Bug 1036496

Summary: Failed to login admin console with LDAP auth in EAP 6.2.0 Beta
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Hisanobu Okuda <hokuda>
Component: Domain ManagementAssignee: Brian Stansberry <brian.stansberry>
Status: CLOSED CURRENTRELEASE QA Contact: Josef Cacek <jcacek>
Severity: unspecified Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified    
Version: 6.2.0CC: emuckenh, hokuda, jcacek, pkremens
Target Milestone: CR3   
Target Release: EAP 6.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-15 16:48:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Hisanobu Okuda 2013-12-02 07:02:29 UTC 
Description of problem:
Configuring <ldap/> for security realm, failed to login admin console.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1. Change standalone.xml

    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization map-groups-to-roles="false">
                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
            <security-realm name="ApplicationRealm">
                <authentication>
                    <local default-user="$local" allowed-users="*"/>
                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization>
                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
            <security-realm name="ldap_security_realm">
                <authentication>
                    <ldap base-dn="dc=redhat,dc=com" connection="ldap_connection" recursive="true">
                      <username-filter attribute="uid"/>
                    </ldap>
                </authentication>
            </security-realm>
        </security-realms>
        <outbound-connections>
            <ldap name="ldap_connection" search-credential="password" search-dn="cn=Directory Manager" url="ldap://host02:389"/>
        </outbound-connections>
        <audit-log>
            <formatters>
                <json-formatter name="json-formatter"/>
            </formatters>
            <handlers>
                <file-handler name="file" formatter="json-formatter" relative-to="jboss.server.data.dir" path="audit-log.log"/>
            </handlers>
            <logger log-boot="true" log-read-only="false" enabled="false">
                <handlers>
                    <handler name="file"/>
                </handlers>
            </logger>
        </audit-log>
        <management-interfaces>
<!--
            <native-interface security-realm="ManagementRealm">
-->
            <native-interface security-realm="ldap_security_realm">
                <socket-binding native="management-native"/>
            </native-interface>
<!--
            <http-interface security-realm="ManagementRealm">
-->
            <http-interface security-realm="ldap_security_realm">
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>

2. access http://localhost:9990/console/App.html
3. login with a valid user account/password
4. There is no log message, but ClassCastException is thrown internally at BasicAuthenticator.java:110.

Actual results:


Expected results:


Additional info:
Comment 1 Hisanobu Okuda 2013-12-02 07:03:06 UTC 
Attaching debugger, I confirmed EAP6 is attempting to cast org.jboss.com.sun.net.httpserver.HttpPrincipal to SubjectHttpPrincipal. Since it throws the exception, subsequent authentication process is not performed, and the authentication failed.

jdb output:-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HttpManagementService-threads - 3[1] next
> 
Step completed: "thread=HttpManagementService-threads - 3", org.jboss.as.domain.http.server.security.BasicAuthenticator._authenticate(), line=110 bci=107

HttpManagementService-threads - 3[1] print response.getPrincipal().getClass()
 response.getPrincipal().getClass() = "class org.jboss.com.sun.net.httpserver.HttpPrincipal"
HttpManagementService-threads - 3[1]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

org.jboss.as.domain.http.server.security.BasicAuthenticator:-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            SubjectHttpPrincipal principal = (SubjectHttpPrincipal) ((Success) response).getPrincipal();
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comment 2 Hisanobu Okuda 2013-12-02 07:05:09 UTC 
Please add this to blocker list of EAP 6.2.0.GA, because this is a fundamental feature which many customers are using now on EAP 6.1.x and 6.0.x.
Comment 4 Hisanobu Okuda 2013-12-02 08:28:12 UTC 
Hi Josef, it works fine on 6.2.0.CR3 bits! Thanks!