-
Bug
-
Resolution: Done
-
Major
-
7.3.7.GA
-
False
-
False
-
-
-
-
-
-
+
-
Undefined
-
-
With the following picketbox ldap configuration:
<security-domain name="LDAP" cache-type="default"> <authentication> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required"> <module-option name="password-stacking" value="useFirstPass"/> <module-option name="allowEmptyPasswords" value="true"/> <module-option name="baseCtxDN" value="cn=users,dc=sample,dc=com"/> <module-option name="baseFilter" value="(sAMAccountName={0})"/> <module-option name="bindCredential" value="XXXXX"/> <module-option name="bindDN" value="cn=testuser,cn=users,dc=sample,dc=com"/> <module-option name="java.naming.provider.url" value="ldap://ldap.sample.com:389"/> <module-option name="java.naming.security.authentication" value="simple"/> <module-option name="roleAttributeID" value="memberOf"/> <module-option name="roleAttributeIsDN" value="true"/> <module-option name="roleFilter" value="member={1}"/> <module-option name="roleNameAttributeID" value="cn"/> <module-option name="roleRecursion" value="-1"/> <module-option name="rolesCtxDN" value="ou=groups,dc=sample,dc=com"/> <module-option name="throwValidateError" value="true"/> <module-option name="searchScope" value="SUBTREE_SCOPE"/> </login-module> </authentication> </security-domain>
When a user is member of a group that contains a colon : and that group is retrieved the exception is thrown:
2021-06-10 10:44:51,260 DEBUG [org.jboss.security] (default task-1) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070 : Password invalid/Password required at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) at javax.security.auth.login.LoginContext.access(LoginContext.java:195) at javax.security.auth.login.LoginContext.run(LoginContext.java:682) at javax.security.auth.login.LoginContext.run(LoginContext.java:680) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:587) at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406) at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123) at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94) at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:167) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:268) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access(SecurityContextImpl.java:231) at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125) at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99) at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269) at io.undertow.servlet.handlers.ServletInitialHandler.access(ServletInitialHandler.java:78) at io.undertow.servlet.handlers.ServletInitialHandler.call(ServletInitialHandler.java:133) at io.undertow.servlet.handlers.ServletInitialHandler.call(ServletInitialHandler.java:130) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoServ ice.java:1530) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoServ ice.java:1530) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1530) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1530) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249) at io.undertow.servlet.handlers.ServletInitialHandler.access(ServletInitialHandler.java:78) at io.undertow.servlet.handlers.ServletInitialHandler.handleRequest(ServletInitialHandler.java:99) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:370) at io.undertow.server.HttpServerExchange.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1348) at org.xnio.XnioWorker$WorkerThreadFactory.run(XnioWorker.java:1280) at java.lang.Thread.run(Thread.java:748) Caused by: javax.naming.InvalidNameException: WFNAM00007: Invalid URL scheme name "ldap" at org.wildfly.naming.client.WildFlyRootContext.getProviderContext(WildFlyRootContext.java:808) at org.wildfly.naming.client.WildFlyRootContext.getAttributes(WildFlyRootContext.java:432) at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142) at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142) at org.jboss.security.auth.spi.LdapExtLoginModule.rolesSearch(LdapExtLoginModule.java:673) at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:479) at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:343) at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283) ... 62 more
- is cloned by
-
JBEAP-22054 [GSS] (7.3.z) WFNAM00007 exception when group name contains a colon
- Closed
- is incorporated by
-
JBEAP-22084 [GSS](7.4.z) Upgrade PicketBox from 5.0.3.Final-redhat-00007 to 5.0.3.Final-redhat-00008
- Closed