Bug 1196343 - [GSS](6.4.z) Fix LDAP authentication/authorization fails due to making unneeded role lookup requests, except IBM JDK 6 see BZ-1301732
Summary: [GSS](6.4.z) Fix LDAP authentication/authorization fails due to making unneed...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: CR2
Target Release: EAP 6.4.6
Assignee: Chris Dolphy
QA Contact: Josef Cacek
URL: https://github.com/jbossas/jboss-eap/...
Whiteboard:
Depends On:
Blocks: 1235746 1301732
 
Reported: 2015-02-25 18:27 UTC by Phil Festoso
Modified: 2019-09-12 08:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1301732
Environment:
Last Closed: 2017-01-17 11:45:22 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
config for testing change (17.27 KB, application/xml)
2015-10-24 00:18 UTC, Chris Dolphy


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-2320 0 Blocker Closed LDAP authentication/authorization fails due to making unneeded role lookup requests 2018-08-20 23:54:33 UTC
Red Hat Issue Tracker WFCORE-1202 0 Major Resolved LDAP authentication/authorization fails due to making unneeded role lookup requests 2018-08-20 23:54:33 UTC
Red Hat Knowledge Base (Solution) 2138781 0 None None None 2016-01-25 21:09:29 UTC

Description Phil Festoso 2015-02-25 18:27:10 UTC
Description of problem:
Customer is seeing performance issues with EAP 6 when attempting to use the management interface and authenticate against their LDAP server. They have a flat but very large collection of groups. They would like to see performance similar to what they saw using the parseRoleNameFromDN feature in EAP 5.

Version-Release number of selected component (if applicable):
EAP 6.4Beta

How reproducible:
Not very. Need access to the customer's unique LDAP provider and structure.

Steps to Reproduce:
1. Configure <ldap> in the management interface to use the above-mentioned provider
2. Attempt to access management interface

Actual results:
Authentication times out at 5s. (Increasing this value for the customer's production environment is not acceptable.)

Expected results:
Authentication does not time out.

Additional info:
Severity set to Urgent at request of customer. There is a planned move to EAP 6 as part of a major upgrade to an ISV-provided application and this is a blocker for them.

Comment 2 Phil Festoso 2015-02-27 23:58:44 UTC
Forgot to reference support case 00890012. Thank you.

Comment 5 Phil Festoso 2015-03-30 14:52:41 UTC
Any news? Customer is pushing hard to get this into a CP for 6.4.

Comment 14 Chris Dolphy 2015-10-24 00:18:30 UTC
Created attachment 1086005 [details]
config for testing change

Comment 43 JBoss JIRA Server 2016-01-15 11:11:49 UTC
Ondrej Lukas <olukas> updated the status of jira JBEAP-2320 to Reopened

Comment 44 Ondrej Lukas 2016-01-20 12:56:06 UTC
Verification failed for IBM JDK 1.6. Remaining JDKs from platform certification work correctly.

When a group name from LDAP contains '/' characters, authentication fails.

Exception in EAP server.log after failed authentication:
TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) Failure supplementing Subject: java.lang.IllegalArgumentException: Cannot convert hex String to UTF8
	at org.apache.harmony.jndi.internal.parser.LdapRdnParser.getUnEscapedValues(LdapRdnParser.java:173) [jndi.jar:]
	at org.apache.harmony.jndi.internal.parser.LdapRdnParser.unescapeValue(LdapRdnParser.java:131) [jndi.jar:]
	at javax.naming.ldap.Rdn.unescapeValue(Rdn.java:65) [jndi.jar:]
	at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.parseRole(LdapGroupSearcherFactory.java:345) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.search(LdapGroupSearcherFactory.java:277) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.search(LdapGroupSearcherFactory.java:215) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapCacheService$NoCacheCache.search(LdapCacheService.java:225) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.loadGroupEntries(LdapSubjectSupplementalService.java:218) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.loadGroups(LdapSubjectSupplementalService.java:195) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.loadGroups(LdapSubjectSupplementalService.java:188) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.supplementSubject(LdapSubjectSupplementalService.java:163) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.management.security.SecurityRealmService$1.createSubjectUserInfo(SecurityRealmService.java:223) [jboss-as-domain-management-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.http.server.security.BasicAuthenticator._authenticate(BasicAuthenticator.java:115) [jboss-as-domain-http-interface-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.http.server.security.BasicAuthenticator.authenticate(BasicAuthenticator.java:80) [jboss-as-domain-http-interface-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:64)
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
	at org.jboss.sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:710)
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:78)
	at org.jboss.as.domain.http.server.XFrameHeaderFilter.doFilter(XFrameHeaderFilter.java:45) [jboss-as-domain-http-interface-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
	at org.jboss.as.domain.http.server.RealmReadinessFilter.doFilter(RealmReadinessFilter.java:48) [jboss-as-domain-http-interface-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.as.domain.http.server.DmrFailureReadinessFilter.doFilter(DmrFailureReadinessFilter.java:45) [jboss-as-domain-http-interface-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
	at org.jboss.sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:682)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:908) [rt.jar:1.6.0]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:931) [rt.jar:1.6.0]
	at java.lang.Thread.run(Thread.java:738) [vm.jar:1.6.0]
	at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]

Comment 45 dhorton 2016-01-22 04:17:22 UTC
I think this is happening due to a bug in the Apache Harmony code that ships with the IBM 1.6 JDK:
https://issues.apache.org/jira/browse/HARMONY-4229

As previously mentioned, this does not happen on IBM 1.7 JDK, Oracle 1.6 or 1.7.

At this point, I think the best approach would be to modify the catch statement in the parseRole to be more broad in what it catches.  That way it would be less likely that odd parsing issues would cause authentication issues.
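
An illustrative Java sketch of the parseRole step named in the stack trace in comment 44 and the broader catch proposed in comment 45, added here as an example; it is not the EAP/WildFly source. The class name, method signature and sample DNs are assumptions: the group name is taken from the DN's RDN when the JNDI parser can handle it, and any parsing failure returns null so the caller can fall back to a group-entry lookup instead of failing the whole authentication.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical stand-in for the parseRole logic; not the project's own code. */
public final class GroupNameFromDn {

    /** Returns the group name carried in the DN, or null if it cannot be parsed safely. */
    static String parseRole(String dn, String groupNameAttribute) {
        try {
            LdapName name = new LdapName(dn);
            // The most specific RDN is the last component of an LdapName.
            for (int i = name.size() - 1; i >= 0; i--) {
                Rdn rdn = new Rdn(name.get(i));
                if (rdn.getType().equalsIgnoreCase(groupNameAttribute)) {
                    // Rdn.unescapeValue is the frame where the IBM JDK 6 (Harmony JNDI)
                    // implementation threw IllegalArgumentException for values
                    // containing '/' (comment 44).
                    Object value = Rdn.unescapeValue(rdn.getValue().toString());
                    return value.toString();
                }
            }
            return null; // DN does not carry the attribute: caller looks the entry up
        } catch (InvalidNameException e) {
            return null; // malformed DN: caller looks the entry up
        } catch (RuntimeException e) {
            // Broad catch, as suggested in comment 45: a JNDI parsing quirk costs
            // one extra lookup rather than a failed login.
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample DNs; not taken from any real directory.
        String[] dns = {
            "cn=admins,ou=groups,dc=example,dc=com",
            "cn=dev/ops,ou=groups,dc=example,dc=com",
            "cn=a\\,b,ou=groups,dc=example,dc=com",
            "ou=groups,dc=example,dc=com",
        };
        for (String dn : dns) {
            System.out.println(dn + " -> " + parseRole(dn, "cn"));
        }
    }
}
```

On an Oracle/OpenJDK JNDI implementation the second DN yields "dev/ops"; the point of the broad catch is that a JDK whose parser rejects that value returns null here instead of propagating the exception into supplementSubject.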

Comment 46 Ivo Studensky 2016-01-22 08:29:41 UTC
Derek, thanks for the clarification.

Comment 50 Ondrej Lukas 2016-01-26 12:49:30 UTC
Verified in EAP 6.4.6.CP.CR2.

Comment 51 JBoss JIRA Server 2016-06-14 11:37:01 UTC
Jiri Pallich <jpallich> updated the status of jira JBEAP-2320 to Closed

Comment 52 Petr Penicka 2017-01-17 11:45:22 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

