Jasper Server MS Active Directory Hang at Login

3

I've been banging my head against this for two solid days. I'm trying to authenticate against Active Directory 2008 R2 using JasperServer 6.1 Community Edition. My External Auth config file is below (Mostly based on the sample provided and some of the notes from the cookbook). Domain structure is here for reference.
COM->DOMAIN->Accounts->Department1->User001
                                                  ->Department2->User004

When I try to log in with built in credentials, I log right in. If I try to log in with bad domain credentials (no password) I get an appropriate error "Invalid credentials supplied. Could not login to JasperReports Server.".

Here is the puzzle, if I login with correct domain credentials, the login process hangs at a blank webpage with the URL: http://server_name:8080/jasperserver/j_spring_security_check. If I load the webpage again, it doesn't log me in, and if I login as jasperadmin, I don't see this user in the users section. If I check my domain controller, I see good logins though, so my domain controller is receiving the request, and sending back a login accepted message.

Please help! Whats going on!?

 

    <bean id="ldapAuthenticationManager" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.JSProviderManager">
        <property name="providers">
            <list>
                <ref local="ldapAuthenticationProvider"/>
                <ref bean="${bean.daoAuthenticationProvider}"/>
                <!--anonymousAuthenticationProvider only needed if filterInvocationInterceptor.alwaysReauthenticate is set to true
                <ref bean="anonymousAuthenticationProvider"/>-->
            </list>
        </property>
    </bean>
 
    <bean id="ldapAuthenticationProvider" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSLdapAuthenticationProvider">
        <constructor-arg>
            <bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSBindAuthenticator">
                <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
                <property name="userSearch" ref="userSearch"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSDefaultLdapAuthoritiesPopulator">
                <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
                <constructor-arg index="1"><value></value></constructor-arg>
                <property name="groupRoleAttribute" value="CN"/>
                <property name="groupSearchFilter" value="(&amp;(objectClass=group)(member={0}))"/>
                <property name="searchSubtree" value="true"/>
                <!-- Can setup additional external default roles here  <property name="defaultRole" value="LDAP"/> -->
                <property name="defaultRole" value="ROLE_USER"/>
            </bean>
        </constructor-arg>
    </bean>
 
    <bean id="userSearch"
          class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSFilterBasedLdapUserSearch">
        <constructor-arg index="0">
            <value></value>
        </constructor-arg>
        <constructor-arg index="1">
            <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
        </constructor-arg>
        <constructor-arg index="2">
            <ref local="ldapContextSource" />
        </constructor-arg>
        <property name="searchSubtree">
            <value>true</value>
        </property>
    </bean>
 
    <bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
        <constructor-arg value="ldap://DOMAIN_CONTROLLER:389/dc=DOMAIN,dc=COM"/>
        <!-- manager user name and password (may not be needed)  -->
        <property name="userDn" value="CN=Administrator,CN=Users,DC=DOMAIN,DC=COM"/>
        <property name="password" value="password"/>
    </bean>
    <!-- ############ LDAP authentication ############ -->
 
    <!-- ############ JRS Synchronizer ############ -->
    <bean id="externalDataSynchronizer"
          class="com.jaspersoft.jasperserver.api.security.externalAuth.ExternalDataSynchronizerImpl">
        <property name="externalUserProcessors">
            <list>
                <ref local="externalUserSetupProcessor"/>
                <!-- Example processor for creating user folder-->
                <!--<ref local="externalUserFolderProcessor"/>-->
            </list>
        </property>
    </bean>
 
    <bean id="abstractExternalProcessor" class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.AbstractExternalUserProcessor" abstract="true">
        <property name="repositoryService" ref="${bean.repositoryService}"/>
        <property name="userAuthorityService" ref="${bean.userAuthorityService}"/>
        <property name="tenantService" ref="${bean.tenantService}"/>
        <property name="profileAttributeService" ref="profileAttributeService"/>
        <property name="objectPermissionService" ref="objectPermissionService"/>
    </bean>
 
