- Bug
- Resolution: Duplicate
- Major
- 7.0.0.ER4
When a crossRef object pointing to a different domain is configured in MS Active Directory to handle referrals, and JBoss EAP 7 uses LdapExtLoginModule with referrals configured as 'throw', authentication fails on referrals. This is inconsistent with the behavior of EAP with other login modules (e.g. AdvancedLdap) and with other LDAP providers (e.g. Red Hat Directory Server). The correct behavior is for authentication to pass.
It seems to be caused by an LdapReferralException thrown during the role search before it reaches the try-catch block in the LdapExtLoginModule code. Stack trace of the thrown LdapReferralException:
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2975)
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1786)
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418)
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396)
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:378)
javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
org.jboss.security.auth.spi.LdapExtLoginModule.rolesSearch(LdapExtLoginModule.java:647)
org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:479)
org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:343)
org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:497)
javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
javax.security.auth.login.LoginContext.login(LoginContext.java:587)
org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94)
io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:118)
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
java.lang.Thread.run(Thread.java:745)
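The role search the trace above fails in is the kind of place a referral has to be caught explicitly when java.naming.referral is "throw". The following is an added illustration, not code from LdapExtLoginModule or JBoss EAP: it follows the standard JNDI manual-referral pattern around the whole search enumeration, and it only follows referrals to hosts on an allow-list, because the referral context reuses the original bind credentials. Host names, the search base and the user DN are placeholders; the caller is assumed to have created a DirContext with Context.REFERRAL set to "throw".

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.ReferralException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Role search that handles referrals itself when java.naming.referral is set to "throw". */
public class ReferralAwareRoleSearch {

    // Assumed placeholder hosts. The referral context reuses the original environment, so the
    // bind credentials travel to whatever host the referral names; only follow known DCs.
    static final Set<String> TRUSTED_REFERRAL_HOSTS =
            Set.of("dc1.example.com", "dc1.child.example.com");

    /** Returns the cn of each group listing userDn as a member, following only trusted referrals. */
    static List<String> searchRoles(DirContext ctx, String base, String userDn) throws NamingException {
        List<String> roles = new ArrayList<>();
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"});
        while (true) {
            try {
                // A referral can be raised by search() itself or lazily by hasMore()/next(), so the
                // whole enumeration sits inside the try block (the gap the report describes).
                NamingEnumeration<SearchResult> answer = ctx.search(
                        base, "(&(objectClass=group)(member={0}))", new Object[] {userDn}, sc);
                while (answer.hasMore()) {
                    roles.add(answer.next().getAttributes().get("cn").get().toString());
                }
                return roles;
            } catch (ReferralException e) {
                // getReferralInfo() carries the referral URL, e.g. ldap://dc1.child.example.com/DC=child,...
                String host = URI.create(String.valueOf(e.getReferralInfo())).getHost();
                if (!TRUSTED_REFERRAL_HOSTS.contains(host) && !e.skipReferral()) {
                    return roles; // untrusted referral and no further referrals to process
                }
                // Retry the same search against the referred-to naming context.
                ctx = (DirContext) e.getReferralContext();
            }
        }
    }
}
```

Create the initial context with `env.put(Context.REFERRAL, "throw")` as in the report; with "follow" the JDK provider chases referrals on its own and this loop never sees a ReferralException.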
- duplicates: JBEAP-3029 (7.4.z) Referrals 'throw' does not work correctly for ldap authentication to mgmt console with MS Active Directory
- Verified