[jboss-jira] [JBoss JIRA] (SECURITY-709) Auth. using LdapLoginModule does not return HTTP 500 when the LDAP server not available

Yi Chen (JIRA) jira-events at lists.jboss.org
Tue Feb 19 13:06:56 EST 2013


    [ https://issues.jboss.org/browse/SECURITY-709?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12755169#comment-12755169 ] 

Yi Chen commented on SECURITY-709:
----------------------------------

Hi, Anil

I apologize for the delayed reply to your latest reply...

I've been giving this quite a bit of thought. I realized that JBoss is built in a very modular fashion and this problem is not solely an issue with the security module. However, this does not account for the fact that an LDAP-server-down situation (or any situation where the authentication source is unreachable) is not the same as an authentication failure. The security module should have passed this detail to the module that requested authentication so that the calling module can make the best decision possible instead of lumping everything into just a single authentication error. I understand that this will also require that the calling module knows what to do with the extra detail. But it is very important to our project that this functionality be present. So please consider working with the web container team to see if there is any way to accomplish this. It would be really great for us if JBoss can do this and this would likely help other people as well.

Thank you,

Yi

                
> Auth. using LdapLoginModule does not return HTTP 500 when the LDAP server not available
> ---------------------------------------------------------------------------------------
>
>                 Key: SECURITY-709
>                 URL: https://issues.jboss.org/browse/SECURITY-709
>             Project: PicketBox 
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: PicketBox
>    Affects Versions: PicketBox_v4_0_7
>            Reporter: Yi Chen
>            Assignee: Anil Saldhana
>
> I am using the LdapLoginModule from PicketBox in JBoss AS 7.1.1 to enable authentication against our company's LDAP server. However, I always get an HTTP 401 back no matter what kind of problem caused the authentication failure. Tracing through the PicketBox and JBoss code, I found that the problem seems to be from the private method "proceedWithJaasLogin" in "JBossCachedAuthenticationManager". At the end of this method:
> ...
> 	   catch (LoginException e)
> 	   {
> 		   // Don't log anonymous user failures unless trace level logging is on
> 		   if (principal != null && principal.getName() != null || trace)
> 			   log.error("Login failure", e);
> 		   authException = e;
> 	   }
> 	   // Set the security association thread context info exception
> 	   SubjectActions.setContextInfo("org.jboss.security.exception", authException);
> 	   return authenticated;
> }
> So basically, whatever exception was sent up from the login modules is simply stored in the thread context. The method then simply returns true or false to indicate whether an authentication is successful or not. Whatever exception is stored in the thread context doesn't appear to be used to generate a more appropriate error code to the client.
> Steps to reproduce:
> Just set up a LdapLoginModule and verify that it can be used to authenticate some users for a web application. Then shut down the LDAP server and try again. The client of the web application will always get back HTTP 401.
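Editor's note with an added example (not code from PicketBox, JBoss AS or this thread): the quoted proceedWithJaasLogin collapses every LoginException into a boolean, and the HTTP layer turns false into 401. The distinction the reporter asks for is recoverable from the exception itself. When the directory is unreachable, JNDI raises javax.naming.CommunicationException (usually with a java.net.ConnectException as root cause); when the directory answers and rejects the bind, it raises javax.naming.AuthenticationException, and JAAS modules signal bad credentials with FailedLoginException. The helper below walks the cause chain and maps the failure to 401 or 503. It assumes the login module wraps the JNDI exception into the LoginException via initCause (an assumption about the module, labelled in the code); the class name LoginFailureClassifier and the sample exceptions are constructed here for illustration.

```java
import java.net.ConnectException;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.ServiceUnavailableException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

/**
 * Hypothetical helper (not part of PicketBox): classifies the LoginException
 * a JAAS login module threw so the calling layer can answer 401 for a real
 * credential failure and 503 for an unreachable authentication source,
 * instead of 401 for everything.
 */
public final class LoginFailureClassifier {

    public enum Outcome { BAD_CREDENTIALS, AUTH_SOURCE_UNAVAILABLE, UNKNOWN }

    private LoginFailureClassifier() {}

    /** Walks the cause chain and returns the first classification that matches. */
    public static Outcome classify(Throwable t) {
        int hops = 0; // bound the walk in case of a cyclic cause chain
        for (Throwable c = t; c != null && hops < 32; c = c.getCause(), hops++) {
            // Directory unreachable: JNDI connect/communication failure, or the socket error beneath it.
            if (c instanceof CommunicationException
                    || c instanceof ServiceUnavailableException
                    || c instanceof ConnectException) {
                return Outcome.AUTH_SOURCE_UNAVAILABLE;
            }
            // Directory answered and rejected the bind, or the module rejected the credentials.
            if (c instanceof AuthenticationException
                    || c instanceof FailedLoginException) {
                return Outcome.BAD_CREDENTIALS;
            }
        }
        return Outcome.UNKNOWN;
    }

    /** Maps the classification to the HTTP status a front-end filter should send. */
    public static int httpStatus(Outcome outcome) {
        switch (outcome) {
            case BAD_CREDENTIALS:         return 401;
            case AUTH_SOURCE_UNAVAILABLE: return 503;
            default:                      return 500;
        }
    }

    /** Assumption: the login module wraps the underlying failure like this (message plus initCause). */
    static LoginException wrap(String msg, Throwable cause) {
        LoginException le = new LoginException(msg);
        le.initCause(cause);
        return le;
    }

    public static void main(String[] args) {
        // Constructed sample: what JNDI throws when the LDAP port is closed.
        // NamingException.getCause() returns the root cause set here, so the walk reaches ConnectException too.
        CommunicationException ldapDown = new CommunicationException("ldap.example.com:636");
        ldapDown.setRootCause(new ConnectException("Connection refused"));
        // Constructed sample: the directory answers but rejects the bind.
        AuthenticationException badBind =
                new AuthenticationException("[LDAP: error code 49 - Invalid Credentials]");

        LoginException[] samples = {
            wrap("Login failure", ldapDown),
            wrap("Login failure", badBind),
            new FailedLoginException("Password Incorrect/Password Required")
        };
        for (LoginException le : samples) {
            Outcome o = classify(le);
            System.out.println(le.getMessage() + " -> " + o + " -> HTTP " + httpStatus(o));
        }
    }
}
```

A servlet filter or authenticator that wants to use this would read the exception that the quoted code parks under the thread-context key "org.jboss.security.exception" (the PicketBox accessor for that entry is not shown here) and call classify on it before choosing the status. Two caveats for anyone wiring this in: the classification stops at the first match, so order matters if a module ever nests a connectivity error under an authentication error; and answering 503 tells an unauthenticated client that the directory is down, which is a small but deliberate disclosure that should be weighed against the operational value of distinguishing the two cases.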
