]
Ilia Vassilev updated SECURITY-955:
-----------------------------------
Git Pull Request:
Regression in parsing username in LdapExtLoginModule
----------------------------------------------------
Key: SECURITY-955
URL:
https://issues.jboss.org/browse/SECURITY-955
Project: PicketBox
Issue Type: Bug
Affects Versions: PicketBox_5_0_0.Alpha3
Reporter: Ondrej Lukas
Assignee: Ilia Vassilev
Priority: Blocker
In case when customers using LdapExtLoginModule with option parseUsername=true but
without option usernameBeginString (i.e. usernameBeginString=null) then all users cannot
be successfully authenticated into application. Authentication failure is caused by hidden
internal NPE.
It is the same issue as was reported in [1], but fix is missing in current EAP 7.1
version of PicketBox (5.0.0.Alpha3).
We request blocker flag because:
* Valid configuration which works for 7.0.x becomes invalid after migration to 7.1.0
* All users cannot authenticate to application despite of valid EAP configuration
* Authetication failure caused by NPE is logged to server log
Thrown NPE:
{code}
java.lang.NullPointerException
at
org.jboss.security.auth.spi.LdapExtLoginModule.getUsername(LdapExtLoginModule.java:963)
at
org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:342)
at
org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283)
{code}
[1]
https://issues.jboss.org/browse/JBEAP-364?focusedCommentId=13160168&p...