Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-22053

[GSS](7.4.z) WFNAM00007 exception when group name contains a colon

    XMLWordPrintable

Details

    • False
    • False
    • +
    • Undefined
    • Hide
      • Add an LDAP security domain to the configuration (similar to the one shown in the description).
      • Configure a simple application to use the LDAP domain (jboss-web.xml).
      • Configure a user in the ldap that is member of a group with a colon in the name (in my case cn=lala:lala,ou=groups,dc=sample,dc=com).
      • Try to login with that user and the exception is thrown.
      Show
      Add an LDAP security domain to the configuration (similar to the one shown in the description). Configure a simple application to use the LDAP domain (jboss-web.xml). Configure a user in the ldap that is member of a group with a colon in the name (in my case cn=lala:lala,ou=groups,dc=sample,dc=com ). Try to login with that user and the exception is thrown.

    Description

      With the following picketbox ldap configuration:

                      <security-domain name="LDAP" cache-type="default">
                    <authentication>
                        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                            <module-option name="allowEmptyPasswords" value="true"/>
                            <module-option name="baseCtxDN" value="cn=users,dc=sample,dc=com"/>
                            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                            <module-option name="bindCredential" value="XXXXX"/>
                            <module-option name="bindDN" value="cn=testuser,cn=users,dc=sample,dc=com"/>
                            <module-option name="java.naming.provider.url" value="ldap://ldap.sample.com:389"/>
                            <module-option name="java.naming.security.authentication" value="simple"/>
                            <module-option name="roleAttributeID" value="memberOf"/>
                            <module-option name="roleAttributeIsDN" value="true"/>
                            <module-option name="roleFilter" value="member={1}"/>
                            <module-option name="roleNameAttributeID" value="cn"/>
                            <module-option name="roleRecursion" value="-1"/>
                            <module-option name="rolesCtxDN" value="ou=groups,dc=sample,dc=com"/>
                            <module-option name="throwValidateError" value="true"/>
                            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                        </login-module>
                    </authentication>
                </security-domain>

      When a user is member of a group that contains a colon : and that group is retrieved the exception is thrown:

      2021-06-10 10:44:51,260 DEBUG [org.jboss.security] (default task-1) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070
: Password invalid/Password required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access(LoginContext.java:195)
        at javax.security.auth.login.LoginContext.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
        at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
        at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94)
        at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:167)
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:268)
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access(SecurityContextImpl.java:231)
        at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
        at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
        at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
        at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
        at io.undertow.servlet.handlers.ServletInitialHandler.access(ServletInitialHandler.java:78)
        at io.undertow.servlet.handlers.ServletInitialHandler.call(ServletInitialHandler.java:133)
        at io.undertow.servlet.handlers.ServletInitialHandler.call(ServletInitialHandler.java:130)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction.call(ServletRequestContextThreadSetupAction.java:48)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoServ
ice.java:1530)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoServ
ice.java:1530)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1530)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1530)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
        at io.undertow.servlet.handlers.ServletInitialHandler.access(ServletInitialHandler.java:78)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleRequest(ServletInitialHandler.java:99)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:370)
        at io.undertow.server.HttpServerExchange.run(HttpServerExchange.java:830)
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1348)
        at org.xnio.XnioWorker$WorkerThreadFactory.run(XnioWorker.java:1280)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.naming.InvalidNameException: WFNAM00007: Invalid URL scheme name "ldap"
        at org.wildfly.naming.client.WildFlyRootContext.getProviderContext(WildFlyRootContext.java:808)
        at org.wildfly.naming.client.WildFlyRootContext.getAttributes(WildFlyRootContext.java:432)
        at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
        at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
        at org.jboss.security.auth.spi.LdapExtLoginModule.rolesSearch(LdapExtLoginModule.java:673)
        at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:479)
        at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:343)
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283)
        ... 62 more

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-22054 [GSS] (7.3.z) WFNAM00007 exception when group name contains a colon

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-22084 [GSS](7.4.z) Upgrade PicketBox from 5.0.3.Final-redhat-00007 to 5.0.3.Final-redhat-00008

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rhn-support-rmartinc Ricardo Martin Camarero
              rhn-support-rmartinc Ricardo Martin Camarero
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: