JBoss Enterprise Application Platform

JBEAP-3027: Referrals 'throw' does not work correctly for LdapExtLoginModule with MS Active Directory

Details

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 7.0.0.ER4
    • Component/s: Security
    • Labels: None

    Description

      When a crossRef object pointing to a different domain is configured on MS Active Directory for handling referrals and JBoss EAP 7 uses LdapExtLoginModule with referrals configured to 'throw', authentication fails for referrals. This is inconsistent with the behavior of EAP with other login modules (e.g. AdvancedLdap) or with other LDAP providers (e.g. Red Hat Directory Server). With correct behavior, authentication should pass.

      It seems to be caused by an LdapReferralException thrown while searching roles, before it is handled by the try-catch block in the LdapExtLoginModule code. Stack trace of the thrown LdapReferralException:

      com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2975)
      com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
      com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
      com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
      com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1786)
      com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418)
      com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396)
      com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:378)
      javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
      javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
      org.jboss.security.auth.spi.LdapExtLoginModule.rolesSearch(LdapExtLoginModule.java:647)
      org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:479)
      org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:343)
      org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283)
      sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      java.lang.reflect.Method.invoke(Method.java:497)
      javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
      javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
      javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
      javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
      java.security.AccessController.doPrivileged(Native Method)
      javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      javax.security.auth.login.LoginContext.login(LoginContext.java:587)
      org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
      org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
      org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
      org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
      org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
      org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94)
      io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:118)
      io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
      io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
      io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
      io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
      io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
      io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
      io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
      io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
      io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
      io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
      io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
      io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
      io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
      io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
      io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
      io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
      io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
      io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
      java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      java.lang.Thread.run(Thread.java:745)
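The failure above is a referral surfacing from the roles search while Context.REFERRAL is set to 'throw'. The following Java program, added here as an example and not code from JBoss EAP or PicketBox, shows how a caller can handle that exception itself: it runs the same kind of JNDI group search, catches LdapReferralException, follows the referral only when the referred host is on an allowlist and a hop limit has not been reached, and otherwise returns the roles gathered so far instead of turning the referral into a login failure. The server URL, bind DN, user and base DNs, the trusted host list and the LDAP_BIND_PASSWORD environment variable are constructed placeholders.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapReferralException;

public class ReferralAwareRoleSearch {

    // Placeholder connection settings, constructed for this example (not from the issue).
    static final String LDAP_URL = "ldap://dc1.corp.example.test:389";
    static final String BIND_DN = "CN=svc-eap,OU=Service Accounts,DC=corp,DC=example,DC=test";
    static final String BIND_PASSWORD = System.getenv("LDAP_BIND_PASSWORD");

    // Hosts we are willing to be redirected to (placeholder list); anything else is refused.
    static final Set<String> TRUSTED_REFERRAL_HOSTS = new HashSet<>(Arrays.asList(
            "dc1.corp.example.test", "dc1.child.corp.example.test"));

    static DirContext connect(String referralMode) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
        // "follow" lets JNDI chase referrals silently, "ignore" drops them,
        // "throw" raises each one as LdapReferralException so the caller decides.
        env.put(Context.REFERRAL, referralMode);
        return new InitialDirContext(env);
    }

    // Only follow a referral whose target host is on the allowlist.
    static boolean referralAllowed(Object referralInfo) {
        try {
            String host = new URI(String.valueOf(referralInfo)).getHost();
            return host != null && TRUSTED_REFERRAL_HOSTS.contains(host.toLowerCase());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Collects the cn of every AD group listing userDn as a member. A referral raised
    // during the search is caught here instead of escaping to the login code.
    static Set<String> searchRoles(DirContext initial, String baseDn, String userDn, int maxHops)
            throws NamingException {
        Set<String> roles = new LinkedHashSet<>();
        List<DirContext> opened = new ArrayList<>(); // referral contexts we must close
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "cn" });
        // The user DN goes in as a filter argument, so JNDI escapes it rather than us.
        String filter = "(&(objectClass=group)(member={0}))";
        Object[] args = { userDn };

        DirContext ctx = initial;
        try {
            for (int hop = 0; ; hop++) {
                try {
                    NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, args, sc);
                    while (results.hasMore()) {
                        Attribute cn = results.next().getAttributes().get("cn");
                        if (cn != null) {
                            roles.add(String.valueOf(cn.get()));
                        }
                    }
                    return roles;
                } catch (LdapReferralException ref) {
                    Object target = ref.getReferralInfo(); // the URL the server redirected us to
                    if (hop >= maxHops || !referralAllowed(target)) {
                        System.err.println("not following referral to " + target
                                + "; returning roles gathered so far: " + roles);
                        return roles;
                    }
                    // Retry the same search on a context bound to the referred server.
                    ctx = (DirContext) ref.getReferralContext();
                    opened.add(ctx);
                }
            }
        } finally {
            for (DirContext c : opened) {
                c.close();
            }
        }
    }

    public static void main(String[] argv) throws NamingException {
        DirContext ctx = connect("throw");
        try {
            Set<String> roles = searchRoles(ctx,
                    "DC=corp,DC=example,DC=test",
                    "CN=jdoe,OU=Users,DC=corp,DC=example,DC=test", 3);
            System.out.println("roles: " + roles);
        } finally {
            ctx.close();
        }
    }
}
```

The no-argument getReferralContext() builds the new connection from the environment of the context that threw, so the same bind credentials are sent to whatever host the referral names; checking that host before following is what 'throw' buys over 'follow'. Returning the partial role set rather than throwing keeps the outcome on the safe side: the user is authenticated with fewer roles, not rejected because another domain answered with a referral.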

      People

        Assignee: Unassigned
        Reporter: olukas Ondrej Lukas (Inactive)
        Ondrej Lukas (Inactive)
        Ondrej Lukas (Inactive)
        Votes: 0
        Watchers: 2