Bug 1067610 - [GSS] (6.3.0) Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security (Show other bugs)
Version: 6.1.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ER4
Target Release: EAP 6.3.0
Assigned To: Derek Horton
Josef Cacek
Russell Dickenson
Depends On:
Blocks: 1067584 1067612
Reported: 2014-02-20 12:32 EST by Derek Horton
Modified: 2014-06-28 11:38 EDT (History)
CC: 4 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6 it was found that authentication attempts would fail if the `DatabaseRolesMappingProvider` returned a null value. This was caused by the authentication not being able to provide roles to authenticated users if the value was null. In this release of the product, the security system will honor successful authentications and not attempt to apply roles in instances where the returned value is null.
Story Points: ---
Clone Of:
Clones: 1067612
Environment:
Last Closed: 2014-06-28 11:38:56 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker SECURITY-797 Major Resolved Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set 2014-07-24 03:27:01 EDT
Description Derek Horton 2014-02-20 12:32:45 EST
Description of problem:

If the DatabaseRolesMappingProvider's rolesQuery returns an empty set, then the authentication attempts will fail. It seems like it should not cause the authentication attempt to fail, since this is about mapping/adding roles.

It looks like the code detects that the result set is empty, but then it tries to get the role from the empty set. This causes an exception which in turn causes the authentication attempt to fail.

Steps to Reproduce:
1.  Configure the security-domain to use the DatabaseRolesMappingProvider.
2.  Log in as a user that authenticates correctly, but for whom the role query returns an empty set.


Actual results:

The authentication request will fail.


Expected results:

The authentication request should succeed, but the DatabaseRolesMappingProvider should not apply any roles.
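The failure mode in the description, modelled as an added Python example that is not JBoss EAP's own code: a role-mapping step that notices an empty result set but still reads from it turns a correct password into a failed login, while the corrected mapper returns an empty role set and lets the authentication stand. The SQLite schema, the users and the `rolesQuery` text are constructed for the example.

```python
import sqlite3
from typing import Callable, Set, Tuple

# Constructed stand-in for the tables a DatabaseRolesMappingProvider-style
# rolesQuery would read. 'bob' authenticates but has no role rows at all.
_SCHEMA = """
CREATE TABLE users(name TEXT PRIMARY KEY, password TEXT NOT NULL);
CREATE TABLE user_roles(name TEXT NOT NULL, role TEXT NOT NULL);
INSERT INTO users VALUES ('alice', 'alice-pw'), ('bob', 'bob-pw');
INSERT INTO user_roles VALUES ('alice', 'admin'), ('alice', 'user');
"""
ROLES_QUERY = "SELECT role FROM user_roles WHERE name = ?"  # assumed query shape

RoleMapper = Callable[[sqlite3.Connection, str], Set[str]]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def authenticate(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Credential check kept deliberately simple; the subject here is the
    # role-mapping step that runs after a successful authentication.
    row = conn.execute("SELECT password FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and row[0] == password


def map_roles_buggy(conn: sqlite3.Connection, name: str) -> Set[str]:
    """Reproduces the reported defect: the empty set is detected, then read anyway."""
    rows = conn.execute(ROLES_QUERY, (name,)).fetchall()
    if not rows:
        pass  # the empty result is noticed here, but control falls through...
    first_role = rows[0][0]  # ...and this raises IndexError on the empty set
    return {first_role} | {r[0] for r in rows[1:]}


def map_roles_fixed(conn: sqlite3.Connection, name: str) -> Set[str]:
    """Corrected mapper: no roles is a valid outcome, not an error."""
    rows = conn.execute(ROLES_QUERY, (name,)).fetchall()
    if not rows:
        return set()
    return {r[0] for r in rows}


def login(conn: sqlite3.Connection, name: str, password: str,
          mapper: RoleMapper) -> Tuple[bool, Set[str]]:
    """Return (authenticated, roles).

    An exception thrown by the mapper is treated as a failed login, which is
    how the mapping error surfaced to callers in the report: a user with a
    correct password was rejected because role assignment blew up.
    """
    if not authenticate(conn, name, password):
        return False, set()
    try:
        return True, mapper(conn, name)
    except Exception:
        return False, set()


if __name__ == "__main__":
    db = open_db()
    print("alice/fixed :", login(db, "alice", "alice-pw", map_roles_fixed))
    print("bob/buggy   :", login(db, "bob", "bob-pw", map_roles_buggy))
    print("bob/fixed   :", login(db, "bob", "bob-pw", map_roles_fixed))
```

Running it shows 'bob' rejected by `map_roles_buggy` despite a correct password and accepted with an empty role set by `map_roles_fixed`; this is the behaviour the expected-results section asks for, with authorization decisions left to whatever later checks the (empty) role set.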
Comment 2 JBoss JIRA Server 2014-02-20 12:43:05 EST
Derek Horton <dhorton@redhat.com> updated the status of jira SECURITY-797 to Resolved
Comment 5 Hynek Mlnarik 2014-05-14 11:57:19 EDT
Verified in 6.3.0.ER4
Comment 6 Scott Mumford 2014-05-15 00:58:11 EDT
Refactored release note text for this as a Known Issue (ER4 fixes will not be picked up in the 6.3.0 Beta release)

Original note included here for use at 6.3.0 GA:

In previous versions of JBoss EAP 6 it was found that authentication attempts would fail if the `DatabaseRolesMappingProvider` returned a null value. This was caused by the authentication not being able to provide roles to authenticated users if the value was null. In this release of the product, the security system will honor successful authentications and not attempt to apply roles in instances where the returned value is null.
