Apologies if this is a repeat, my first post didn't seem to make it:

I disabled the SimpleLoginModule in repository.xml and configured a login.conf file with the com.sun.security.auth.module.LdapLoginModule (from JDK 6). After creating LDAP users for the admin & anonymous identities, Sling starts up fine.

However, when requesting a node with a JSP rendering script, the JspScriptEngineFactory throws a ClassCircularityError on activate - it seems to be looping in the RepositoryClassLoader as it tries to log in to the repository (stack trace is below). I debugged through this and found that RepositoryClassLoaderProviderImpl has this code in getSession(String owner):

if (admin.getUserID().equals(owner)) {
 return admin;
}

otherwise it tries to impersonate the "owner". I've verified that by commenting out the owner check & always returning the admin session, the ClassCircularityError doesn't occur.

When using LdapLoginModule, the userID returned from Session is the full LDAP distinguished name (uid=admin,ou=People,ou=test1,o=test.com), while owner is just "admin". This occurs because the Jackrabbit SessionImpl class just grabs the first Principal from the Subject when it is initialized, and that principal is LdapPrincipal in the case of the LdapLoginModule. The LoginModule actually adds another (UserPrincipal), whose name is just "admin", but this is not used or checked.

I'm not sure what the right approach to fix this is. It would be good if RepositoryClassLoaderProviderImpl checked the owner string against all Principal names in the Session's Subject. However, Session doesn't expose its Subject, so you can't do this. And there doesn't seem to be a way to tell Jackrabbit which Principal to choose (like specify it should use first instance of UserPrincipal, or first Principal whose name matches some regex). The last option appears to be rewriting the LoginModule to store the UserPrincipal first, which isn't desirable (and may not be possible for other LoginModules).



15.08.2008 12:25:24.171 **ERROR** [SCR Component Actor] org.apache.sling.scripting.jsp [org.apache.sling.scripting.jsp.JspScriptEngineFactory] The activate method has thrown an exception (java.lang.ClassCircularityError: com/sun/security/auth/module/LdapLoginModule)
java.lang.ClassCircularityError: com/sun/security/auth/module/LdapLoginModule
  at java.lang.Class.forName0(Native Method)
  at java.lang.Class.forName(Class.java:247)
  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:731)
  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  at org.apache.jackrabbit.core.security.AuthContext$JAAS.login(AuthContext.java:88)
  at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1245)
  at org.apache.sling.jcr.base.internal.SessionPool.acquireSession(SessionPool.java:268)
  at org.apache.sling.jcr.base.internal.SessionPoolManager.login(SessionPoolManager.java:99)
  at org.apache.sling.jcr.base.AbstractSlingRepository.login(AbstractSlingRepository.java:240)
  at org.apache.sling.jcr.base.AbstractSlingRepository.loginAdministrative(AbstractSlingRepository.java:206)
  at org.apache.sling.jcr.classloader.internal.RepositoryClassLoaderProviderImpl.getSession(RepositoryClassLoaderProviderImpl.java:103)
  at org.apache.sling.jcr.classloader.internal.RepositoryClassLoaderFacade.getSession(RepositoryClassLoaderFacade.java:185)
  at org.apache.sling.jcr.classloader.internal.RepositoryClassLoaderFacade.getDelegateClassLoader(RepositoryClassLoaderFacade.java:195)
  at org.apache.sling.jcr.classloader.internal.RepositoryClassLoaderFacade.loadClass(RepositoryClassLoaderFacade.java:105)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:252)
  at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:320)
  at java.lang.Class.forName0(Native Method)
  at java.lang.Class.forName(Class.java:247)
  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:731)
  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  at org.apache.jackrabbit.core.security.AuthContext$JAAS.login(AuthContext.java:88)
  at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1245)
  at org.apache.jackrabbit.core.SessionImpl.impersonate(SessionImpl.java:810)
  at org.apache.sling.jcr.base.internal.SessionPool.acquireSession(SessionPool.java:330)
  at org.apache.sling.jcr.base.internal.SessionPoolManager.impersonate(SessionPoolManager.java:127)
  at org.apache.sling.jcr.base.internal.PooledSession.impersonate(PooledSession.java:220)
  at org.apache.sling.jcr.classloader.internal.RepositoryClassLoaderProviderImpl.getSession(RepositoryClassLoaderProviderImpl.java:112)
  at org.apache.sling.jcr.classloader.internal.RepositoryClassLoaderFacade.getSession(RepositoryClassLoaderFacade.java:185)
  at org.apache.sling.jcr.classloader.internal.RepositoryClassLoaderFacade.getDelegateClassLoader(RepositoryClassLoaderFacade.java:195)
  at org.apache.sling.jcr.classloader.internal.RepositoryClassLoaderFacade.getResource(RepositoryClassLoaderFacade.java:114)
  at java.lang.ClassLoader.getResourceAsStream(ClassLoader.java:1168)
  at javax.xml.parsers.SecuritySupport$4.run(SecuritySupport.java:96)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.xml.parsers.SecuritySupport.getResourceAsStream(SecuritySupport.java:89)
  at javax.xml.parsers.FactoryFinder.findJarServiceProvider(FactoryFinder.java:250)
  at javax.xml.parsers.FactoryFinder.find(FactoryFinder.java:223)
  at javax.xml.parsers.DocumentBuilderFactory.newInstance(DocumentBuilderFactory.java:123)
  at org.apache.sling.scripting.jsp.jasper.xmlparser.ParserUtils.parseXMLDocument(ParserUtils.java:89)
  at org.apache.sling.scripting.jsp.jasper.xmlparser.ParserUtils.parseXMLDocument(ParserUtils.java:133)
  at org.apache.sling.scripting.jsp.SlingTldLocationsCache.getUriFromTld(SlingTldLocationsCache.java:159)
  at org.apache.sling.scripting.jsp.SlingTldLocationsCache.addBundle(SlingTldLocationsCache.java:125)
  at org.apache.sling.scripting.jsp.SlingTldLocationsCache.<init>(SlingTldLocationsCache.java:56)
  at org.apache.sling.scripting.jsp.JspScriptEngineFactory.activate(JspScriptEngineFactory.java:188)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.apache.felix.scr.impl.ImmediateComponentManager.createImplementationObject(ImmediateComponentManager.java:226)
  at org.apache.felix.scr.impl.ImmediateComponentManager.createComponent(ImmediateComponentManager.java:133)
  at org.apache.felix.scr.impl.DelayedComponentManager.getService(DelayedComponentManager.java:83)
  at org.apache.felix.framework.ServiceRegistrationImpl.getFactoryUnchecked(ServiceRegistrationImpl.java:256)
  at org.apache.felix.framework.ServiceRegistrationImpl.getService(ServiceRegistrationImpl.java:190)
  at org.apache.felix.framework.ServiceRegistry.getService(ServiceRegistry.java:291)
  at org.apache.felix.framework.Felix.getService(Felix.java:2842)
  at org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:417)
  at org.apache.felix.scr.impl.DependencyManager.getService(DependencyManager.java:560)
  at org.apache.felix.scr.impl.DependencyManager.invokeBindMethod(DependencyManager.java:858)
  at org.apache.felix.scr.impl.DependencyManager.serviceAdded(DependencyManager.java:190)
  at org.apache.felix.scr.impl.DependencyManager.serviceChanged(DependencyManager.java:115)
  at org.apache.felix.framework.util.EventDispatcher.invokeServiceListenerCallback(EventDispatcher.java:765)
  at org.apache.felix.framework.util.EventDispatcher.fireEventImmediately(EventDispatcher.java:623)
  at org.apache.felix.framework.util.EventDispatcher.fireServiceEvent(EventDispatcher.java:554)
  at org.apache.felix.framework.Felix.fireServiceEvent(Felix.java:3612)
  at org.apache.felix.framework.Felix.access$000(Felix.java:36)
  at org.apache.felix.framework.Felix$1.serviceChanged(Felix.java:626)
  at org.apache.felix.framework.ServiceRegistry.fireServiceChanged(ServiceRegistry.java:559)
  at org.apache.felix.framework.ServiceRegistry.registerService(ServiceRegistry.java:75)
  at org.apache.felix.framework.Felix.registerService(Felix.java:2702)
  at org.apache.felix.framework.BundleContextImpl.registerService(BundleContextImpl.java:254)
  at org.apache.felix.scr.impl.AbstractComponentManager.registerComponentService(AbstractComponentManager.java:698)
  at org.apache.felix.scr.impl.AbstractComponentManager.activateInternal(AbstractComponentManager.java:506)
  at org.apache.felix.scr.impl.AbstractComponentManager.enableInternal(AbstractComponentManager.java:398)
  at org.apache.felix.scr.impl.AbstractComponentManager.access$000(AbstractComponentManager.java:36)
  at org.apache.felix.scr.impl.AbstractComponentManager$1.run(AbstractComponentManager.java:99)
  at org.apache.felix.scr.impl.ComponentActorThread.run(ComponentActorThread.java:85)
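
Added example, not part of the original post and not Sling or Jackrabbit code: a stand-alone JAAS sketch of the mismatch described above and of the principal-aware owner check the post asks for. The class and method names are hypothetical, and the Subject is built by hand with the two principals the post names, on the assumption that a caller could reach the Subject at all.

```java
import java.security.Principal;
import javax.security.auth.Subject;
import com.sun.security.auth.LdapPrincipal;
import com.sun.security.auth.UserPrincipal;

public class OwnerMatchDemo { // hypothetical class, for illustration only

    // The behaviour the post describes: the user ID is the name of
    // whichever Principal the LoginModule happened to add first.
    static String firstPrincipalName(Subject subject) {
        for (Principal p : subject.getPrincipals()) {
            return p.getName();
        }
        return null;
    }

    // Hypothetical alternative: the owner matches if a Principal of the
    // requested type carries exactly that name. Restricting the type keeps
    // an unrelated principal (e.g. a group named "admin") from matching.
    static boolean isOwner(Subject subject, String owner,
                           Class<? extends Principal> type) {
        if (owner == null) {
            return false;
        }
        for (Principal p : subject.getPrincipals(type)) {
            if (owner.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed Subject holding the two principals named in the post,
        // in the order the post says LdapLoginModule adds them.
        Subject subject = new Subject();
        subject.getPrincipals().add(
            new LdapPrincipal("uid=admin,ou=People,ou=test1,o=test.com"));
        subject.getPrincipals().add(new UserPrincipal("admin"));

        String owner = "admin";
        String first = firstPrincipalName(subject);
        System.out.println("first principal name: " + first);
        System.out.println("owner.equals(first):  " + owner.equals(first));
        System.out.println("isOwner(UserPrincipal): "
            + isOwner(subject, owner, UserPrincipal.class));
        System.out.println("isOwner(LdapPrincipal): "
            + isOwner(subject, owner, LdapPrincipal.class));
    }
}
```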
