Unable to Login by Internal Users if LDAP Server is Unavailable

Issue Description

Customer configured TIBCO JasperReports® Server to perform external authentication with LDAP server.

When the LDAP server is unavailable (due to shut down or network issues), customer can't login to TIBCO JasperReports® Server even as internal users (superuser, jasperadmin)

Resolution

The applicationContext-externalAuth-LDAP-mt.xml file contains the bean ldapAuthenticationManager

which lists the available authentication providers:

    <bean id="ldapAuthenticationManager" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.JSProviderManager">        <property name="providers">            <list>                <ref local="ldapAuthenticationProvider"/>                <ref bean="${bean.daoAuthenticationProvider}"/>            </list>        </property>    </bean>[/code]

The providers in the list are invoked in the order they appear in the configuration file until one of them authenticates the user.

The rest of the providers are then skipped.

The final provider in the list, ${bean.daoAuthenticationProvider} authenticates against the jasperserver internal database.

By default, TIBCO JasperReports® Server performs authentication against LDAP server first.

If the server is unavailable, authentication process fails and users can't login even with internal accounts.

In order to workaround the issue, <ref bean="${bean.daoAuthenticationProvider}"/> bean should be placed first in the list:

    <bean id="ldapAuthenticationManager" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.JSProviderManager">        <property name="providers">            <list>                <ref bean="${bean.daoAuthenticationProvider}"/>                <ref local="ldapAuthenticationProvider"/>            </list>        </property>    </bean>[/code]

Server restart required.

Solution tested with TIBCO JasperReports® Server v.7.1.0

AS-20190322