Details
- Bug
- Status: Closed
- High
- Resolution: Fixed
- 3.2.0
- None
- 1
- Flagged
- Platform Sprint 140
Description
External authentication, for example through LDAP, may require loading specific classes such as a socketFactory class.
The loading of such classes should be done through a classloader context of the repository itself (e.g. cms.war or repository.war).
Currently this is not enforced though, which can cause a ClassNotFoundException when a login is invoked from the ChannelManager which executes from the site context:
[INFO] [talledLocalContainer] javax.naming.CommunicationException: Loading the socket factory [Root exception is java.lang.ClassNotFoundException: org.hippoecm.repository.security.ldap.TestSocketFactory]
[INFO] [talledLocalContainer] at com.sun.jndi.ldap.LdapPoolManager.isPoolingAllowed(LdapPoolManager.java:247)
[INFO] [talledLocalContainer] at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1603)
[INFO] [talledLocalContainer] at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
[INFO] [talledLocalContainer] at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
[INFO] [talledLocalContainer] at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
[INFO] [talledLocalContainer] at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
[INFO] [talledLocalContainer] at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
[INFO] [talledLocalContainer] at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
[INFO] [talledLocalContainer] at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
[INFO] [talledLocalContainer] at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
[INFO] [talledLocalContainer] at javax.naming.InitialContext.init(InitialContext.java:244)
[INFO] [talledLocalContainer] at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
[INFO] [talledLocalContainer] at org.hippoecm.repository.security.ldap.LdapContextFactory.getLdapContext(LdapContextFactory.java:240)
[INFO] [talledLocalContainer] at org.hippoecm.repository.security.ldap.LdapContextFactory.getSystemLdapContext(LdapContextFactory.java:194)
[INFO] [talledLocalContainer] at org.hippoecm.repository.security.ldap.LdapUserManager.getDnForUser(LdapUserManager.java:330)
[INFO] [talledLocalContainer] at org.hippoecm.repository.security.ldap.LdapUserManager.authenticate(LdapUserManager.java:123)
[INFO] [talledLocalContainer] at org.hippoecm.repository.security.SecurityManager.authenticate(SecurityManager.java:291)
[INFO] [talledLocalContainer] at org.hippoecm.repository.security.HippoLoginModule.login(HippoLoginModule.java:146)
[INFO] [talledLocalContainer] at org.apache.jackrabbit.core.security.authentication.LocalAuthContext.login(LocalAuthContext.java:86)
[INFO] [talledLocalContainer] at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1537)
[INFO] [talledLocalContainer] at org.hippoecm.repository.impl.RepositoryDecorator.login(RepositoryDecorator.java:75)
[INFO] [talledLocalContainer] at org.hippoecm.repository.HippoRepositoryImpl.login(HippoRepositoryImpl.java:106)
[INFO] [talledLocalContainer] at org.hippoecm.repository.HippoRepositoryImpl.login(HippoRepositoryImpl.java:118)
[INFO] [talledLocalContainer] at org.hippoecm.hst.core.jcr.pool.JcrHippoRepository.login(JcrHippoRepository.java:205)
[INFO] [talledLocalContainer] at org.hippoecm.hst.cmsrest.container.CmsRestSecurityValve.invoke(CmsRestSecurityValve.java:89)
To fix this, and other similar use-cases, the Repository.login() method needs to temporarily set the current thread ContextClassLoader upon invocation.
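The context class loader swap described above, as an added example that is not the project's own code: the class name ContextClassLoaderSwap, the helper callWith and the two stand-in loaders are hypothetical, constructed to reproduce the failure and the fix in isolation.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.concurrent.Callable;

public class ContextClassLoaderSwap {

    // Hypothetical helper: run `action` with `loader` as the thread context
    // class loader, then restore the caller's loader even if `action` throws.
    static <T> T callWith(ClassLoader loader, Callable<T> action) throws Exception {
        Thread current = Thread.currentThread();
        ClassLoader previous = current.getContextClassLoader();
        current.setContextClassLoader(loader);
        try {
            return action.call();
        } finally {
            current.setContextClassLoader(previous);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins: the loader that defined this class plays the
        // repository webapp, a parentless URLClassLoader plays the site webapp.
        ClassLoader repositoryLoader = ContextClassLoaderSwap.class.getClassLoader();
        ClassLoader siteLoader = new URLClassLoader(new URL[0], null);
        Thread.currentThread().setContextClassLoader(siteLoader);
        String name = ContextClassLoaderSwap.class.getName();

        // Site context: a lookup through the context class loader fails,
        // as the socket factory lookup does in the stack trace.
        try {
            Class.forName(name, false, Thread.currentThread().getContextClassLoader());
            throw new AssertionError("expected ClassNotFoundException");
        } catch (ClassNotFoundException expected) {
            System.out.println("site context: " + expected);
        }

        // Same lookup wrapped in the swap: resolved by the repository loader.
        Class<?> loaded = callWith(repositoryLoader, () ->
                Class.forName(name, false, Thread.currentThread().getContextClassLoader()));
        System.out.println("repository context: loaded " + loaded.getName());

        // The caller's loader must be back in place after the call.
        if (Thread.currentThread().getContextClassLoader() != siteLoader) {
            throw new AssertionError("context class loader was not restored");
        }
    }
}
```

The finally block matters as much as the swap: container threads are pooled, so a loader left in place after a failed login would carry over into whatever request that thread serves next.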