[Building Sakai] question about AuthenticationCache -- null authentication record

Sanghyun Jeon euksa99 at gmail.com
Mon Sep 15 10:01:14 PDT 2014


Hello

Can anybody explain to me why we get the error message "getAuthentication:
replaying authentication failure for authenticationId=XXXXX" when the user
enters the right pwd and user id? At the same time, when the user enters the
right user id and a wrong pwd, the error thrown is
org.sakaiproject.user.impl.AuthenticationCache:94 -
getAuthentication: record for authenticationId=XXXXX failed password check.



It appears to negotiate the SSL tunnel properly (there is no
certificate_unknown error in the log with SSL debug mode), but it still does
not complete the LDAP authentication transaction. So we are unsure as to
how to proceed. Please help.

S

On Wed, Sep 10, 2014 at 12:13 PM, Sanghyun Jeon <euksa99 at gmail.com> wrote:

> Unfortunately, I have not heard back yet.
>
> Here's an update:
> If the user entered the wrong pwd, then Tomcat threw [DEBUG]
> org.sakaiproject.user.impl.AuthenticationCache:94 - getAuthentication:
> record for authenticationId=XXXX failed password check
>
> I think a null record causes the issue, so that user authentication
> fails. Can anybody explain when the record can be null?
>
> Thank you in advance.
>
>
> S
>
> On Tue, Sep 9, 2014 at 10:33 AM, Sanghyun Jeon <euksa99 at gmail.com> wrote:
>
>> Hello All,
>>
>>
>>
>> Users on one of our LDAP servers are having difficulty using WebDAV.
>>
>> Whenever these users enter the user name and pwd into the WebDAV window,
>> Tomcat throws
>>
>> getAuthentication: replaying authentication failure for
>> authenticationId=XXX.
>>
>> I looked through the code in
>> kernel/kernel-impl/src/main/java/org/sakaiproject/user/impl/AuthenticationCache.java;
>> this can happen only when the user-provided pwd and the LDAP pwd match but
>> the authentication record is null.
>>
>> I am wondering when/how the authentication record can be null. The user
>> provides the right user id/pwd and LDAP has the right information, though.
>>
>>
>>
>>
>>
>>     public Authentication getAuthentication(String authenticationId, String password)
>>             throws AuthenticationException {
>>         Authentication auth = null;
>>         Element element = authCache.get(authenticationId);
>>         if (element != null) {
>>             AuthenticationRecord record = (AuthenticationRecord) element.getObjectValue();
>>             byte[] salt = new byte[saltLength];
>>             System.arraycopy(record.encodedPassword, 0, salt, 0, salt.length);
>>             byte[] encodedPassword = getEncrypted(password, salt);
>>             if (MessageDigest.isEqual(record.encodedPassword, encodedPassword)) {
>>                 if (record.authentication == null) {
>>                     if (log.isDebugEnabled()) log.debug("getAuthentication: replaying authentication failure for authenticationId=" + authenticationId);
>>                     throw new AuthenticationException("repeated invalid login");
>>                 } else {
>>                     if (log.isDebugEnabled()) log.debug("getAuthentication: returning record for authenticationId=" + authenticationId);
>>                     auth = record.authentication;
>>                 }
>>             } else {
>>                 // Since the passwords didn't match, we're no longer getting repeats,
>>                 // and so the record should be removed.
>>                 if (log.isDebugEnabled()) log.debug("getAuthentication: record for authenticationId=" + authenticationId + " failed password check");
>>                 authCache.remove(authenticationId);
>>             }
>>         }
>>         return auth;
>>     }
>>
>
>
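
The lookup in the quoted method, as an added stand-alone Java model (not Sakai's code and not part of the original message): the password check runs against the salted hash held in the cache record, so a record stored with a null authentication is replayed as a failure whenever the same password is resubmitted, and is dropped when a different one arrives. The `put` method, the SHA-256 encoding, the salt length, and the class, user and password names are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
// Stand-alone model of the cache behaviour; an illustration, not Sakai's class.
public class ReplayCacheDemo {
    static final int SALT_LEN = 8; // assumed; the quoted code uses its own saltLength
    static final class Entry {
        final byte[] encoded; // salt || hash(salt || password), as the quoted lookup implies
        final String auth;    // null marks a cached failure
        Entry(byte[] encoded, String auth) { this.encoded = encoded; this.auth = auth; }
    }
    static final Map<String, Entry> cache = new HashMap<>();

    // Assumed encoding (SHA-256); the page does not show getEncrypted().
    static byte[] encode(String password, byte[] salt) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(salt, salt.length + digest.length);
        System.arraycopy(digest, 0, out, salt.length, digest.length);
        return out;
    }

    // Assumed store side: runs after the real provider (e.g. LDAP) has answered.
    static void put(String id, String password, String authOrNull) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        cache.put(id, new Entry(encode(password, salt), authOrNull));
    }

    // Same decision order as the quoted getAuthentication().
    static String get(String id, String password) throws Exception {
        Entry e = cache.get(id);
        if (e == null) return "MISS: nothing cached";
        byte[] salt = Arrays.copyOf(e.encoded, SALT_LEN);
        if (!MessageDigest.isEqual(e.encoded, encode(password, salt))) {
            cache.remove(id); // a different password was submitted, so the record is dropped
            return "EVICTED: failed password check";
        }
        return e.auth == null ? "REPLAY: cached failure" : "HIT: " + e.auth;
    }
    public static void main(String[] args) throws Exception {
        put("jdoe", "s3cret", null);               // constructed: provider rejected this attempt
        System.out.println(get("jdoe", "s3cret")); // same password resubmitted
        System.out.println(get("jdoe", "other"));  // different password
        System.out.println(get("jdoe", "s3cret")); // looked up again after the eviction
    }
}
```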