[jboss-jira] [JBoss JIRA] (AS7-3077) security subsystem fails to add JASPI authentication configuration

security subsystem fails to add JASPI authentication configuration ------------------------------------------------------------------ Key: AS7-3077 URL: https://issues.jboss.org/browse/AS7-3077 Project: Application Server 7 Issue Type: Bug Components: Security Affects Versions: 7.1.0.Beta1b Reporter: Ben Schofield Assignee: Stefan Guilhen Labels: JASPI, security Fix For: 7.1.0.Final The security subsystem is either not parsing the JASPI config or interpreting the resulting add operation correctly. The login-module-stack tag requires a name attribute. The parsed ModelNode does not reflect the attribute name of 'name' only the value. When org.jboss.as.security.SecurityDomainAdd.processJASPIAuth(...) is executed an exception is thrown when validating that 'name' exists. (stack.require(NAME).asString();) Below is an example config recreating the problem, the ModelNodes created from the config and the resulting exception. Attempts to add a child 'name' element to the configuration as a work around caused failures during parsing of the security subsystem. h3.Example JASPI configuration consistent with jboss-as-security_1_1.xsd <security-domain name="tutor-ldap"> <authentication-jaspi> <login-module-stack name="ldap-stack" > <login-module code="LdapExtended" flag="required"> <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/> <module-option name="bindDN" value="uid=admin,ou=system"/> <module-option name="bindCredential" value="secret"/> <module-option name="baseCtxDN" value="ou=users,ou=system"/> <module-option name="baseFilter" value="(sn={0})"/> <module-option name="rolesCtxDN" value="ou=groups,ou=system"/> <module-option name="roleFilter" value="(member={1})"/> <module-option name="roleAttributeID" value="cn"/> <module-option name="roleAttributeIsDN" value="false"/> <module-option name="java.naming.referral" value="follow"/> <module-option name="roleRecursion" value="-1"/> <module-option name="searchScope" value="SUBTREE_SCOPE"/> <module-option name="java.naming.security.authentication" value="simple"/> <module-option name="allowEmptyPasswords" value="false"/> </login-module> </login-module-stack> <auth-module code="org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule" login-module-stack-ref="ldap-stack"> </auth-module> </authentication-jaspi> </security-domain> h3.Operations created during parsing of authentication-jaspi config { "operation" => "add", "address" => [ ("subsystem" => "security"), ("security-domain" => "tutor-ldap") ] }, { "operation" => "add", "address" => [ ("subsystem" => "security"), ("security-domain" => "tutor-ldap"), ("authentication" => "jaspi") ], "auth-modules" => [{ "code" => "org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule", "login-module-stack-ref" => "ldap-stack", "module-options" => undefined }] }, { "operation" => "add", "address" => [ ("subsystem" => "security"), ("security-domain" => "tutor-ldap"), ("authentication" => "jaspi"), ("login-module-stack" => "ldap-stack") ], "login-modules" => [{ "code" => "LdapExtended", "flag" => "required", "module-options" => [ ("java.naming.provider.url" => "ldap://localhost:10389"), ("bindDN" => "uid=admin,ou=system"), ("bindCredential" => "secret"), ("baseCtxDN" => "ou=users,ou=system"), ("baseFilter" => "(sn={0})"), ("rolesCtxDN" => "ou=groups,ou=system"), ("roleFilter" => "(member={1})"), ("roleAttributeID" => "cn"), ("roleAttributeIsDN" => "false"), ("java.naming.referral" => "follow"), ("roleRecursion" => "-1"), ("searchScope" => "SUBTREE_SCOPE"), ("java.naming.security.authentication" => "simple"), ("allowEmptyPasswords" => "false") ] } h3.ModelNode during execution of add operation "cache-type" => undefined, "authentication" => {"jaspi" => { "auth-modules" => [{ "code" => "org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule", "login-module-stack-ref" => "ldap-stack", "module-options" => undefined }], "login-module-stack" => {"ldap-stack" => {"login-modules" => [{ "code" => "LdapExtended", "flag" => "required", "module-options" => [ ("java.naming.provider.url" => "ldap://localhost:10389"), ("bindDN" => "uid=admin,ou=system"), ("bindCredential" => "secret"), ("baseCtxDN" => "ou=users,ou=system"), ("baseFilter" => "(sn={0})"), ("rolesCtxDN" => "ou=groups,ou=system"), ("roleFilter" => "(member={1})"), ("roleAttributeID" => "cn"), ("roleAttributeIsDN" => "false"), ("java.naming.referral" => "follow"), ("roleRecursion" => "-1"), ("searchScope" => "SUBTREE_SCOPE"), ("java.naming.security.authentication" => "simple"), ("allowEmptyPasswords" => "false") ] }]}} }} } h3.Exception thrown during process of operations 08:11:13,947 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 44) JBAS014612: Operation ("add") failed - address: ([ ("subsystem" => "security"), ("security-domain" => "tutor-ldap") ]): java.util.NoSuchElementException: No child 'name' exists at org.jboss.dmr.ModelValue.requireChild(ModelValue.java:362) [jboss-dmr-1.1.1.Final.jar:] at org.jboss.dmr.PropertyModelValue.requireChild(PropertyModelValue.java:156) [jboss-dmr-1.1.1.Final.jar:] at org.jboss.dmr.ModelNode.require(ModelNode.java:812) [jboss-dmr-1.1.1.Final.jar:] at org.jboss.as.security.SecurityDomainAdd.processJASPIAuth(SecurityDomainAdd.java:333) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.security.SecurityDomainAdd.createApplicationPolicy(SecurityDomainAdd.java:213) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.security.SecurityDomainAdd.launchServices(SecurityDomainAdd.java:167) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:156) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:157) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:157) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:157) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.server.AbstractDeploymentChainStep.execute(AbstractDeploymentChainStep.java:46) [jboss-as-server-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.server.AbstractDeploymentChainStep.execute(AbstractDeploymentChainStep.java:46) [jboss-as-server-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:311) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:] at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_25] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_25] at java.lang.Thread.run(Thread.java:662) [:1.6.0_25] at org.jboss.threads.JBossThread.run(JBossThread.java:122)