Terry Luedtke added a comment - 15/Apr/2013 7:43 PM Ah, found the solution at CONF-28576

Terry Luedtke added a comment - 15/Apr/2013 7:40 PM I'm trying to set up a new Confluence 5 server. Using the same settings and Java authentication class as I have on our existing Confluence 4.2 server, I get the following error when logging in for the first time. If I reload, I get in OK (with an existing session?). javax.servlet.ServletException: Filter execution threw an exception at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:259) caused by: java.lang.IllegalAccessError: tried to access method com.atlassian.confluence.event.events.security.SecurityEvent.<init> (Ljava/lang/ Object ;Ljava/lang/ String ;Ljava/lang/ String ;Ljava/lang/ String ;Ljava/lang/ String ;)V from class gov.nih.nlm.occs.confluence.SSOAuthenticator at gov.nih.nlm.occs.confluence.SSOAuthenticator.getUser(SSOAuthenticator.java:180)

Joe Clark added a comment - 11/Jan/2012 3:57 AM I have updated the authenticator to fix both the Hibernate exception reported by Terry, and the LOGININFO problem reported by Gary/Erkki. I've moved further development of the authenticator to bitbucket, so you can head over to this repo to get the latest changes: https://bitbucket.org/jaysee00/example-confluence-sso-authenticator I'd also like to move all this plumbing code into Confluence itself so that every single SSO authenticator doesn't have to write the same code over and over again. I've created a CONF issue to track this, in case you'd like to watch it for updated and/or cast your vote: https://jira.atlassian.com/browse/CONF-24358

Joe Clark added a comment - 10/Jan/2012 6:40 AM gswduke - I had (perhaps incorrectly) assumed that the login info would happen as long as the authenticator was the LoginSuccessful event. I'll need to dig in to the call-chain and work out the order of events that happens for the default authenticator and try to emulate it in the custom authenticator. If Erkki is correct, then putting the call to onSuccessfulLoginAttempt right before the call to putPrincipalInSessionContext is probably the right approach. Yeah, it sounds like you could just override getUser now if you're no longer using a custom login filter. Either approach will probably work OK, but by overriding getUser, you are overriding "less" of the login process, so I think it is probably a better choice in terms of long-term stability. I'll see if I can dig to the bottom of this tomorrow, too.

Joe Clark added a comment - 10/Jan/2012 6:36 AM tluedtke - I think I have identified the problem. It looks like the "findByName" method is not read-only like I thought it was, and has a hack in it that tries to initialise a new hibernate session. I should be able to work around this tomorrow.

Joe Clark added a comment - 10/Jan/2012 6:19 AM Re-opening to investigate reported issues.

Gary Weaver added a comment - 05/Jan/2012 3:49 PM Joe, Erkki Aalto in https://answers.atlassian.com/questions/21460/how-to-update-logininfo-table-in-confluence-4-0-in-custom-confluence-authenticator is telling me that the LOGININFO table entry is not created unless the following is called: LoginManager loginManager = (LoginManager) ContainerManager.getComponent( "loginManager" ); loginManager.onSuccessfulLoginAttempt(username, request); And that it in turn basically does (I removed null check and logging for clarity): User user = userAccessor.getUser(username); UserLoginInfo userLoginInfo = loginInfoDao.findOrCreateUserLoginInfoForUser(user); userLoginInfo.successfulLogin(clock.getCurrentDate()); loginInfoDao.saveOrUpdate(userLoginInfo); Is that does elsewhere? I was going to put that: getLoginManager().onSuccessfulLoginAttempt(userid, request); line right before: putPrincipalInSessionContext(request, user); and in addition, for some reason we're overriding: public boolean login(HttpServletRequest request, HttpServletResponse response, String username, String password, boolean cookie) throws AuthenticatorException instead of the following that you are using and that we used to use a while back: public Principal getUser(HttpServletRequest request, HttpServletResponse response) These are the comments we have as to why we are doing that, but we are no longer using a custom filter, so not sure if still needed: // Converting reliance on getUser(request,response) to use login(...) instead. The logic flow is: // 1) Seraph Login filter, which is based on username/password kicks in (declared at web.xml) // 2) It bails out altogether and identified user as invalid (without calling any of login(request,response) // declared here. // 3) Seraph Security filter kicks in (declared at web.xml) // 4) It calls getUser(request,response) and assign roles to known user. // Hence, getUser(request,response) will only be called from Seraph SecurityFilter. This authenticator can use // ShibLoginFilter to make sure login is performed in some versions of Confluence, but it works without it, so // that is off by default . Anyway, thanks so much for writing and posting ExampleSSOAuthenticator.java. Even though we have separate issues and still haven't overcome them, but with some of its code, we're much closer now. Gary

