WildFly Elytron / ELY-1192

HTTP status 500 when no principal is returned by aggregate-principal-transformer


Details

    • Bug
    • Resolution: Obsolete
    • Major
    • 1.1.0.Beta42

    Steps to Reproduce

      In the security-domain used for application authentication, use the decision tree mentioned in [1] as its pre-realm-principal-transformer, but remove the line

      <principal-transformer name="genericEmail" />
      

      from the aggregate-principal-transformer. Then try to authenticate with a username that has no email address: it will throw HTTP status 500 and you have no way to repeat the authentication process and use a user with an email address.

      [1] https://issues.jboss.org/browse/JBEAP-9628?focusedCommentId=13399462&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13399462


    Description

      If the security domain used by a deployed application uses an aggregate-principal-transformer which includes several principal-transformers and none of them returns a non-null principal, then HTTP status 500 with 'ELY01003: No authentication is in progress' is returned by the application. This means authentication cannot be repeated (e.g. when the user makes a typo in the username). It should rather throw HTTP status 401 to allow repeating the authentication process.

      This situation can happen if the aggregate-principal-transformer is used as a decision tree (see [1] for details) and uses only transformers which can return a null principal (e.g. only chained-principal-transformers).

      This happens when the aggregate-principal-transformer is used in the pre-realm-principal-transformer of a security domain. It does not happen when the aggregate-principal-transformer is used in the principal-transformer of a realm in the security domain.

      [1] https://issues.jboss.org/browse/JBEAP-9628?focusedCommentId=13399462&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13399462
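The following is an added example, not code from WildFly Elytron or from this issue. It is a minimal stand-alone Java model of the two transformer semantics the description relies on: a chain stops and yields null as soon as one step yields null, and an aggregate returns the first non-null result of its branches, or null when every branch yields null. The decision tree, the regex patterns and the usernames are constructed for illustration; the hypothetical `statusForPreRealmResult` helper shows the mapping the report asks for (a null pre-realm principal should surface as 401 rather than 500).

```java
import java.util.regex.Pattern;

// Added example (not Elytron code): a model of chained and aggregate principal
// transformers, showing how an aggregate built only from chains yields null for a
// username that matches no branch, and how that outcome should map to 401.
public class AggregateTransformerModel {

    /** Hypothetical stand-in for a principal transformer: name in, name (or null) out. */
    @FunctionalInterface
    interface PrincipalTransformer {
        String apply(String name);
    }

    /** Chain semantics: run steps in order; a null from any step makes the chain yield null. */
    static PrincipalTransformer chain(PrincipalTransformer... steps) {
        return name -> {
            String current = name;
            for (PrincipalTransformer step : steps) {
                if (current == null) {
                    return null;
                }
                current = step.apply(current);
            }
            return current;
        };
    }

    /** Aggregate semantics: first non-null branch result wins; null if no branch produces one. */
    static PrincipalTransformer aggregate(PrincipalTransformer... branches) {
        return name -> {
            for (PrincipalTransformer branch : branches) {
                String result = branch.apply(name);
                if (result != null) {
                    return result;
                }
            }
            return null;
        };
    }

    /** Validating step: passes the name through unchanged if it matches the regex, else null. */
    static PrincipalTransformer matches(String regex) {
        Pattern pattern = Pattern.compile(regex);
        return name -> pattern.matcher(name).matches() ? name : null;
    }

    /** Rewriting step: regex replacement on the name (never yields null on its own). */
    static PrincipalTransformer rewrite(String regex, String replacement) {
        Pattern pattern = Pattern.compile(regex);
        return name -> pattern.matcher(name).replaceAll(replacement);
    }

    /** Status a caller should produce for the pre-realm result: null principal means "retry", i.e. 401. */
    static int statusForPreRealmResult(String transformed) {
        return transformed == null ? 401 : 200;
    }

    public static void main(String[] args) {
        // Constructed decision tree: two domain-specific chains plus a generic catch-all.
        PrincipalTransformer corpBranch =
                chain(matches(".+@corp\\.example"), rewrite("@corp\\.example$", ""));
        PrincipalTransformer partnerBranch =
                chain(matches(".+@partner\\.example"), rewrite("@partner\\.example$", "-ext"));
        PrincipalTransformer genericEmail = rewrite("@.*$", ""); // plays the role of the removed catch-all

        PrincipalTransformer withCatchAll = aggregate(corpBranch, partnerBranch, genericEmail);
        PrincipalTransformer withoutCatchAll = aggregate(corpBranch, partnerBranch);

        // "carol" has no email: with the catch-all it still maps to "carol"; without it every
        // chain yields null, so the aggregate yields null and the result should be 401.
        for (String user : new String[] {"alice@corp.example", "bob@partner.example", "carol"}) {
            String a = withCatchAll.apply(user);
            String b = withoutCatchAll.apply(user);
            System.out.printf("%-22s with catch-all -> %-8s without -> %-8s status %d%n",
                    user, a, b, statusForPreRealmResult(b));
        }
    }
}
```

Run it with `java AggregateTransformerModel.java` (Java 11 or later). The `carol` row is the case from this report: removing the catch-all branch leaves the aggregate with only chains that can yield null, and the null result is what the server must treat as a failed authentication attempt rather than an internal error.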

      People

        Assignee: Unassigned
        Reporter: Ondrej Lukas (olukas, Inactive)