Adobe-Consulting-Services / acs-aem-commons

http://adobe-consulting-services.github.io/acs-aem-commons/
Apache License 2.0

ACL Packager - Unable to login with any user after ACL package import #942

Closed diogopedreira closed 7 years ago

diogopedreira commented 7 years ago

Hi all,

I've created a package to export my ACLs using ACL Packager. I've followed the instructions specified in here but after installing the package and after restarting the instance I'm not able to login with any user.

The package was properly created and installed, and if I don't restart the instance I'm able to login and to go to /useradmin and check that all my permissions were properly imported along with my groups.

If I restart the instance and try to login, I get this error and I'm not able to do anything.


```
27.03.2017 18:50:58.896 *WARN* [qtp935074215-102] com.adobe.granite.auth.cert.impl.ClientCertAuthHandler Unable to create token credentials, setting cert for uid null
java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
        at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:609)
        at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.internalGetTrustStore(KeyStoreServiceImpl.java:462)
        at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getTrustStore(KeyStoreServiceImpl.java:154)
        at com.adobe.granite.auth.cert.impl.ClientCertAuthHandler.findMappedUsers(ClientCertAuthHandler.java:135)
        at com.adobe.granite.auth.cert.impl.ClientCertAuthHandler.extractCredentials(ClientCertAuthHandler.java:108)
        at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
        at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
        at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
        at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
        at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
        at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
        at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
Caused by: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
        at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:160)
        at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:601)
        ... 32 common frames omitted
Caused by: com.adobe.granite.crypto.CryptoException: Failed decrypting cipher text
        at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:96)
        at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:157)
        ... 33 common frames omitted
Caused by: com.rsa.jsafe.JSAFE_PaddingException: Invalid padding.
        at com.rsa.jsafe.JSAFE_SymmetricCipher.decryptFinal(Unknown Source)
        at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:325)
        at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:307)
        at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:94)
        ... 34 common frames omitted
```

I'm running:

Any help?

Thanks!

Cheers, Diogo

justinedelson commented 7 years ago

Since the packager is simply creating a package of ACLs and this package happens upon installation of that package, I don't think this is an issue with ACS AEM Commons. Presumably this would also happen if you installed that package on an instance of AEM without ACS AEM Commons installed.

I would suggest looking at the contents of that package and see what ACLs it is changing that is at the root of this problem.

diogopedreira commented 7 years ago

@justinedelson Thanks for your quick answer! I've already done that, along with several other actions, and that's the reason why I'm calling for some help in here.

I've used the principals option to export only the ACLs related to some Groups that exist in my instance and, as expected, the package contains only the rep:policy files of the ACLs that contain ACEs that match the given principals.

If this Packager is supposed to export only rep:policy files, why am I getting a Crypto-related exception when trying to login? Does this packager perform any other action than gathering all ACLs?

I can provide the resultant package if you want to.

Thanks for your help.

Diogo

justinedelson commented 7 years ago

Again, the problem you are reporting is on the instance receiving the package, not the instance where the package is being created, so even if the packager performed additional actions (which it does not), those would not be relevant to your question.
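One way to carry out the package inspection suggested above before installing on a target instance, as an added example that is not code from this thread or from ACS AEM Commons: it lists every ACE in a content package and flags entries that are not rep:policy files. It assumes the standard FileVault layout (`jcr_root/`, `_rep_policy.xml`, the `rep` namespace serialized as `internal`); the sample package, the principal `site-authors` and all paths are constructed.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

JCR = "{http://www.jcp.org/jcr/1.0}"   # jcr: namespace in FileVault XML
REP = "{internal}"                      # rep: namespace in FileVault XML
POLICY = "_rep_policy.xml"              # on-disk name of a rep:policy node


def repo_path(entry):
    """Repository path of the node that owns the policy stored at a zip entry."""
    parent = entry[len("jcr_root"):].rsplit("/", 1)[0]
    # FileVault writes a namespaced name such as jcr:content as _jcr_content.
    return re.sub(r"/_([^/_]+)_", r"/\1:", parent) or "/"


def audit_package(zip_bytes):
    """Return (aces, extras): the ACEs in the package and its non-policy entries."""
    aces, extras = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.startswith("jcr_root/") or name.endswith("/"):
                continue                      # META-INF/vault and directories
            if name.rsplit("/", 1)[1] != POLICY:
                extras.append(name)           # not an ACL: review before install
                continue
            for ace in ET.fromstring(pkg.read(name)):
                kind = ace.get(JCR + "primaryType")
                if kind not in ("rep:GrantACE", "rep:DenyACE"):
                    continue
                raw = ace.get(REP + "privileges", "")
                privs = re.sub(r"^\{Name\}\[|\]$", "", raw).split(",")
                aces.append((repo_path(name), kind,
                             ace.get(REP + "principalName"), privs))
    return aces, extras


def sample_package():
    """Constructed package: one policy on /content/site/jcr:content, one stray file."""
    policy = ('<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"'
              ' jcr:primaryType="rep:ACL"><allow jcr:primaryType="rep:GrantACE"'
              ' rep:principalName="site-authors"'
              ' rep:privileges="{Name}[jcr:read,rep:write]"/></jcr:root>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("jcr_root/content/site/_jcr_content/" + POLICY, policy)
        pkg.writestr("jcr_root/apps/example/config.xml", "<config/>")
    return buf.getvalue()
```

To audit a real package, pass the bytes of the downloaded zip to `audit_package` and review both the ACE list and any flagged non-policy entries.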