[jboss-jira] [JBoss JIRA] (SECURITY-709) Auth. using LdapLoginModule does not return HTTP 500 when the LDAP server not available

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Tue Mar 12 10:19:43 EDT 2013


    [ https://issues.jboss.org/browse/SECURITY-709?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12760570#comment-12760570 ] 

Anil Saldhana edited comment on SECURITY-709 at 3/12/13 10:18 AM:
------------------------------------------------------------------

[~yichen] With JBossAS using JAAS authentication, we cannot tie the container security to individual errors of the login modules. I understand the non-availability of an LDAP server is a big factor. But those situations can be handled better by infrastructure monitoring solutions. We are planning to deprecate JAAS login and move toward a data store centric authentication in future versions of the AS. But until that happens, we cannot tie the HTTP response code to an error in the LDAP login module.

This can be fixed on your end easily by writing a simple Tomcat authenticator that extends the Tomcat Form Authenticator and returns the appropriate response code you desire, based on the error in the LDAP login module.
https://community.jboss.org/wiki/JBossAS7SecurityDomainModel#Deploying_Custom_Tomcat_Authenticators_in_AS7
> Auth. using LdapLoginModule does not return HTTP 500 when the LDAP server not available
> ---------------------------------------------------------------------------------------
>
>                 Key: SECURITY-709
>                 URL: https://issues.jboss.org/browse/SECURITY-709
>             Project: PicketBox 
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: PicketBox
>    Affects Versions: PicketBox_v4_0_7
>            Reporter: Yi Chen
>            Assignee: Anil Saldhana
>
> I am using the LdapLoginModule from PicketBox in JBoss AS 7.1.1 to enable authentication against our company's LDAP server. However, I always get an HTTP 401 back no matter what kind of problem caused the authentication failure. Tracing through the PicketBox and JBoss code, I found that the problem seems to be from the private method "proceedWithJaasLogin" in "JBossCachedAuthenticationManager". At the end of this method:
> ...
> 	   catch (LoginException e)
> 	   {
> 		   // Don't log anonymous user failures unless trace level logging is on
> 		   if (principal != null && principal.getName() != null || trace)
> 			   log.error("Login failure", e);
> 		   authException = e;
> 	   }
> 	   // Set the security association thread context info exception
> 	   SubjectActions.setContextInfo("org.jboss.security.exception", authException);
> 	   return authenticated;
> }
> So basically, whatever exception was sent up from the login modules is simply stored in the thread context. The method then simply returns true or false to indicate whether an authentication is successful or not. Whatever exception is stored in the thread context doesn't appear to be used to generate a more appropriate error code to the client.
> Steps to reproduce:
> Just set up a LdapLoginModule and verify that it can be used to authenticate some users for a web application. Then shut down the LDAP server and try again. The client of the web application will always get back HTTP 401.
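The following is an added example of the workaround Anil suggests above (a custom authenticator extending the Tomcat Form Authenticator); it is not code from this JIRA thread, from PicketBox or from JBoss AS. It assumes the JBoss AS 7 / JBossWeb authenticator signature (`authenticate(Request, Response, LoginConfig)` with `org.apache.catalina.connector` types), that the `LoginException` stored by `JBossCachedAuthenticationManager` under the `"org.jboss.security.exception"` key is reachable through `SecurityContextAssociation.getSecurityContext().getData()`, and that the LDAP outage surfaces as a `javax.naming.CommunicationException` or `ServiceUnavailableException` somewhere in that exception's cause chain. The class and `setUnavailableStatus` property names are hypothetical. It would be registered as a valve as described on the wiki page linked in the comment.

```java
// Added example, not code from the JIRA issue, PicketBox or JBoss AS.
// Assumptions: JBossWeb authenticator API (org.apache.catalina.connector.Request/Response),
// PicketBox stores the JAAS LoginException in SecurityContext.getData() under
// "org.jboss.security.exception" (the key quoted in the issue), and an unreachable
// directory shows up as a javax.naming exception in that LoginException's cause chain.
package example.auth;

import java.io.IOException;
import java.util.Map;

import javax.naming.CommunicationException;
import javax.naming.ServiceUnavailableException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.jboss.logging.Logger;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;

/** Hypothetical authenticator that maps "directory unreachable" to a server-side status code. */
public class LdapAwareFormAuthenticator extends FormAuthenticator {

    private static final Logger log = Logger.getLogger(LdapAwareFormAuthenticator.class);

    // Context key used by JBossCachedAuthenticationManager (see the quoted code in the issue).
    static final String AUTH_EXCEPTION_KEY = "org.jboss.security.exception";

    // 503 describes an unavailable backend more precisely than 500; deployments that
    // want the 500 the reporter asked for can set it through this valve property.
    private int unavailableStatus = HttpServletResponse.SC_SERVICE_UNAVAILABLE;

    public void setUnavailableStatus(int status) {
        this.unavailableStatus = status;
    }

    @Override
    public boolean authenticate(Request request, Response response, LoginConfig config)
            throws IOException {
        if (super.authenticate(request, response, config)) {
            return true;
        }
        // Authentication failed: decide whether the server, not the user, is at fault.
        Throwable failure = takeStoredAuthException();
        if (isDirectoryUnavailable(failure) && !response.isCommitted()) {
            // Details stay in the server log; the client only sees a status code,
            // so nothing about the directory layout or the exception text leaks out.
            log.error("Rejecting login: LDAP backend unavailable", failure);
            response.reset();
            response.sendError(unavailableStatus);
        }
        return false;
    }

    /** Read and clear the exception the JAAS layer left in the per-request security context. */
    static Throwable takeStoredAuthException() {
        SecurityContext sc = SecurityContextAssociation.getSecurityContext();
        if (sc == null) {
            return null;
        }
        Map<String, Object> data = sc.getData();
        // Remove it so a pooled thread never reports a stale failure for a later request.
        Object ex = data.remove(AUTH_EXCEPTION_KEY);
        return ex instanceof Throwable ? (Throwable) ex : null;
    }

    /** Walk the cause chain looking for a JNDI error that means the server could not be reached. */
    static boolean isDirectoryUnavailable(Throwable t) {
        int guard = 0; // bound the walk in case of a cyclic cause chain
        for (Throwable c = t; c != null && guard++ < 16; c = c.getCause()) {
            if (c instanceof CommunicationException || c instanceof ServiceUnavailableException) {
                return true;
            }
        }
        return false;
    }
}
```

Two points worth keeping in mind with this approach: the check is deliberately limited to "server unreachable" causes, so a wrong password still produces the ordinary failure path and the status code does not become an oracle for anything beyond backend health; and the stored exception is removed from the security context after it is read, since that context is bound to the worker thread and a leftover entry could otherwise be misread on a later request handled by the same thread.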

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
