Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9635

Failed validation in regex-validating-principal-transformer causes NPE for Elytron audit logging

XMLWordPrintable

    • Hide

      Use following regex-validating-principal-transformer for security domain

      <regex-validating-principal-transformer name="transformer" pattern="someUser" match="true"/>
      

      to set from CLI:

      /subsystem=elytron/regex-validating-principal-transformer=transformer:add(pattern=someUser,match=true)
      /subsystem=elytron/security-domain=ApplicationDomain:write-attribute(name=pre-realm-principal-transformer,value=transformer)
      

      and try to authenticate through that security domain as otherUser

      Show
      Use following regex-validating-principal-transformer for security domain <regex-validating-principal-transformer name= "transformer" pattern= "someUser" match= " true " /> to set from CLI: /subsystem=elytron/regex-validating-principal-transformer=transformer:add(pattern=someUser,match= true ) /subsystem=elytron/security-domain=ApplicationDomain:write-attribute(name=pre-realm-principal-transformer,value=transformer) and try to authenticate through that security domain as otherUser

      In case when validation in Elytron regex-validating-principal-transformer fails then following NPE occurs in server log:

      ERROR [org.wildfly.security] (default task-2) ELY01094: An event handler threw an exception: java.lang.NullPointerException: Value in JsonObjects name/value pair cannot be null
      	at org.glassfish.json.JsonObjectBuilderImpl.validateValue(JsonObjectBuilderImpl.java:164)
      	at org.glassfish.json.JsonObjectBuilderImpl.add(JsonObjectBuilderImpl.java:74)
      	at org.wildfly.security.audit.JsonSecurityEventFormatter.handleAuthenticationFailedEvent(JsonSecurityEventFormatter.java:99)
      	at org.wildfly.security.audit.JsonSecurityEventFormatter.handleAuthenticationFailedEvent(JsonSecurityEventFormatter.java:93)
      	at org.wildfly.security.audit.JsonSecurityEventFormatter.handleAuthenticationFailedEvent(JsonSecurityEventFormatter.java:43)
      	at org.wildfly.security.auth.server.event.SecurityAuthenticationFailedEvent.accept(SecurityAuthenticationFailedEvent.java:49)
      	at org.wildfly.extension.elytron.AuditResourceDefinitions$1.lambda$null$1(AuditResourceDefinitions.java:156)
      	at org.wildfly.security.audit.AuditLogger.accept(AuditLogger.java:56)
      	at org.wildfly.security.audit.AuditLogger.accept(AuditLogger.java:35)
      	at org.wildfly.security.auth.server.SecurityDomain.handleSecurityEvent(SecurityDomain.java:680)
      	at org.wildfly.security.auth.server.SecurityDomain.safeHandleSecurityEvent(SecurityDomain.java:687)
      	at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.fail(ServerAuthenticationContext.java:1793)
      	at org.wildfly.security.auth.server.ServerAuthenticationContext.fail(ServerAuthenticationContext.java:433)
      	at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:865)
      	at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:728)
      	at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
      	at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.fail(UsernamePasswordAuthenticationMechanism.java:107)
      	at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:170)
      	at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
      	at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
      	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:110)
      	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
      	at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
      	at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:97)
      	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
      	at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
      	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      	at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
      	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:46)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
      	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
      	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
      	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
      	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
      	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
      	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      

      It happens only in case when Elytron audit log is enabled. It happens in case when match attribute is set to true and principal name does not match given pattern as well as in case when match attribute is set to false and principal name matches given pattern.

              jkalina@redhat.com Jan Kalina (Inactive)
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: