Uploaded image for project: 'Application Server 7'
  1. Application Server 7
  2. AS7-3077

security subsystem fails to add JASPI authentication configuration

    Details

      Description

      The security subsystem is either not parsing the JASPI config or interpreting the resulting add operation correctly. The login-module-stack tag requires a name attribute. The parsed ModelNode does not reflect the attribute name of 'name' only the value. When org.jboss.as.security.SecurityDomainAdd.processJASPIAuth(...) is executed an exception is thrown when validating that 'name' exists. (stack.require(NAME).asString() Below is an example config recreating the problem, the ModelNodes created from the config and the resulting exception. Attempts to add a child 'name' element to the configuration as a work around caused failures during parsing of the security subsystem.

      Example JASPI configuration consistent with jboss-as-security_1_1.xsd

      <security-domain name="tutor-ldap">
      <authentication-jaspi>
      <login-module-stack name="ldap-stack" >
      <login-module code="LdapExtended" flag="required">
      <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
      <module-option name="bindDN" value="uid=admin,ou=system"/>
      <module-option name="bindCredential" value="secret"/>
      <module-option name="baseCtxDN" value="ou=users,ou=system"/>
      <module-option name="baseFilter" value="(sn=

      {0})"/>
      <module-option name="rolesCtxDN" value="ou=groups,ou=system"/>
      <module-option name="roleFilter" value="(member={1})"/>
      <module-option name="roleAttributeID" value="cn"/>
      <module-option name="roleAttributeIsDN" value="false"/>
      <module-option name="java.naming.referral" value="follow"/>
      <module-option name="roleRecursion" value="-1"/>
      <module-option name="searchScope" value="SUBTREE_SCOPE"/>
      <module-option name="java.naming.security.authentication" value="simple"/>
      <module-option name="allowEmptyPasswords" value="false"/>
      </login-module>
      </login-module-stack>
      <auth-module code="org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule" login-module-stack-ref="ldap-stack">
      </auth-module>
      </authentication-jaspi>
      </security-domain>

      h3.Operations created during parsing of authentication-jaspi config

      { "operation" => "add", "address" => [ ("subsystem" => "security"), ("security-domain" => "tutor-ldap") ] }, {
      "operation" => "add",
      "address" => [
      ("subsystem" => "security"),
      ("security-domain" => "tutor-ldap"),
      ("authentication" => "jaspi")
      ],
      "auth-modules" => [{ "code" => "org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule", "login-module-stack-ref" => "ldap-stack", "module-options" => undefined }]
      }, {
      "operation" => "add",
      "address" => [
      ("subsystem" => "security"),
      ("security-domain" => "tutor-ldap"),
      ("authentication" => "jaspi"),
      ("login-module-stack" => "ldap-stack")
      ],
      "login-modules" => [{
      "code" => "LdapExtended",
      "flag" => "required",
      "module-options" => [
      ("java.naming.provider.url" => "ldap://localhost:10389"),
      ("bindDN" => "uid=admin,ou=system"),
      ("bindCredential" => "secret"),
      ("baseCtxDN" => "ou=users,ou=system"),
      ("baseFilter" => "(sn={0}

      )"),
      ("rolesCtxDN" => "ou=groups,ou=system"),
      ("roleFilter" => "(member=

      {1})"),
      ("roleAttributeID" => "cn"),
      ("roleAttributeIsDN" => "false"),
      ("java.naming.referral" => "follow"),
      ("roleRecursion" => "-1"),
      ("searchScope" => "SUBTREE_SCOPE"),
      ("java.naming.security.authentication" => "simple"),
      ("allowEmptyPasswords" => "false")
      ]
      }

      h3.ModelNode during execution of add operation

      "cache-type" => undefined,
      "authentication" => {"jaspi" => {
      "auth-modules" => [{ "code" => "org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule", "login-module-stack-ref" => "ldap-stack", "module-options" => undefined }],
      "login-module-stack" => {"ldap-stack" => {"login-modules" => [{
      "code" => "LdapExtended",
      "flag" => "required",
      "module-options" => [
      ("java.naming.provider.url" => "ldap://localhost:10389"),
      ("bindDN" => "uid=admin,ou=system"),
      ("bindCredential" => "secret"),
      ("baseCtxDN" => "ou=users,ou=system"),
      ("baseFilter" => "(sn={0})"),
      ("rolesCtxDN" => "ou=groups,ou=system"),
      ("roleFilter" => "(member={1}

      )"),
      ("roleAttributeID" => "cn"),
      ("roleAttributeIsDN" => "false"),
      ("java.naming.referral" => "follow"),
      ("roleRecursion" => "-1"),
      ("searchScope" => "SUBTREE_SCOPE"),
      ("java.naming.security.authentication" => "simple"),
      ("allowEmptyPasswords" => "false")
      ]
      }]}}
      }}
      }

      Exception thrown during process of operations

      08:11:13,947 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool – 44) JBAS014612: Operation ("add") failed - address: ([
      ("subsystem" => "security"),
      ("security-domain" => "tutor-ldap")
      ]): java.util.NoSuchElementException: No child 'name' exists
      at org.jboss.dmr.ModelValue.requireChild(ModelValue.java:362) [jboss-dmr-1.1.1.Final.jar:]
      at org.jboss.dmr.PropertyModelValue.requireChild(PropertyModelValue.java:156) [jboss-dmr-1.1.1.Final.jar:]
      at org.jboss.dmr.ModelNode.require(ModelNode.java:812) [jboss-dmr-1.1.1.Final.jar:]
      at org.jboss.as.security.SecurityDomainAdd.processJASPIAuth(SecurityDomainAdd.java:333) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.security.SecurityDomainAdd.createApplicationPolicy(SecurityDomainAdd.java:213) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.security.SecurityDomainAdd.launchServices(SecurityDomainAdd.java:167) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:156) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:157) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:157) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:157) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.server.AbstractDeploymentChainStep.execute(AbstractDeploymentChainStep.java:46) [jboss-as-server-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.server.AbstractDeploymentChainStep.execute(AbstractDeploymentChainStep.java:46) [jboss-as-server-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:311) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_25]
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_25]
      at java.lang.Thread.run(Thread.java:662) [:1.6.0_25]
      at org.jboss.threads.JBossThread.run(JBossThread.java:122)

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                sguilhen Stefan Guilhen
                Reporter:
                dbschofield Ben Schofield
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: