Loading...

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.0.2.CR1, 7.0.2.GA
Affects Version/s: 7.0.0.ER3
Component/s: Security
Labels:
- upstream-fixed

Bugzilla References:
https://bugzilla.redhat.com/show_bug.cgi?id=1288668
Target Release:

7.0.z.GA
Git Pull Request:
https://github.com/wildfly-security/jboss-negotiation/pull/27, https://github.com/jbossas/redhat-picketbox/pull/19
Steps to Reproduce:
Hide

Configuration from customer case:

<security-domain name="Clarety" cache-type="default"> <authentication> <login-module code="Remoting" flag="optional"> <module-option name="password-stacking" value="useFirstPass"/> </login-module> <login-module name="Clarety" code="AdvancedLdap" flag="optional"> <module-option name="java.naming.security.authentication" value="simple"/> <module-option name="java.naming.security.protocol" value="ssl"/> <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/> <module-option name="java.naming.provider.url" value="LDAP://ldap.AD.TRS.STATE.TX.US:636"/> <module-option name="java.naming.referral" value="follow"/> <module-option name="bindDN" value="JB_SVRADM@AD.TRS.STATE.TX.US"/> <module-option name="bindCredential" value="${VAULT::TST4::InternalLDAPLoginPassword::1}"/> <module-option name="baseCtxDN" value="DC=ad,DC=trs,DC=state,DC=tx,DC=us"/> <module-option name="rolesCtxDN" value="DC=ad,DC=trs,DC=state,DC=tx,DC=us"/> <module-option name="baseFilter" value="(sAMAccountName={0})"/> <module-option name="roleAttributeID" value="memberOf"/> <module-option name="roleAttributeIsDN" value="true"/> <module-option name="roleNameAttributeID" value="cn"/> <module-option name="recurseRoles" value="true"/> <module-option name="searchScope" value="SUBTREE_SCOPE"/> <module-option name="allowEmptyPassword" value="false"/> </login-module> <login-module name="SelfService" code="LdapExtended" flag="optional"> <module-option name="java.naming.security.authentication" value="simple"/> <module-option name="java.naming.security.protocol" value="ssl"/> <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/> <module-option name="java.naming.provider.url" value="LDAP://ldap.AD.TRS.STATE.TX.US:636"/> <module-option name="java.naming.referral" value="follow"/> <module-option name="bindDN" value="JB_SVRADM@AD.TRS.STATE.TX.US"/> <module-option name="bindCredential" value="${VAULT::TST4::ExternalLDAPLoginPassword::1}"/> <module-option name="baseCtxDN" value="DC=ad,DC=trs,DC=state,DC=tx,DC=us"/> <module-option name="rolesCtxDN" value="DC=ad,DC=trs,DC=state,DC=tx,DC=us"/> <module-option name="baseFilter" value="(sAMAccountName={0})"/> <module-option name="roleFilter" value="(sAMAccountName={0})"/> <module-option name="roleAttributeID" value="memberOf"/> <module-option name="roleAttributeIsDN" value="true"/> <module-option name="roleNameAttributeID" value="cn"/> <module-option name="roleRecursion" value="true"/> <module-option name="searchScope" value="SUBTREE_SCOPE"/> <module-option name="allowEmptyPasswords" value="false"/> <module-option name="throwValidateError" value="true"/> </login-module> <login-module name="RoleMapping" code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required"> <module-option name="password-stacking" value="useFirstPass"/> <module-option name="rolesProperties" value="file:///C:/Clarety/TST4/configs/JBoss/role-mapping.properties"/> <module-option name="replaceRole" value="false"/> </login-module> </authentication> </security-domain>
Show
Configuration from customer case: <security-domain name= "Clarety" cache-type= " default " > <authentication> <login-module code= "Remoting" flag= "optional" > <module-option name= "password-stacking" value= "useFirstPass" /> </login-module> <login-module name= "Clarety" code= "AdvancedLdap" flag= "optional" > <module-option name= "java.naming.security.authentication" value= "simple" /> <module-option name= "java.naming.security.protocol" value= "ssl" /> <module-option name= "java.naming.factory.initial" value= "com.sun.jndi.ldap.LdapCtxFactory" /> <module-option name= "java.naming.provider.url" value= "LDAP: //ldap.AD.TRS.STATE.TX.US:636" /> <module-option name= "java.naming.referral" value= "follow" /> <module-option name= "bindDN" value= "JB_SVRADM@AD.TRS.STATE.TX.US" /> <module-option name= "bindCredential" value= "${VAULT::TST4::InternalLDAPLoginPassword::1}" /> <module-option name= "baseCtxDN" value= "DC=ad,DC=trs,DC=state,DC=tx,DC=us" /> <module-option name= "rolesCtxDN" value= "DC=ad,DC=trs,DC=state,DC=tx,DC=us" /> <module-option name= "baseFilter" value= "(sAMAccountName={0})" /> <module-option name= "roleAttributeID" value= "memberOf" /> <module-option name= "roleAttributeIsDN" value= " true " /> <module-option name= "roleNameAttributeID" value= "cn" /> <module-option name= "recurseRoles" value= " true " /> <module-option name= "searchScope" value= "SUBTREE_SCOPE" /> <module-option name= "allowEmptyPassword" value= " false " /> </login-module> <login-module name= "SelfService" code= "LdapExtended" flag= "optional" > <module-option name= "java.naming.security.authentication" value= "simple" /> <module-option name= "java.naming.security.protocol" value= "ssl" /> <module-option name= "java.naming.factory.initial" value= "com.sun.jndi.ldap.LdapCtxFactory" /> <module-option name= "java.naming.provider.url" value= "LDAP: //ldap.AD.TRS.STATE.TX.US:636" /> <module-option name= "java.naming.referral" value= "follow" /> <module-option name= "bindDN" value= "JB_SVRADM@AD.TRS.STATE.TX.US" /> <module-option name= "bindCredential" value= "${VAULT::TST4::ExternalLDAPLoginPassword::1}" /> <module-option name= "baseCtxDN" value= "DC=ad,DC=trs,DC=state,DC=tx,DC=us" /> <module-option name= "rolesCtxDN" value= "DC=ad,DC=trs,DC=state,DC=tx,DC=us" /> <module-option name= "baseFilter" value= "(sAMAccountName={0})" /> <module-option name= "roleFilter" value= "(sAMAccountName={0})" /> <module-option name= "roleAttributeID" value= "memberOf" /> <module-option name= "roleAttributeIsDN" value= " true " /> <module-option name= "roleNameAttributeID" value= "cn" /> <module-option name= "roleRecursion" value= " true " /> <module-option name= "searchScope" value= "SUBTREE_SCOPE" /> <module-option name= "allowEmptyPasswords" value= " false " /> <module-option name= "throwValidateError" value= " true " /> </login-module> <login-module name= "RoleMapping" code= "org.jboss.security.auth.spi.RoleMappingLoginModule" flag= "required" > <module-option name= "password-stacking" value= "useFirstPass" /> <module-option name= "rolesProperties" value= "file: ///C:/Clarety/TST4/configs/JBoss/role-mapping.properties" /> <module-option name= "replaceRole" value= " false " /> </login-module> </authentication> </security-domain>

Sprint:
EAP 7.0.2

SFDC Cases Counter:
SFDC Cases Links:

Description

https://bugzilla.redhat.com/show_bug.cgi?id=1288668

The root cause of login module failures gets lost when multiple login modules are stacked and the "flag" attribute is set to "optional".

When the login attempt fails (invalid bindCredential on the AdvancedLdapLoginModule for example) the authentication request will continue to the next login module in the stack. In this situation, the exceptions "cause" attribute is getting overwritten during the processing of the other login modules. This results in the actual cause to get lost during processing.

This makes troubleshooting authentication failures difficult.

Attachments

Issue Links

clones

JBEAP-5343 (7.1.0) The root cause of login module failures gets lost when multiple login modules are stacked

Verified

incorporates

SECURITY-933 The root cause of login module failures gets lost when multiple login modules are stacked

Resolved

is incorporated by

JBEAP-3813 [GSS](7.0.z) Upgrade PicketBox from 4.9.6.Final to 4.9.7.Final

Verified

JBEAP-4715 (7.0.z) Upgrade jboss-negotiation to 3.0.3

Verified

[GSS](7.0.z) The root cause of login module failures gets lost when multiple login modules are stacked

Details

Description

Attachments

Issue Links

Activity

People

Dates