LDAP :: RBAC :: group level permissions not working

[tulasinadhvaka]

Issue submitter TODO list

• I've looked up my issue in FAQ
• I've searched for an already existing issues here
• I've tried running master-labeled docker image and the issue still persists there
• I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

Hi Team,
After integrating with the LDAP, I was trying to provide different permissions for different teams. Where as it is not considering it. It is taking instance level permissions.

Here is the sample configuration I used

` rbac:
roles:
- name: "readonly"
clusters: ""
subjects:
- provider: ldap
type: group
value: ""
permissions:
- resource: clusterconfig
actions: [ "view" ]

    - resource: topic
      value: ".*"
      actions: 
        - VIEW
        - MESSAGES_READ

    - resource: consumer
      value: ".*"
      actions: [ view ]

    - resource: schema
      value: ".*"
      actions: [ view ]

    - resource: connect
      value: ".*"
      actions: [ view ]

    - resource: acl
      actions: [ view ]

#Production admins
- name: "prod-admins"
  clusters:
    - prod-msk-cluster
  subjects:
    - provider: ldap
      type: group
      value: "my_team"
  permissions:
    - resource: applicationconfig
      actions: all
  
    - resource: clusterconfig
      actions: all

    - resource: topic
      value: ".*"
      actions: all

    - resource: consumer
      value: ".*"
      actions: all

    - resource: schema
      value: ".*"
      actions: all

    - resource: connect
      value: ".*"
      actions: all

    - resource: ksql
      actions: all
      
    - resource: acl
      actions: [ view ]

#non-prod admins
- name: "non-prod-admins"
  clusters:
    - non-prod-msk-cluster
  subjects:
    - provider: ldap
      type: group
      value: "dev_team"
  permissions:
    - resource: applicationconfig
      actions: all
  
    - resource: clusterconfig
      actions: all

    - resource: topic
      value: ".*"
      actions: all

    - resource: consumer
      value: ".*"
      actions: all

    - resource: schema
      value: ".*"
      actions: all

    - resource: connect
      value: ".*"
      actions: all

    - resource: ksql
      actions: all
      
    - resource: acl
      actions: [ view ]

`

Expected behavior

Different groups should have different permissions

Your installation details

Installed using the docker-compose

--- version: '2' services: kafka-ui: container_name: kafka-ui image: provectuslabs/kafka-ui:latest ports: - 8080:8080 restart: always environment: ### logging ### LOGGING_LEVEL_ROOT: debug LOGGING_LEVEL_COM_PROVECTUS: debug KAFKA_ADMIN-CLIENT-TIMEOUT: 60000 ####### AUTH_TYPE: LDAP SPRING_LDAP_URLS: ldap://common-ad.my-org.net:389 SPRING_LDAP_BASE: cn=svcvaulttest,ou=Users,ou=common-ad-01,dc=common-ad-01,dc=my-org,dc=net SPRING_LDAP_ADMIN-USER: cn=ldap_admin,ou=Users,ou=common-ad-01,dc=common-ad-01,dc=my-org,dc=net SPRING_LDAP_ADMINP-ASSWORD: password SPRING_LDAP_USER-FILTER-SEARCH-BASE: ou=Users,ou=common-ad-01,dc=common-ad-01,dc=my-org,dc=net SPRING_LDAP_USER-FILTER-SEARCH-FILTER: "(sAMAccountName={0})" SPRING_LDAP_GROUP-FILTER-SEARCH-BASE: ou=Users,ou=common-ad-01,dc=common-ad-01,dc=my-org,dc=net SPRING_CONFIG_ADDITIONAL-LOCATION: /roles.yml

Steps to reproduce

The provided code should with if it can able to connect to any LDAP

Screenshots

No response

Logs

No response

Additional context

No response

[github-actions[bot]]

Hello there tulasinadhvaka! 👋

Thank you and congratulations 🎉 for opening your very first issue in this project! 💖

In case you want to claim this issue, please comment down below! We will try to get back to you as soon as we can. 👀

[gastoncan]

Maybe this can help?
#3892

[tulasinadhvaka]

@gastoncan That didn't help, as here users are part of different groups.

