問題点

初めて SAML 認証を使用してログインしている間に、ユーザーはログインループに移行します。error.log では、コード com.adobe.granite.auth.saml.SamlAuthenticationHandler.createOrUpdateCRXUser の保存呼び出しから「アクセスが拒否されました」のエラーが発生します。

error.log からの関連エラー:

23.02.2017 16:04:22.944 *ERROR* [qtp350558097-87175] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not get user manager.
javax.jcr.AccessDeniedException: Access denied.
        at org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager.checkPermissions(AbstractAccessControlManager.java:200)
        at org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager.getTree(AbstractAccessControlManager.java:167)
        at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.getApplicablePolicies(AccessControlManagerImpl.java:184)
        at org.apache.jackrabbit.oak.spi.security.user.action.AccessControlAction.setAC(AccessControlAction.java:170)
        at org.apache.jackrabbit.oak.spi.security.user.action.AccessControlAction.onCreate(AccessControlAction.java:127)
        at org.apache.jackrabbit.oak.security.user.UserManagerImpl.onCreate(UserManagerImpl.java:262)
        at org.apache.jackrabbit.oak.security.user.UserManagerImpl.createUser(UserManagerImpl.java:169)
        at org.apache.jackrabbit.oak.security.user.UserManagerImpl.createUser(UserManagerImpl.java:150)
        at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator$8.perform(UserManagerDelegator.java:165)
        at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator$8.perform(UserManagerDelegator.java:161)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:208)
        at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator.createUser(UserManagerDelegator.java:161)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.createOrUpdateCRXUser(SamlAuthenticationHandler.java:943)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:808)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:433)
        at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
        at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
        at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
        at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
        at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
        at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
        at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
23.02.2017 16:04:22.946 *ERROR* [qtp350558097-87175] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
        at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
        at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)
        at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:419)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274)
        at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:416)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:821)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:433)
        at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
        at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
        at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
        at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
        at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
        at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
        at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied
        at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.checkPermissions(PermissionValidator.java:212)
        at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.childNodeAdded(PermissionValidator.java:150)
        at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
        at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
        at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
        at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:32)
        at org.apache.jackrabbit.oak.spi.commit.CompositeEditor.childNodeAdded(CompositeEditor.java:108)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeAdded(EditorDiff.java:116)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord$3.childNodeAdded(MapRecord.java:435)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:493)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:432)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:583)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord$3.childNodeChanged(MapRecord.java:440)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:483)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compareBranch(MapRecord.java:561)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:466)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:432)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:583)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:414)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:583)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord$2.childNodeChanged(MapRecord.java:399)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord$3.childNodeChanged(MapRecord.java:440)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:483)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:432)
        at org.apache.jackrabbit.oak.plugins.segment.MapRecord.compare(MapRecord.java:390)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:583)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.process(EditorDiff.java:52)
        at org.apache.jackrabbit.oak.spi.commit.EditorHook.processCommit(EditorHook.java:54)
        at org.apache.jackrabbit.oak.spi.commit.CompositeHook.processCommit(CompositeHook.java:61)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStore$Commit.prepare(SegmentNodeStore.java:488)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStore$Commit.optimisticMerge(SegmentNodeStore.java:519)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStore$Commit.execute(SegmentNodeStore.java:575)
        at org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStore.merge(SegmentNodeStore.java:238)
        at org.apache.jackrabbit.oak.spi.state.ProxyNodeStore.merge(ProxyNodeStore.java:43)
        at org.apache.jackrabbit.oak.core.MutableRoot.commit(MutableRoot.java:247)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.commit(SessionDelegate.java:347)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:494)
        ... 33 common frames omitted

環境

AEM 6.2

原因

AEM のアップグレード中に認証サービスユーザへの権限が失われるか削除されました。

解決策

認証サービスユーザーに /home フォルダーに対する権限がありません。この問題を修正するには、権限を再度追加します。

AEM 6.2 では、「認証サービス」ユーザーを「ユーザー管理者」と「コントリビューター」グループに追加して、問題を修復します。

ユーザーをグループのメンバーとして追加する手順:

  1. http://aem-host:port/useradmin に移動し、管理者としてログインしてください。
  2. 認証サービスの検索をします。
  3. ユーザーをダブルクリックします。
  4. 「グループ」タブを選択します。
  5. 左検索パネルでユーザー管理者を検索します。.
  6. 右パネルの「グループ」タブにユーザー管理者グループをドラッグ&ドロップします。
  7. 保存」をクリックします。
  8. コントリビューターのグループに対して手順 5~7 を繰り返します。

AEM 6.3 では、認証サービスはグループのメンバーではなくなりました。6.3 と同様の手順に従ってください。ただし代わりに認証サービスユーザーに完全な jcr 許可を /home フォルダーに対して与えてください。

本作品は Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License によってライセンス許可を受けています。  Twitter™ および Facebook の投稿には、Creative Commons の規約内容は適用されません。

法律上の注意   |   プライバシーポリシー