Ondrej Lukas updated SECURITY-952:
----------------------------------
Affects Version/s: Negotiation_3_0_3_Final
AdvancedLdapLoginModule with roleAttributeID="" and empty
or unset roleFilter can lead to authentication failure
----------------------------------------------------------------------------------------------------------------
Key: SECURITY-952
URL: https://issues.jboss.org/browse/SECURITY-952
Project: PicketBox
Issue Type: Bug
Affects Versions: Negotiation_3_0_3_Final
Reporter: Ondrej Lukas
Assignee: Stefan Guilhen
When AdvancedLdapLoginModule is correctly configured for authentication, but its roleAttributeID
attribute is an empty string and roleFilter is either not set (i.e. null) or an empty string,
authentication with a correct username and password fails.
It is caused by an internal NPE while searching for roles.
The expected behavior is that users are authenticated but no roles are assigned to them.
Internal NPE:
{code}
java.lang.NullPointerException
	at org.jboss.security.negotiation.AdvancedLdapLoginModule.obtainRole(AdvancedLdapLoginModule.java:821)
	at org.jboss.security.negotiation.AdvancedLdapLoginModule.rolesSearch(AdvancedLdapLoginModule.java:762)
	at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:412)
	at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:981)
	at org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:331)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
{code}
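The behavior the report asks for (authenticate, assign no roles) amounts to a guard around the role search. The following is an added illustration written for this note, not PicketBox's own code: the class name, the helper methods and the sample LDAP entry are all constructed, and it only uses the JNDI attribute types the module itself works with.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Hypothetical guard showing how an empty roleAttributeID / roleFilter should degrade to "no roles". */
public class RoleSearchGuard {

    /** A roles search only makes sense when both the attribute to read and the filter are set. */
    static boolean roleSearchConfigured(String roleAttributeID, String roleFilter) {
        return roleAttributeID != null && !roleAttributeID.isEmpty()
            && roleFilter != null && !roleFilter.isEmpty();
    }

    /** Reads role values from one LDAP entry; a missing attribute yields an empty list, not an NPE. */
    static List<String> rolesFromEntry(Attributes attrs, String roleAttributeID) throws NamingException {
        Attribute attr = attrs.get(roleAttributeID);   // null when the entry lacks the attribute
        if (attr == null) {
            return Collections.emptyList();
        }
        List<String> roles = new ArrayList<>();
        for (int i = 0; i < attr.size(); i++) {
            roles.add(String.valueOf(attr.get(i)));
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample entry standing in for a search result.
        Attributes entry = new BasicAttributes(true);
        BasicAttribute memberOf = new BasicAttribute("memberOf");
        memberOf.add("cn=admins,ou=groups,dc=example,dc=com");
        entry.put(memberOf);

        // Misconfiguration from the report: empty attribute id, unset filter -> skip search, user keeps no roles.
        String roleAttributeID = "";
        String roleFilter = null;
        List<String> roles = roleSearchConfigured(roleAttributeID, roleFilter)
            ? rolesFromEntry(entry, roleAttributeID) : Collections.<String>emptyList();
        System.out.println("roles with empty config: " + roles);        // []

        // Proper configuration: the attribute is read normally.
        System.out.println("roles with memberOf:     " + rolesFromEntry(entry, "memberOf"));
    }
}
```

Until the module itself handles this case, the practical mitigation is to give roleAttributeID a real attribute name (and a matching roleFilter) in the login-module configuration rather than leaving it empty.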