    <bean id="externalUserSetupProcessor" class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserSetupProcessor" parent="abstractExternalProcessor">
        <!--Default permitted role characters; others are removed. Change regular expression to allow other chars.
                    <property name="permittedExternalRoleNameRegex" value="[A-Za-z0-9_]+"/>-->
 
        <property name="userAuthorityService">
            <ref bean="${bean.internalUserAuthorityService}"/>
        </property>
        <property name="defaultInternalRoles">
            <list>
                <value>ROLE_USER</value>
            </list>
        </property>
 
        <property name="organizationRoleMap">
            <map>
                <!-- Example of mapping customer roles to JRS roles -->
                <entry>
                    <key>
                        <value>ROLE_ADMIN_EXTERNAL_ORGANIZATION</value>
                    </key>
                    <!-- JRS role that the <key> external role is mapped to-->
                    <value>ROLE_ADMINISTRATOR</value>
                </entry>
            </map>
        </property>
    </bean>
 

 

rsanborn_1's picture
Joined: Nov 2 2015 - 11:41am
Last seen: 3 years 5 months ago

Can't help you fix it, but I too have been trying to get AD logins working to no avail.  Exactly the same problem - LDAP bind is successful, search for roles completes, then the session dies.

Here's log entries in case anyone has any hints:

DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /j_spring_security_check at position 1 of 20 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG HttpSessionSecurityContextRepository,http-nio-8080-exec-150:152 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG HttpSessionSecurityContextRepository,http-nio-8080-exec-150:91 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@42409942. A new one will be created.
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /j_spring_security_check at position 2 of 20 in additional filter chain; firing Filter: 'EncryptionFilter'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /j_spring_security_check at position 3 of 20 in additional filter chain; firing Filter: 'JSDelegatingFilterProxy'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /j_spring_security_check at position 4 of 20 in additional filter chain; firing Filter: 'MultipartRequestWrapperFilter'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /j_spring_security_check at position 5 of 20 in additional filter chain; firing Filter: 'WebAppSecurityFilter'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /j_spring_security_check at position 6 of 20 in additional filter chain; firing Filter: 'JSCsrfGuardFilter'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /j_spring_security_check at position 7 of 20 in additional filter chain; firing Filter: 'StandardLoggingFilter'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /j_spring_security_check at position 8 of 20 in additional filter chain; firing Filter: 'UserPreferencesFilter'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /j_spring_security_check at position 9 of 20 in additional filter chain; firing Filter: 'JSDelegatingFilterProxy'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /j_spring_security_check at position 10 of 20 in additional filter chain; firing Filter: 'JSDelegatingFilterProxy'
DEBUG EncryptionAuthenticationProcessingFilter,http-nio-8080-exec-150:205 - Request is to process authentication
DEBUG ProviderManager,http-nio-8080-exec-150:152 - Authentication attempt using com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSLdapAuthenticationProvider
DEBUG JSLdapAuthenticationProvider,http-nio-8080-exec-150:65 - Processing authentication request for user: myuser
DEBUG FilterBasedLdapUserSearch,http-nio-8080-exec-150:107 - Searching for user 'myuser', with user search [ searchFilter: '(&(sAMAccountName={0})(memberOf=cn=Jasper_User,cn=users,dc=mydomain,dc=com))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
DEBUG SpringSecurityLdapTemplate,http-nio-8080-exec-150:211 - Searching for entry under DN 'dc=mydomain,dc=com', base = '', filter = '(&(sAMAccountName={0})(memberOf=cn=Jasper_User,cn=users,dc=mydomain,dc=com))'
DEBUG SpringSecurityLdapTemplate,http-nio-8080-exec-150:223 - Found DN: cn=My User,cn=Users
INFO SpringSecurityLdapTemplate,http-nio-8080-exec-150:229 - Ignoring PartialResultException
DEBUG BindAuthenticator,http-nio-8080-exec-150:108 - Attempting to bind as cn=My User,cn=Users,dc=mydomain,dc=com
DEBUG JSLdapContextSource,http-nio-8080-exec-150:76 - Removing pooling flag for user cn=My User,cn=Users,dc=mydomain,dc=com
DEBUG BindAuthenticator,http-nio-8080-exec-150:116 - Retrieving attributes...
DEBUG DefaultLdapAuthoritiesPopulator,http-nio-8080-exec-150:182 - Getting authorities for user cn=My User,cn=Users,dc=mydomain,dc=com
DEBUG DefaultLdapAuthoritiesPopulator,http-nio-8080-exec-150:211 - Searching for roles for user 'myuser', DN = 'cn=My User,cn=Users,dc=mydomain,dc=com', with filter (&(member={0})(objectclass=group)(cn=Jasper_User)) in search base ''
DEBUG SpringSecurityLdapTemplate,http-nio-8080-exec-150:150 - Using filter: (&(member=cn=My User,cn=Users,dc=mydomain,dc=com)(objectclass=group)(cn=Jasper_User))
DEBUG HttpSessionSecurityContextRepository,http-nio-8080-exec-150:304 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
DEBUG SecurityContextPersistenceFilter,http-nio-8080-exec-150:97 - SecurityContextHolder now cleared, as request processing completed
DEBUG AntPathRequestMatcher,http-nio-8080-exec-150:145 - Checking match of request : '/500.html'; against '/xmla'
DEBUG AntPathRequestMatcher,http-nio-8080-exec-150:145 - Checking match of request : '/500.html'; against '/services/**'
DEBUG AntPathRequestMatcher,http-nio-8080-exec-150:145 - Checking match of request : '/500.html'; against '/rest/login'
DEBUG AntPathRequestMatcher,http-nio-8080-exec-150:145 - Checking match of request : '/500.html'; against '/rest/**'
DEBUG AntPathRequestMatcher,http-nio-8080-exec-150:145 - Checking match of request : '/500.html'; against '/rest_v2/**'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /500.html at position 1 of 20 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG HttpSessionSecurityContextRepository,http-nio-8080-exec-150:152 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG HttpSessionSecurityContextRepository,http-nio-8080-exec-150:91 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@42409942. A new one will be created.
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /500.html at position 2 of 20 in additional filter chain; firing Filter: 'EncryptionFilter'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /500.html at position 3 of 20 in additional filter chain; firing Filter: 'JSDelegatingFilterProxy'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /500.html at position 4 of 20 in additional filter chain; firing Filter: 'MultipartRequestWrapperFilter'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /500.html at position 5 of 20 in additional filter chain; firing Filter: 'WebAppSecurityFilter'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /500.html at position 6 of 20 in additional filter chain; firing Filter: 'JSCsrfGuardFilter'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /500.html at position 7 of 20 in additional filter chain; firing Filter: 'StandardLoggingFilter'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /500.html at position 8 of 20 in additional filter chain; firing Filter: 'UserPreferencesFilter'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /500.html at position 9 of 20 in additional filter chain; firing Filter: 'JSDelegatingFilterProxy'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /500.html at position 10 of 20 in additional filter chain; firing Filter: 'JSDelegatingFilterProxy'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /500.html at position 11 of 20 in additional filter chain; firing Filter: 'UserPreferencesFilter'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /500.html at position 12 of 20 in additional filter chain; firing Filter: 'JSDelegatingFilterProxy'
DEBUG FilterChainProxy,http-nio-8080-exec-150:337 - /500.html at position 13 of 20 in additional filter chain; firing Filter: 'JSDelegatingFilterProxy'
DEBUG ProviderManager,http-nio-8080-exec-150:152 - Authentication attempt using com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSLdapAuthenticationProvider
DEBUG JSLdapAuthenticationProvider,http-nio-8080-exec-150:65 - Processing authentication request for user: myuser
DEBUG FilterBasedLdapUserSearch,http-nio-8080-exec-150:107 - Searching for user 'myuser', with user search [ searchFilter: '(&(sAMAccountName={0})(memberOf=cn=Jasper_User,cn=users,dc=mydomain,dc=com))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
DEBUG SpringSecurityLdapTemplate,http-nio-8080-exec-150:211 - Searching for entry under DN 'dc=mydomain,dc=com', base = '', filter = '(&(sAMAccountName={0})(memberOf=cn=Jasper_User,cn=users,dc=mydomain,dc=com))'
DEBUG SpringSecurityLdapTemplate,http-nio-8080-exec-150:223 - Found DN: cn=My User,cn=Users
INFO SpringSecurityLdapTemplate,http-nio-8080-exec-150:229 - Ignoring PartialResultException
DEBUG BindAuthenticator,http-nio-8080-exec-150:108 - Attempting to bind as cn=My User,cn=Users,dc=mydomain,dc=com
DEBUG JSLdapContextSource,http-nio-8080-exec-150:76 - Removing pooling flag for user cn=My User,cn=Users,dc=mydomain,dc=com
DEBUG BindAuthenticator,http-nio-8080-exec-150:116 - Retrieving attributes...
DEBUG DefaultLdapAuthoritiesPopulator,http-nio-8080-exec-150:182 - Getting authorities for user cn=My User,cn=Users,dc=mydomain,dc=com
DEBUG DefaultLdapAuthoritiesPopulator,http-nio-8080-exec-150:211 - Searching for roles for user 'myuser', DN = 'cn=My User,cn=Users,dc=mydomain,dc=com', with filter (&(member={0})(objectclass=group)(cn=Jasper_User)) in search base ''
DEBUG SpringSecurityLdapTemplate,http-nio-8080-exec-150:150 - Using filter: (&(member=cn=My User,cn=Users,dc=mydomain,dc=com)(objectclass=group)(cn=Jasper_User))
DEBUG HttpSessionSecurityContextRepository,http-nio-8080-exec-150:304 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
DEBUG SecurityContextPersistenceFilter,http-nio-8080-exec-150:97 - SecurityContextHolder now cleared, as request processing completed
bgrimal - 2 years 11 months ago

