shibboleth-dev - Re: [Shib-Dev] derefAliases broken in 2.2.x

Subject: Shibboleth Developers

  • From: Dan McLaughlin <>
  • To:
  • Subject: Re: [Shib-Dev] derefAliases broken in 2.2.x
  • Date: Wed, 8 Jun 2011 19:31:45 -0500

After enabling DEBUG for shibboleth I'm seeing another exception that
only shows up if DEBUG logging is enabled... I've been stepping
through the code with a debugger and I keep seeing it loop through
readCompositeName multiple times returning the string "ldap:" for name
(line 109) over and over again. This code is all new to me, so I'm
still trying to make sense of what's going on. Does any of this make
sense to you?

19:19:30.237 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:264] - Begin abort
19:19:30.301 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:176] - User authentication for joe-c failed
javax.security.auth.login.LoginException: java.lang.IllegalArgumentException
at java.net.URI.create(URI.java:842)
at edu.vt.middleware.ldap.handler.FqdnSearchResultHandler.processDn(FqdnSearchResultHandler.java:80)
at edu.vt.middleware.ldap.handler.CopySearchResultHandler.processResult(CopySearchResultHandler.java:64)
at edu.vt.middleware.ldap.handler.CopySearchResultHandler.processResult(CopySearchResultHandler.java:27)
at edu.vt.middleware.ldap.handler.AbstractResultHandler.process(AbstractResultHandler.java:84)
at edu.vt.middleware.ldap.AbstractLdap.search(AbstractLdap.java:231)
at edu.vt.middleware.ldap.auth.SearchDnResolver.resolve(SearchDnResolver.java:139)
at edu.vt.middleware.ldap.auth.Authenticator.getDn(Authenticator.java:106)
at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:74)
at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:320)
at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:277)
at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:60)
at edu.vt.middleware.ldap.jaas.LdapLoginModule.login(LdapLoginModule.java:103)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:160)
at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:106)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:49)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:80)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at com.googlecode.psiprobe.Tomcat60AgentValve.invoke(Tomcat60AgentValve.java:30)
at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:227)
at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:647)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:429)
at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:384)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665)
at java.lang.Thread.run(Thread.java:662)
Caused by: java.net.URISyntaxException: Expected scheme-specific part at index 5: ldap:
at java.net.URI$Parser.fail(URI.java:2809)
at java.net.URI$Parser.failExpecting(URI.java:2815)
at java.net.URI$Parser.parse(URI.java:3018)
at java.net.URI.<init>(URI.java:578)
at java.net.URI.create(URI.java:840)
... 50 more

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:872) ~[na:1.6.0_24]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) ~[na:1.6.0_24]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) ~[na:1.6.0_24]
at java.security.AccessController.doPrivileged(Native Method) ~[na:1.6.0_24]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[na:1.6.0_24]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579) ~[na:1.6.0_24]
at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:160) [shibboleth-identityprovider-2.3.0.jar:na]
at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:106) [shibboleth-identityprovider-2.3.0.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:49) [shibboleth-identityprovider-2.3.0.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:80) [shibboleth-identityprovider-2.3.0.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:51) [shibboleth-common-1.3.0.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.32]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.32]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.32]
at com.googlecode.psiprobe.Tomcat60AgentValve.invoke(Tomcat60AgentValve.java:30) [tomcat60adaptor-2.2.1.jar:2.2.1]
at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:227) [catalina-ha.jar:6.0.32]
at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347) [catalina-ha.jar:6.0.32]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.32]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.32]
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:647) [catalina.jar:6.0.32]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.32]
at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:429) [tomcat-coyote.jar:6.0.32]
at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:384) [tomcat-coyote.jar:6.0.32]
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665) [tomcat-coyote.jar:6.0.32]
at java.lang.Thread.run(Thread.java:662) [na:1.6.0_24]
19:19:30.302 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:332] - Looking up LoginContext with key 31608d9c-762f-4830-a836-2555b6e24cc9 from StorageService parition: loginContexts
19:19:30.302 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:338] - Retrieved LoginContext with key 31608d9c-762f-4830-a836-2555b6e24cc9 from StorageService parition: loginContexts
19:19:30.303 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:133] - Redirecting to login page /login.jsp
19:21:45.381 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:264] - Begin abort


--

Thanks,

Dan McLaughlin

NOTICE: This e-mail message and all attachments transmitted with it
are for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is strictly prohibited. The contents of
this e-mail are confidential and may be subject to work product
privileges. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.



On Wed, Jun 8, 2011 at 5:41 PM, Dan McLaughlin <> wrote:
> You are correct that FqdnSearchResultHandler.java should have nothing
> to do with the credential exception. Unless there is an exception
> being swallowed somewhere.  My theory until I have a second to step
> through it with the debugger is that there is some other exception
> that occurs in FqdnSearchResultHandler.java when it is trying to read
> the composite name that is eating an exception and things eventually
> bubble up as a missing credential exception.
>
> --
>
> Thanks,
>
> Dan McLaughlin
>
>
> On Wed, Jun 8, 2011 at 11:11 AM, Daniel Fisher <> wrote:
>> On Wed, Jun 8, 2011 at 2:07 AM, Dan McLaughlin <> wrote:
>>> Hi Daniel,
>>>
>>> What allowed me to get past the invalid credential error in vt-ldap
>>> 3.3.3 was to revert...
>>>
>>
>> This change has nothing to do with the credential (password). If
>> you're seeing that error the password is either null or empty.
>>
>>> "1877   4/5/11 9:42 AM  4       dfisher SearchResult#getName() returns a
>>> string
>>> representing a composite name, not necessarily an LDAP DN. Use a
>>> CompositeName to parse it correctly. Add test case for entries with
>>> special characters. Fixes vt-ldap 109."
>>>
>>> There was a problem parsing the fqdn url and then things died from
>>> there...  I didn't spend too much time trying to figure out why b/c I
>>> have to get IdP 2.3.0 up and running by the morning.
>>
>> Died how? Was there an exception? Post the trace log and I'll try to
>> decipher it.
>>
>> --Daniel Fisher
>>
>
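
An added illustration, not part of the original message and not vt-ldap code: it shows how the JDK's `CompositeName` splits a name that arrives in LDAP URL form, and that passing the first component to `URI.create` produces the same "Expected scheme-specific part at index 5: ldap:" cause seen in the trace above. That the failing search result name was in URL form is an assumption the thread does not confirm; the host, the DN and the `dnFromName` helper are constructed for the example.

```java
import java.net.URI;
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;

public class CompositeNameUrlDemo {

    // Constructed sample: a search result name in LDAP URL form (hypothetical host and DN).
    static final String SAMPLE =
        "ldap://ldap.example.org:389/cn=joe-c,ou=people,dc=example,dc=org";

    /**
     * Hypothetical helper: returns the DN carried in an LDAP URL, or the
     * input unchanged when it is not a URL. DNs with characters that are
     * illegal in a URI (spaces, for instance) must be percent-encoded first.
     */
    static String dnFromName(String name) {
        String lower = name.toLowerCase();
        if (!lower.startsWith("ldap://") && !lower.startsWith("ldaps://")) {
            return name; // already a plain (relative) name
        }
        String path = URI.create(name).getPath();
        return (path != null && path.startsWith("/")) ? path.substring(1) : "";
    }

    public static void main(String[] args) throws InvalidNameException {
        // CompositeName uses '/' as its component separator, so a URL is
        // split into "ldap:", "", "host:port" and the DN.
        CompositeName composite = new CompositeName(SAMPLE);
        for (int i = 0; i < composite.size(); i++) {
            System.out.println(i + ": \"" + composite.get(i) + "\"");
        }

        // The first component is a scheme with nothing after it, which
        // java.net.URI rejects.
        try {
            URI.create(composite.get(0));
        } catch (IllegalArgumentException e) {
            System.out.println("URI.create failed: " + e.getCause().getMessage());
        }

        // Parsing the whole URL instead of one component recovers the DN.
        System.out.println("DN: " + dnFromName(SAMPLE));
    }
}
```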