Terry Luedtke added a comment - 05/Jan/2012 1:39 PM - edited Not sure if I should create a new ticket. When I try to use this authenticator, I get a hibernate exception. By the way, when I remove SSO authentication, I can log in and view content, so the database connection is configured OK. 2012-01-05 08:03:18,876 [TP-Processor3] DEBUG gov.nih.nlm.occs.confluence.SSOAuthenticator - Entered getUser() 2012-01-05 08:03:18,926 [TP-Processor3] DEBUG gov.nih.nlm.occs.confluence.SSOAuthenticator - Username = luedtket. 2012-01-05 08:03:18,927 [TP-Processor3] DEBUG gov.nih.nlm.occs.confluence.SSOAuthenticator - User DN = CN=luedtket,OU=Users,OU=AB,OU=OCCS,OU=NLM,OU=NLM,OU=NIH,OU=AD,DC=nih,DC=gov. 2012-01-05 08:03:18,928 [TP-Processor3] DEBUG gov.nih.nlm.occs.confluence.SSOAuthenticator - before getUser().validateLdapUser 2012-01-05 08:03:19,141 [TP-Processor3] ERROR org.apache.catalina.core.ContainerBase.[Apache].[wikiqa.nlm.nih.gov].[/confluence].[jsp] - Servlet.service() for servlet jsp threw exception org.springframework.orm.hibernate.HibernateSystemException: Could not initialize proxy - the owning Session was closed; nested exception is net.sf.hibernate.HibernateException: Could not initialize proxy - the owning Session was closed Caused by: net.sf.hibernate.HibernateException: Could not initialize proxy - the owning Session was closed at net.sf.hibernate.proxy.LazyInitializer.initialize(LazyInitializer.java:47) at net.sf.hibernate.Hibernate.initialize(Hibernate.java:252) at com.atlassian.confluence.user.crowd.DefaultApplicationCache.toCacheValue(DefaultApplicationCache.java:70) at com.atlassian.confluence.user.crowd.DefaultApplicationCache.putApplication(DefaultApplicationCache.java:55) at com.atlassian.confluence.user.crowd.CachedCrowdApplicationDao.findByName(CachedCrowdApplicationDao.java:48) at gov.nih.nlm.occs.confluence.SSOAuthenticator.validateLdapUser(SSOAuthenticator.java:250) at gov.nih.nlm.occs.confluence.SSOAuthenticator.getUser(SSOAuthenticator.java:166) at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:125) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:98) at com.atlassian.confluence.util.AbstractBootstrapHotSwappingFilter.doFilter(AbstractBootstrapHotSwappingFilter.java:30) at com.atlassian.confluence.util.AbstractBootstrapHotSwappingFilter$SwapOnBootstrapFilter.doFilter(AbstractBootstrapHotSwappingFilter.java:55) at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31) at com.atlassian.confluence.util.AbstractBootstrapHotSwappingFilter.doFilter(AbstractBootstrapHotSwappingFilter.java:30) at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.seraph.filter.BaseLoginFilter.doFilter(BaseLoginFilter.java:150) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66) at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:71) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.confluence.util.ClusterHeaderFilter.doFilter(ClusterHeaderFilter.java:34) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.johnson.filters.AbstractJohnsonFilter.doFilter(AbstractJohnsonFilter.java:72) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.gzipfilter.GzipFilter.doFilterInternal(GzipFilter.java:80) at com.atlassian.gzipfilter.GzipFilter.doFilter(GzipFilter.java:51) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.core.filters.cache.AbstractCachingFilter.doFilter(AbstractCachingFilter.java:33) at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66) at com.atlassian.confluence.extra.webdav.servlet.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:43) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter.doFilter(RequestParamValidationFilter.java:58) at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.confluence.plugin.servlet.filter.ActionContextCleanUp.doFilter(ActionContextCleanUp.java:71) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.confluence.web.filter.LanguageExtractionFilter.doFilter(LanguageExtractionFilter.java:52) at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.confluence.util.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:25) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.core.filters.HeaderSanitisingFilter.doFilter(HeaderSanitisingFilter.java:44) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.atlassian.confluence.servlet.FourOhFourErrorLoggingFilter.doFilter(FourOhFourErrorLoggingFilter.java:65) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174) at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200) at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:775) at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:704) at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:897) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) at java.lang.Thread.run(Thread.java:662)

Joe Clark added a comment - 03/Jan/2012 10:04 PM Good to hear it's working (phew!) By default, issues in the CONF project are accessible to everyone (as is this issue). Gary should have no problem getting access. You could probably google search the issue summary and it would come up in the results

Craig Solinski added a comment - 03/Jan/2012 8:39 PM Nice work Joe, Code seems to work as advertised I'm working with Gary Weaver to get it into the Shibboleth Authenticator as well as our SoulWing CAS Authenticator version, and I'm wondering if this Jira issue is accessible for him to get the code? Thank you very much for your time and expertise, Craig