Bug 1067610

Summary: [GSS] (6.3.0) Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Derek Horton <dehort>
Component: SecurityAssignee: Derek Horton <dehort>
Status: CLOSED CURRENTRELEASE QA Contact: Josef Cacek <jcacek>
Severity: unspecified Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified    
Version: 6.1.1CC: dehort, hmlnarik, smumford, twells
Target Milestone: ER4   
Target Release: EAP 6.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6 it was found that authentication attempts would fail if the `DatabaseRolesMappingProvider` returned a null value. This was caused by the authentication not being able to provide roles to authenticated users if the value was null. In this release of the product, the security system will honor successful authentications and not attempt to apply roles in instances where the returned value is null.
 Story Points: ---
Clone Of:
: 1067612 (view as bug list) Environment:
Last Closed: 2014-06-28 15:38:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1067584, 1067612    

Description Derek Horton 2014-02-20 17:32:45 UTC 
Description of problem:

If the DatabaseRolesMappingProvider's rolesQuery returns an empty set, then the authentication attempts will fail. Seems like it should not cause the authentication attempt to fail, since this is about mapping/adding roles.

It looks like the code detects that the result set is empty, but then it tries to get the role from the empty set. This causes an exception which in turn causes the authentication attempt to fail.

Steps to Reproduce:
1.  Configure the security-domain to use the DatabaseRolesMappingProvider
2.  Login as a user that authenticates correctly, but the role query should return an empty set


Actual results:

The authentication request will fail.


Expected results:

The authentication request should succeed, but the DatabaseRolesMappingProvider should not apply any roles
Comment 1 Derek Horton 2014-02-20 17:42:59 UTC 
Fix committed to:
https://svn.jboss.org/repos/picketbox/branches/eap62
https://svn.jboss.org/repos/picketbox/trunk
Comment 2 JBoss JIRA Server 2014-02-20 17:43:05 UTC 
Derek Horton <dhorton> updated the status of jira SECURITY-797 to Resolved
Comment 5 Hynek Mlnarik 2014-05-14 15:57:19 UTC 
Verified in 6.3.0.ER4
Comment 6 Scott Mumford 2014-05-15 04:58:11 UTC 
Refactored release note text for this as a Known Issue (ER4 fixes will not be picked up in the 6.3.0 Beta release)

Original note included here for use at 6.3.0 GA:

In previous versions of JBoss EAP 6 it was found that authentication attempts would fail if the `DatabaseRolesMappingProvider` returned a null value. This was caused by the authentication not being able to provide roles to authenticated users if the value was null. In this release of the product, the security system will honor successful authentications and not attempt to apply roles in instances where the returned value is null.