Bug 1218663 - [QE](6.4.z) LdapExtLoginModule throws FailedLoginException when rolesCtxDN and roleFilter attributes are not set
Summary: [QE](6.4.z) LdapExtLoginModule throws FailedLoginException when rolesCtxDN an...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: CR1
Target Release: EAP 6.4.12
Assignee: Lin Gao
QA Contact: Josef Cacek
URL:
Whiteboard:
Depends On:
Blocks: 1274287 eap6412-payload
Reported: 2015-05-05 13:51 UTC by Ondrej Lukas
Modified: 2017-01-17 13:14 UTC
CC List: 11 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-01-17 13:14:12 UTC
Type: Bug
Embargoed:




Links
Red Hat Issue Tracker JBEAP-137 (Private: 0, Priority: Minor, Status: Closed, Last Updated: 2017-08-04 11:50:25 UTC): LdapExtLoginModule throws FailedLoginException when rolesCtxDN and roleFilter attributes are not set

Description Ondrej Lukas 2015-05-05 13:51:42 UTC
In the case when LdapExtLoginModule is correctly configured for authentication, but its attributes rolesCtxDN and roleFilter are not set, authentication with a correct username and password leads to a FailedLoginException.

The expected behavior is that the user should be authenticated but no roles should be assigned to them.

Another LDAP login module cannot be used for some use cases, since this is the only LDAP login module which uses referrals.

Possible EAP configuration:
<security-domain name="ldap">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="baseCtxDN" value="ou=People,o=MyOrg,o=primary,dc=jboss,dc=org"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
            <module-option name="bindCredential" value="secret"/>
        </login-module>
    </authentication>
</security-domain>

When these attributes are added:
<module-option name="rolesCtxDN" value="ou=Roles,o=MyOrg,o=primary,dc=jboss,dc=org"/>
<module-option name="roleFilter" value="(member={0})"/>
then the user is correctly authenticated (even when no role is assigned to them).

It is caused by an internal NPE thrown from the method rolesSearch in the LdapExtLoginModule class (line 647):
NamingEnumeration results = ldapCtx.search(rolesCtxDN, roleFilter, filterArgs, constraints);

The FailedLoginException mentioned above:
DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_55]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_55]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_55]
        at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_55]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_55]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_55]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_55]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_55]
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_55]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_55]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_55]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:424) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:363) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:351) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:156) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:217) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:178) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_55]
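The following is an added example written for this page, not PicketBox or EAP source. It models the failure the report describes: a role search that passes the unset rolesCtxDN/roleFilter options straight into the directory search (which fails with a NullPointerException that the login flow reports as a generic password failure) next to a guarded version that skips the role search and returns an empty role set, so the user authenticates with no roles. The Directory interface, the in-memory directory and the user DN "uid=jduke,..." are constructed for the example and are assumptions; the option names and DNs are the ones from the configuration above.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.login.FailedLoginException;

/**
 * Added example modelling the report: an unguarded rolesSearch beside a guarded one.
 * Not PicketBox code; the Directory interface and the in-memory data are constructed.
 */
public class OptionalRoleSearchExample {

    /** Hypothetical stand-in for DirContext.search(name, filter, args, constraints). */
    interface Directory {
        Set<String> search(String rolesCtxDN, String roleFilter, String userDN);
    }

    /** Constructed user DN used by the in-memory directory below. */
    static final String CONSTRUCTED_USER_DN = "uid=jduke,ou=People,o=MyOrg,o=primary,dc=jboss,dc=org";

    /** Constructed directory: one user DN that is a member of one role. */
    static Directory constructedDirectory() {
        return (rolesCtxDN, roleFilter, userDN) -> {
            // A real JNDI context rejects a null search base or filter with a
            // NullPointerException; that is the root cause quoted in the report.
            if (rolesCtxDN == null || roleFilter == null) {
                throw new NullPointerException("search base and filter must not be null");
            }
            // Filter semantics are not modelled here, only the membership lookup.
            if (rolesCtxDN.startsWith("ou=Roles") && CONSTRUCTED_USER_DN.equals(userDN)) {
                return Collections.singleton("Admin");
            }
            return Collections.emptySet();
        };
    }

    /** Reported behaviour: the role search runs whether or not its options were configured. */
    static Set<String> rolesSearchUnguarded(Directory dir, Map<String, String> options, String userDN) {
        return dir.search(options.get("rolesCtxDN"), options.get("roleFilter"), userDN);
    }

    /** Expected behaviour: missing rolesCtxDN/roleFilter means "authenticate, assign no roles". */
    static Set<String> rolesSearchGuarded(Directory dir, Map<String, String> options, String userDN) {
        String rolesCtxDN = options.get("rolesCtxDN");
        String roleFilter = options.get("roleFilter");
        if (rolesCtxDN == null || roleFilter == null) {
            return Collections.emptySet();
        }
        return dir.search(rolesCtxDN, roleFilter, userDN);
    }

    /**
     * Models how the login module turns any exception raised during validation into a
     * generic FailedLoginException, which is why the log above shows
     * "Password invalid/Password required" instead of the NPE.
     */
    static Set<String> login(boolean guarded, Directory dir, Map<String, String> options, String userDN)
            throws FailedLoginException {
        try {
            return guarded ? rolesSearchGuarded(dir, options, userDN)
                           : rolesSearchUnguarded(dir, options, userDN);
        } catch (RuntimeException e) {
            FailedLoginException fle = new FailedLoginException("Password invalid/Password required");
            fle.initCause(e); // keep the root cause attached so a DEBUG log can show it
            throw fle;
        }
    }

    public static void main(String[] args) {
        Directory dir = constructedDirectory();

        // Options as in the report's first security-domain: no role options at all.
        Map<String, String> noRoleOptions = new HashMap<>();
        noRoleOptions.put("baseCtxDN", "ou=People,o=MyOrg,o=primary,dc=jboss,dc=org");

        // Options as in the report's second configuration.
        Map<String, String> roleOptions = new HashMap<>(noRoleOptions);
        roleOptions.put("rolesCtxDN", "ou=Roles,o=MyOrg,o=primary,dc=jboss,dc=org");
        roleOptions.put("roleFilter", "(member={0})");

        try {
            login(false, dir, noRoleOptions, CONSTRUCTED_USER_DN);
        } catch (FailedLoginException e) {
            System.out.println("unguarded, no role options: " + e.getMessage()
                    + " (cause: " + e.getCause() + ")");
        }
        try {
            System.out.println("guarded, no role options: roles="
                    + login(true, dir, noRoleOptions, CONSTRUCTED_USER_DN));
            System.out.println("guarded, role options:    roles="
                    + login(true, dir, roleOptions, CONSTRUCTED_USER_DN));
        } catch (FailedLoginException e) {
            throw new AssertionError("guarded role search should not fail", e);
        }
    }
}
```

The unguarded path reproduces the symptom worth recognising when triaging similar reports: a valid credential rejected with a password error whose real cause is a configuration gap, visible only because the cause is chained onto the exception. The guarded path is the behaviour the report asks for, authentication without roles, which a deployment that only needs LdapExtLoginModule for its referral support can then rely on.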

Comment 1 Lin Gao 2015-05-12 07:51:57 UTC
I will give it a try.

Comment 4 Peter Skopek 2015-05-19 18:43:09 UTC
reviewed: good to merge (missing ACKs).

Comment 5 Mike McCune 2016-03-28 22:55:34 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation; please see mmccune with any questions.

Comment 7 JBoss JIRA Server 2016-04-11 07:36:18 UTC
Peter Skopek <pskopek> updated the status of jira JBEAP-137 to Resolved

Comment 9 JBoss JIRA Server 2016-05-26 11:15:24 UTC
Peter Skopek <pskopek> updated the status of jira JBEAP-137 to Closed

Comment 10 Ivo Hradek 2016-11-25 07:44:55 UTC
Verified with EAP 6.4.12.CP.CR1.

Comment 11 Petr Penicka 2017-01-17 13:14:12 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

Comment 12 Petr Penicka 2017-01-17 13:14:53 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.
