JBSEAM-4834 (Seam 2)

LdapIdentityStore throws NameNotFoundException when a role contains a forward slash


    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Steps to Reproduce:

      1. Configure security:ldap-identity-store for your LDAP server. Make sure role-attribute-is-DN is set to true (default).
      2. Give an LDAP user entry a role containing a forward slash.
      3. Attempt to login with the user in #2.
      4. LoginException (wrapping a NameNotFoundException) will be thrown.


      Description

      When using LdapIdentityStore for the role-identity-store, if a user's LDAP entry contains a role with a forward slash, the following exception occurs:

      javax.security.auth.login.LoginException: Failed to query roles
      at org.jboss.seam.security.jaas.SeamLoginModule.login(SeamLoginModule.java:141)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      [snip]
      Caused by:
      org.jboss.seam.security.management.IdentityManagementException: Failed to query roles
      at org.jboss.seam.security.management.LdapIdentityStore.getGrantedRoles(LdapIdentityStore.java:903)
      at org.jboss.seam.security.management.LdapIdentityStore.getImpliedRoles(LdapIdentityStore.java:938)
      at org.jboss.seam.security.management.IdentityManager.getImpliedRoles(IdentityManager.java:254)
      at org.jboss.seam.security.jaas.SeamLoginModule.login(SeamLoginModule.java:130)
      ... 81 more
      Caused by:
      javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; Remaining name: 'cn=umg/somerole,dc=acme,dc=com'
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3078)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2999)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2806)
      at com.sun.jndi.ldap.LdapCtx.c_lookup(LdapCtx.java:1023)
      at com.sun.jndi.toolkit.ctx.ComponentContext.c_resolveIntermediate_nns(ComponentContext.java:164)
      at com.sun.jndi.toolkit.ctx.AtomicContext.c_resolveIntermediate_nns(AtomicContext.java:354)
      at com.sun.jndi.toolkit.ctx.ComponentContext.p_resolveIntermediate(ComponentContext.java:393)
      at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:217)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:133)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
      at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:151)
      at org.jboss.seam.security.management.LdapIdentityStore.getGrantedRoles(LdapIdentityStore.java:890)
      ... 84 more

      This error does not occur when the user's record does not contain roles with a forward slash. I was able to eliminate this exception by changing line 890 in LdapIdentityStore from this:

      Attributes result2 = ctx.getAttributes(roleDN, returnAttribute);

      To this:

      Attributes result2 = ctx.getAttributes(new javax.naming.ldap.LdapName(roleDN), returnAttribute);
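Why the one-line change works, as an added illustration (not part of the report or of the Seam code base): the String overloads of the JNDI context parse their argument as a CompositeName, in which "/" separates naming-system components, so "cn=umg/somerole,dc=acme,dc=com" is resolved as "cn=umg" followed by "somerole,dc=acme,dc=com" and the first lookup fails with error 32. LdapName parses RFC 2253 syntax, where "/" is an ordinary character. The DN below is the one from the stack trace; the class and method names are assumptions for the demo.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Demo (not Seam code): how JNDI parses a role DN that contains a slash. */
public class RoleDnDemo {

    // Sample DN taken from the exception message in the report.
    static final String ROLE_DN = "cn=umg/somerole,dc=acme,dc=com";

    /** What ctx.getAttributes(String) does internally: a composite-name parse. */
    static Name asComposite(String dn) throws InvalidNameException {
        return new CompositeName(dn);
    }

    /** The reporter's fix: parse the DN as a single LDAP compound name. */
    static LdapName asLdapName(String dn) throws InvalidNameException {
        return new LdapName(dn);
    }

    /** True when the composite parser would split this DN into several components. */
    static boolean wouldBeSplit(String dn) throws InvalidNameException {
        return asComposite(dn).size() > 1;
    }

    public static void main(String[] args) throws Exception {
        Name composite = asComposite(ROLE_DN);
        // Two components: "cn=umg" and "somerole,dc=acme,dc=com".
        // The provider looks up "cn=umg" first, which does not exist in the directory.
        System.out.println("composite components: " + composite.size());
        for (int i = 0; i < composite.size(); i++) {
            System.out.println("  [" + i + "] " + composite.get(i));
        }

        LdapName ldap = asLdapName(ROLE_DN);
        // Three RDNs, stored right to left: dc=com, dc=acme, cn=umg/somerole.
        System.out.println("ldap RDNs: " + ldap.size());
        for (Rdn rdn : ldap.getRdns()) {
            System.out.println("  " + rdn);
        }
        // The leaf RDN keeps the slash inside its value, so the lookup targets the real entry.
        Rdn leaf = ldap.getRdn(ldap.size() - 1);
        System.out.println("leaf value: " + leaf.getValue());
        System.out.println("would be split by composite parser: " + wouldBeSplit(ROLE_DN));
    }
}
```

The same composite-name splitting affects any DN read back from the directory and passed to a String overload, so the LdapName wrapper is the safe default wherever a DN comes from attribute data rather than from a hard-coded string.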

People

Assignee: Unassigned
Reporter: orr94 Jeremiah Orr (Inactive)
Votes: 0
Watchers: 2