[JBoss JIRA] (SECURITY-946) AdvancedLdapLoginModule with rolesCtxDN="" can lead to authentication failure
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/SECURITY-946?page=com.atlassian.jira.plug... ]
Darran Lofthouse resolved SECURITY-946.
---------------------------------------
Resolution: Done
> AdvancedLdapLoginModule with rolesCtxDN="" can lead to authentication failure
> -----------------------------------------------------------------------------
>
> Key: SECURITY-946
> URL: https://issues.jboss.org/browse/SECURITY-946
> Project: PicketBox
> Issue Type: Bug
> Components: Negotiation
> Affects Versions: Negotiation_3_0_2_Final
> Reporter: Ondrej Lukas
> Assignee: Tomas Hofman
> Fix For: Negotiation_3_0_3_CR1
>
>
> In the case when AdvancedLdapLoginModule is correctly configured for authentication and its attribute rolesCtxDN="", authentication can fail. This happens when any role is found in LDAP by the role search. It is caused by the {{canonicalize}} method, which returns a string ending with a comma for an empty rolesCtxDN, which is an invalid name for searching LDAP.
> In correct behavior, authentication should pass and the roles found should be assigned to the user.
> In the case when no role is found, authentication succeeds, which is correct behavior.
> Thrown exception:
> {code}
> javax.naming.InvalidNameException: cn=Echo,ou=Roles2,o=AdvancedLdapLMEmptyRolesCtxDnOptionTestCasee7b6b29d,o=primary,dc=jboss,dc=org,: [LDAP: error code 34 - Invalid root Dn given : cn=Echo,ou=Roles2,o=AdvancedLdapLMEmptyRolesCtxDnOptionTestCasee7b6b29d,o=primary,dc=jboss,dc=org, (0x63 0x6E 0x3D 0x45 0x63 0x68 0x6F 0x2C 0x6F 0x75 0x3D 0x52 0x6F 0x6C 0x65 0x73 0x32 0x2C 0x6F 0x3D 0x41 0x64 0x76 0x61 0x6E 0x63 0x65 0x64 0x4C 0x64 0x61 0x70 0x4C 0x4D 0x45 0x6D 0x70 0x74 0x79 0x52 0x6F 0x6C 0x65 0x73 0x43 0x74 0x78 0x44 0x6E 0x4F 0x70 0x74 0x69 0x6F 0x6E 0x54 0x65 0x73 0x74 0x43 0x61 0x73 0x65 0x65 0x37 0x62 0x36 0x62 0x32 0x39 0x64 0x2C 0x6F 0x3D 0x70 0x72 0x69 0x6D 0x61 0x72 0x79 0x2C 0x64 0x63 0x3D 0x6A 0x62 0x6F 0x73 0x73 0x2C 0x64 0x63 0x3D 0x6F 0x72 0x67 0x2C ) is invalid]; remaining name 'cn=Echo,ou=Roles2,o=AdvancedLdapLMEmptyRolesCtxDnOptionTestCasee7b6b29d,o=primary,dc=jboss,dc=org,'
> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3074)
> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
> com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1329)
> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235)
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141)
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129)
> javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
> javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
> org.jboss.security.negotiation.AdvancedLdapLoginModule.obtainRole(AdvancedLdapLoginModule.java:801)
> org.jboss.security.negotiation.AdvancedLdapLoginModule.rolesSearch(AdvancedLdapLoginModule.java:737)
> org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:403)
> org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:967)
> org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:326)
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ...
> {code}
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
9 years, 4 months
[JBoss JIRA] (SECURITY-944) AdvancedLdapLoginModule with rolesCtxDN=null leads to authentication failure
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/SECURITY-944?page=com.atlassian.jira.plug... ]
Darran Lofthouse resolved SECURITY-944.
---------------------------------------
Resolution: Done
> AdvancedLdapLoginModule with rolesCtxDN=null leads to authentication failure
> ----------------------------------------------------------------------------
>
> Key: SECURITY-944
> URL: https://issues.jboss.org/browse/SECURITY-944
> Project: PicketBox
> Issue Type: Bug
> Components: Negotiation
> Affects Versions: Negotiation_3_0_2_Final
> Reporter: Ondrej Lukas
> Assignee: Tomas Hofman
> Fix For: Negotiation_3_0_3_CR1
>
>
> In the case when AdvancedLdapLoginModule is correctly configured for authentication but its attribute rolesCtxDN is not set (i.e. is null), authentication with a correct username and password fails. It is caused by an internal NPE when searching roles.
> Expected behavior is that the user should be authenticated but no roles should be assigned to them.
> Internal NPE:
> {code}
> java.lang.NullPointerException:
> at org.jboss.as.naming.InitialContext.getURLScheme(InitialContext.java:160)
> at org.jboss.as.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:128)
> at javax.naming.directory.InitialDirContext.getURLOrDefaultInitDirCtx(InitialDirContext.java:106)
> at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
> at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
> at org.jboss.security.negotiation.AdvancedLdapLoginModule.rolesSearch(AdvancedLdapLoginModule.java:720)
> at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:403)
> at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:967)
> at org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:326)
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ...
> {code}
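The two reports above (SECURITY-946, empty rolesCtxDN; SECURITY-944, null rolesCtxDN) both come down to how a role entry's relative DN is joined with the configured context. The following is an added illustration written for this digest, not PicketBox's own {{canonicalize}} code; the class and method names are hypothetical, and the buggy form models only the trailing-comma behaviour the report describes.

```java
import java.util.Optional;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

// Hypothetical model of joining a role RDN with rolesCtxDN; not the
// PicketBox implementation.
public final class RoleDnJoin {

    // Buggy shape described in SECURITY-946: the separator is appended
    // unconditionally, so an empty rolesCtxDN yields a DN ending in a comma.
    static String joinBuggy(String roleRdn, String rolesCtxDN) {
        return roleRdn + "," + rolesCtxDN;
    }

    // Hardened shape covering both reports: a null rolesCtxDN (SECURITY-944)
    // means no role search is configured and yields no DN at all; an empty
    // rolesCtxDN means the role RDN already is the full DN; the result is
    // parsed as an LdapName so a malformed DN fails here rather than inside
    // the directory call.
    static Optional<String> joinFixed(String roleRdn, String rolesCtxDN)
            throws InvalidNameException {
        if (rolesCtxDN == null) {
            return Optional.empty();
        }
        String dn = rolesCtxDN.trim().isEmpty()
                ? roleRdn
                : roleRdn + "," + rolesCtxDN;
        new LdapName(dn); // throws InvalidNameException on a trailing comma
        return Optional.of(dn);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample values, not taken from the reported deployment.
        String roleRdn = "cn=Echo,ou=Roles2";

        String buggy = joinBuggy(roleRdn, "");
        System.out.println("buggy: " + buggy);
        try {
            new LdapName(buggy);
        } catch (InvalidNameException e) {
            System.out.println("rejected by LdapName: " + e.getMessage());
        }

        System.out.println("fixed, empty ctx: " + joinFixed(roleRdn, ""));
        System.out.println("fixed, null ctx:  " + joinFixed(roleRdn, null));
        System.out.println("fixed, ctx set:   "
                + joinFixed(roleRdn, "o=primary,dc=jboss,dc=org"));
    }
}
```

Validating the assembled DN with LdapName before the search turns the "error code 34" round trip to the server into a local failure with a clear message, and the Optional.empty() branch is what lets a user authenticate with no roles when no role context is configured.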
[JBoss JIRA] (SECURITY-946) AdvancedLdapLoginModule with rolesCtxDN="" can lead to authentication failure
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/SECURITY-946?page=com.atlassian.jira.plug... ]
Darran Lofthouse updated SECURITY-946:
--------------------------------------
Fix Version/s: Negotiation_3_0_3_CR1
[JBoss JIRA] (ELY-615) Improvement for usage of file.mkdirs() in FileSystemSecurityRealm.Identity
by Tomaz Cerar (JIRA)
[ https://issues.jboss.org/browse/ELY-615?page=com.atlassian.jira.plugin.sy... ]
Tomaz Cerar commented on ELY-615:
---------------------------------
Better than using file.mkdirs() would be to use Files#createDirectories as it properly throws exceptions
> Improvement for usage of file.mkdirs() in FileSystemSecurityRealm.Identity
> --------------------------------------------------------------------------
>
> Key: ELY-615
> URL: https://issues.jboss.org/browse/ELY-615
> Project: WildFly Elytron
> Issue Type: Bug
> Affects Versions: 1.1.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Minor
> Labels: static_analysis
> Fix For: 1.1.0.Beta8
>
>
> There is a method {{tempPath()}} in org.wildfly.security.auth.realm.FileSystemSecurityRealm.Identity which uses {{file.mkdirs()}} without checking its return value. It is bad practice to ignore the return value of this method (since false means that the directory has not been created, which can result in unexpected and confusing failures later).
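An added illustration of the failure mode discussed in ELY-615 and the Files#createDirectories alternative from the comment above; this is not the Elytron tempPath() code, and the class and method names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical stand-in for a tempPath()-style helper; not Elytron's code.
public final class TempPathDemo {

    // Unchecked form: mkdirs() returns false when it cannot create the
    // directory, and the caller carries on with a path whose parent is
    // not a directory; the failure surfaces later, somewhere else.
    static Path tempPathUnchecked(Path base, String name) {
        File dir = base.toFile();
        dir.mkdirs(); // return value ignored
        return base.resolve(name + ".tmp");
    }

    // Checked form: Files.createDirectories throws IOException, including
    // FileAlreadyExistsException when a regular file sits at base.
    static Path tempPathChecked(Path base, String name) throws IOException {
        Files.createDirectories(base);
        return base.resolve(name + ".tmp");
    }

    public static void main(String[] args) throws IOException {
        // Constructed scenario: a regular file occupies the directory path.
        Path root = Files.createTempDirectory("ely615");
        Path blocker = root.resolve("identities");
        Files.write(blocker, "not a directory".getBytes("UTF-8"));

        Path p = tempPathUnchecked(blocker, "alice");
        System.out.println("unchecked returned " + p
                + ", parent is directory: " + Files.isDirectory(blocker));

        try {
            tempPathChecked(blocker, "alice");
        } catch (FileAlreadyExistsException e) {
            System.out.println("checked refused: " + e.getFile());
        }
    }
}
```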
[JBoss JIRA] (WFLY-6728) JDBC persistence-store for Artemis
by Daniel Fröhlich (JIRA)
[ https://issues.jboss.org/browse/WFLY-6728?page=com.atlassian.jira.plugin.... ]
Daniel Fröhlich commented on WFLY-6728:
---------------------------------------
No, it is not the same thing as with EAP6. With EAP6, they use AMQ6 embedded, not via RA. So the AMQ broker is running inside the same JVM as EAP does. They do so because they want a very high likelihood that the PUT of a message succeeds. And if sender and broker are within the same JVM, that is the case. In the RAR approach with an externally running broker (maybe on the same host, but a different JVM process), there is a chance that the broker might be offline (not yet started, killed by the kernel OOM killer, whatever). That approach follows good HA principles to reduce the number of components in your design. So again, a perfectly good architectural decision.
And again that makes it important that we support JDBC persistence not only in AMQ via RAR, but also embedded in EAP.
They have a standing rule in place to never ever go into production with "x.0.0" numbers ;-)
They will start the migration from EAP5/7 to EAP7 next year with go live target in 2018. So there should be enough time for us to implement and stabilize the functionality.
> JDBC persistence-store for Artemis
> ----------------------------------
>
> Key: WFLY-6728
> URL: https://issues.jboss.org/browse/WFLY-6728
> Project: WildFly
> Issue Type: Enhancement
> Components: JMS
> Affects Versions: 10.0.0.Final
> Reporter: Jochen Cordes
> Assignee: Jeff Mesnil
>
> Apache ActiveMQ had the capability to store messages into a database via JDBC. In Apache ActiveMQ Artemis this is gone.
> For a consistent backup, the data of the various (co-located) systems participating in transactions should reside in the same datastore, as otherwise this needs to be achieved through application software design (i.e. idempotent consumers etc.).
> As a JDBC persistence store is about to be introduced in Apache ActiveMQ Artemis, we should also offer this capability on WildFly / EAP.
[JBoss JIRA] (ELY-615) Improvement for usage of file.mkdirs() in FileSystemSecurityRealm.Identity
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/ELY-615?page=com.atlassian.jira.plugin.sy... ]
Ondrej Lukas updated ELY-615:
-----------------------------
Fix Version/s: 1.1.0.Beta8
[JBoss JIRA] (ELY-613) Some nested classes should be considered to be static nested in Elytron
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/ELY-613?page=com.atlassian.jira.plugin.sy... ]
Ondrej Lukas updated ELY-613:
-----------------------------
Fix Version/s: 1.1.0.Beta8
> Some nested classes should be considered to be static nested in Elytron
> -----------------------------------------------------------------------
>
> Key: ELY-613
> URL: https://issues.jboss.org/browse/ELY-613
> Project: WildFly Elytron
> Issue Type: Bug
> Affects Versions: 1.1.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: static_analysis
> Fix For: 1.1.0.Beta8
>
>
> There are some inner classes in Elytron which should be considered to be static nested classes, to avoid a dependency on their outer class. The following nested classes should be considered:
> * LoadedIdentity and Identity from org.wildfly.security.auth.realm.FileSystemSecurityRealm
> * DecoderState from org.wildfly.security.asn1.DERDecoder
> * AccountEntry from org.wildfly.security.auth.realm.LegacyPropertiesSecurityRealm
> * JaasAuthorizationIdentity and DefaultCallbackHandler from org.wildfly.security.auth.realm.JaasSecurityRealm
> * LoadKey from org.wildfly.security.keystore.AtomicLoadKeyStore