Problem
On the first login with SAML authentication, the user ends up in a login loop. In error.log the "Access denied" error is raised from the user-creation call in com.adobe.granite.auth.saml.SamlAuthenticationHandler.createOrUpdateCRXUser; a second entry reports the same denial when the handler then tries to save the session.
Related error from error.log:
23.02.2017 16:04:22.944 *ERROR* [qtp350558097-87175] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not get user manager.
javax.jcr.AccessDeniedException: Access denied.
    at org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager.checkPermissions(AbstractAccessControlManager.java:200)
    at org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager.getTree(AbstractAccessControlManager.java:167)
    at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.getApplicablePolicies(AccessControlManagerImpl.java:184)
    at org.apache.jackrabbit.oak.spi.security.user.action.AccessControlAction.setAC(AccessControlAction.java:170)
    at org.apache.jackrabbit.oak.spi.security.user.action.AccessControlAction.onCreate(AccessControlAction.java:127)
    at org.apache.jackrabbit.oak.security.user.UserManagerImpl.onCreate(UserManagerImpl.java:262)
    at org.apache.jackrabbit.oak.security.user.UserManagerImpl.createUser(UserManagerImpl.java:169)
    at org.apache.jackrabbit.oak.security.user.UserManagerImpl.createUser(UserManagerImpl.java:150)
    at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator$8.perform(UserManagerDelegator.java:165)
    at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator$8.perform(UserManagerDelegator.java:161)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:208)
    at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator.createUser(UserManagerDelegator.java:161)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.createOrUpdateCRXUser(SamlAuthenticationHandler.java:943)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:808)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:433)
    at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
    at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
    at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
    at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
    at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
    at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
    at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)
23.02.2017 16:04:22.946 *ERROR* [qtp350558097-87175] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:419)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:416)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:821)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:433)
    at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
    at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
    at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
    at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
    at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
    at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
    at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.checkPermissions(PermissionValidator.java:212)
    at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.childNodeAdded(PermissionValidator.java:150)
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:32)
    at org.apache.jackrabbit.oak.spi.commit.CompositeEditor.childNodeAdded(CompositeEditor.java:108)
    at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeAdded(EditorDiff.java:116)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord$3.childNodeAdded(MapRecord.java:435)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:493)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:432)
    at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:583)
    at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord$3.childNodeChanged(MapRecord.java:440)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:483)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compareBranch(MapRecord.java:561)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:466)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:432)
    at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:583)
    at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:414)
    at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:583)
    at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord$2.childNodeChanged(MapRecord.java:399)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord$3.childNodeChanged(MapRecord.java:440)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:483)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:432)
    at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:390)
    at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:583)
    at org.apache.jackrabbit.oak.spi.commit.EditorDiff.process(EditorDiff.java:52)
    at org.apache.jackrabbit.oak.spi.commit.EditorHook.processCommit(EditorHook.java:54)
    at org.apache.jackrabbit.oak.spi.commit.CompositeHook.processCommit(CompositeHook.java:61)
    at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStore$Commit.prepare(SegmentNodeStore.java:488)
    at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStore$Commit.optimisticMerge(SegmentNodeStore.java:519)
    at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStore$Commit.execute(SegmentNodeStore.java:575)
    at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStore.merge(SegmentNodeStore.java:238)
    at org.apache.jackrabbit.oak.spi.state.ProxyNodeStore.merge(ProxyNodeStore.java:43)
    at org.apache.jackrabbit.oak.core.MutableRoot.commit(MutableRoot.java:247)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.commit(SessionDelegate.java:347)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:494)
    ... 33 common frames omitted
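To spot this condition in a log before someone reports the loop, here is an added example that is not part of the Adobe article: it groups error.log entries with their stack traces, matches the signature shown above (SamlAuthenticationHandler, "User synchronization failed", an AccessDeniedException / OakAccess0000 in the trace), and flags several failures inside a short window as a loop. SAMPLE_LOG is constructed from the trace above with frames shortened and one unrelated INFO line added; the 60-second window and threshold of three are assumptions to tune for your traffic.

```python
"""Flag the SAML user-synchronization failure from the article in an AEM error.log.

Added example, not part of the Adobe article. SAMPLE_LOG is constructed from the trace
above (frames shortened, one unrelated INFO line added); window and threshold of the
loop heuristic are assumptions.
"""
import re
from datetime import datetime, timedelta

# AEM error.log entry header: "dd.MM.yyyy HH:mm:ss.SSS *LEVEL* [thread] logger message"
HEADER = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \*(?P<level>[A-Z]+)\* "
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$"
)
SAML_HANDLER = "com.adobe.granite.auth.saml.SamlAuthenticationHandler"
SYNC_FAILED = "User synchronization failed"

SAMPLE_LOG = """\
23.02.2017 16:04:22.944 *ERROR* [qtp350558097-87175] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not get user manager.
javax.jcr.AccessDeniedException: Access denied.
    at org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager.checkPermissions(AbstractAccessControlManager.java:200)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.createOrUpdateCRXUser(SamlAuthenticationHandler.java:943)
23.02.2017 16:04:22.946 *ERROR* [qtp350558097-87175] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)
Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied
    ... 33 common frames omitted
23.02.2017 16:04:23.100 *INFO* [qtp350558097-87176] com.example.Unrelated constructed noise entry, not from the article
23.02.2017 16:04:25.012 *ERROR* [qtp350558097-87177] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not get user manager.
javax.jcr.AccessDeniedException: Access denied.
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.createOrUpdateCRXUser(SamlAuthenticationHandler.java:943)
"""


def parse_entries(text):
    """Group a log into entries: one header line plus its continuation (exception/stack) lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%d.%m.%Y %H:%M:%S.%f")
            entry["detail"] = []
            entries.append(entry)
        elif entries and line.strip():
            entries[-1]["detail"].append(line.strip())
    return entries


def is_sync_access_denied(entry):
    """The article's signature: SAML handler, 'User synchronization failed', and an
    AccessDeniedException (Oak reports it as OakAccess0000) in the attached trace."""
    return (entry["logger"] == SAML_HANDLER
            and SYNC_FAILED in entry["msg"]
            and any("AccessDeniedException" in d or "OakAccess0000" in d for d in entry["detail"]))


def find_sync_failures(text):
    return [e for e in parse_entries(text) if is_sync_access_denied(e)]


def looks_like_login_loop(failures, window=timedelta(seconds=60), threshold=3):
    """One failure may be a one-off; `threshold` failures inside `window` is the loop the
    article describes (the browser is bounced to the IdP and the handler fails again)."""
    times = sorted(f["ts"] for f in failures)
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= threshold:
            return True
    return False


def summarize(text):
    """Compact report for a log excerpt: counts, threads, distinct messages, loop verdict."""
    failures = find_sync_failures(text)
    return {
        "failures": len(failures),
        "threads": sorted({f["thread"] for f in failures}),
        "messages": sorted({f["msg"].split(": ", 1)[1] for f in failures}),
        "login_loop": looks_like_login_loop(failures),
    }
```

Feed `summarize` the tail of a real error.log (for example the last few thousand lines around the time of a reported login failure). Two distinct messages, "Could not get user manager." and "Could not access repository.", appear per failed login because the handler first fails to create the user and then fails to save the session, so one user's loop produces pairs of entries on the same request thread.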
Environment
AEM 6.2
Cause
The permissions of the authentication-service user were lost or removed during an AEM upgrade.
Solution
The authentication-service user has no permissions on the /home folder. To fix the problem, add the permissions back.
In AEM 6.2, fix the problem by adding the authentication-service user to the user-administrators and contributor groups.
Steps to add the user to the groups:
1. Go to http://aem-host:port/useradmin and log in as an administrator.
2. Search for authentication-service.
3. Double-click the user.
4. Select the Groups tab.
5. In the search panel on the left, search for user-administrators.
6. Drag the user-administrators group onto the Groups tab on the right.
7. Click Save.
8. Repeat steps 5-7 for the contributor group.
In AEM 6.3 the authentication-service user is no longer a member of any group. Follow steps similar to those for 6.2, but instead grant the authentication-service user the full jcr:all privilege on the /home folder. Note that jcr:all includes every privilege on /home, among them access-control management; what the stack trace shows the handler exercising is the creation of the user node under /home plus reading and modifying access control to set the new user's default ACL. After the change, confirm that the grant applies only to the authentication-service principal and only under /home.
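The procedure above as a scripted check and repair, added here as an example; it is not Adobe's code and is not taken from the article. It talks to the Sling accessmanager (`/home.eacl.json`, `/home.modifyAce.html`) and usermanager (`/system/userManager/...`) HTTP endpoints that ship with AEM. That those endpoints are enabled on your instance, the JSON shapes the script expects, the `:member` parameter form and the admin credentials are assumptions, and the sample responses are constructed. The 6.2 branch adds the two group memberships, the 6.3 branch grants the jcr:all ACE the article prescribes; `missing_privileges` checks against the narrower set the stack trace actually needs (node creation under /home plus access-control read/modify), so running it before and after shows both that the fix took and how far jcr:all exceeds what the handler uses.

```python
"""Check and repair the authentication-service permissions described above.
Added example, not Adobe's code; endpoints, JSON shapes and credentials are assumptions.
Sling accessmanager: GET /home.eacl.json, POST /home.modifyAce.html.
Sling usermanager: GET /system/userManager/user/<id>.json, POST /system/userManager/group/<id>.update.html."""
import base64
import json
import urllib.parse
import urllib.request

SERVICE_USER = "authentication-service"
AEM62_GROUPS = ("user-administrators", "contributor")
# What the stack trace shows the handler needs on /home: create the user node (write plus
# node type management) and read/modify access control to set the new user's default ACL.
# jcr:all, which the article grants, is a superset of this.
REQUIRED = {"jcr:read", "jcr:addChildNodes", "jcr:modifyProperties", "jcr:nodeTypeManagement",
            "jcr:readAccessControl", "jcr:modifyAccessControl"}
# JCR 2.0 / Jackrabbit aggregate privileges (jcr:all trimmed to the members relevant here).
AGGREGATES = {
    "jcr:write": {"jcr:modifyProperties", "jcr:addChildNodes", "jcr:removeNode", "jcr:removeChildNodes"},
    "rep:write": {"jcr:write", "jcr:nodeTypeManagement"},
    "jcr:all": {"jcr:read", "rep:write", "jcr:readAccessControl", "jcr:modifyAccessControl",
                "jcr:lockManagement", "jcr:versionManagement"},
}

def expand(privileges):
    """Resolve aggregates down to the leaf privileges they contain."""
    out, todo = set(), list(privileges)
    while todo:
        p = todo.pop()
        if p not in out:
            out.add(p)
            todo.extend(AGGREGATES.get(p, ()))
    return out

def missing_privileges(eacl, principal=SERVICE_USER):
    """REQUIRED privileges the principal does not effectively hold in an .eacl.json response
    (assumed shape: {"<principal>": {"granted": [...], "denied": [...]}}). Denials win."""
    entry = eacl.get(principal, {})
    effective = expand(entry.get("granted", [])) - expand(entry.get("denied", []))
    return sorted(REQUIRED - effective)

def missing_groups(user_json, groups=AEM62_GROUPS):
    """Groups the user is not in (assumed shape: "memberOf": [{"name": ..., "href": ...}, ...])."""
    member_of = {g["name"] for g in user_json.get("memberOf", [])}
    return [g for g in groups if g not in member_of]

class AemClient:
    """HTTP Basic client; transport(method, url, data) -> (status, body) is injectable so the
    repair logic can run offline against constructed responses (see offline_transport)."""
    def __init__(self, base_url, user, password, transport=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}"}
        self.transport = transport or self._http

    def _http(self, method, url, data):
        body = urllib.parse.urlencode(data).encode() if data else None
        req = urllib.request.Request(url, data=body, headers=self.headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()

    def get_json(self, path):
        status, body = self.transport("GET", self.base_url + path, None)
        if status != 200:
            raise RuntimeError(f"GET {path} returned {status}")
        return json.loads(body)

    def post(self, path, data):
        status, _ = self.transport("POST", self.base_url + path, data)
        if status not in (200, 201):
            raise RuntimeError(f"POST {path} returned {status}")

def repair(client, aem_version):
    """Apply the article's fix for the given AEM version; returns the changes made."""
    changes = []
    if aem_version.startswith("6.2"):
        user = client.get_json(f"/system/userManager/user/{SERVICE_USER}.json")
        for group in missing_groups(user):
            client.post(f"/system/userManager/group/{group}.update.html", {":member": SERVICE_USER})
            changes.append(f"added {SERVICE_USER} to {group}")
    elif missing_privileges(client.get_json("/home.eacl.json")):
        client.post("/home.modifyAce.html", {"principalId": SERVICE_USER, "privilege@jcr:all": "granted"})
        changes.append(f"granted jcr:all on /home to {SERVICE_USER}")
    return changes

# Constructed responses mirroring the broken state in the article (not captured from a real
# instance): the service user can only read /home and is in no group.
SAMPLE_EACL_BROKEN = {SERVICE_USER: {"principal": SERVICE_USER, "granted": ["jcr:read"], "denied": []}}
SAMPLE_USER_BROKEN = {"memberOf": []}

def offline_transport(eacl=SAMPLE_EACL_BROKEN, user_json=SAMPLE_USER_BROKEN, calls=None):
    """Transport serving the constructed responses above and recording every request."""
    def transport(method, url, data):
        if calls is not None:
            calls.append((method, url, data))
        if url.endswith(".eacl.json"):
            return 200, json.dumps(eacl)
        if url.endswith(f"/user/{SERVICE_USER}.json"):
            return 200, json.dumps(user_json)
        return 200, ""
    return transport
```

Against a live instance, build the client without a transport, e.g. `AemClient("http://aem-host:port", "admin", password)`, call `missing_privileges(client.get_json("/home.eacl.json"))` first, then `repair(client, "6.3")`, then the check again; `offline_transport` exists only to exercise the logic without an AEM instance. Keep the admin password out of the script and shell history (read it from an environment variable or a prompt), and review `/home.eacl.json` afterwards so that the new ACE names exactly one principal and one path.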