Bug 1196343

Summary: [GSS](6.4.z) Fix LDAP authentication/authorization failing due to unneeded role lookup requests (except on IBM JDK 6, see BZ-1301732)
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Phil Festoso <philfest>
Component: Security
Assignee: Chris Dolphy <cdolphy>
Status: CLOSED CURRENTRELEASE
QA Contact: Josef Cacek <jcacek>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 6.4.0
CC: anmiller, bbaranow, bdawidow, bmaxwell, cdewolf, cdolphy, darran.lofthouse, dhorton, istudens, jawilson, olukas, philfest, pskopek, rsvoboda, vtunka
Target Milestone: CR2
Target Release: EAP 6.4.6
Hardware: Unspecified
OS: Unspecified
URL: https://github.com/jbossas/jboss-eap/pull/2654
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1301732 (view as bug list)
Environment:
Last Closed: 2017-01-17 11:45:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1235746, 1301732
Attachments:
  config for testing change (flags: none)

Description Phil Festoso 2015-02-25 18:27:10 UTC
Description of problem:
Customer is seeing performance issues with EAP 6 when attempting to use the management interface and authenticate against their LDAP server. They have a flat but very large collection of groups. They would like to see performance similar to what they saw using the parseRoleNameFromDN feature in EAP 5.

Version-Release number of selected component (if applicable):
EAP 6.4Beta

How reproducible:
Not very. Need access to customer's unique ldap provider and structure. 

Steps to Reproduce:
1. Configure <ldap> in the management interface to use the above-mentioned provider
2. Attempt to access management interface

Actual results:
Authentication times out at 5s. (Increasing this value for customers production environment is not acceptable.)

Expected results:
Authentication does not timeout.

Additional info:
Severity set to Urgent at request of customer. There is a planned move to EAP 6 as part of a major upgrade to an ISV-provided application and this is a blocker for them.

Comment 2 Phil Festoso 2015-02-27 23:58:44 UTC
Forgot to reference support case 00890012. Thank you.

Comment 5 Phil Festoso 2015-03-30 14:52:41 UTC
Any news? Customer is pushing hard to get this into a CP for 6.4.

Comment 14 Chris Dolphy 2015-10-24 00:18:30 UTC
Created attachment 1086005 [details]
config for testing change

Comment 43 JBoss JIRA Server 2016-01-15 11:11:49 UTC
Ondrej Lukas <olukas> updated the status of jira JBEAP-2320 to Reopened

Comment 44 Ondrej Lukas 2016-01-20 12:56:06 UTC
Verification failed for IBM JDK 1.6. Remaining JDKs from platform certification work correctly.

When a group name from LDAP contains '/' characters, authentication fails.

Exception in EAP server.log after failed authentication:
TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) Failure supplementing Subject: java.lang.IllegalArgumentException: Cannot convert hex String to UTF8
	at org.apache.harmony.jndi.internal.parser.LdapRdnParser.getUnEscapedValues(LdapRdnParser.java:173) [jndi.jar:]
	at org.apache.harmony.jndi.internal.parser.LdapRdnParser.unescapeValue(LdapRdnParser.java:131) [jndi.jar:]
	at javax.naming.ldap.Rdn.unescapeValue(Rdn.java:65) [jndi.jar:]
	at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.parseRole(LdapGroupSearcherFactory.java:345) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.search(LdapGroupSearcherFactory.java:277) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.search(LdapGroupSearcherFactory.java:215) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapCacheService$NoCacheCache.search(LdapCacheService.java:225) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.loadGroupEntries(LdapSubjectSupplementalService.java:218) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.loadGroups(LdapSubjectSupplementalService.java:195) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.loadGroups(LdapSubjectSupplementalService.java:188) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.supplementSubject(LdapSubjectSupplementalService.java:163) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.SecurityRealmService$1.createSubjectUserInfo(SecurityRealmService.java:223) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.http.server.security.BasicAuthenticator._authenticate(BasicAuthenticator.java:115) [jboss-as-domain-http-interface-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.http.server.security.BasicAuthenticator.authenticate(BasicAuthenticator.java:80) [jboss-as-domain-http-interface-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:64)
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
	at org.jboss.sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:710)
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:78)
	at org.jboss.as.domain.http.server.XFrameHeaderFilter.doFilter(XFrameHeaderFilter.java:45) [jboss-as-domain-http-interface-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
	at org.jboss.as.domain.http.server.RealmReadinessFilter.doFilter(RealmReadinessFilter.java:48) [jboss-as-domain-http-interface-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.http.server.DmrFailureReadinessFilter.doFilter(DmrFailureReadinessFilter.java:45) [jboss-as-domain-http-interface-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
	at org.jboss.sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:682)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:908) [rt.jar:1.6.0]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:931) [rt.jar:1.6.0]
	at java.lang.Thread.run(Thread.java:738) [vm.jar:1.6.0]
	at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]

Comment 45 dhorton 2016-01-22 04:17:22 UTC
I think this is happening due to a bug in the Apache Harmony code that ships with the IBM 1.6 JDK:
https://issues.apache.org/jira/browse/HARMONY-4229

As previously mentioned, this does not happen on IBM 1.7 JDK, Oracle 1.6 or 1.7.

At this point, I think the best approach would be to modify the catch statement in parseRole to be broader in what it catches. That way it would be less likely that odd parsing issues would cause authentication issues.
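The following is an added example, not code from the EAP code base, the pull request, or the attached test config. It illustrates two points from this bug: the description's request to derive a role name from the group DN instead of issuing a further lookup per group (the EAP 5 parseRoleNameFromDN behaviour), and comment 45's suggestion to catch parse failures broadly so that one odd group name cannot fail the whole authentication. It is a hypothetical Python reimplementation of the parseRole step: split off the leftmost RDN, unescape its value per RFC 4514 (backslash-hex pairs decoded as UTF-8, which is the conversion the IBM JDK 6 trace fails on), and in lenient mode fall back to the raw value rather than throwing. The group DNs are constructed samples; '/' is not an RFC 4514 special character, so a correct parser passes it through unchanged. Function names and the lenient flag are this example's own.

```python
from typing import List, Tuple

# Constructed sample group DNs, not taken from the customer's directory.
# They cover a '/' in the name, an escaped comma, a UTF-8 hex escape and a
# malformed escape.
SAMPLE_GROUP_DNS = [
    "cn=admins/ops,ou=groups,dc=example,dc=com",
    "cn=Sales\\, EMEA,ou=groups,dc=example,dc=com",
    "cn=caf\\C3\\A9,ou=groups,dc=example,dc=com",
    "cn=bad\\ZZ,ou=groups,dc=example,dc=com",
]

# Characters RFC 4514 allows to follow a backslash as a literal escape.
_ESCAPABLE = set(' "#+,;<=>\\')
_HEX = "0123456789abcdefABCDEF"


def split_first_rdn(dn: str) -> Tuple[str, str]:
    """Return (attribute type, still-escaped value) of the leftmost RDN.

    Scans to the first comma that is not backslash-escaped. Never raises,
    so the caller always has a raw value to fall back on.
    """
    end = len(dn)
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character (or first hex digit)
            continue
        if dn[i] == ",":
            end = i
            break
        i += 1
    rdn = dn[:end]
    attr_type, sep, value = rdn.partition("=")
    if not sep:
        return "", rdn
    return attr_type.strip(), value


def unescape_rdn_value(value: str) -> str:
    """Strict RFC 4514 unescape of one RDN value.

    A backslash followed by two hex digits is one byte of UTF-8; a backslash
    followed by a special character is that character. Anything else after a
    backslash, or hex bytes that are not valid UTF-8, raises ValueError.
    """
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != "\\":
            out += ch.encode("utf-8")
            i += 1
            continue
        nxt = value[i + 1:i + 3]
        if len(nxt) == 2 and nxt[0] in _HEX and nxt[1] in _HEX:
            out.append(int(nxt, 16))
            i += 3
        elif len(nxt) >= 1 and nxt[0] in _ESCAPABLE:
            out += nxt[0].encode("utf-8")
            i += 2
        else:
            raise ValueError(f"malformed escape at offset {i}: {value!r}")
    try:
        return out.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"hex escapes are not valid UTF-8: {value!r}") from exc


def parse_role(dn: str, lenient: bool = True) -> str:
    """Derive a role name from the leftmost RDN value of a group DN.

    lenient=True: a parse failure falls back to the raw RDN value, so one odd
    group name cannot fail authentication (the broad catch of comment 45).
    lenient=False: the failure propagates, as in the IBM JDK 6 stack trace.
    """
    _, raw_value = split_first_rdn(dn)
    try:
        return unescape_rdn_value(raw_value)
    except ValueError:
        if not lenient:
            raise
        return raw_value


def roles_for(dns: List[str], lenient: bool = True) -> List[str]:
    """Map every group DN from the membership search to a role name locally,
    i.e. with zero further LDAP round trips."""
    return [parse_role(dn, lenient) for dn in dns]
```

Running roles_for() over the DNs returned by a single membership search yields the role names without any per-group LDAP lookup, which is the difference the description is after. parse_role(dn, lenient=False) reproduces the failing behaviour for a malformed escape such as the fourth sample or for a hex sequence that is not valid UTF-8, while the default lenient mode keeps the raw value and lets authentication proceed.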

Comment 46 Ivo Studensky 2016-01-22 08:29:41 UTC
Derek, thanks for the clarification.

Comment 50 Ondrej Lukas 2016-01-26 12:49:30 UTC
Verified in EAP 6.4.6.CP.CR2.

Comment 51 JBoss JIRA Server 2016-06-14 11:37:01 UTC
Jiri Pallich <jpallich> updated the status of jira JBEAP-2320 to Closed

Comment 52 Petr Penicka 2017-01-17 11:45:22 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.