Bug 1296823 - NPE in principal-to-group group searching
Status: CLOSED DEFERRED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management, Security
Version: 6.4.0
Hardware/OS: Unspecified
Priority: unspecified
Severity: high
Assigned To: jboss-set
QA Contact: Ondrej Lukas
Reported: 2016-01-08 03:40 EST by Ondrej Lukas
Modified: 2017-02-20 11:31 EST
Last Closed: 2017-02-20 11:31:51 EST
Doc Type: Bug Fix
Type: Bug


Attachments:
groupsearch.ldif (747 bytes, text/plain), 2016-01-08 03:41 EST, Ondrej Lukas
Description Ondrej Lukas 2016-01-08 03:40:10 EST
When LDAP authorization with principal-to-group group searching is used in a security realm and the LDAP entry found by the value of 'group-attribute' does not include the attribute named in 'group-name-attribute', authentication fails. It is caused by a missing null check for groupNameAttr and a hidden NPE thrown from [1].

Steps to reproduce:
1) Use the following security domain:
            <security-realm name="ldap-security-realm">
                <authentication>
                    <ldap connection="ldap_connection" base-dn="dc=jboss,dc=org" recursive="true">
                        <username-filter attribute="uid"/>
                    </ldap>
                </authentication>
                <authorization>
                    <ldap connection="ldap_connection">
                        <group-search group-name="SIMPLE" iterative="false" group-dn-attribute="dn" group-name-attribute="description">
                            <principal-to-group group-attribute="sn"/>
                        </group-search>
                    </ldap>
                </authorization>
            </security-realm>
...
        <outbound-connections>
            <ldap name="ldap_connection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
        </outbound-connections>

2) Use this security domain for RBAC access to the management console:
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket-binding native="management-native"/>
            </native-interface>
            <http-interface security-realm="ldap-security-realm">
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="$local"/>
                        <group name="JBossAdmin"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>

3) Use an LDAP server with the attached LDIF.

4) Try to access the management console with jduke/Password; it will fail.

5) Uncomment the line 'description: Monitor' in the LDIF and try to access the management console again; it will succeed.

[1] https://github.com/jbossas/jboss-eap/blob/8d2e4ac38fc3a170b3d049532a3cbb0dc13efe65/domain-management/src/main/java/org/jboss/as/domain/management/security/LdapGroupSearcherFactory.java#L302
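As an added illustration (not code from this report or from JBoss EAP), the following Java snippet models the principal-to-group lookup over a constructed in-memory directory built with javax.naming BasicAttributes, so it runs without an LDAP server. The user jduke, the group-attribute 'sn', the group-name-attribute 'description' and the group names Monitor and JBossAdmin come from the report; the DNs, the class PrincipalToGroupDemo and the helper resolveGroups are assumptions.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;

public class PrincipalToGroupDemo {
    // Constructed in-memory stand-in for the directory (DN -> attributes); the DNs are placeholders.
    static final Map<String, Attributes> DIRECTORY = new HashMap<>();
    static {
        // Group entry with no 'description', like the LDIF with 'description: Monitor' commented out.
        DIRECTORY.put("cn=Monitor,ou=groups,dc=jboss,dc=org", new BasicAttributes("cn", "Monitor", true));
        Attributes admin = new BasicAttributes("cn", "JBossAdmin", true);
        admin.put("description", "JBossAdmin");
        DIRECTORY.put("cn=JBossAdmin,ou=groups,dc=jboss,dc=org", admin);
        // User entry: 'sn' (the configured group-attribute) holds the DNs of the group entries.
        Attribute sn = new BasicAttribute("sn");
        sn.add("cn=Monitor,ou=groups,dc=jboss,dc=org");
        sn.add("cn=JBossAdmin,ou=groups,dc=jboss,dc=org");
        Attributes jduke = new BasicAttributes("uid", "jduke", true);
        jduke.put(sn);
        DIRECTORY.put("uid=jduke,ou=people,dc=jboss,dc=org", jduke);
    }
    // Principal-to-group resolution: user's group-attribute -> referenced entries -> group-name-attribute.
    static List<String> resolveGroups(String userDn, String groupAttr, String groupNameAttr,
                                      boolean nullCheck) throws NamingException {
        List<String> groups = new ArrayList<>();
        Attribute refs = DIRECTORY.get(userDn).get(groupAttr);
        for (int i = 0; i < refs.size(); i++) {
            Attribute name = DIRECTORY.get((String) refs.get(i)).get(groupNameAttr);
            // Guard: skip (and log, in real code) an entry lacking the attribute instead of dereferencing null.
            if (nullCheck && (name == null || name.get() == null)) continue;
            groups.add((String) name.get());
        }
        return groups;
    }
    public static void main(String[] args) throws NamingException {
        String user = "uid=jduke,ou=people,dc=jboss,dc=org";
        try {
            resolveGroups(user, "sn", "description", false);
        } catch (NullPointerException e) {
            System.out.println("without null check: NPE, authentication fails");
        }
        System.out.println("with null check: " + resolveGroups(user, "sn", "description", true));
    }
}
```

With nullCheck=false the first group entry aborts the whole lookup, which is the reported symptom; with the guard in place the remaining group is still returned and role mapping can proceed.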
Comment 1 Ondrej Lukas 2016-01-08 03:41 EST
Created attachment 1112781: groupsearch.ldif