[Haarolean]

@tulasinadhvaka

Please provide the output of /api/authorization endpoint when you're authenticated.

[tulasinadhvaka]

@Haarolean Here is the output

{
"rbacEnabled": false,
"userInfo": {
"username": "tulasinadh.v",
"permissions": []
}
}

[Haarolean]

@tulasinadhvaka

add these properties:

    org.springframework.security.ldap.userdetails: TRACE
    org.springframework.security.ldap.authentication: TRACE

and look through your logs upon authenticating carefully, see if your LDAP requests are valid and you're being granted authorities (probably not).

[Haarolean]

https://env.simplestep.ca/

[tulasinadhvaka]

@Haarolean Here are the logs
2023-06-16 07:37:32,577 TRACE [boundedElastic-1] o.s.s.l.a.BindAuthenticator: Attempting to bind as cn=ldapuser,ou=Users,ou=common-ad-01,dc=common-ad-01,dc=myorg,dc=net 2023-06-16 07:37:32,650 TRACE [boundedElastic-1] o.s.s.l.a.BindAuthenticator: Failed to bind as cn=ldapuser,ou=Users,ou=common-ad-01,dc=common-ad-01,dc=myorg,dc=net org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563] at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:191) at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:363) at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:147) at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:138) at org.springframework.security.ldap.authentication.BindAuthenticator.bindWithDn(BindAuthenticator.java:111) at org.springframework.security.ldap.authentication.BindAuthenticator.bindWithDn(BindAuthenticator.java:100) at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:74) at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:174) at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:79) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) at org.springframework.security.authentication.ReactiveAuthenticationManagerAdapter.doAuthenticate(ReactiveAuthenticationManagerAdapter.java:60) at reactor.core.publisher.MonoFlatMap$FlatMapMain.onNext(MonoFlatMap.java:132) at reactor.core.publisher.FluxSubscribeOnValue$ScheduledScalar.run(FluxSubscribeOnValue.java:180) at reactor.core.scheduler.SchedulerTask.call(SchedulerTask.java:68) at reactor.core.scheduler.SchedulerTask.call(SchedulerTask.java:28) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) at java.base/java.lang.Thread.run(Thread.java:833) Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563] at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3260) at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3206) at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2992) at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2906) at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:732) at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) at java.naming/javax.naming.InitialContext.init(InitialContext.java:236) at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42) at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:351) ... 18 common frames omitted 2023-06-16 07:37:32,662 DEBUG [boundedElastic-1] o.s.s.l.a.BindAuthenticator: Failed to bind with any user DNs [cn=ldapuser,ou=Users,ou=common-ad-01,dc=common-ad-01,dc=myorg,dc=net] 2023-06-16 07:37:32,663 TRACE [boundedElastic-1] o.s.s.l.a.BindAuthenticator: Searching for user using FilterBasedLdapUserSearch [searchFilter=(sAMAccountName={0}); searchBase=ou=Users,ou=common-ad-01,dc=common-ad-01,dc=myorg,dc=net; scope=subtree; searchTimeLimit=0; derefLinkFlag=false ] 2023-06-16 07:37:32,676 DEBUG [boundedElastic-1] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://common-ad.myorg.net:389' 2023-06-16 07:37:32,703 DEBUG [boundedElastic-1] o.s.s.l.SpringSecurityLdapTemplate: Found DN: CN=Tulasinadh Vaka,OU=Users,OU=common-ad-01,DC=common-ad-01,DC=myorg,DC=net 2023-06-16 07:37:32,707 