Jess Holle created WFLY-3665:
--------------------------------
Summary: LdapExtLoginModule fails when role* options not specified
Key: WFLY-3665
URL:
https://issues.jboss.org/browse/WFLY-3665
Project: WildFly
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Security
Affects Versions: 8.0.0.Final
Reporter: Jess Holle
Assignee: Darran Lofthouse
If one does not specify role* options on this login module (i.e. does not specify
rolesCtxDN, roleFilter, roleAttributeID, etc), then this module fails.
There are 2 issues with this.
First and foremost, it is readily apparent in this case that no roles search should be
performed in this case -- as no input data was provided to allow for such a search.
Tomcat's JNDIRealm simply does no role search in such a case, for instance. Instead
LdapExtLoginModule stubbornly insists on doing a search which is guaranteed to fail.
LdapExtLoginModule should simply not perform the search. In my case I've specified a
default role and that's all I want -- I don't even want the overhead of any
further role searches, much less a failure.
To add insult to injury, when this failure occurs the error messaging is horribly
misleading, stating "Bad password for username xxx". The password was
absolutely fine. The issue here is the role search, which clearly never even should have
been attempted. In the case that the role search should have been attempted and failed,
the error messaging should clearly state this -- not claim the password was incorrect when
that's absolutely untrue.
--
This message was sent by Atlassian JIRA
(v6.2.6#6264)