Setting LdapIdentityStoreDefinition attributes as follows:

@LdapIdentityStoreDefinition(
        url = "",
        bindDnPassword = "${ALIAS=somepassword}", // this is not working
        callerSearchBase = "",
        callerSearchFilter = "",
        groupSearchFilter = ""
)

Created alias somepassword in Payara server as follows:

create-password-alias somepassword
Enter the alias password>
Enter the alias password again>
Command create-password-alias executed successfully.

On running the application, I get the following exception:

 [2019-11-26T14:46:42.101-0500] [Payara 5.191] [WARNING] [] [javax.enterprise.system.container.web.com.sun.web.security] [tid: _ThreadID=29 _ThreadName=http-thread-pool::http-listener-1(2)] [timeMillis: 1574797602101] [levelValue: 900] [[
      JASPIC: http msg authentication fail
    javax.el.PropertyNotFoundException: ELResolver cannot handle a null base Object with identifier 'somepassword'
 at com.sun.el.lang.ELSupport.throwUnhandled(ELSupport.java:68)
        at com.sun.el.parser.AstIdentifier.getValue(AstIdentifier.java:126)
        at com.sun.el.parser.AstAssign.getValue(AstAssign.java:57)
        at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:226)
        at javax.el.ELProcessor.getValue(ELProcessor.java:129)
Christoph John
checkmate

2 Answers

As far as I am aware you cannot use environment properties directly in @LdapIdentityStoreDefinition. But there is a workaround via the MicroProfile Config API.

See this forum thread for reference: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/payara-forum/qvoDhtrbxJc/qxs0vTAxAgAJ

Christoph John
    This is correct. This annotation interprets values as EL expressions, according to the spec doc: https://javaee.github.io/security-spec/spec/jsr375-spec.html#_expression_language_support. Payara syntax collides with EL syntax and the value you specified is interpreted as an EL expression and not as a Payara expression. – OndroMih Nov 27 '19 at 17:08

The @LdapIdentityStoreDefinition annotation tries to interpret the value of bindDnPassword as an EL expression. This conflicts with the Payara expression for alias and gives you an exception.

A workaround is to define a system property that references the alias and then retrieve this system property from an EL expression.

E.g. you can specify a system property passwordproperty in Payara Server configuration that references the alias with the following asadmin command:

create-system-properties --target=server-config passwordproperty=${ALIAS\=somepassword}

Remember that you have to target a config, e.g. server-config. If you target an instance (e.g. server), the alias is not evaluated.

In the Admin Console, you would define the property in server-config -> System properties, not in server (Admin Server) -> Properties -> System properties; there the alias wouldn't be evaluated.

Then you can define bindDnPassword = "${System.getProperty('passwordproperty')}" and it would be evaluated to the value of the system property which is evaluated to the value of the alias.

I wish there were a direct way to evaluate an alias from an EL expression but there isn't. You may raise an enhancement request on Payara GitHub; it seems like evaluating Payara expressions from an EL expression would be a useful feature.

OndroMih
    Thanks, adding the property in server-config -> System properties as a key/value pair worked. In Java I am reading this property as mentioned by you - bindDnPassword = "${System.getProperty('passwordproperty')}" – checkmate Dec 03 '19 at 17:41
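
Added example, not part of the original answers or of Payara's own code: a variant of the system-property workaround that routes the EL expression through a CDI named bean, so the application fails closed when the alias was not expanded (for instance because the property was created on the instance rather than on server-config). The bean name ldapBindSecret, the helper requireResolved and all directory values are assumptions; the property name passwordproperty is the one from the answer above.

```java
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Named;
import javax.security.enterprise.identitystore.LdapIdentityStoreDefinition;

// Directory values below are placeholders, not taken from the page.
@LdapIdentityStoreDefinition(
        url = "ldap://ldap.example.test:389",
        bindDn = "cn=app-bind,ou=services,dc=example,dc=test",
        // EL reference to the named bean below instead of a direct
        // System.getProperty call, so the value is validated before use.
        bindDnPassword = "#{ldapBindSecret.password}",
        callerSearchBase = "ou=people,dc=example,dc=test",
        callerSearchFilter = "(uid=%s)",
        groupSearchBase = "ou=groups,dc=example,dc=test",
        groupSearchFilter = "(member=%s)"
)
@Named("ldapBindSecret") // hypothetical bean name
@ApplicationScoped
public class LdapBindSecret {

    // Created with:
    //   create-system-properties --target=server-config passwordproperty=${ALIAS\=somepassword}
    static final String PROPERTY = "passwordproperty";

    /** Called by the identity store through the EL expression above. */
    public String getPassword() {
        return requireResolved(System.getProperty(PROPERTY));
    }

    /** Rejects a missing value or an alias reference that was never expanded. */
    static String requireResolved(String value) {
        if (value == null || value.isEmpty()) {
            // Never attempt an LDAP bind with a null or empty password.
            throw new IllegalStateException(
                    "System property '" + PROPERTY + "' is not set");
        }
        if (value.startsWith("${ALIAS")) {
            // The literal alias reference came through: the property was not
            // defined on a config target. The value itself is not logged.
            throw new IllegalStateException(
                    "System property '" + PROPERTY + "' holds an unexpanded alias reference; "
                    + "define it on server-config");
        }
        return value;
    }
}
```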