[jboss-jira] [JBoss JIRA] (SECURITY-797) Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set
Stefan Guilhen (JIRA)
issues at jboss.org
Wed Feb 19 15:35:47 EST 2014
[ https://issues.jboss.org/browse/SECURITY-797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12946158#comment-12946158 ]
Stefan Guilhen commented on SECURITY-797:
-----------------------------------------
Your patch is definitely needed here. I'm not sure about changing the AuthorizationManager to "swallow" exceptions thrown by mapping managers. Yes, authentication won't fail if we do this, but authorization will prob fail anyway later on because we might not have the correct (i.e. mapped) roles.
One thing we could do is log exceptions thrown by mapping managers at WARN or ERROR level and let the invocation go through. Authentication will succeed and if authorization fails an admin can check the logs to find out why mapping has failed.
> Authentication attempts will fail if the DatabaseRolesMappingProvider's rolesQuery returns an empty set
> -------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-797
> URL: https://issues.jboss.org/browse/SECURITY-797
> Project: PicketBox
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: JBossSX
> Affects Versions: PicketBox_4_0_19.Final
> Reporter: Derek Horton
> Assignee: Stefan Guilhen
> Attachments: SECURITY-797.patch
>
>
> If the DatabaseRolesMappingProvider's rolesQuery returns an empty set, then the authentication attempts will fail. Seems like it should not cause the authentication attempt to fail, since this is about mapping/adding roles.
> It looks like the code detects that the result set is empty, but then it tries to get the role from the empty set. This causes an exception which in turn causes the authentication attempt to fail.
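The failure shape described in the issue, and the log-and-continue policy suggested in the comment, as an added illustration; this is not PicketBox's code or the attached SECURITY-797.patch, and the table name, column, query string, class and method names are assumptions:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical illustration only. Assumes a table PRINCIPAL_ROLES(PRINCIPAL, ROLE)
// reachable through the supplied Connection; the real provider's rolesQuery is
// whatever the deployment configures.
public class RolesMappingExample {
    private static final Logger LOG = Logger.getLogger(RolesMappingExample.class.getName());
    static final String ROLES_QUERY = "SELECT ROLE FROM PRINCIPAL_ROLES WHERE PRINCIPAL = ?";

    /** Buggy shape from the issue: notices the set is empty, then reads from it anyway. */
    static Set<String> mapRolesBuggy(Connection conn, String principal) throws SQLException {
        Set<String> roles = new HashSet<>();
        try (PreparedStatement ps = conn.prepareStatement(ROLES_QUERY)) {
            ps.setString(1, principal);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    LOG.fine("no mapped roles for " + principal);
                }
                // With an empty set the cursor is not on a row, so getString throws
                // SQLException, which the caller turns into an authentication failure.
                do {
                    roles.add(rs.getString(1));
                } while (rs.next());
            }
        }
        return roles;
    }

    /** Corrected: an empty result set simply contributes no extra roles. */
    static Set<String> mapRolesFixed(Connection conn, String principal) throws SQLException {
        Set<String> roles = new HashSet<>();
        try (PreparedStatement ps = conn.prepareStatement(ROLES_QUERY)) {
            ps.setString(1, principal);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    roles.add(rs.getString(1));
                }
            }
        }
        if (roles.isEmpty()) {
            LOG.fine("no mapped roles for " + principal);
        }
        return roles;
    }

    /**
     * Caller-side policy from the comment: a failing mapping step does not fail
     * authentication. The exception is logged at WARN and the invocation proceeds
     * with the roles already known, so if authorization later fails an admin can
     * find the cause in the logs.
     */
    static Set<String> mapRolesLenient(Connection conn, String principal, Set<String> existingRoles) {
        Set<String> roles = new HashSet<>(existingRoles);
        try {
            roles.addAll(mapRolesFixed(conn, principal));
        } catch (SQLException e) {
            LOG.log(Level.WARNING,
                    "role mapping failed for " + principal + "; continuing with unmapped roles", e);
        }
        return roles;
    }
}
```

The lenient wrapper only changes where the failure surfaces: a principal whose mapping step blew up still reaches authorization without the mapped roles, which is why the WARN entry matters for diagnosis.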