Bug 1067610 - [GSS] (6.3.0) Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set
Summary: [GSS] (6.3.0) Authentication attempts will fail if the DatabaseRolesMappingPr...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ER4
: EAP 6.3.0
Assignee: Derek Horton
QA Contact: Josef Cacek
Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks: 1067584 1067612
TreeView+ depends on / blocked
 
Reported: 2014-02-20 17:32 UTC by Derek Horton
Modified: 2018-12-04 17:35 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6 it was found that authentication attempts would fail if the `DatabaseRolesMappingProvider` returned a null value. This was caused by the authentication not being able to provide roles to authenticated users if the value was null. In this release of the product, the security system will honor successful authentications and not attempt to apply roles in instances where the returned value is null.
Clone Of:
: 1067612 (view as bug list)
Environment:
Last Closed: 2014-06-28 15:38:56 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SECURITY-797 0 Major Resolved Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set 2014-07-24 07:27:01 UTC

Description Derek Horton 2014-02-20 17:32:45 UTC
Description of problem:

If the DatabaseRolesMappingProvider's rolesQuery returns an empty set, then the authentication attempts will fail. Seems like it should not cause the authentication attempt to fail, since this is about mapping/adding roles.

It looks like the code detects that the result set is empty, but then it tries to get the role from the empty set. This causes an exception which in turn causes the authentication attempt to fail.

Steps to Reproduce:
1.  Configure the security-domain to use the DatabaseRolesMappingProvider
2.  Login as a user that authenticates correctly, but the role query should return an empty set


Actual results:

The authentication request will fail.


Expected results:

The authentication request should succeed, but the DatabaseRolesMappingProvider should not apply any roles

Comment 2 JBoss JIRA Server 2014-02-20 17:43:05 UTC
Derek Horton <dhorton> updated the status of jira SECURITY-797 to Resolved

Comment 5 Hynek Mlnarik 2014-05-14 15:57:19 UTC
Verified in 6.3.0.ER4

Comment 6 Scott Mumford 2014-05-15 04:58:11 UTC
Refactored release note text for this as a Known Issue (ER4 fixes will not be picked up in the 6.3.0 Beta release)

Original note included here for use at 6.3.0 GA:

In previous versions of JBoss EAP 6 it was found that authentication attempts would fail if the `DatabaseRolesMappingProvider` returned a null value. This was caused by the authentication not being able to provide roles to authenticated users if the value was null. In this release of the product, the security system will honor successful authentications and not attempt to apply roles in instances where the returned value is null.


Note You need to log in before you can comment on or make changes to this bug.