  1. PicketBox
  2. SECURITY-797

Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set

Details

    • Bug
    • Resolution: Done
    • Major
    • None
    • PicketBox_4_0_19.Final
    • JBossSX
    • None

      Configure jboss to use the DatabaseRolesMappingProvider:

      <security-domain name="jmx-console" cache-type="default">
        <authentication>
          <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="file:///${jboss.server.config.dir}/users.properties"/>
            <module-option name="rolesProperties" value="file:///${jboss.server.config.dir}/roles.properties"/>
          </login-module>
        </authentication>
        <mapping>
          <mapping-module name="DatabaseRolesMappingProvider-3" code="org.jboss.security.mapping.providers.role.DatabaseRolesMappingProvider" type="role">
            <module-option name="dsJndiName" value="java:jboss/datasources/MySqlDS"/>
            <module-option name="rolesQuery" value="select rolename as RoleName from test.roletable where username = ?"/>
          </mapping-module>
        </mapping>
      </security-domain>

      Attempt to log in as a user where the query will result in an empty set.


    Description

      If the DatabaseRolesMappingProvider's rolesQuery returns an empty set, then the authentication attempts will fail. Seems like it should not cause the authentication attempt to fail, since this is about mapping/adding roles.

      It looks like the code detects that the result set is empty, but then it tries to get the role from the empty set. This causes an exception which in turn causes the authentication attempt to fail.
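
The failure mode described above, as an added example that is not part of the original report and is not PicketBox source code: a JDBC read loop that notices the empty result but still reads from it, next to a form that treats an empty result as "no additional roles". The class name, method names, the proxy-based `ResultSet` stand-in and the role names are all constructed for illustration.

```java
import java.lang.reflect.Proxy;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.*;

public class EmptyRoleSetDemo {
    // Constructed stand-in for a one-column JDBC ResultSet (no database needed).
    static ResultSet rows(String... names) {
        Iterator<String> it = Arrays.asList(names).iterator();
        String[] cur = new String[1];
        return (ResultSet) Proxy.newProxyInstance(
            EmptyRoleSetDemo.class.getClassLoader(), new Class<?>[] { ResultSet.class },
            (proxy, m, args) -> {
                switch (m.getName()) {
                    case "next":
                        cur[0] = it.hasNext() ? it.next() : null;
                        return cur[0] != null;
                    case "getString":
                        if (cur[0] == null) throw new SQLException("cursor is not on a row");
                        return cur[0];
                    default:
                        throw new UnsupportedOperationException(m.getName());
                }
            });
    }

    // Hypothetical flawed pattern: the empty case is detected, then read anyway.
    static Set<String> rolesFlawed(ResultSet rs) throws SQLException {
        Set<String> roles = new LinkedHashSet<>();
        if (!rs.next()) System.out.println("no roles found"); // execution continues
        do { roles.add(rs.getString(1)); } while (rs.next()); // throws on an empty set
        return roles;
    }

    // Corrected pattern: zero rows yields an empty role set, not an exception.
    static Set<String> rolesFixed(ResultSet rs) throws SQLException {
        Set<String> roles = new LinkedHashSet<>();
        while (rs.next()) roles.add(rs.getString(1));
        return roles;
    }

    public static void main(String[] args) throws SQLException {
        System.out.println(rolesFixed(rows("admin", "ops")));
        System.out.println(rolesFixed(rows()));
        try { rolesFlawed(rows()); }
        catch (SQLException e) { System.out.println("flawed: " + e.getMessage()); }
    }
}
```

The corrected loop still lets genuine `SQLException`s from the driver propagate, so a broken datasource is not silently treated as "user has no mapped roles".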

          People

            sguilhen Stefan Guilhen
            rhn-support-dehort Derek Horton