- Bug
- Resolution: Done
- Blocker
- None
When the management interface is secured with LDAP in a security realm and a nonexistent user is provided, WildFly answers with a 500 HTTP status code. This is different behaviour compared to WildFly 10.1, which returns 401. I think HTTP status code 401 is proper in this situation, because it is a client fault (e.g. a typo in the username) and can be repaired on the client side.
server.log
10:49:18,745 TRACE [org.wildfly.security] (management task-10) Handling MechanismInformationCallback
10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling AvailableRealmsCallback: realms = [ldap-realm]
10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling RealmCallback: selected = [ldap-realm]
10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling NameCallback: authenticationName = anil
10:49:18,746 TRACE [org.wildfly.security] (management task-10) Name assigning: [anil], pre-realm rewritten: [anil], realm name: [PLAIN], post realm rewritten: [anil], realm rewritten: [anil]
10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Non caching search for 'anil'
10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Performing single level search
10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Searching for user 'anil' using filter '(uid={0})'.
10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Connecting to LDAP with properties ({java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://localhost.localdomain:10389, java.naming.security.principal=uid=admin,ou=system, java.naming.security.credentials=***, java.naming.referral=ignore})
10:49:18,749 WARN [org.apache.directory.server.core.api.interceptor.context.FilteringOperationContext] (pool-7-thread-1) Requested attribute dn does not exist in the schema, it will be ignored
10:49:18,750 TRACE [org.jboss.as.domain.management.security] (management task-10) User 'anil' not found in directory.
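When triaging 500 responses from the management interface, it helps to separate the ones this report describes (an unknown user name) from genuine server failures. The following is an added example, not WildFly code and not part of the original report: it scans a server.log in the format shown above and lists the authentication attempts that ended in "not found in directory". The sample lines are constructed from that format, and the `task-11` entries and the function name are assumptions made for illustration.

```python
import re

# Constructed sample, following the format of the server.log excerpt above.
SAMPLE_LOG = """\
10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling NameCallback: authenticationName = anil
10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Searching for user 'anil' using filter '(uid={0})'.
10:49:18,749 WARN  [org.apache.directory.server.core.api.interceptor.context.FilteringOperationContext] (pool-7-thread-1) Requested attribute dn does not exist in the schema, it will be ignored
10:49:18,750 TRACE [org.jboss.as.domain.management.security] (management task-10) User 'anil' not found in directory.
10:49:19,101 TRACE [org.wildfly.security] (management task-11) Handling NameCallback: authenticationName = admin
10:49:19,102 TRACE [org.jboss.as.domain.management.security] (management task-11) Searching for user 'admin' using filter '(uid={0})'.
"""

# time, level, [category], (thread), message
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<category>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)
NAME_RE = re.compile(r"NameCallback: authenticationName = (?P<user>\S+)")
NOT_FOUND_RE = re.compile(r"User '(?P<user>[^']*)' not found in directory")


def unknown_user_attempts(log_text):
    """Return (time, thread, user) for each attempt whose LDAP search found no entry.

    The user name comes from the NameCallback seen on the same thread, so a
    'not found' line is only reported when it matches the name that was
    actually submitted for authentication on that thread.
    """
    submitted = {}  # thread -> most recent authenticationName
    hits = []
    for line in log_text.splitlines():
        parsed = LINE_RE.match(line)
        if not parsed:
            continue  # continuation lines such as stack traces
        thread, msg = parsed["thread"], parsed["msg"]
        name = NAME_RE.search(msg)
        if name:
            submitted[thread] = name["user"]
            continue
        missing = NOT_FOUND_RE.search(msg)
        if missing and submitted.get(thread) == missing["user"]:
            hits.append((parsed["time"], thread, missing["user"]))
            del submitted[thread]  # pool threads are reused by later requests
    return hits


if __name__ == "__main__":
    for when, thread, user in unknown_user_attempts(SAMPLE_LOG):
        print(f"{when} {thread}: unknown user {user!r}")
```

TRACE logging for `org.wildfly.security` and `org.jboss.as.domain.management.security` must be enabled for these lines to appear, as it was in the excerpt.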
- clones
- JBEAP-8106 500 return for nonexistent user in legacy ldap security realm
- Closed
- is duplicated by
- WFCORE-2257 Missing username in LDAP entry for legacy ldap realm returns 500 instead of 401
- Resolved