WildFly Core / WFCORE-2258

500 return for nonexistent user in legacy ldap security realm

Details

      1) Start server

      ./standalone.sh
      

      2) Configure server with CLI

      /core-service=management/ldap-connection=ldapConnection:add(url="ldap://localhost:10389", search-credential="secret", search-dn="uid=admin,ou=system")
      /core-service=management/security-realm=ldap-realm:add()
      /core-service=management/security-realm=ldap-realm/authentication=ldap:add(connection=ldapConnection, base-dn="ou=People,dc=jboss,dc=org", username-attribute=uid)
      /core-service=management/management-interface=http-interface:write-attribute(name=security-realm, value=ldap-realm)
      reload
      

      3) Access http://localhost:9990/management?operation=attribute&name=server-state in a browser and provide a nonexistent user
      4) Instead of a 401, status code 500 is returned


    Description

      In case of securing the management interface with LDAP in a security realm, when a nonexistent user is provided, WildFly answers with HTTP status code 500. This is different behaviour compared to WildFly 10.1, which returns 401. I think HTTP status code 401 is proper in this situation, because it is a client fault (e.g. a typo in the username) and can be repaired on the client side.

      server.log
      10:49:18,745 TRACE [org.wildfly.security] (management task-10) Handling MechanismInformationCallback
      10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling AvailableRealmsCallback: realms = [ldap-realm]
      10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling RealmCallback: selected = [ldap-realm]
      10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling NameCallback: authenticationName = anil
      10:49:18,746 TRACE [org.wildfly.security] (management task-10) Name assigning: [anil], pre-realm rewritten: [anil], realm name: [PLAIN], post realm rewritten: [anil], realm rewritten: [anil]
      10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Non caching search for 'anil'
      10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Performing single level search
      10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Searching for user 'anil' using filter '(uid={0})'.
      10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Connecting to LDAP with properties ({java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://localhost.localdomain:10389, java.naming.security.principal=uid=admin,ou=system, java.naming.security.credentials=***, java.naming.referral=ignore})
      10:49:18,749 WARN  [org.apache.directory.server.core.api.interceptor.context.FilteringOperationContext] (pool-7-thread-1) Requested attribute dn does not exist in the schema, it will be ignored
      10:49:18,750 TRACE [org.jboss.as.domain.management.security] (management task-10) User 'anil' not found in directory.
      
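      The following probe is an added example, not part of this report or of WildFly Core. It replaces the browser in step 3 with curl, reads back only the HTTP status code, and classifies it (401 is the client-side rejection the reporter expects; any 5xx is the failure described above). It also probes a known user with a wrong password next to a nonexistent user: if the two answers differ, the status code alone tells a remote client which names exist in the directory, which is a second reason to want a uniform 401. Assumptions: the server runs on localhost:9990 as configured above, the legacy realm challenges with HTTP Basic, curl is installed, and the user names used are made up.

```shell
#!/bin/sh
# Added example for WFCORE-2258 (not from the report or the project):
# probe the management endpoint from the report and classify the answer.
# Assumed: server on localhost:9990, HTTP Basic challenge, curl available.
MGMT_URL="${MGMT_URL:-http://localhost:9990/management?operation=attribute&name=server-state}"

# classify_status STATUS
# Prints what a status means for a failed login on this endpoint:
#   401       -> client-error  (credentials rejected; client can fix it)
#   5xx       -> server-error  (the behaviour reported in this issue)
#   otherwise -> unexpected    (e.g. 000 when curl could not connect)
classify_status() {
  case "$1" in
    401) echo "client-error" ;;
    5[0-9][0-9]) echo "server-error" ;;
    *) echo "unexpected" ;;
  esac
}

# compare_statuses STATUS_KNOWN STATUS_UNKNOWN
# "uniform" when an existing user with a wrong password and a nonexistent
# user get the same code; "oracle" when the code reveals which one exists.
compare_statuses() {
  if [ "$1" = "$2" ]; then echo "uniform"; else echo "oracle"; fi
}

# probe_user USER PASSWORD
# One Basic-auth request; prints only the HTTP status code.
probe_user() {
  curl -s -o /dev/null -w '%{http_code}' -u "$1:$2" "$MGMT_URL"
}

# check_unknown_user USER
# Succeeds (exit 0) only when the server answers 401 for an unknown user.
check_unknown_user() {
  status=$(probe_user "$1" "irrelevant")
  verdict=$(classify_status "$status")
  echo "user=$1 status=$status verdict=$verdict"
  [ "$verdict" = "client-error" ]
}

# compare_users KNOWN_USER UNKNOWN_USER
# Both get a wrong password; reports whether the codes leak existence.
compare_users() {
  known=$(probe_user "$1" "wrong-password")
  unknown=$(probe_user "$2" "wrong-password")
  echo "known=$1:$known unknown=$2:$unknown $(compare_statuses "$known" "$unknown")"
}

# Only contact a live server when asked, so the functions above can be
# sourced and unit-tested without a running WildFly. User names are made up.
if [ "${RUN_PROBE:-0}" = 1 ]; then
  check_unknown_user "nosuchuser"
  compare_users "anil" "nosuchuser"
fi
```

      Run it with `RUN_PROBE=1 sh probe.sh` against the reloaded server; on the build described in the report the first line should print verdict=server-error and the second should print oracle, while a fixed server prints client-error and uniform.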

        People

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma