Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-5343

(7.1.0) The root cause of login module failures gets lost when multiple login modules are stacked

XMLWordPrintable

    • Hide

      Configuration from customer case:

      <security-domain name="Clarety" cache-type="default">
          <authentication>
              <login-module code="Remoting" flag="optional">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module name="Clarety" code="AdvancedLdap" flag="optional">
                  <module-option name="java.naming.security.authentication" value="simple"/>
                  <module-option name="java.naming.security.protocol" value="ssl"/>
                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                  <module-option name="java.naming.provider.url" value="LDAP://ldap.AD.TRS.STATE.TX.US:636"/>
                  <module-option name="java.naming.referral" value="follow"/>
                  <module-option name="bindDN" value="JB_SVRADM@AD.TRS.STATE.TX.US"/>
                  <module-option name="bindCredential" value="${VAULT::TST4::InternalLDAPLoginPassword::1}"/>
                  <module-option name="baseCtxDN" value="DC=ad,DC=trs,DC=state,DC=tx,DC=us"/>
                  <module-option name="rolesCtxDN" value="DC=ad,DC=trs,DC=state,DC=tx,DC=us"/>
                  <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                  <module-option name="roleAttributeID" value="memberOf"/>
                  <module-option name="roleAttributeIsDN" value="true"/>
                  <module-option name="roleNameAttributeID" value="cn"/>
                  <module-option name="recurseRoles" value="true"/>
                  <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                  <module-option name="allowEmptyPassword" value="false"/>
              </login-module>
              <login-module name="SelfService" code="LdapExtended" flag="optional">
                  <module-option name="java.naming.security.authentication" value="simple"/>
                  <module-option name="java.naming.security.protocol" value="ssl"/>
                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                  <module-option name="java.naming.provider.url" value="LDAP://ldap.AD.TRS.STATE.TX.US:636"/>
                  <module-option name="java.naming.referral" value="follow"/>
                  <module-option name="bindDN" value="JB_SVRADM@AD.TRS.STATE.TX.US"/>
                  <module-option name="bindCredential" value="${VAULT::TST4::ExternalLDAPLoginPassword::1}"/>
                  <module-option name="baseCtxDN" value="DC=ad,DC=trs,DC=state,DC=tx,DC=us"/>
                  <module-option name="rolesCtxDN" value="DC=ad,DC=trs,DC=state,DC=tx,DC=us"/>
                  <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                  <module-option name="roleFilter" value="(sAMAccountName={0})"/>
                  <module-option name="roleAttributeID" value="memberOf"/>
                  <module-option name="roleAttributeIsDN" value="true"/>
                  <module-option name="roleNameAttributeID" value="cn"/>
                  <module-option name="roleRecursion" value="true"/>
                  <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                  <module-option name="allowEmptyPasswords" value="false"/>
                  <module-option name="throwValidateError" value="true"/>
              </login-module>
              <login-module name="RoleMapping" code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required">
                  <module-option name="password-stacking" value="useFirstPass"/>
                  <module-option name="rolesProperties"
                                 value="file:///C:/Clarety/TST4/configs/JBoss/role-mapping.properties"/>
                  <module-option name="replaceRole" value="false"/>
              </login-module>
          </authentication>
      </security-domain>
      
      Show
      Configuration from customer case: <security-domain name= "Clarety" cache-type= " default " > <authentication> <login-module code= "Remoting" flag= "optional" > <module-option name= "password-stacking" value= "useFirstPass" /> </login-module> <login-module name= "Clarety" code= "AdvancedLdap" flag= "optional" > <module-option name= "java.naming.security.authentication" value= "simple" /> <module-option name= "java.naming.security.protocol" value= "ssl" /> <module-option name= "java.naming.factory.initial" value= "com.sun.jndi.ldap.LdapCtxFactory" /> <module-option name= "java.naming.provider.url" value= "LDAP: //ldap.AD.TRS.STATE.TX.US:636" /> <module-option name= "java.naming.referral" value= "follow" /> <module-option name= "bindDN" value= "JB_SVRADM@AD.TRS.STATE.TX.US" /> <module-option name= "bindCredential" value= "${VAULT::TST4::InternalLDAPLoginPassword::1}" /> <module-option name= "baseCtxDN" value= "DC=ad,DC=trs,DC=state,DC=tx,DC=us" /> <module-option name= "rolesCtxDN" value= "DC=ad,DC=trs,DC=state,DC=tx,DC=us" /> <module-option name= "baseFilter" value= "(sAMAccountName={0})" /> <module-option name= "roleAttributeID" value= "memberOf" /> <module-option name= "roleAttributeIsDN" value= " true " /> <module-option name= "roleNameAttributeID" value= "cn" /> <module-option name= "recurseRoles" value= " true " /> <module-option name= "searchScope" value= "SUBTREE_SCOPE" /> <module-option name= "allowEmptyPassword" value= " false " /> </login-module> <login-module name= "SelfService" code= "LdapExtended" flag= "optional" > <module-option name= "java.naming.security.authentication" value= "simple" /> <module-option name= "java.naming.security.protocol" value= "ssl" /> <module-option name= "java.naming.factory.initial" value= "com.sun.jndi.ldap.LdapCtxFactory" /> <module-option name= "java.naming.provider.url" value= "LDAP: //ldap.AD.TRS.STATE.TX.US:636" /> <module-option name= "java.naming.referral" value= "follow" /> <module-option name= "bindDN" value= "JB_SVRADM@AD.TRS.STATE.TX.US" /> <module-option name= "bindCredential" value= "${VAULT::TST4::ExternalLDAPLoginPassword::1}" /> <module-option name= "baseCtxDN" value= "DC=ad,DC=trs,DC=state,DC=tx,DC=us" /> <module-option name= "rolesCtxDN" value= "DC=ad,DC=trs,DC=state,DC=tx,DC=us" /> <module-option name= "baseFilter" value= "(sAMAccountName={0})" /> <module-option name= "roleFilter" value= "(sAMAccountName={0})" /> <module-option name= "roleAttributeID" value= "memberOf" /> <module-option name= "roleAttributeIsDN" value= " true " /> <module-option name= "roleNameAttributeID" value= "cn" /> <module-option name= "roleRecursion" value= " true " /> <module-option name= "searchScope" value= "SUBTREE_SCOPE" /> <module-option name= "allowEmptyPasswords" value= " false " /> <module-option name= "throwValidateError" value= " true " /> </login-module> <login-module name= "RoleMapping" code= "org.jboss.security.auth.spi.RoleMappingLoginModule" flag= "required" > <module-option name= "password-stacking" value= "useFirstPass" /> <module-option name= "rolesProperties" value= "file: ///C:/Clarety/TST4/configs/JBoss/role-mapping.properties" /> <module-option name= "replaceRole" value= " false " /> </login-module> </authentication> </security-domain>

      https://bugzilla.redhat.com/show_bug.cgi?id=1288668

      The root cause of login module failures gets lost when multiple login modules are stacked and the "flag" attribute is set to "optional".

      When the login attempt fails (invalid bindCredential on the AdvancedLdapLoginModule for example) the authentication request will continue to the next login module in the stack. In this situation, the exceptions "cause" attribute is getting overwritten during the processing of the other login modules. This results in the actual cause to get lost during processing.

      This makes troubleshooting authentication failures difficult.

              thofman Tomas Hofman
              rhn-cservice-bbaranow Bartosz Baranowski
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: