  1. PicketBox
  2. SECURITY-797

Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: PicketBox_4_0_19.Final
    • Fix Version/s: None
    • Component/s: JBossSX
    • Labels:
      None
    • Steps to Reproduce:
      Configure jboss to use the DatabaseRolesMappingProvider:

      <security-domain name="jmx-console" cache-type="default">
        <authentication>
          <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="file:///${jboss.server.config.dir}/users.properties"/>
            <module-option name="rolesProperties" value="file:///${jboss.server.config.dir}/roles.properties"/>
          </login-module>
        </authentication>
        <mapping>
          <mapping-module name="DatabaseRolesMappingProvider-3" code="org.jboss.security.mapping.providers.role.DatabaseRolesMappingProvider" type="role">
            <module-option name="dsJndiName" value="java:jboss/datasources/MySqlDS"/>
            <module-option name="rolesQuery" value="select rolename as RoleName from test.roletable where username = ?"/>
          </mapping-module>
        </mapping>
      </security-domain>

      Attempt to login as a user where the query will result in an empty set.


      Description

      If the DatabaseRolesMappingProvider's rolesQuery returns an empty set, then the authentication attempts will fail. Seems like it should not cause the authentication attempt to fail, since this is about mapping/adding roles.

      It looks like the code detects that the result set is empty, but then it tries to get the role from the empty set. This causes an exception which in turn causes the authentication attempt to fail.
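
      The failure mode described above, as an added example that is not PicketBox's own code: a role-mapping routine that notices the empty result but still reads a column, next to a form that treats zero rows as "no roles to add". The names mapRolesBuggy, mapRolesFixed and emptyResultSet are hypothetical, and the proxy is a constructed stand-in for a driver's empty ResultSet.

```java
import java.lang.reflect.Proxy;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.LinkedHashSet;
import java.util.Set;

public class EmptyRolesQueryDemo {
    // Constructed stand-in for a JDBC ResultSet with zero rows: next() is
    // false and any column read throws, as drivers do with no current row.
    static ResultSet emptyResultSet() {
        return (ResultSet) Proxy.newProxyInstance(
            ResultSet.class.getClassLoader(), new Class<?>[] { ResultSet.class },
            (proxy, method, args) -> {
                if (method.getName().equals("next")) return false;
                throw new SQLException("no current row");
            });
    }

    // Defect pattern from the description: the empty case is noticed, but
    // the column is still read, so the SQLException reaches the caller.
    static Set<String> mapRolesBuggy(ResultSet rs) throws SQLException {
        Set<String> roles = new LinkedHashSet<>();
        if (!rs.next()) {
            System.out.println("rolesQuery returned no rows");
        }
        do {
            roles.add(rs.getString(1));
        } while (rs.next());
        return roles;
    }

    // Tolerant form: zero rows means "no roles to add", not a failure.
    static Set<String> mapRolesFixed(ResultSet rs) throws SQLException {
        Set<String> roles = new LinkedHashSet<>();
        while (rs.next()) {
            roles.add(rs.getString(1));
        }
        return roles;
    }

    public static void main(String[] args) throws SQLException {
        try {
            mapRolesBuggy(emptyResultSet());
        } catch (SQLException e) {
            System.out.println("buggy: " + e.getMessage() + " -> login would fail");
        }
        System.out.println("fixed: roles added = " + mapRolesFixed(emptyResultSet()));
    }
}
```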

              People

              • Assignee:
                sguilhen Stefan Guilhen
                Reporter:
                dehort Derek Horton
