Description of problem:
If the DatabaseRolesMappingProvider's rolesQuery returns an empty set, then the authentication attempts will fail. Seems like it should not cause the authentication attempt to fail, since this is about mapping/adding roles.
It looks like the code detects that the result set is empty, but then it tries to get the role from the empty set. This causes an exception which in turn causes the authentication attempt to fail.
Steps to Reproduce:
1. Configure the security-domain to use the DatabaseRolesMappingProvider
2. Login as a user that authenticates correctly, but the role query should return an empty set
The authentication request will fail.
The authentication request should succeed, but the DatabaseRolesMappingProvider should not apply any roles
Fix committed to:
Derek Horton <email@example.com> updated the status of jira SECURITY-797 to Resolved
Verified in 6.3.0.ER4
Refactored release note text for this as a Known Issue (ER4 fixes will not be picked up in the 6.3.0 Beta release)
Original note included here for use at 6.3.0 GA:
In previous versions of JBoss EAP 6 it was found that authentication attempts would fail if the `DatabaseRolesMappingProvider` returned a null value. This was caused by the authentication not being able to provide roles to authenticated users if the value was null. In this release of the product, the security system will honor successful authentications and not attempt to apply roles in instances where the returned value is null.