Bug 1067612

Summary: [GSS] (6.2.x) Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Derek Horton <dehort>
Component: Security
Assignee: Derek Horton <dehort>
Status: CLOSED CURRENTRELEASE
QA Contact: Josef Cacek <jcacek>
Severity: unspecified
Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified
Version: 6.1.1
CC: dehort, olukas, smumford, vtunka
Target Milestone: CR2
Target Release: EAP 6.2.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6, the DatabaseRolesMappingProvider could attempt to get information from an empty SQL set in certain circumstances. When this occurred, an exception was thrown which caused the authentication request to fail. In this release of the product, the DatabaseRolesMappingProvider has been modified to avoid using an empty SQL set. Authentication requests that result in the DatabaseRolesMappingProvider rolesQuery returning an empty set are now handled correctly and do not fail.
Story Points: ---
Clone Of: 1067610
Environment:
Last Closed: 2014-06-02 12:50:10 UTC
Type: Bug
Bug Depends On: 1067610    
Bug Blocks: 1049365, 1067580    

Description Derek Horton 2014-02-20 17:39:10 UTC
+++ This bug was initially created as a clone of Bug #1067610 +++

Description of problem:

If the DatabaseRolesMappingProvider's rolesQuery returns an empty set, then the authentication attempts will fail. Seems like it should not cause the authentication attempt to fail, since this is about mapping/adding roles.

It looks like the code detects that the result set is empty, but then it tries to get the role from the empty set. This causes an exception which in turn causes the authentication attempt to fail.

Steps to Reproduce:
1. Configure the security-domain to use the DatabaseRolesMappingProvider
2. Log in as a user that authenticates correctly, but the role query should return an empty set


Actual results:

The authentication request will fail.


Expected results:

The authentication request should succeed, but the DatabaseRolesMappingProvider should not apply any roles
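
The failure mode described in this report, as an added Java example that is not the JBoss EAP source: a role-mapping loop that notices the empty result but still reads a row, next to a form that maps no roles. The names `rows`, `mapRolesBroken` and `mapRolesFixed` are hypothetical, the in-memory `ResultSet` is a constructed stand-in so the example runs without a database, and Java 9 or later is assumed.

```java
import java.lang.reflect.Proxy;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

// Added illustration with hypothetical names; not the JBoss EAP source.
public class EmptyRolesQueryDemo {
    // Constructed in-memory rolesQuery result; getString() throws without a current row, as JDBC drivers typically do.
    static ResultSet rows(List<String> roles) {
        Iterator<String> it = roles.iterator();
        String[] current = new String[1];
        return (ResultSet) Proxy.newProxyInstance(ResultSet.class.getClassLoader(),
            new Class<?>[] {ResultSet.class}, (proxy, method, args) -> {
                if (method.getName().equals("next")) {
                    current[0] = it.hasNext() ? it.next() : null;
                    return current[0] != null;
                }
                if (method.getName().equals("getString") && current[0] != null) return current[0];
                throw new SQLException("no current row");
            });
    }

    // Failure mode from the report: emptiness is noticed, but the loop still reads a row.
    static List<String> mapRolesBroken(ResultSet rs) throws SQLException {
        List<String> roles = new ArrayList<>();
        if (!rs.next()) System.out.println("broken: no roles found");
        do { roles.add(rs.getString(1)); } while (rs.next());
        return roles;
    }

    // Corrected: an empty result maps no roles and never touches a row.
    static List<String> mapRolesFixed(ResultSet rs) throws SQLException {
        List<String> roles = new ArrayList<>();
        while (rs.next()) roles.add(rs.getString(1));
        return roles;
    }

    public static void main(String[] args) throws SQLException {
        System.out.println("fixed, one role: " + mapRolesFixed(rows(List.of("admin"))));
        System.out.println("fixed, empty:    " + mapRolesFixed(rows(List.of())));
        try {
            mapRolesBroken(rows(List.of()));
        } catch (SQLException e) {
            System.out.println("broken, empty:   SQLException: " + e.getMessage());
        }
    }
}
```

In a login stack, the `SQLException` from the broken form is what surfaces as a failed authentication. With the fixed form the user authenticates and this provider adds no roles, so access to role-protected resources is still decided by the authorization rules.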

Comment 2 JBoss JIRA Server 2014-02-20 17:43:05 UTC
Derek Horton <dhorton> updated the status of jira SECURITY-797 to Resolved

Comment 3 Ondrej Lukas 2014-03-04 14:26:59 UTC
Verified on EAP 6.2.2.CR2.

Comment 4 Russell Dickenson 2014-03-06 13:41:29 UTC
Derek,

Please provide draft Release Notes text for this ticket.

Thank you