[jboss-jira] [JBoss JIRA] (SECURITY-639) DatabaseRolesMappingProvider fails when no roles are present for user
Kory Markevich (Created) (JIRA)
jira-events at lists.jboss.org
Mon Jan 9 19:08:09 EST 2012
DatabaseRolesMappingProvider fails when no roles are present for user
---------------------------------------------------------------------
Key: SECURITY-639
URL: https://issues.jboss.org/browse/SECURITY-639
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: PicketBox
Affects Versions: PicketBox_v4_0_1
Environment: JBoss AS 7.0.1
Reporter: Kory Markevich
Assignee: Anil Saldhana
When using DatabaseRolesMappingProvider as part of a web app, everything works fine if the query returns at least one role. If the user does not have any (a valid case in our system) then an IllegalArgumentException is thrown, which is not caught and aborts the authentication process (see stack trace at bottom).
In particular the Util.addRolesToGroup method explicitly checks for the no-role case, but only for logging purposes, and then continues on trying to read the roles. This will obviously always fail as per JDBC specs. It looks like the reading should have been put inside an else clause.
15:55:55,700 ERROR [org.apache.catalina.connector.CoyoteAdapter] (http--127.0.0.1-8080-4) An exception or error occurred in the container during the request processing: java.lang.IllegalArgumentException: Query failed
at org.jboss.security.mapping.providers.role.Util.addRolesToGroup(Util.java:250) [picketbox-4.0.1.jar:4.0.1]
at org.jboss.security.mapping.providers.role.DatabaseRolesMappingProvider.performMapping(DatabaseRolesMappingProvider.java:100) [picketbox-4.0.1.jar:4.0.1]
at org.jboss.security.mapping.providers.role.DatabaseRolesMappingProvider.performMapping(DatabaseRolesMappingProvider.java:42) [picketbox-4.0.1.jar:4.0.1]
at org.jboss.security.mapping.MappingContext.performMapping(MappingContext.java:54) [picketbox-4.0.1.jar:4.0.1]
at org.jboss.security.plugins.JBossAuthorizationManager.getCurrentRoles(JBossAuthorizationManager.java:396) [picketbox-4.0.1.jar:4.0.1]
at org.jboss.security.plugins.JBossAuthorizationManager.getSubjectRoles(JBossAuthorizationManager.java:323) [picketbox-4.0.1.jar:4.0.1]
at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:144) [jboss-as-web-7.0.1.Final.jar:7.0.1.Final]
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:372) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
at org.jboss.as.web.NamingValve.invoke(NamingValve.java:57) [jboss-as-web-7.0.1.Final.jar:7.0.1.Final]
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:49) [jboss-as-jpa-7.0.1.Final.jar:7.0.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:154) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:667) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:952) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
at java.lang.Thread.run(Thread.java:662) [:1.6.0_29]
Caused by: java.sql.SQLException: Exhausted Resultset
at oracle.jdbc.driver.OracleResultSetImpl.getString(OracleResultSetImpl.java:1270)
at org.jboss.jca.adapters.jdbc.WrappedResultSet.getString(WrappedResultSet.java:1338)
at org.jboss.security.mapping.providers.role.Util.addRolesToGroup(Util.java:239) [picketbox-4.0.1.jar:4.0.1]
... 18 more
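The failure mode the report describes, as an added example that is not PicketBox's own code: one helper reads a role column the way the report says Util.addRolesToGroup does (the empty-result check only logs, then the read still happens), and a second helper returns an empty role list instead. The buggy shape is a reconstruction from the report's description, not the actual PicketBox source; the ResultSet is a constructed stand-in built with java.lang.reflect.Proxy so the example runs without a database, and its "Exhausted Resultset" message is chosen to mirror the driver error in the trace. The security-relevant point is that an authenticated user with zero roles is a legitimate outcome, so the mapping layer has to hand back an empty group rather than throw; otherwise every such user is locked out of login, as the report observes.

```java
import java.lang.reflect.Proxy;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class RoleMappingExample {

    /** Shape described in the report (reconstruction, not PicketBox code): the
     *  no-role check only logs and then falls through to read the first row anyway. */
    static List<String> readRolesBuggy(ResultSet rs, String principal) throws SQLException {
        List<String> roles = new ArrayList<>();
        if (!rs.next()) {
            System.err.println("No roles found for " + principal);
            // falls through: the cursor is already past the last row
        }
        do {
            roles.add(rs.getString(1)); // JDBC drivers reject reads on an exhausted cursor
        } while (rs.next());
        return roles;
    }

    /** Corrected shape: a user with no roles gets an empty list, not an exception. */
    static List<String> readRolesFixed(ResultSet rs, String principal) throws SQLException {
        if (!rs.next()) {
            System.err.println("No roles found for " + principal);
            return Collections.emptyList(); // authenticated, but authorized for nothing
        }
        List<String> roles = new ArrayList<>();
        do {
            roles.add(rs.getString(1));
        } while (rs.next());
        return roles;
    }

    /** Constructed stand-in for a JDBC ResultSet over one VARCHAR column (no real driver). */
    static ResultSet fakeResultSet(List<String> rows) {
        int[] cursor = {-1};
        return (ResultSet) Proxy.newProxyInstance(
            ResultSet.class.getClassLoader(), new Class<?>[] {ResultSet.class},
            (proxy, method, args) -> {
                switch (method.getName()) {
                    case "next":
                        cursor[0]++;
                        return cursor[0] < rows.size();
                    case "getString":
                        if (cursor[0] < 0 || cursor[0] >= rows.size()) {
                            // same wording as the Oracle driver error in the report's trace
                            throw new SQLException("Exhausted Resultset");
                        }
                        return rows.get(cursor[0]);
                    case "close":
                        return null;
                    default:
                        throw new UnsupportedOperationException(method.getName());
                }
            });
    }

    public static void main(String[] args) throws SQLException {
        List<String> someRoles = Arrays.asList("admin", "user"); // constructed sample rows
        List<String> noRoles = Collections.emptyList();

        System.out.println("fixed, roles:    " + readRolesFixed(fakeResultSet(someRoles), "alice"));
        System.out.println("fixed, no roles: " + readRolesFixed(fakeResultSet(noRoles), "bob"));
        System.out.println("buggy, roles:    " + readRolesBuggy(fakeResultSet(someRoles), "alice"));
        try {
            readRolesBuggy(fakeResultSet(noRoles), "bob");
        } catch (SQLException e) {
            // This is the exception the authorization manager wraps and the servlet container logs
            System.out.println("buggy, no roles: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac RoleMappingExample.java && java RoleMappingExample`. The contrast to check for in a role-mapping provider is whether the "no rows" branch terminates the read (returns an empty group) or merely logs; a provider that merely logs turns a valid empty authorization set into a login failure for that user, while a provider that returns an empty group leaves the deny decision to the authorization checks that follow.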