  1. PicketBox
  2. SECURITY-797

Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • None
    • PicketBox_4_0_19.Final
    • JBossSX
    • None

      Configure JBoss to use the DatabaseRolesMappingProvider:

      <security-domain name="jmx-console" cache-type="default">
        <authentication>
          <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="file:///${jboss.server.config.dir}/users.properties"/>
            <module-option name="rolesProperties" value="file:///${jboss.server.config.dir}/roles.properties"/>
          </login-module>
        </authentication>
        <mapping>
          <mapping-module name="DatabaseRolesMappingProvider-3" code="org.jboss.security.mapping.providers.role.DatabaseRolesMappingProvider" type="role">
            <module-option name="dsJndiName" value="java:jboss/datasources/MySqlDS"/>
            <module-option name="rolesQuery" value="select rolename as RoleName from test.roletable where username = ?"/>
          </mapping-module>
        </mapping>
      </security-domain>

      Attempt to log in as a user where the query will result in an empty set.


      If the DatabaseRolesMappingProvider's rolesQuery returns an empty set, then the authentication attempts will fail. Seems like it should not cause the authentication attempt to fail, since this is about mapping/adding roles.

      It looks like the code detects that the result set is empty, but then it tries to get the role from the empty set. This causes an exception which in turn causes the authentication attempt to fail.

            sguilhen Stefan Guilhen
            rhn-support-dehort Derek Horton
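
      The failure mode described in the report, reduced to a runnable illustration. This is an added example, not PicketBox source: the flawed loop is reconstructed from the description only, and `EmptyRolesQueryDemo`, `rolesFlawed`, `rolesFixed` and the proxy-based `fakeResultSet` are hypothetical names.

```java
import java.lang.reflect.Proxy;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.*;
public class EmptyRolesQueryDemo {
    // Pattern described in the report (constructed, not PicketBox source): the
    // empty result is noticed, but a column is still read with no current row.
    static List<String> rolesFlawed(ResultSet rs) throws SQLException {
        List<String> roles = new ArrayList<>();
        if (!rs.next()) {
            System.out.println("no roles found"); // detected, but execution continues
        }
        do {
            roles.add(rs.getString(1)); // JDBC throws here when the set is empty
        } while (rs.next());
        return roles;
    }

    // Tolerant form: an empty result maps zero extra roles and never throws.
    static List<String> rolesFixed(ResultSet rs) throws SQLException {
        List<String> roles = new ArrayList<>();
        while (rs.next()) {
            roles.add(rs.getString(1));
        }
        return roles;
    }
    // Constructed stand-in for a one-column JDBC ResultSet, so no database is needed.
    static ResultSet fakeResultSet(List<String> rows) {
        Iterator<String> it = rows.iterator();
        String[] current = new String[1];
        return (ResultSet) Proxy.newProxyInstance(
            EmptyRolesQueryDemo.class.getClassLoader(), new Class<?>[] {ResultSet.class},
            (proxy, method, args) -> {
                switch (method.getName()) {
                    case "next": current[0] = it.hasNext() ? it.next() : null; return current[0] != null;
                    case "getString": if (current[0] == null) throw new SQLException("no current row");
                                      return current[0];
                    default: throw new UnsupportedOperationException(method.getName());
                }
            });
    }
    public static void main(String[] args) throws SQLException {
        System.out.println("fixed, no rows:  " + rolesFixed(fakeResultSet(List.of())));
        System.out.println("fixed, one row:  " + rolesFixed(fakeResultSet(List.of("admin"))));
        try {
            rolesFlawed(fakeResultSet(List.of()));
        } catch (SQLException e) {
            System.out.println("flawed, no rows: SQLException: " + e.getMessage());
        }
    }
}
```

      In a mapping provider that runs as part of login, the uncaught exception from the flawed form is what turns "no extra roles" into a failed authentication.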