[jboss-jira] [JBoss JIRA] (SECURITY-797) Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set
Derek Horton (JIRA)
issues at jboss.org
Tue Feb 18 15:15:48 EST 2014
[ https://issues.jboss.org/browse/SECURITY-797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12945736#comment-12945736 ]
Derek Horton commented on SECURITY-797:
---------------------------------------
Attached a first attempt at a fix. However, maybe the fix should be made above this method. Perhaps the code that calls the mapping providers should be changed so that exceptions from the mapping providers do not cause the authentication attempts to fail. Maybe it needs to be fixed both ways. This particular issue probably needs to be fixed either way. That way this situation does not lead to excessive log messages for something that could be a normal situation.
> Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set
> -------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-797
> URL: https://issues.jboss.org/browse/SECURITY-797
> Project: PicketBox
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: JBossSX
> Affects Versions: PicketBox_4_0_19.Final
> Reporter: Derek Horton
> Assignee: Stefan Guilhen
> Attachments: SECURITY-797.patch
>
>
> If the DatabaseRolesMappingProvider's rolesQuery returns an empty set, then the authentication attempts will fail. Seems like it should not cause the authentication attempt to fail, since this is about mapping/adding roles.
> It looks like the code detects that the result set is empty, but then it tries to get the role from the empty set. This causes an exception which in turn causes the authentication attempt to fail.
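The failure pattern described in the report, next to a corrected form, as an added example that is not PicketBox code and not part of the original message. The Cursor class is a hypothetical stand-in for the next()/getString() contract of java.sql.ResultSet so the example runs without a database; the method names and sample roles are constructed.

```java
import java.sql.SQLException;
import java.util.*;

public class EmptyRoleMappingDemo {
    // Hypothetical stand-in for the part of java.sql.ResultSet the pattern uses.
    static final class Cursor {
        private final List<String> rows;
        private int pos = -1;
        Cursor(List<String> rows) { this.rows = rows; }
        boolean next() { return ++pos < rows.size(); }
        String getString() throws SQLException {
            if (pos < 0 || pos >= rows.size()) throw new SQLException("no current row");
            return rows.get(pos);
        }
    }

    // Pattern from the report: the empty result is noticed, then a row is read anyway.
    static Set<String> mapRolesBuggy(Cursor rs) throws SQLException {
        Set<String> roles = new TreeSet<>();
        if (!rs.next()) {
            System.err.println("no roles found"); // logged, but execution continues
        }
        do {
            roles.add(rs.getString()); // throws when the result set was empty
        } while (rs.next());
        return roles;
    }

    // Corrected form: an empty result is a normal outcome and maps to no extra roles.
    static Set<String> mapRolesFixed(Cursor rs) throws SQLException {
        Set<String> roles = new TreeSet<>();
        while (rs.next()) {
            roles.add(rs.getString());
        }
        return roles;
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample data: one user with two mapped roles, one with none.
        System.out.println(mapRolesFixed(new Cursor(Arrays.asList("admin", "ops"))));
        System.out.println(mapRolesFixed(new Cursor(Collections.<String>emptyList())));
        try {
            mapRolesBuggy(new Cursor(Collections.<String>emptyList()));
        } catch (SQLException e) {
            System.out.println("buggy variant failed: " + e.getMessage());
        }
    }
}
```

In the corrected form a user with no mapped rows simply gains no additional roles, so the empty case never widens privileges and never raises an exception toward the caller.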