Hi,
I have replicated your Docker-based setup, with two domains and
2.1.1-SNAPSHOT, and found the same issue.
...that could be easily replicated by attempting to log in on the public
demo:
http://syncope-vm.apache.org:9080/syncope-console
on the Two domain, with credentials admin / password2 - working via REST.
Please raise an issue on JIRA: it seems that the Admin Console's login
form does not take into account the value selected in the 'Domain' combo.
I have verified that the problem only affects 2.1.0, as 2.0.9 works as
expected - this means that there was something missing in the migration
to Wicket 8.
Regards.
On 22/07/2018 17:35, Wyllys Ingersoll wrote:
I created a role in the 2nd domain and granted it all of the
entitlements using the REST API, then assigned that role to a user
("admin2") in the 2nd domain. Now when I attempt to log in to the 2nd
domain on the console UI, I get the following errors in the core.log
file:
It's basically complaining about the connector not having privileges to
authenticate anyone. Not sure how to fix this since I can't manage the
domain with the UI yet (chicken and egg problem?).
11:21:39.265 INFO
org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy -
Authenticate was attempted, although the connector only has these
capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.
I can get a token for this user with the REST API and validate the
token and see that it does indeed have all of the required
entitlements, the problem seems to be with the console UI and how it
authenticates/authorizes users since going directly to the core for
authentication via REST works as expected.
Full stack trace:
java.util.concurrent.ExecutionException:
org.identityconnectors.framework.common.exceptions.InvalidCredentialException:
Authentication failed for "admin2"
at java.util.concurrent.FutureTask.report(FutureTask.java:122) ~[?:1.8.0_171]
at java.util.concurrent.FutureTask.get(FutureTask.java:206) ~[?:1.8.0_171]
at
org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy.authenticate(ConnectorFacadeProxy.java:141)
~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:255)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:218)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.spring.security.AuthDataAccessor$$FastClassBySpringCGLIB$$b4b63ada.invoke(<generated>)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
~[spring-core-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294)
~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98)
~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.invoke(DomainTransactionInterceptor.java:60)
~[syncope-core-persistence-jpa-2.1.0.jar:2.1.0]
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.apache.syncope.core.spring.security.AuthDataAccessor$$EnhancerBySpringCGLIB$$fea6d20d.authenticate(<generated>)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider.lambda$authenticate$1(UsernamePasswordAuthenticationProvider.java:123)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.spring.security.AuthContextUtils.execWithAuthContext(AuthContextUtils.java:126)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider.authenticate(UsernamePasswordAuthenticationProvider.java:123)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:180)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.apache.syncope.core.spring.security.JWTAuthenticationFilter.doFilterInternal(JWTAuthenticationFilter.java:90)
~[syncope-core-spring-2.1.0.jar:2.1.0]
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:624)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
~[tomcat8-coyote-8.5.14.jar:8.5.14]
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
~[tomcat8-coyote-8.5.14.jar:8.5.14]
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861)
~[tomcat8-coyote-8.5.14.jar:8.5.14]
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
~[tomcat8-coyote-8.5.14.jar:8.5.14]
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
~[tomcat8-coyote-8.5.14.jar:8.5.14]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
~[?:1.8.0_171]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
~[?:1.8.0_171]
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
~[tomcat8-util-8.5.14.jar:8.5.14]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
Caused by:
org.identityconnectors.framework.common.exceptions.InvalidCredentialException:
Authentication failed for "admin2"
at
net.tirasa.connid.bundles.ad.authentication.ADAuthenticate.authenticate(ADAuthenticate.java:74)
~[?:?]
at net.tirasa.connid.bundles.ad.ADConnector.authenticate(ADConnector.java:243)
~[?:?]
at
org.identityconnectors.framework.impl.api.local.operations.AuthenticationImpl.authenticate(AuthenticationImpl.java:85)
~[connector-framework-internal-1.4.4.0.jar:?]
at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:1.8.0_171]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
at
org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98)
~[connector-framework-internal-1.4.4.0.jar:?]
at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?]
at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:1.8.0_171]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
at
org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
~[connector-framework-internal-1.4.4.0.jar:?]
at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?]
at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:1.8.0_171]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
at
org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:99)
~[connector-framework-internal-1.4.4.0.jar:?]
at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?]
at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:1.8.0_171]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
at
org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:83)
~[connector-framework-internal-1.4.4.0.jar:?]
at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?]
at
org.identityconnectors.framework.impl.api.AbstractConnectorFacade.authenticate(AbstractConnectorFacade.java:235)
~[connector-framework-internal-1.4.4.0.jar:?]
at
org.apache.syncope.core.provisioning.java.AsyncConnectorFacade.authenticate(AsyncConnectorFacade.java:56)
~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
at
org.apache.syncope.core.provisioning.java.AsyncConnectorFacade$$FastClassBySpringCGLIB$$886ae36a.invoke(<generated>)
~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
~[spring-core-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at
org.springframework.aop.interceptor.AsyncExecutionInterceptor.lambda$invoke$0(AsyncExecutionInterceptor.java:115)
~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0_171]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
~[?:1.8.0_171]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
~[?:1.8.0_171]
... 1 more
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/