[jboss-jira] [JBoss JIRA] (AS7-3077) security subsystem fails to add JASPI authentication configuration
Ben Schofield (Created) (JIRA)
jira-events at lists.jboss.org
Sun Dec 18 13:28:09 EST 2011
security subsystem fails to add JASPI authentication configuration
------------------------------------------------------------------
Key: AS7-3077
URL: https://issues.jboss.org/browse/AS7-3077
Project: Application Server 7
Issue Type: Bug
Components: Security
Affects Versions: 7.1.0.Beta1b
Reporter: Ben Schofield
Assignee: Anil Saldhana
Fix For: 7.1.0.CR1
The security subsystem is either not parsing the JASPI config or interpreting the resulting add operation correctly. The login-module-stack tag requires a name attribute. The parsed ModelNode does not reflect the attribute name of 'name' only the value. When org.jboss.as.security.SecurityDomainAdd.processJASPIAuth(...) is executed an exception is thrown when validating that 'name' exists. (stack.require(NAME).asString();) Below is an example config recreating the problem, the ModelNodes created from the config and the resulting exception. Attempts to add a child 'name' element to the configuration as a work around caused failures during parsing of the security subsystem.
h3.Example JASPI configuration consistent with jboss-as-security_1_1.xsd
<security-domain name="tutor-ldap">
<authentication-jaspi>
<login-module-stack name="ldap-stack" >
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
<module-option name="bindDN" value="uid=admin,ou=system"/>
<module-option name="bindCredential" value="secret"/>
<module-option name="baseCtxDN" value="ou=users,ou=system"/>
<module-option name="baseFilter" value="(sn={0})"/>
<module-option name="rolesCtxDN" value="ou=groups,ou=system"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="roleAttributeIsDN" value="false"/>
<module-option name="java.naming.referral" value="follow"/>
<module-option name="roleRecursion" value="-1"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="allowEmptyPasswords" value="false"/>
</login-module>
</login-module-stack>
<auth-module code="org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule" login-module-stack-ref="ldap-stack">
</auth-module>
</authentication-jaspi>
</security-domain>
h3.Operations created during parsing of authentication-jaspi config
{
"operation" => "add",
"address" => [
("subsystem" => "security"),
("security-domain" => "tutor-ldap")
]
}, {
"operation" => "add",
"address" => [
("subsystem" => "security"),
("security-domain" => "tutor-ldap"),
("authentication" => "jaspi")
],
"auth-modules" => [{
"code" => "org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule",
"login-module-stack-ref" => "ldap-stack",
"module-options" => undefined
}]
}, {
"operation" => "add",
"address" => [
("subsystem" => "security"),
("security-domain" => "tutor-ldap"),
("authentication" => "jaspi"),
("login-module-stack" => "ldap-stack")
],
"login-modules" => [{
"code" => "LdapExtended",
"flag" => "required",
"module-options" => [
("java.naming.provider.url" => "ldap://localhost:10389"),
("bindDN" => "uid=admin,ou=system"),
("bindCredential" => "secret"),
("baseCtxDN" => "ou=users,ou=system"),
("baseFilter" => "(sn={0})"),
("rolesCtxDN" => "ou=groups,ou=system"),
("roleFilter" => "(member={1})"),
("roleAttributeID" => "cn"),
("roleAttributeIsDN" => "false"),
("java.naming.referral" => "follow"),
("roleRecursion" => "-1"),
("searchScope" => "SUBTREE_SCOPE"),
("java.naming.security.authentication" => "simple"),
("allowEmptyPasswords" => "false")
]
}
h3.ModelNode during execution of add operation
"cache-type" => undefined,
"authentication" => {"jaspi" => {
"auth-modules" => [{
"code" => "org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule",
"login-module-stack-ref" => "ldap-stack",
"module-options" => undefined
}],
"login-module-stack" => {"ldap-stack" => {"login-modules" => [{
"code" => "LdapExtended",
"flag" => "required",
"module-options" => [
("java.naming.provider.url" => "ldap://localhost:10389"),
("bindDN" => "uid=admin,ou=system"),
("bindCredential" => "secret"),
("baseCtxDN" => "ou=users,ou=system"),
("baseFilter" => "(sn={0})"),
("rolesCtxDN" => "ou=groups,ou=system"),
("roleFilter" => "(member={1})"),
("roleAttributeID" => "cn"),
("roleAttributeIsDN" => "false"),
("java.naming.referral" => "follow"),
("roleRecursion" => "-1"),
("searchScope" => "SUBTREE_SCOPE"),
("java.naming.security.authentication" => "simple"),
("allowEmptyPasswords" => "false")
]
}]}}
}}
}
h3.Exception thrown during process of operations
08:11:13,947 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 44) JBAS014612: Operation ("add") failed - address: ([
("subsystem" => "security"),
("security-domain" => "tutor-ldap")
]): java.util.NoSuchElementException: No child 'name' exists
at org.jboss.dmr.ModelValue.requireChild(ModelValue.java:362) [jboss-dmr-1.1.1.Final.jar:]
at org.jboss.dmr.PropertyModelValue.requireChild(PropertyModelValue.java:156) [jboss-dmr-1.1.1.Final.jar:]
at org.jboss.dmr.ModelNode.require(ModelNode.java:812) [jboss-dmr-1.1.1.Final.jar:]
at org.jboss.as.security.SecurityDomainAdd.processJASPIAuth(SecurityDomainAdd.java:333) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.security.SecurityDomainAdd.createApplicationPolicy(SecurityDomainAdd.java:213) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.security.SecurityDomainAdd.launchServices(SecurityDomainAdd.java:167) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:156) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:157) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:157) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:157) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.server.AbstractDeploymentChainStep.execute(AbstractDeploymentChainStep.java:46) [jboss-as-server-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.server.AbstractDeploymentChainStep.execute(AbstractDeploymentChainStep.java:46) [jboss-as-server-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:311) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_25]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_25]
at java.lang.Thread.run(Thread.java:662) [:1.6.0_25]
at org.jboss.threads.JBossThread.run(JBossThread.java:122)
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list