shibboleth-dev - Re: [Shib-Dev] derefAliases broken in 2.2.x

Subject: Shibboleth Developers

  • From: Daniel Fisher <>
  • To:
  • Subject: Re: [Shib-Dev] derefAliases broken in 2.2.x
  • Date: Wed, 8 Jun 2011 21:21:58 -0400

Try adding this to your jaas config:

searchResultHandlers="edu.vt.middleware.ldap.handler.FqdnSearchResultHandler{{removeUrls=false}}"

and then post your logs.

--Daniel Fisher

On Wed, Jun 8, 2011 at 8:31 PM, Dan McLaughlin
<>
wrote:
> After enabling DEBUG for shibboleth I'm seeing another exception that
> only shows up if DEBUG logging is enabled...  I've been stepping
> through the code with a debugger and I keep seeing it loop through
> readCompositeName multiple times returning the string "ldap:" for name
> (line 109) over and over again.  This code is all new to me, so I'm
> still trying to make sense of what's going on.  Does any of this make
> sense to you?
>
> 19:19:30.237 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:264]
> - Begin abort
> 19:19:30.301 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:176]
> - User authentication for joe-c failed
> javax.security.auth.login.LoginException: java.lang.IllegalArgumentException
>        at java.net.URI.create(URI.java:842)
>        at
> edu.vt.middleware.ldap.handler.FqdnSearchResultHandler.processDn(FqdnSearchResultHandler.java:80)
>        at
> edu.vt.middleware.ldap.handler.CopySearchResultHandler.processResult(CopySearchResultHandler.java:64)
>        at
> edu.vt.middleware.ldap.handler.CopySearchResultHandler.processResult(CopySearchResultHandler.java:27)
>        at
> edu.vt.middleware.ldap.handler.AbstractResultHandler.process(AbstractResultHandler.java:84)
>        at edu.vt.middleware.ldap.AbstractLdap.search(AbstractLdap.java:231)
>        at
> edu.vt.middleware.ldap.auth.SearchDnResolver.resolve(SearchDnResolver.java:139)
>        at
> edu.vt.middleware.ldap.auth.Authenticator.getDn(Authenticator.java:106)
>        at
> edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:74)
>        at
> edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:320)
>        at
> edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:277)
>        at
> edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:60)
>        at
> edu.vt.middleware.ldap.jaas.LdapLoginModule.login(LdapLoginModule.java:103)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>        at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>        at java.lang.reflect.Method.invoke(Method.java:597)
>        at
> javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
>        at
> javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>        at
> javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>        at java.security.AccessController.doPrivileged(Native Method)
>        at
> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>        at
> javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>        at
> edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:160)
>        at
> edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:106)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:49)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:80)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:51)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
>        at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at
> com.googlecode.psiprobe.Tomcat60AgentValve.invoke(Tomcat60AgentValve.java:30)
>        at
> org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:227)
>        at
> org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347)
>        at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at
> org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:647)
>        at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at
> org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:429)
>        at
> org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:384)
>        at
> org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665)
>        at java.lang.Thread.run(Thread.java:662)
> Caused by: java.net.URISyntaxException: Expected scheme-specific part
> at index 5: ldap:
>        at java.net.URI$Parser.fail(URI.java:2809)
>        at java.net.URI$Parser.failExpecting(URI.java:2815)
>        at java.net.URI$Parser.parse(URI.java:3018)
>        at java.net.URI.<init>(URI.java:578)
>        at java.net.URI.create(URI.java:840)
>        ... 50 more
>
>        at
> javax.security.auth.login.LoginContext.invoke(LoginContext.java:872)
> ~[na:1.6.0_24]
>        at
> javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
> ~[na:1.6.0_24]
>        at
> javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
> ~[na:1.6.0_24]
>        at java.security.AccessController.doPrivileged(Native Method)
> ~[na:1.6.0_24]
>        at
> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> ~[na:1.6.0_24]
>        at
> javax.security.auth.login.LoginContext.login(LoginContext.java:579)
> ~[na:1.6.0_24]
>        at
> edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:160)
> [shibboleth-identityprovider-2.3.0.jar:na]
>        at
> edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:106)
> [shibboleth-identityprovider-2.3.0.jar:na]
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> [servlet-api.jar:na]
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> [catalina.jar:6.0.32]
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina.jar:6.0.32]
>        at
> edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:49)
> [shibboleth-identityprovider-2.3.0.jar:na]
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> [catalina.jar:6.0.32]
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina.jar:6.0.32]
>        at
> edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:80)
> [shibboleth-identityprovider-2.3.0.jar:na]
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> [catalina.jar:6.0.32]
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina.jar:6.0.32]
>        at
> edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:51)
> [shibboleth-common-1.3.0.jar:na]
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> [catalina.jar:6.0.32]
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina.jar:6.0.32]
>        at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
> [catalina.jar:6.0.32]
>        at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> [catalina.jar:6.0.32]
>        at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> [catalina.jar:6.0.32]
>        at
> com.googlecode.psiprobe.Tomcat60AgentValve.invoke(Tomcat60AgentValve.java:30)
> [tomcat60adaptor-2.2.1.jar:2.2.1]
>        at
> org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:227)
> [catalina-ha.jar:6.0.32]
>        at
> org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347)
> [catalina-ha.jar:6.0.32]
>        at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> [catalina.jar:6.0.32]
>        at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> [catalina.jar:6.0.32]
>        at
> org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:647)
> [catalina.jar:6.0.32]
>        at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
> [catalina.jar:6.0.32]
>        at
> org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:429)
> [tomcat-coyote.jar:6.0.32]
>        at
> org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:384)
> [tomcat-coyote.jar:6.0.32]
>        at
> org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665)
> [tomcat-coyote.jar:6.0.32]
>        at java.lang.Thread.run(Thread.java:662) [na:1.6.0_24]
> 19:19:30.302 - TRACE
> [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:332] -
> Looking up LoginContext with key 31608d9c-762f-4830-a836-2555b6e24cc9
> from StorageService parition: loginContexts
> 19:19:30.302 - TRACE
> [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:338] -
> Retrieved LoginContext with key 31608d9c-762f-4830-a836-2555b6e24cc9
> from StorageService parition: loginContexts
> 19:19:30.303 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:133]
> - Redirecting to login page /login.jsp
> 19:21:45.381 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:264]
> - Begin abort
>
>
> --
>
> Thanks,
>
> Dan McLaughlin
>
> NOTICE: This e-mail message and all attachments transmitted with it
> are for the sole use of the intended recipient(s) and may contain
> confidential and privileged information. Any unauthorized review, use,
> disclosure or distribution is strictly prohibited. The contents of
> this e-mail are confidential and may be subject to work product
> privileges. If you are not the intended recipient, please contact the
> sender by reply e-mail and destroy all copies of the original message.
>
>
>
> On Wed, Jun 8, 2011 at 5:41 PM, Dan McLaughlin
> <>
> wrote:
>> You are correct that FqdnSearchResultHandler.java should have nothing
>> to do with the credential exception. Unless there is an exception
>> being swallowed somewhere.  My theory until I have a second to step
>> through it with the debugger is that there is some other exception
>> that occurs in FqdnSearchResultHandler.java when it is trying to read
>> the composite name that is eating an exception and things eventually
>> bubble up as a missing credential exception.
>>
>> --
>>
>> Thanks,
>>
>> Dan McLaughlin
>>
>>
>> On Wed, Jun 8, 2011 at 11:11 AM, Daniel Fisher
>> <>
>> wrote:
>>> On Wed, Jun 8, 2011 at 2:07 AM, Dan McLaughlin
>>> <>
>>> wrote:
>>>> Hi Daniel,
>>>>
>>>> What allowed me to get past the invalid credential error in vt-ldap
>>>> 3.3.3 was to revert...
>>>>
>>>
>>> This change has nothing to do with the credential (password). If
>>> you're seeing that error the password is either null or empty.
>>>
>>>> "1877   4/5/11 9:42 AM  4       dfisher SearchResult#getName() returns a
>>>> string
>>>> representing a composite name, not necessarily an LDAP DN. Use a
>>>> CompositeName to parse it correctly. Add test case for entries with
>>>> special characters. Fixes vt-ldap 109."
>>>>
>>>> There was a problem parsing the fqdn url and then things died from
>>>> there...  I didn't spend too much time trying to figure out why b/c I
>>>> have to get IdP 2.3.0 up and running by the morning.
>>>
>>> Died how? Was there an exception? Post the trace log and I'll try to
>>> decipher it.
>>>
>>> --Daniel Fisher
>>>
>>
>
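
Added example, not part of the original thread and not vt-ldap code: a JDK-only sketch of how parsing a URL-form entry name with `CompositeName` yields the bare component `ldap:` seen in the debugger, and how `URI.create` rejects that component as in the quoted trace. The host, DN and class name are constructed, and it is an assumption here that `SearchResult#getName()` returned a URL-form name for this entry.

```java
import java.net.URI;
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;

public class CompositeNameUrlDemo {

    // Constructed sample: a URL-form entry name (host and DN are made up).
    static final String SAMPLE_NAME =
        "ldap://ldap.example.org:389/uid=joe-c,ou=people,dc=example,dc=org";

    public static void main(String[] args) throws InvalidNameException {
        // CompositeName uses "/" as its component separator, so an LDAP URL
        // is split into several components instead of staying one name.
        CompositeName name = new CompositeName(SAMPLE_NAME);
        for (int i = 0; i < name.size(); i++) {
            System.out.printf("component[%d] = \"%s\"%n", i, name.get(i));
        }

        // Handing only the first component to URI.create fails: a scheme
        // followed by nothing is not a valid URI.
        String first = name.get(0);
        try {
            URI.create(first);
            System.out.println("parsed without error: " + first);
        } catch (IllegalArgumentException e) {
            // URI.create wraps the URISyntaxException as the cause.
            System.out.println("URI.create(\"" + first + "\") failed: "
                + e.getCause().getMessage());
        }

        // Parsing the whole string as a URI keeps host and DN intact.
        // (A DN containing spaces would need escaping before this call.)
        URI uri = URI.create(SAMPLE_NAME);
        System.out.println("host = " + uri.getHost());
        System.out.println("dn   = " + uri.getPath().substring(1));
    }
}
```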