DEBUG [boundedElastic-1] o.s.s.l.s.FilterBasedLdapUserSearch: Found user 'tulasinadh.v', with FilterBasedLdapUserSearch [searchFilter=(sAMAccountName={0}); searchBase=ou=Users,ou=common-ad-01,dc=common-ad-01,dc=myorg,dc=net; scope=subtree; searchTimeLimit=0; derefLinkFlag=false ] 2023-06-16 07:37:32,709 TRACE [boundedElastic-1] o.s.s.l.a.BindAuthenticator: Attempting to bind as cn=Tulasinadh Vaka,ou=Users,ou=common-ad-01,dc=common-ad-01,dc=myorg,dc=net 2023-06-16 07:37:32,714 DEBUG [boundedElastic-1] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://common-ad.myorg.net:389' 2023-06-16 07:37:32,717 DEBUG [boundedElastic-1] o.s.s.l.a.BindAuthenticator: Bound cn=Tulasinadh Vaka,ou=Users,ou=common-ad-01,dc=common-ad-01,dc=myorg,dc=net 2023-06-16 07:37:32,718 DEBUG [boundedElastic-1] o.s.s.l.u.LdapUserDetailsMapper: Mapping user details from context with DN cn=Tulasinadh Vaka,ou=Users,ou=common-ad-01,dc=common-ad-01,dc=myorg,dc=net 2023-06-16 07:37:32,723 DEBUG [boundedElastic-1] o.s.s.l.a.LdapAuthenticationProvider: Authenticated user 2023-06-16 07:37:32,727 DEBUG [parallel-2] o.s.w.s.s.DefaultWebSessionManager: Created new WebSession. 2023-06-16 07:37:32,728 DEBUG [parallel-2] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Saved SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=LdapUserDetailsImpl [Dn=cn=Tulasinadh Vaka,ou=Users,ou=common-ad-01,dc=common-ad-01,dc=myorg,dc=net; Username=tulasinadh.v; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[]], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@6dadbbcf' 2023-06-16 07:37:32,733 DEBUG [parallel-1] o.s.s.w.s.DefaultServerRedirectStrategy: Redirecting to '/' 2023-06-16 07:37:32,734 DEBUG [parallel-1] o.s.w.s.a.HttpWebHandlerAdapter: [34dfa7a1-51] Completed 302 FOUND 2023-06-16 07:37:32,736 DEBUG [parallel-1] r.n.h.s.HttpServerOperations: [34dfa7a1-3, L:/172.20.0.2:8080 - R:/10.0.60.82:46256] Last HTTP response frame 2023-06-16 07:37:32,736 DEBUG [parallel-1] r.n.h.s.HttpServerOperations: [34dfa7a1-3, L:/172.20.0.2:8080 - R:/10.0.60.82:46256] No sendHeaders() called before complete, sending zero-length header 2023-06-16 07:37:32,739 DEBUG [reactor-http-epoll-2] r.n.h.s.HttpServerOperations: [34dfa7a1-3, L:/172.20.0.2:8080 - R:/10.0.60.82:46256] Decreasing pending responses, now 0 2023-06-16 07:37:32,739 DEBUG [reactor-http-epoll-2] r.n.c.ChannelOperations: [34dfa7a1-3, L:/172.20.0.2:8080 - R:/10.0.60.82:46256] [HttpServer] Channel inbound receiver cancelled (subscription disposed). 2023-06-16 07:37:32,739 DEBUG [reactor-http-epoll-2] r.n.h.s.HttpServerOperations: [34dfa7a1-3, L:/172.20.0.2:8080 - R:/10.0.60.82:46256] Last HTTP packet was sent, terminating the channel 2023-06-16 07:37:33,061 DEBUG [reactor-http-epoll-2] r.n.h.s.HttpServerOperations: [34dfa7a1, L:/172.20.0.2:8080 - R:/10.0.60.82:46256] Increasing pending responses, now 1 2023-06-16 07:37:33,061 DEBUG [reactor-http-epoll-2] r.n.h.s.HttpServer: [34dfa7a1-4, L:/172.20.0.2:8080 - R:/10.0.60.82:46256] Handler is being applied: org.springframework.http.server.reactive.ReactorHttpHandlerAdapter@5028f7b7 2023-06-16 07:37:33,061 DEBUG [reactor-http-epoll-2] o.s.w.s.a.HttpWebHandlerAdapter: [34dfa7a1-52] HTTP GET "/" 2023-06-16 07:37:33,062 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=POST} 2023-06-16 07:37:33,063 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'POST /login' 2023-06-16 07:37:33,064 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: No matches found 2023-06-16 07:37:33,064 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=GET} 2023-06-16 07:37:33,064 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'GET /login' 2023-06-16 07:37:33,064 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: No matches found 2023-06-16 07:37:33,064 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=GET} 2023-06-16 07:37:33,064 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'GET /logout' 2023-06-16 07:37:33,064 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: No matches found 2023-06-16 07:37:33,068 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=POST} 2023-06-16 07:37:33,068 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'POST /logout' 2023-06-16 07:37:33,068 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: No matches found 2023-06-16 07:37:33,068 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/css/**', method=null} 2023-06-16 07:37:33,068 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'null /css/**' 2023-06-16 07:37:33,068 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/js/**', method=null} 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'null /js/**' 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/media/**', method=null} 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'null /media/**' 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/resources/**', method=null} 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'null /resources/**' 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/actuator/health/**', method=null} 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'null /actuator/health/**' 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/actuator/info', method=null} 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'null /actuator/info' 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/auth', method=null} 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'null /auth' 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=null} 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'null /login' 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=null} 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'null /logout' 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/oauth2/**', method=null} 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'null /oauth2/**' 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/static/**', method=null} 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /' doesn't match 'null /static/**' 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: No matches found 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.a.DelegatingReactiveAuthorizationManager: Checking authorization on '/' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@4192621c 2023-06-16 07:37:33,069 DEBUG [reactor-http-epoll-2] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=LdapUserDetailsImpl [Dn=cn=Tulasinadh Vaka,ou=Users,ou=common-ad-01,dc=common-ad-01,dc=myorg,dc=net; Username=tulasinadh.v; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[]], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@6dadbbcf' 2023-06-16 07:37:33,070 DEBUG [reactor-http-epoll-2] o.s.s.w.s.a.AuthorizationWebFilter: Authorization successful 2023-06-16 07:37:33,097 DEBUG [reactor-http-epoll-2] o.s.w.r.r.m.a.RequestMappingHandlerMapping: [34dfa7a1-52] Mapped to com.provectus.kafka.ui.controller.StaticController#getIndex(ServerWebExchange) 2023-06-16 07:37:33,149 DEBUG [reactor-http-epoll-2] o.s.w.r.r.m.a.ResponseEntityResultHandler: [34dfa7a1-52] Using 'text/html' given [text/html, application/xhtml+xml, image/avif, image/webp, image/apng, application/xml;q=0.9, */*;q=0.8, application/signed-exchange;v=b3;q=0.7] and supported [text/html] 2023-06-16 07:37:33,150 DEBUG [reactor-http-epoll-2] o.s.w.r.r.m.a.ResponseEntityResultHandler: [34dfa7a1-52] 0..1 [java.lang.String] 2023-06-16 07:37:33,159 DEBUG [reactor-http-epoll-2] o.s.c.c.CharSequenceEncoder: [34dfa7a1-52] Writing "<!DOCTYPE html><EOL><html lang="en"><EOL> <head><EOL> <meta charset="utf-8" /><EOL> <meta name="viewport" con (truncated)..." 2023-06-16 07:37:33,170 DEBUG [reactor-http-epoll-2] r.n.h.s.HttpServerOperations: [34dfa7a1-4, L:/172.20.0.2:8080 - R:/10.0.60.82:46256] Decreasing pending responses, now 0 2023-06-16 07:37:33,171 DEBUG [reactor-http-epoll-2] r.n.h.s.HttpServerOperations: [34dfa7a1-4, L:/172.20.0.2:8080 - R:/10.0.60.82:46256] Last HTTP packet was sent, terminating the channel 2023-06-16 07:37:33,171 DEBUG [reactor-http-epoll-2] r.n.c.ChannelOperations: [34dfa7a1-4, L:/172.20.0.2:8080 - R:/10.0.60.82:46256] [HttpServer] Channel inbound receiver cancelled (operation cancelled). 2023-06-16 07:37:33,176 DEBUG [reactor-http-epoll-2] o.s.w.s.a.HttpWebHandlerAdapter: [34dfa7a1-52] Completed 200 OK 2023-06-16 07:37:33,176 DEBUG [reactor-http-epoll-2] r.n.h.s.HttpServerOperations: [34dfa7a1-4, L:/172.20.0.2:8080 - R:/10.0.60.82:46256] Last HTTP response frame 2023-06-16 07:37:33,497 DEBUG [reactor-http-epoll-2] r.n.h.s.HttpServerOperations: [34dfa7a1, L:/172.20.0.2:8080 - R:/10.0.60.82:46256] Increasing pending responses, now 1 2023-06-16 07:37:33,498 DEBUG [reactor-http-epoll-1] r.n.h.s.HttpServerOperations: [af737676, L:/172.20.0.2:8080 - R:/10.0.60.82:46268] Increasing pending responses, now 1 2023-06-16 07:37:33,498 DEBUG [reactor-http-epoll-1] r.n.h.s.HttpServer: [af737676-2, L:/172.20.0.2:8080 - R:/10.0.60.82:46268] Handler is being applied: org.springframework.http.server.reactive.ReactorHttpHandlerAdapter@5028f7b7 2023-06-16 07:37:33,498 DEBUG [reactor-http-epoll-1] o.s.w.s.a.HttpWebHandlerAdapter: [af737676-53] HTTP GET "/assets/ace-042f3d64.js" 2023-06-16 07:37:33,498 DEBUG [reactor-http-epoll-2] r.n.h.s.HttpServer: [34dfa7a1-5, L:/172.20.0.2:8080 - R:/10.0.60.82:46256] Handler is being applied: org.springframework.http.server.reactive.ReactorHttpHandlerAdapter@5028f7b7 2023-06-16 07:37:33,499 DEBUG [reactor-http-epoll-2] o.s.w.s.a.HttpWebHandlerAdapter: [34dfa7a1-54] HTTP GET "/assets/index-ca59113e.js" 2023-06-16 07:37:33,500 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=POST} 2023-06-16 07:37:33,501 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /assets/ace-042f3d64.js' doesn't match 'POST /login' 2023-06-16 07:37:33,501 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: No matches found 2023-06-16 07:37:33,501 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=GET} 2023-06-16 07:37:33,501 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /assets/ace-042f3d64.js' doesn't match 'GET /login' 2023-06-16 07:37:33,501 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: No matches found 2023-06-16 07:37:33,501 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=GET} 2023-06-16 07:37:33,501 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /assets/ace-042f3d64.js' doesn't match 'GET /logout'

[Haarolean]

@tulasinadhvaka That's better, but still, there are no logs for DefaultLdapAuthoritiesPopulator. There must be one, unless you haven't configured logging properly in that part.

[tulasinadhvaka]

@Haarolean Below are the extra properties I have added
LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY_LDAP_USERDETAILS: TRACE LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY_LDAP_AUTHENTICATION: TRACE
When I grep the logs for DefaultLdapAuthoritiesPopulator didn't find any. If it is okay we can connect over the call & check

[Haarolean]

@tulasinadhvaka feel free to ping me on discord, the invite link is available in readme

[Haarolean]

RBAC is off (source), that's why no authorities have been mapped.

As to why RBAC is off, it works based on the roles list, if there are no roles defined -- it's off.
Considering the first message, it seems like the config indentation is off.