[AAA-184] Exception is thrown when ODLJndiLdapRealm is used

Tue, 5 Feb 2019 14:33:23 +0000

When trying to get authorization info using ODLJndiLdapRealm, following exception is thrown and logged at ERROR level:

2019-02-05 14:08:05,374 | ERROR | qtp673798733-110 | TokenAuthRealm                   | 199 - org.opendaylight.aaa.shiro - 0.8.1 | Couldn't decode authorization request
java.lang.ClassCastException: java.lang.String cannot be cast to org.opendaylight.aaa.api.shiro.principal.ODLPrincipal
   at org.opendaylight.aaa.shiro.realm.TokenAuthRealm.doGetAuthorizationInfo(TokenAuthRealm.java:100) [199:org.opendaylight.aaa.shiro:0.8.1]
   at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:341) [138:org.apache.shiro.core:1.3.2]
   at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:573) [138:org.apache.shiro.core:1.3.2]
   at org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:374) [138:org.apache.shiro.core:1.3.2]
   at org.apache.shiro.authz.ModularRealmAuthorizer.hasAllRoles(ModularRealmAuthorizer.java:407) [138:org.apache.shiro.core:1.3.2]
   at org.apache.shiro.mgt.AuthorizingSecurityManager.hasAllRoles(AuthorizingSecurityManager.java:161) [138:org.apache.shiro.core:1.3.2]
   at org.apache.shiro.subject.support.DelegatingSubject.hasAllRoles(DelegatingSubject.java:236) [138:org.apache.shiro.core:1.3.2]
   at org.apache.shiro.web.filter.authz.RolesAuthorizationFilter.isAccessAllowed(RolesAuthorizationFilter.java:52) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90) [138:org.apache.shiro.core:1.3.2]
   at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83) [138:org.apache.shiro.core:1.3.2]
   at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383) [138:org.apache.shiro.core:1.3.2]
   at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362) [139:org.apache.shiro.web:1.3.2]
   at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [139:org.apache.shiro.web:1.3.2]
   at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [159:org.eclipse.jetty.servlet:9.3.24.v20180605]
   at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:51) [160:org.eclipse.jetty.servlets:9.3.24.v20180605]
   at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [159:org.eclipse.jetty.servlet:9.3.24.v20180605]
   at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:205) [169:org.eclipse.jetty.websocket.server:9.3.24.v20180605]
   at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [159:org.eclipse.jetty.servlet:9.3.24.v20180605]
   at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:86) [196:org.opendaylight.aaa.filterchain:0.8.1]
   at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751) [159:org.eclipse.jetty.servlet:9.3.24.v20180605]
   at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582) [159:org.eclipse.jetty.servlet:9.3.24.v20180605]
   at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:71) [449:org.ops4j.pax.web.pax-web-jetty:6.0.11]
   at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [158:org.eclipse.jetty.server:9.3.24.v20180605]
   at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) [156:org.eclipse.jetty.security:9.3.24.v20180605]
   at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) [158:org.eclipse.jetty.server:9.3.24.v20180605]
   at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180) [158:org.eclipse.jetty.server:9.3.24.v20180605]
   at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:296) [449:org.ops4j.pax.web.pax-web-jetty:6.0.11]
   at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512) [159:org.eclipse.jetty.servlet:9.3.24.v20180605]
   at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [158:org.eclipse.jetty.server:9.3.24.v20180605]
   at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112) [158:org.eclipse.jetty.server:9.3.24.v20180605]
   at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [158:org.eclipse.jetty.server:9.3.24.v20180605]
   at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80) [449:org.ops4j.pax.web.pax-web-jetty:6.0.11]
   at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) [158:org.eclipse.jetty.server:9.3.24.v20180605]
   at org.eclipse.jetty.server.Server.handle(Server.java:539) [158:org.eclipse.jetty.server:9.3.24.v20180605]
   at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:333) [158:org.eclipse.jetty.server:9.3.24.v20180605]
   at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251) [158:org.eclipse.jetty.server:9.3.24.v20180605]
   at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) [150:org.eclipse.jetty.io:9.3.24.v20180605]
   at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) [150:org.eclipse.jetty.io:9.3.24.v20180605]
   at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) [150:org.eclipse.jetty.io:9.3.24.v20180605]
   at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) [161:org.eclipse.jetty.util:9.3.24.v20180605]
   at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) [161:org.eclipse.jetty.util:9.3.24.v20180605]
   at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) [161:org.eclipse.jetty.util:9.3.24.v20180605]
   at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) [161:org.eclipse.jetty.util:9.3.24.v20180605]
   at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)

I believe this is cosmetic problem only, as authorization process continues to query LDAP server for group membership.

Can we change log severity to WARN as exactly same is used when trying to authenticate LDAP user against idmlight?

2019-02-05 14:08:05,355 | WARN | qtp673798733-110 | ModularRealmAuthenticator | 138 - org.apache.shiro.core - 1.3.2 | Realm [org.opendaylight.aaa.shiro.realm.TokenAuthRealm@4cb2a5ed] threw an exception during a multi-realm authentication attempt:
org.opendaylight.aaa.api.AuthenticationException: User :user2 does not exist in domain sdn

OpenDaylight JIRA

[AAA-184] Exception is thrown when ODLJndiLdapRealm is used