L'authentification SAML se met en boucle et échoue avec "Accès refusé." | AEM

Problème

Lors de la première connexion à l'aide de l'authentification SAML, l'utilisateur entre dans une boucle de connexion. Dans le fichier error.log, une erreur "Accès refusé" provient de l'appel de sauvegarde dans ce code com.adobe.granite.auth.saml.SamlAuthenticationHandler.createOrUpdateCRXUser.

Erreur liée à l'erreur.log :

23.02.2017 16:04:22.944 *ERROR* [qtp350558097-87175] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not get user manager.
javax.jcr.AccessDeniedException: Access denied.
        at org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager.checkPermissions(AbstractAccessControlManager.java:200)
        at org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager.getTree(AbstractAccessControlManager.java:167)
        at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.getApplicablePolicies(AccessControlManagerImpl.java:184)
        at org.apache.jackrabbit.oak.spi.security.user.action.AccessControlAction.setAC(AccessControlAction.java:170)
        at org.apache.jackrabbit.oak.spi.security.user.action.AccessControlAction.onCreate(AccessControlAction.java:127)
        at org.apache.jackrabbit.oak.security.user.UserManagerImpl.onCreate(UserManagerImpl.java:262)
        at org.apache.jackrabbit.oak.security.user.UserManagerImpl.createUser(UserManagerImpl.java:169)
        at org.apache.jackrabbit.oak.security.user.UserManagerImpl.createUser(UserManagerImpl.java:150)
        at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator$8.perform(UserManagerDelegator.java:165)
        at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator$8.perform(UserManagerDelegator.java:161)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:208)
        at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator.createUser(UserManagerDelegator.java:161)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.createOrUpdateCRXUser(SamlAuthenticationHandler.java:943)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:808)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:433)
        at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
        at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
        at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
        at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
        at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
        at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
        at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
23.02.2017 16:04:22.946 *ERROR* [qtp350558097-87175] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
        at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
        at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)
        at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:419)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274)
        at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:416)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:821)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:433)
        at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
        at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
        at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
        at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
        at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
        at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
        at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied
        at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.checkPermissions(PermissionValidator.java:212)
        at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.childNodeAdded(PermissionValidator.java:150)
        at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
        at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
        at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
        at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:32)
        at org.apache.jackrabbit.oak.spi.commit.CompositeEditor.childNodeAdded(CompositeEditor.java:108)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeAdded(EditorDiff.java:116)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord$3.childNodeAdded(MapRecord.java:435)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:493)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:432)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:583)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord$3.childNodeChanged(MapRecord.java:440)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:483)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compareBranch(MapRecord.java:561)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:466)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:432)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:583)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:414)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:583)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord$2.childNodeChanged(MapRecord.java:399)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord$3.childNodeChanged(MapRecord.java:440)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:483)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:432)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:390)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:583)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.process(EditorDiff.java:52)
        at org.apache.jackrabbit.oak.spi.commit.EditorHook.processCommit(EditorHook.java:54)
        at org.apache.jackrabbit.oak.spi.commit.CompositeHook.processCommit(CompositeHook.java:61)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStore$Commit.prepare(SegmentNodeStore.java:488)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStore$Commit.optimisticMerge(SegmentNodeStore.java:519)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStore$Commit.execute(SegmentNodeStore.java:575)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStore.merge(SegmentNodeStore.java:238)
        at org.apache.jackrabbit.oak.spi.state.ProxyNodeStore.merge(ProxyNodeStore.java:43)
        at org.apache.jackrabbit.oak.core.MutableRoot.commit(MutableRoot.java:247)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.commit(SessionDelegate.java:347)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:494)
        ... 33 common frames omitted

Environnement

AEM 6.2

Cause

Les autorisations pour l'utilisateur du service d'authentification ont été perdues ou supprimées lors de la mise à niveau d'AEM.

Résolution

L'utilisateur du service d'authentification n'a pas ses autorisations pour le dossier /home. Pour résoudre ce problème, intégrez de nouveau les autorisations.

Dans AEM 6.2, corrigez le problème en ajoutant l'utilisateur "authentication-service" aux groupes "user-administrateurs" et "contributors".

Étapes permettant d’ajouter l’utilisateur en tant que membre des groupes :

  1. Accédez à http://aem-host:port/useradmin et connectez en tant qu’administrateur.
  2. Recherchez authentication-service.
  3. Cliquez deux fois sur l’utilisateur.
  4. Sélectionnez l'onglet Groups.
  5. Dans le panneau de recherche à gauche, recherchez user-administrateurs.
  6. Glissez-déposez le groupe user-administrateurs dans le panneau à onglet Groups situé à droite.
  7. Cliquez sur Enregistrer.
  8. Répétez les étapes 5-7 pour le groupe des contributeurs.

Dans AEM 6.3, le service d'authentification n'est plus membre de groupes. Suivez les étapes similaires dans 6.3, mais donnez plutôt le service d'authentification complet à l'utilisateur jcr : toutes les autorisations sur le dossier /home.

 Adobe

Recevez de l’aide plus rapidement et plus facilement

Nouvel utilisateur ?