Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.4.1.CR1, 7.4.1.GA
Affects Version/s: 7.3.7.GA
Component/s: Security
Labels:
- test_included

Blocked:
False
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
QE Test Coverage:
+
Release Note Text:
Undefined
Target Release:

7.4.z.GA
Git Pull Request:
https://github.com/jbossas/redhat-picketbox/pull/42
Steps to Reproduce:
Hide

Add an LDAP security domain to the configuration (similar to the one shown in the description).

Configure a simple application to use the LDAP domain (jboss-web.xml).

Configure a user in the ldap that is member of a group with a colon in the name (in my case cn=lala:lala,ou=groups,dc=sample,dc=com).

Try to login with that user and the exception is thrown.
Show
Add an LDAP security domain to the configuration (similar to the one shown in the description). Configure a simple application to use the LDAP domain (jboss-web.xml). Configure a user in the ldap that is member of a group with a colon in the name (in my case cn=lala:lala,ou=groups,dc=sample,dc=com ). Try to login with that user and the exception is thrown.
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

With the following picketbox ldap configuration:

                <security-domain name="LDAP" cache-type="default">
                    <authentication>
                        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                            <module-option name="allowEmptyPasswords" value="true"/>
                            <module-option name="baseCtxDN" value="cn=users,dc=sample,dc=com"/>
                            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                            <module-option name="bindCredential" value="XXXXX"/>
                            <module-option name="bindDN" value="cn=testuser,cn=users,dc=sample,dc=com"/>
                            <module-option name="java.naming.provider.url" value="ldap://ldap.sample.com:389"/>
                            <module-option name="java.naming.security.authentication" value="simple"/>
                            <module-option name="roleAttributeID" value="memberOf"/>
                            <module-option name="roleAttributeIsDN" value="true"/>
                            <module-option name="roleFilter" value="member={1}"/>
                            <module-option name="roleNameAttributeID" value="cn"/>
                            <module-option name="roleRecursion" value="-1"/>
                            <module-option name="rolesCtxDN" value="ou=groups,dc=sample,dc=com"/>
                            <module-option name="throwValidateError" value="true"/>
                            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                        </login-module>
                    </authentication>
                </security-domain>

When a user is member of a group that contains a colon : and that group is retrieved the exception is thrown:

2021-06-10 10:44:51,260 DEBUG [org.jboss.security] (default task-1) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070
: Password invalid/Password required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access(LoginContext.java:195)
        at javax.security.auth.login.LoginContext.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
        at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
        at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94)
        at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:167)
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:268)
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access(SecurityContextImpl.java:231)
        at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
        at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
        at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
        at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
        at io.undertow.servlet.handlers.ServletInitialHandler.access(ServletInitialHandler.java:78)
        at io.undertow.servlet.handlers.ServletInitialHandler.call(ServletInitialHandler.java:133)
        at io.undertow.servlet.handlers.ServletInitialHandler.call(ServletInitialHandler.java:130)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction.call(ServletRequestContextThreadSetupAction.java:48)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoServ
ice.java:1530)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoServ
ice.java:1530)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1530)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1530)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
        at io.undertow.servlet.handlers.ServletInitialHandler.access(ServletInitialHandler.java:78)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleRequest(ServletInitialHandler.java:99)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:370)
        at io.undertow.server.HttpServerExchange.run(HttpServerExchange.java:830)
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1348)
        at org.xnio.XnioWorker$WorkerThreadFactory.run(XnioWorker.java:1280)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.naming.InvalidNameException: WFNAM00007: Invalid URL scheme name "ldap"
        at org.wildfly.naming.client.WildFlyRootContext.getProviderContext(WildFlyRootContext.java:808)
        at org.wildfly.naming.client.WildFlyRootContext.getAttributes(WildFlyRootContext.java:432)
        at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
        at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
        at org.jboss.security.auth.spi.LdapExtLoginModule.rolesSearch(LdapExtLoginModule.java:673)
        at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:479)
        at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:343)
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283)
        ... 62 more

is cloned by

JBEAP-22054 [GSS] (7.3.z) WFNAM00007 exception when group name contains a colon

Closed

is incorporated by

JBEAP-22084 [GSS](7.4.z) Upgrade PicketBox from 5.0.3.Final-redhat-00007 to 5.0.3.Final-redhat-00008

Closed

Assignee:: Ricardo Martin Camarero

Reporter:: Ricardo Martin Camarero

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2021/06/10 9:04 AM

Updated:: 2024/08/27 1:54 PM

Resolved:: 2021/07/08 9:59 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates