Bug 1432440 - [GSS](6.4.z) The username is not getting parsed properly in the method getUsername() of LdapExtLoginModule which results in StringIndexOutOfBoundsException.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.12
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: CR1
: EAP 6.4.16
Assignee: Petr Jurak
QA Contact: Josef Cacek
URL:
Whiteboard:
Depends On:
Blocks: 1434171 eap6416-payload 1452022
Reported: 2017-03-15 12:05 UTC by indrajit
Modified: 2020-06-11 13:25 UTC (History)

Fixed In Version:
Clone Of:
: 1434171 (view as bug list)
Environment:
Last Closed: 2017-06-22 09:18:56 UTC
Type: Bug
Embargoed:



Description indrajit 2017-03-15 12:05:10 UTC
Description of problem:

Getting StringIndexOutOfBoundsException while executing getUsername() of org.jboss.security.auth.spi.LdapExtLoginModule in picketbox-4.1.3.Final-redhat-1.jar.

Version-Release number of selected component (if applicable):


How reproducible:

To reproduce the issue, run the JUnit test case below.

--------------------------------------------

import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.is;
 
import java.util.HashMap;
import java.util.Map;
 
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
 
public class LDAPUsernameTest {
 
    private static final String PARSE_USERNAME = "parseUsername";
    private static final String USERNAME_BEGIN_STRING = "usernameBeginString";
    private static final String USERNAME_END_STRING = "usernameEndString";
    protected Map options = new HashMap<String, String>();
    protected boolean parseUsername;
    protected String usernameBeginString;
    protected String usernameEndString;
 
    @Before
    public void setUp() throws Exception {
        options.put(PARSE_USERNAME, "true");
        options.put(USERNAME_BEGIN_STRING, "C=XX, O=aaaabbbbccccdddd, CN=");
        options.put(USERNAME_END_STRING, "@aa.xxxxxxx.zz");
    }
 
    @Test
    public void testGetUsername() {
        Assert.assertThat("user1111", is(equalTo(getUsername_4_1_2_Final_redhat_1())));
        Assert.assertThat("user1111", is(equalTo(getUsername_4_1_3_Final_redhat_1())));
    }
 
    protected String getUsername_4_1_2_Final_redhat_1() {
        String username = "C=XX, O=aaaabbbbccccdddd, CN=user1111.zz";// super.getUsername();
        parseUsername = Boolean.valueOf((String) options.get(PARSE_USERNAME));
        if (parseUsername) {
            usernameBeginString = (String) options.get(USERNAME_BEGIN_STRING);
            usernameEndString = (String) options.get(USERNAME_END_STRING);
            int beginIndex = 0;
            if (usernameBeginString != null && !usernameBeginString.equals(""))
                beginIndex = username.indexOf(usernameBeginString) + usernameBeginString.length();
            if (beginIndex == -1) // not allowed. reset
                beginIndex = 0;
            int endIndex = username.length();
            if (usernameEndString != null && !usernameEndString.equals(""))
                endIndex = username.substring(beginIndex).indexOf(usernameEndString);
            if (endIndex == -1) // not allowed. reset
                endIndex = username.length();
            else
                endIndex += beginIndex;
            System.out.println("beginIndex = "+beginIndex +"endIndex ="+endIndex);
            username = username.substring(beginIndex, endIndex);
        }
        return username;
    }
 
    protected String getUsername_4_1_3_Final_redhat_1() {
        String username = "C=XX, O=aaaabbbbccccdddd, CN=user1111.zz";// super.getUsername();
        parseUsername = Boolean.valueOf((String) options.get(PARSE_USERNAME));
        if (parseUsername) {
            usernameBeginString = (String) options.get(USERNAME_BEGIN_STRING);
            usernameEndString = (String) options.get(USERNAME_END_STRING);
            int beginIndex = 0;
            if (usernameBeginString != null && !usernameBeginString.equals(""))
                beginIndex = username.indexOf(usernameBeginString) + usernameBeginString.length();
            if (beginIndex == -1) // not allowed. reset
            {
                beginIndex = 0;
            } else {
                beginIndex += usernameBeginString.length();
            }
 
            if (usernameEndString == null || usernameEndString.equals("")) {
                return username.substring(beginIndex, username.length());
            }
 
            int endIndex = username.indexOf(usernameEndString, beginIndex);
            if (endIndex == -1) { // not allowed. reset
                endIndex = username.length();
            }
            System.out.println("beginIndex = "+beginIndex +"endIndex ="+endIndex);
 
            username = username.substring(beginIndex, endIndex);
        }
        return username;
    }
}
--------------------------------------------

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:

However, it is working in picketbox-4.1.2.Final-redhat-1.jar.

Additional info:
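
Added example, not part of the report and not PicketBox code: in the 4.1.3 variant of the test case above, the begin-marker length is added twice (29 + 29 = 58 on a 40-character string), so substring(58, 40) throws StringIndexOutOfBoundsException. The code below tests the raw indexOf result before adding the marker length, which keeps both indices inside the string; the class and method names are hypothetical, and the last three inputs are constructed.

```java
// Added example: not the PicketBox implementation or its fix.
public class UsernameParseExample {

    /**
     * Extracts the part of username between the begin and end markers.
     * A marker that is null, empty, or not found leaves that side untrimmed.
     */
    static String parseUsername(String username, String begin, String end) {
        int beginIndex = 0;
        if (begin != null && !begin.isEmpty()) {
            int found = username.indexOf(begin);
            // Test the raw indexOf result; add the marker length only on a hit.
            if (found != -1) {
                beginIndex = found + begin.length();
            }
        }
        int endIndex = username.length();
        if (end != null && !end.isEmpty()) {
            // Search from beginIndex so a hit can never precede the start.
            int found = username.indexOf(end, beginIndex);
            if (found != -1) {
                endIndex = found;
            }
        }
        // Invariant: 0 <= beginIndex <= endIndex <= username.length()
        return username.substring(beginIndex, endIndex);
    }

    public static void main(String[] args) {
        String begin = "C=XX, O=aaaabbbbccccdddd, CN="; // option value from the report
        String end = "@aa.xxxxxxx.zz";                  // option value from the report
        String[] inputs = {
            "C=XX, O=aaaabbbbccccdddd, CN=user1111.zz",            // from the report
            "C=XX, O=aaaabbbbccccdddd, CN=user1111@aa.xxxxxxx.zz", // constructed
            "user1111",                                            // constructed: no markers
            "C=XX, O=aaaabbbbccccdddd, CN=",                       // constructed: empty name
        };
        for (String in : inputs) {
            System.out.println("[" + in + "] -> [" + parseUsername(in, begin, end) + "]");
        }
    }
}
```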

Comment 11 Ivo Hradek 2017-06-06 06:42:16 UTC
Working as expected now, verified with EAP-6.4.16-CP.CR1;

Thanks to @olukas for catching the "missing" part.

Comment 12 Petr Penicka 2017-06-22 09:18:56 UTC
Released on June 20 2017 as part of the EAP 6.4.16 maintenance release.

