JBoss Enterprise Application Platform
JBEAP-22054

[GSS] (7.3.z) WFNAM00007 exception when group name contains a colon


Details

      • Add an LDAP security domain to the configuration (similar to the one shown in the description).
      • Configure a simple application to use the LDAP domain (jboss-web.xml).
      • Configure a user in the LDAP that is a member of a group with a colon in the name (in my case cn=lala:lala,ou=groups,dc=sample,dc=com).
      • Try to log in with that user; the exception is thrown.

    Description

      With the following PicketBox LDAP configuration:

                      <security-domain name="LDAP" cache-type="default">
                          <authentication>
                              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                                  <module-option name="allowEmptyPasswords" value="true"/>
                                  <module-option name="baseCtxDN" value="cn=users,dc=sample,dc=com"/>
                                  <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                                  <module-option name="bindCredential" value="XXXXX"/>
                                  <module-option name="bindDN" value="cn=testuser,cn=users,dc=sample,dc=com"/>
                                  <module-option name="java.naming.provider.url" value="ldap://ldap.sample.com:389"/>
                                  <module-option name="java.naming.security.authentication" value="simple"/>
                                  <module-option name="roleAttributeID" value="memberOf"/>
                                  <module-option name="roleAttributeIsDN" value="true"/>
                                  <module-option name="roleFilter" value="member={1}"/>
                                  <module-option name="roleNameAttributeID" value="cn"/>
                                  <module-option name="roleRecursion" value="-1"/>
                                  <module-option name="rolesCtxDN" value="ou=groups,dc=sample,dc=com"/>
                                  <module-option name="throwValidateError" value="true"/>
                                  <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                              </login-module>
                          </authentication>
                      </security-domain>
      

      When a user is a member of a group whose name contains a colon (:) and that group is retrieved, the exception is thrown:

      2021-06-10 10:44:51,260 DEBUG [org.jboss.security] (default task-1) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
              at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
              at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
              at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
              at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94)
              at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:167)
              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:268)
              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
              at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
              at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
              at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
              at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
              at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
              at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
              at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
              at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
              at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
              at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
              at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
              at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
              at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
              at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
              at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
              at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
              at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
              at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
              at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
              at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
              at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
              at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
              at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
              at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
              at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
              at io.undertow.server.Connectors.executeRootHandler(Connectors.java:370)
              at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
              at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
              at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
              at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
              at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1348)
              at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
              at java.lang.Thread.run(Thread.java:748)
      Caused by: javax.naming.InvalidNameException: WFNAM00007: Invalid URL scheme name "ldap"
              at org.wildfly.naming.client.WildFlyRootContext.getProviderContext(WildFlyRootContext.java:808)
              at org.wildfly.naming.client.WildFlyRootContext.getAttributes(WildFlyRootContext.java:432)
              at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
              at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
              at org.jboss.security.auth.spi.LdapExtLoginModule.rolesSearch(LdapExtLoginModule.java:673)
              at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:479)
              at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:343)
              at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283)
              ... 62 more
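      The trace shows the failure surfacing in WildFlyRootContext.getProviderContext when LdapExtLoginModule.rolesSearch calls InitialDirContext.getAttributes with the group DN as a String, but it does not show how the naming client parses that String. The following is an added example (not code from this issue, PicketBox or WildFly) that illustrates the standard JNDI rule behind this class of problem: a String name whose first colon comes before any slash is treated as a URL with a scheme, so a DN like cn=lala:lala,ou=groups,dc=sample,dc=com is no longer seen as a distinguished name. It also shows the Name-typed overload, which inspects only the rightmost RDN and so is not affected. The urlSchemeOf method mirrors OpenJDK's InitialContext.getURLScheme and is an assumption about the JDK, not the WildFly naming client; the attributesByDn helper and the sample DNs are constructed for the example.

```java
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example, not code from the JIRA issue, PicketBox or WildFly.
 * Shows why a group DN containing a colon, such as
 * cn=lala:lala,ou=groups,dc=sample,dc=com, can be mistaken for a URL when
 * handed to JNDI as a plain String, and how an LdapName avoids that path.
 */
public class ColonInGroupDn {

    /**
     * The URL-scheme heuristic that javax.naming.InitialContext applies to
     * String names: if a ':' occurs before any '/', the text before the colon
     * is treated as a URL scheme and dispatched to a URL context factory.
     * Assumption: this mirrors OpenJDK's InitialContext.getURLScheme; it is
     * not the WildFly naming client's own parsing, which the trace does not show.
     */
    static String urlSchemeOf(String name) {
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        if (colon > 0 && (slash == -1 || colon < slash)) {
            return name.substring(0, colon);
        }
        return null;
    }

    /** Parse a DN with the LDAP grammar (RFC 4514) instead of JNDI's String-name rules. */
    static LdapName parseDn(String dn) throws InvalidNameException {
        return new LdapName(dn);
    }

    /**
     * Hypothetical helper: look up attributes by DN using the Name-typed overload.
     * With an LdapName the InitialContext inspects name.get(0), the rightmost RDN
     * (here dc=com), so a colon inside another RDN never triggers the URL-scheme
     * check. Needs a live DirContext; it is declared only to show the call shape.
     */
    static Attributes attributesByDn(DirContext ctx, String dn, String... attrIds) throws NamingException {
        return ctx.getAttributes(new LdapName(dn), attrIds);
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample DNs; the first one is the group from the report.
        String[] dns = {
            "cn=lala:lala,ou=groups,dc=sample,dc=com",
            "cn=admins,ou=groups,dc=sample,dc=com",
        };
        for (String dn : dns) {
            System.out.println(dn);
            System.out.println("  as a String name, JNDI sees URL scheme: " + urlSchemeOf(dn));
            LdapName name = parseDn(dn);
            // LdapName indexes RDNs right to left, so the leftmost RDN is the last one.
            Rdn leftmost = name.getRdn(name.size() - 1);
            System.out.println("  as an LdapName: " + name.size() + " RDNs, leftmost "
                    + leftmost.getType() + "=" + leftmost.getValue()
                    + ", scheme check sees: " + urlSchemeOf(name.get(0)));
        }
    }
}
```

      Running it with the two constructed DNs prints scheme cn=lala for the colon-bearing group and null for the plain one, while the LdapName form exposes dc=com to the scheme check in both cases. The practical check for a deployment is the same as in the steps above: create a group whose cn contains a colon, add a test user to it, and confirm that the login succeeds after the fix rather than relying on the absence of colons in production group names.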
      

            People

              rhn-support-rmartinc Ricardo Martin Camarero