[jboss-jira] [JBoss JIRA] (AS7-3077) security subsystem fails to add JASPI authentication configuration

Stefan Guilhen (JIRA) jira-events at lists.jboss.org
Wed Jan 18 13:00:22 EST 2012


    [ https://issues.jboss.org/browse/AS7-3077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12660261#comment-12660261 ] 

Stefan Guilhen commented on AS7-3077:
-------------------------------------

I'm looking into the JASPI configuration now that the security subsystem has been redesigned. I've found a minor issue with the JASPI modules processing and I'm submitting a fix for it.
                
> security subsystem fails to add JASPI authentication configuration
> ------------------------------------------------------------------
>
>                 Key: AS7-3077
>                 URL: https://issues.jboss.org/browse/AS7-3077
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 7.1.0.Beta1b
>            Reporter: Ben Schofield
>            Assignee: Stefan Guilhen
>              Labels: JASPI, security
>             Fix For: 7.1.0.Final
>
>
> The security subsystem is either not parsing the JASPI config or interpreting the resulting add operation correctly. The login-module-stack tag requires a name attribute. The parsed ModelNode does not reflect the attribute name of 'name', only the value. When org.jboss.as.security.SecurityDomainAdd.processJASPIAuth(...) is executed, an exception is thrown when validating that 'name' exists. (stack.require(NAME).asString();) Below is an example config recreating the problem, the ModelNodes created from the config and the resulting exception. Attempts to add a child 'name' element to the configuration as a workaround caused failures during parsing of the security subsystem.
> h3.Example JASPI configuration consistent with jboss-as-security_1_1.xsd
> <security-domain name="tutor-ldap">
>   <authentication-jaspi>
>     <login-module-stack name="ldap-stack" >
>       <login-module code="LdapExtended" flag="required">
>         <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
>         <module-option name="bindDN" value="uid=admin,ou=system"/>
>         <module-option name="bindCredential" value="secret"/>
>         <module-option name="baseCtxDN" value="ou=users,ou=system"/>
>         <module-option name="baseFilter" value="(sn={0})"/>
>         <module-option name="rolesCtxDN" value="ou=groups,ou=system"/>
>         <module-option name="roleFilter" value="(member={1})"/>
>         <module-option name="roleAttributeID" value="cn"/>
>         <module-option name="roleAttributeIsDN" value="false"/>
>         <module-option name="java.naming.referral" value="follow"/>
>         <module-option name="roleRecursion" value="-1"/>
>         <module-option name="searchScope" value="SUBTREE_SCOPE"/>
>         <module-option name="java.naming.security.authentication" value="simple"/>
>         <module-option name="allowEmptyPasswords" value="false"/>
>        </login-module>
>      </login-module-stack>
>      <auth-module code="org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule" login-module-stack-ref="ldap-stack">
>      </auth-module>
>    </authentication-jaspi>
>  </security-domain>
> h3.Operations created during parsing of authentication-jaspi config
>  {
>     "operation" => "add",
>     "address" => [
>         ("subsystem" => "security"),
>         ("security-domain" => "tutor-ldap")
>     ]
> }, {
>     "operation" => "add",
>     "address" => [
>         ("subsystem" => "security"),
>         ("security-domain" => "tutor-ldap"),
>         ("authentication" => "jaspi")
>     ],
>     "auth-modules" => [{
>         "code" => "org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule",
>         "login-module-stack-ref" => "ldap-stack",
>         "module-options" => undefined
>     }]
> }, {
>     "operation" => "add",
>     "address" => [
>         ("subsystem" => "security"),
>         ("security-domain" => "tutor-ldap"),
>         ("authentication" => "jaspi"),
>         ("login-module-stack" => "ldap-stack")
>     ],
>     "login-modules" => [{
>         "code" => "LdapExtended",
>         "flag" => "required",
>         "module-options" => [
>             ("java.naming.provider.url" => "ldap://localhost:10389"),
>             ("bindDN" => "uid=admin,ou=system"),
>             ("bindCredential" => "secret"),
>             ("baseCtxDN" => "ou=users,ou=system"),
>             ("baseFilter" => "(sn={0})"),
>             ("rolesCtxDN" => "ou=groups,ou=system"),
>             ("roleFilter" => "(member={1})"),
>             ("roleAttributeID" => "cn"),
>             ("roleAttributeIsDN" => "false"),
>             ("java.naming.referral" => "follow"),
>             ("roleRecursion" => "-1"),
>             ("searchScope" => "SUBTREE_SCOPE"),
>             ("java.naming.security.authentication" => "simple"),
>             ("allowEmptyPasswords" => "false")
>         ]
>     }
> h3.ModelNode during execution of add operation
>     "cache-type" => undefined,
>     "authentication" => {"jaspi" => {
>         "auth-modules" => [{
>             "code" => "org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule",
>             "login-module-stack-ref" => "ldap-stack",
>             "module-options" => undefined
>         }],
>         "login-module-stack" => {"ldap-stack" => {"login-modules" => [{
>             "code" => "LdapExtended",
>             "flag" => "required",
>             "module-options" => [
>                 ("java.naming.provider.url" => "ldap://localhost:10389"),
>                 ("bindDN" => "uid=admin,ou=system"),
>                 ("bindCredential" => "secret"),
>                 ("baseCtxDN" => "ou=users,ou=system"),
>                 ("baseFilter" => "(sn={0})"),
>                 ("rolesCtxDN" => "ou=groups,ou=system"),
>                 ("roleFilter" => "(member={1})"),
>                 ("roleAttributeID" => "cn"),
>                 ("roleAttributeIsDN" => "false"),
>                 ("java.naming.referral" => "follow"),
>                 ("roleRecursion" => "-1"),
>                 ("searchScope" => "SUBTREE_SCOPE"),
>                 ("java.naming.security.authentication" => "simple"),
>                 ("allowEmptyPasswords" => "false")
>             ]
>         }]}}
>     }}
> }
> h3.Exception thrown during process of operations
> 08:11:13,947 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 44) JBAS014612: Operation ("add") failed - address: ([
>     ("subsystem" => "security"),
>     ("security-domain" => "tutor-ldap")
> ]): java.util.NoSuchElementException: No child 'name' exists
> 	at org.jboss.dmr.ModelValue.requireChild(ModelValue.java:362) [jboss-dmr-1.1.1.Final.jar:]
> 	at org.jboss.dmr.PropertyModelValue.requireChild(PropertyModelValue.java:156) [jboss-dmr-1.1.1.Final.jar:]
> 	at org.jboss.dmr.ModelNode.require(ModelNode.java:812) [jboss-dmr-1.1.1.Final.jar:]
> 	at org.jboss.as.security.SecurityDomainAdd.processJASPIAuth(SecurityDomainAdd.java:333) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.security.SecurityDomainAdd.createApplicationPolicy(SecurityDomainAdd.java:213) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.security.SecurityDomainAdd.launchServices(SecurityDomainAdd.java:167) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:156) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:157) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:157) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.security.SecurityDomainAdd$1.execute(SecurityDomainAdd.java:157) [jboss-as-security-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.server.AbstractDeploymentChainStep.execute(AbstractDeploymentChainStep.java:46) [jboss-as-server-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.server.AbstractDeploymentChainStep.execute(AbstractDeploymentChainStep.java:46) [jboss-as-server-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:311) [jboss-as-controller-7.1.0.CR1-SNAPSHOT.jar:]
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_25]
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_25]
> 	at java.lang.Thread.run(Thread.java:662) [:1.6.0_25]
> 	at org.jboss.threads.JBossThread.run(JBossThread.java:122)

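The failure in the report can be reproduced outside the server with jboss-dmr alone. The following is an added illustration, not code from the issue or from JBoss AS: the class name `JaspiStackNameDemo` and the trimmed-down model are constructed, and how `SecurityDomainAdd` actually iterates the stacks is an assumption inferred from the `PropertyModelValue.requireChild` frame in the trace.

```java
import java.util.NoSuchElementException;

import org.jboss.dmr.ModelNode;
import org.jboss.dmr.Property;

public class JaspiStackNameDemo {

    // Constructed sample: the "login-module-stack" part of the model from the
    // report, where the stack name is the key of the node and not a child.
    static ModelNode buildStacks() {
        ModelNode module = new ModelNode();
        module.get("code").set("LdapExtended");
        module.get("flag").set("required");

        ModelNode stacks = new ModelNode();
        stacks.get("ldap-stack", "login-modules").add(module);
        return stacks;
    }

    public static void main(String[] args) {
        ModelNode stacks = buildStacks();

        // Failing pattern: asList() on an OBJECT node yields PROPERTY nodes.
        // require("name") on a property only succeeds if the property itself
        // is called "name", so it throws for a stack keyed "ldap-stack".
        for (ModelNode stack : stacks.asList()) {
            try {
                stack.require("name").asString();
            } catch (NoSuchElementException e) {
                System.out.println("require(\"name\") failed: " + e.getMessage());
            }
        }

        // Tolerant pattern: read the stack name from the property key and
        // require only the children that really exist under it.
        for (Property stack : stacks.asPropertyList()) {
            String name = stack.getName();
            ModelNode modules = stack.getValue().require("login-modules");
            System.out.println(name + " -> " + modules.asList().size()
                    + " login module(s), first code = "
                    + modules.asList().get(0).require("code").asString());
        }
    }
}
```

A security domain that fails to install this way leaves the application without the intended JASPI authentication configuration, so boot logs should be checked for JBAS014612 on the security subsystem after any change to `authentication-jaspi`.
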