Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-8106

500 return for nonexistent user in legacy ldap security realm

XMLWordPrintable

    • Regression
    • Hide

      1) Start server

      ./standalone.sh
      

      2) Configure server with CLI

      /core-service=management/ldap-connection=ldapConnection:add(url="ldap://localhost:10389", search-credential="secret", search-dn="uid=admin,ou=system")
      /core-service=management/security-realm=ldap-realm:add()
      /core-service=management/security-realm=ldap-realm/authentication=ldap:add(connection=ldapConnection, base-dn="ou=People,dc=jboss,dc=org", username-attribute=uid)
      /core-service=management/management-interface=http-interface:write-attribute(name=security-realm, value=ldap-realm)
      reload
      

      3) Access http://localhost:9990/management?operation=attribute&name=server-state in browser and provide non-existent user
      4) Instead of 401 status code 500 is returned

      Show
      1) Start server ./standalone.sh 2) Configure server with CLI /core-service=management/ldap-connection=ldapConnection:add(url= "ldap: //localhost:10389" , search-credential= "secret" , search-dn= "uid=admin,ou=system" ) /core-service=management/security-realm=ldap-realm:add() /core-service=management/security-realm=ldap-realm/authentication=ldap:add(connection=ldapConnection, base-dn= "ou=People,dc=jboss,dc=org" , username-attribute=uid) /core-service=management/management- interface =http- interface :write-attribute(name=security-realm, value=ldap-realm) reload 3) Access http://localhost:9990/management?operation=attribute&name=server-state in browser and provide non-existent user 4) Instead of 401 status code 500 is returned

      In case of securing management interface with ldap in security realm. When nonexistent user is provided, EAP answers with 500 http status code. It is different behaviour compared to EAP 7.0, which returns 401. I think http status code 401 is proper in this situation, because it is client fault (e.g. typo in username) and can be repaired on client side.

      server.log
      10:49:18,745 TRACE [org.wildfly.security] (management task-10) Handling MechanismInformationCallback
      10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling AvailableRealmsCallback: realms = [ldap-realm]
      10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling RealmCallback: selected = [ldap-realm]
      10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling NameCallback: authenticationName = anil
      10:49:18,746 TRACE [org.wildfly.security] (management task-10) Name assigning: [anil], pre-realm rewritten: [anil], realm name: [PLAIN], post realm rewritten: [anil], realm rewritten: [anil]
      10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Non caching search for 'anil'
      10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Performing single level search
      10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Searching for user 'anil' using filter '(uid={0})'.
      10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Connecting to LDAP with properties ({java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://localhost.localdomain:10389, java.naming.security.principal=uid=admin,ou=system, java.naming.security.credentials=***, java.naming.referral=ignore})
      10:49:18,749 WARN  [org.apache.directory.server.core.api.interceptor.context.FilteringOperationContext] (pool-7-thread-1) Requested attribute dn does not exist in the schema, it will be ignored
      10:49:18,750 TRACE [org.jboss.as.domain.management.security] (management task-10) User 'anil' not found in directory.
      

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Martin Choma Martin Choma
              Martin Choma Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: