Bug 1067612 - [GSS] (6.2.x) Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: CR2
Target Release: EAP 6.2.2
Assignee: Derek Horton
QA Contact: Josef Cacek
Docs Contact: Russell Dickenson
URL:
Whiteboard:
Depends On: 1067610
Blocks: eap62-cp02-blockers 1067580
Reported: 2014-02-20 17:39 UTC by Derek Horton
Modified: 2018-12-04 17:35 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6, the DatabaseRolesMappingProvider could attempt to get information from an empty SQL set in certain circumstances. When this occurred, an exception was thrown which caused the authentication request to fail. In this release of the product, the DatabaseRolesMappingProvider has been modified to avoid using an empty SQL set. Authentication requests that result in the DatabaseRolesMappingProvider rolesQuery returning an empty set are now handled correctly and do not fail.
Clone Of: 1067610
Environment:
Last Closed: 2014-06-02 12:50:10 UTC
Type: Bug
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | SECURITY-797 | 0 | Major | Resolved | Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set | 2014-04-09 13:41:25 UTC

Description Derek Horton 2014-02-20 17:39:10 UTC
+++ This bug was initially created as a clone of Bug #1067610 +++

Description of problem:

If the DatabaseRolesMappingProvider's rolesQuery returns an empty set, then the authentication attempts will fail. Seems like it should not cause the authentication attempt to fail, since this is about mapping/adding roles.

It looks like the code detects that the result set is empty, but then it tries to get the role from the empty set. This causes an exception which in turn causes the authentication attempt to fail.

Steps to Reproduce:
1. Configure the security-domain to use the DatabaseRolesMappingProvider
2. Log in as a user that authenticates correctly, but the role query should return an empty set


Actual results:

The authentication request will fail.


Expected results:

The authentication request should succeed, but the DatabaseRolesMappingProvider should not apply any roles

Comment 2 JBoss JIRA Server 2014-02-20 17:43:05 UTC
Derek Horton <dhorton> updated the status of jira SECURITY-797 to Resolved

Comment 3 Ondrej Lukas 2014-03-04 14:26:59 UTC
Verified on EAP 6.2.2.CR2.

Comment 4 Russell Dickenson 2014-03-06 13:41:29 UTC
Derek,

Please provide draft Release Notes text for this ticket.

Thank you

