebUIFilter._doFilterImpl(CidWebUIFilter.java:196)
           2011-09-29 13:15:39,780 ERROR [STDERR]      at com.cid.faces.webapp.CidWebUIFilter.doFilter(CidWebUIFilter.java:80)
           2011-09-29 13:15:39,788 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
           2011-09-29 13:15:39,793 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           2011-09-29 13:15:39,797 ERROR [STDERR]      at com.sun.identity.agents.filter.AmAgentBaseFilter.allowRequestToContinue(AmAgentBaseFilter.java:127)
           2011-09-29 13:15:39,803 ERROR [STDERR]      at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:76)
           2011-09-29 13:15:39,807 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
           2011-09-29 13:15:39,810 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           2011-09-29 13:15:39,813 ERROR [STDERR]      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
           2011-09-29 13:15:39,820 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
           2011-09-29 13:15:39,825 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           2011-09-29 13:15:39,829 ERROR [STDERR]      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
           2011-09-29 13:15:39,833 ERROR [STDERR]      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
           2011-09-29 13:15:39,836 ERROR [STDERR]      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
           2011-09-29 13:15:39,843 ERROR [STDERR]      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
           2011-09-29 13:15:39,846 ERROR [STDERR]      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
           2011-09-29 13:15:39,851 ERROR [STDERR]      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
           2011-09-29 13:15:39,854 ERROR [STDERR]      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
           2011-09-29 13:15:39,857 ERROR [STDERR]      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
           2011-09-29 13:15:39,860 ERROR [STDERR]      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
           2011-09-29 13:15:39,862 ERROR [STDERR]      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
           2011-09-29 13:15:39,866 ERROR [STDERR]      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
           2011-09-29 13:15:39,870 ERROR [STDERR]      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
           2011-09-29 13:15:39,874 ERROR [STDERR]      at java.lang.Thread.run(Thread.java:619)
           2011-09-29 13:15:39,877 INFO  [STDOUT] OUT getCredenziali: tonyweb
      As you can see, I'm using the "sample" agentApp.war.
      What am I missing? It "crashes" at the getAttributes() call :/

      I thought it could be because I didn't set up an LDAP data store, so I set up an Active Directory data store.
      While in the OpenAM console (from outside the domain) I can see (from the Subjects tab) the Active Directory users and their information
      (like First Name (=givenName), Surname (=sn), Full Name (=cn), etc.), when I try again with idm/EndUser (from a domain machine)
      I get the same error:
           Message:Plug-in  encountered an ldap exception.  LDAP Error 32: The entry specified in the request does not exist.
      What should I do now?
      If you need more clarifications ... just ask :)


      Thank you in advance and sorry for the big post.

      Best Regards,
      Tony

      P.S. By the way, my OpenAM configuration does not create any "amAuthWindowsDesktopSSO.log" :(
      I set the message level for Authentication from opensso/Debug.jsp, but it still doesn't create this log. Can you please tell me how to make OpenAM write it?
           
      Again thank you
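      The following is an added example and not code from the original post or from the OpenAM project. It shows one way to make the attribute lookup above diagnose itself: resolve the agent session to an AMIdentity, log which name, type, realm and universal id the SDK actually resolved, and check AMIdentity.isExists() before calling getAttributes(), so that a valid WindowsDesktopSSO session whose user has no entry in the realm's data store is reported as such rather than surfacing as an LDAP exception from the plug-in. It assumes the same OpenAM 9.5.x client SDK and J2EE agent classes used in the post; the class and method names (SsoAttributeLookup, tokenFor, describe, fetch, lookup) are illustrative.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.agents.filter.AmFilterManager;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;

/**
 * Added example (not from the original post): resolve the agent session to an
 * AMIdentity, verify the identity exists in the realm's data store, and only
 * then read attributes. Class and method names are illustrative.
 */
public final class SsoAttributeLookup {

    private SsoAttributeLookup() {
    }

    /** Resolve the SSO token the J2EE agent cached for this request. */
    static SSOToken tokenFor(HttpServletRequest request) throws SSOException {
        String tokenId = AmFilterManager.getAmSSOCache().getSSOTokenForUser(request);
        if (tokenId == null) {
            throw new IllegalStateException("agent has no SSO token for this request");
        }
        return SSOTokenManager.getInstance().createSSOToken(tokenId);
    }

    /** Human-readable description of what the SDK resolved the session to. */
    static String describe(AMIdentity id) {
        return id.getName() + " (type=" + id.getType().getName()
                + ", realm=" + id.getRealm()
                + ", universalId=" + id.getUniversalId() + ")";
    }

    /**
     * Read the requested attributes. A session can be valid (the authentication
     * module accepted the user) while the realm's data store holds no entry for
     * that user name; isExists() separates that case from a real lookup failure
     * before getAttributes() reaches the LDAP plug-in.
     */
    static Map<String, Set<String>> fetch(SSOToken token, Set<String> names)
            throws SSOException, IdRepoException {
        AMIdentity id = new AMIdentity(token);
        if (!id.isExists()) {
            throw new IllegalStateException("no data store entry for " + describe(id));
        }
        @SuppressWarnings("unchecked")
        Map<String, Set<String>> attrs = id.getAttributes(names);
        return attrs == null ? Collections.<String, Set<String>>emptyMap() : attrs;
    }

    /** Entry point for a servlet or JSP: returns uid/givenName, or null on failure. */
    public static Map<String, Set<String>> lookup(HttpServletRequest request) {
        Set<String> names = new LinkedHashSet<String>();
        names.add("uid");
        names.add("givenName");
        try {
            SSOToken token = tokenFor(request);
            System.out.println("resolved " + describe(new AMIdentity(token)));
            return fetch(token, names);
        } catch (IdRepoException e) {
            // Error code and message come from the data store plug-in (the LDAP
            // result code appears in the message, as in the post's stack trace).
            System.err.println("IdRepo error " + e.getErrorCode() + ": " + e.getMessage());
        } catch (SSOException e) {
            System.err.println("SSO error: " + e.getMessage());
        } catch (IllegalStateException e) {
            System.err.println(e.getMessage());
        }
        return null;
    }
}
```

      The realm and universal id printed by describe() show which data store the SDK is querying for the Kerberos-authenticated user, which is the first thing to compare against the data store's base DN and naming attribute when getAttributes() reports that the entry does not exist.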
        • 1. Solved
          580566
          Weirdly enough, changing to the ADAM data store (and not the "standard" AD data store) solved the problem :D
          I still wonder why, since both plugins share the same Java [implementing] class...

          Regards,
          Tony