Same issue here.  Cant figure out what is not working.

I have everything configured pretty much the same.  It seems to bind to LDAP, but then gets SecurityContext is empty... then blank page.

 

jah.junk - 2 years 9 months ago

4 Answers:

0

I have been facing the same issue for a while.

Finally found the solution: add below property below the password tag for the LDAP authentication

<property name="userDn" value="CN=Administrator,CN=Users,DC=DOMAIN,DC=COM"/>
<property name="password" value="password"/>
<property name="referral" value="follow" /> 
kkpan47's picture
Joined: Nov 26 2015 - 11:36pm
Last seen: 1 year 2 months ago
0

Hi,

I too have the same problem, and <property name="referral" value="follow" /> did not help, unfortunately.

It's very frustrating, I tried with Jasper 6.1.1, 6.2.0, and now 6.3, and on different machines, and still got the same result: the LDAP is user is found, all seems ok, but we're stuck at this j_spring_security_check page.

If someone has the solution to this, please reply.

Thanks.

 

 

 

olivedev's picture
Joined: Sep 6 2011 - 7:28am
Last seen: 1 month 2 weeks ago
2

Hi,

I have it fixed now. 

Here is my applicationContext-externalAuth-LDAP.xml file for Jasperserver Community 6.3:

http://pastebin.com/7f7p0bGz

I created JASPER_MANAGEMENT and JASPER_USER groups on my AD and added some users, it works fine.

Users are "WorkstationUsers" in "AccessGroups" on my domain and I used a "ServiceAccounts" for the domain connection.

 

 

olivedev's picture
Joined: Sep 6 2011 - 7:28am
Last seen: 1 month 2 weeks ago
0

Looking at the original applicationContext-externalAuth-LDAP-mt.xml, there is no value in: <constructor-arg index="1"><value></value></constructor-arg> in the bean ldapAuthenticationProvider.

I fixed the same error by setting correct OU of goups I defined in AD.

pav's picture
pav
2
Joined: Jan 29 2018 - 2:44pm
Last seen: 7 months 1 week ago
Feedback
randomness