[jboss-jira] [JBoss JIRA] (WFLY-3593) Empty username login attempt with custom security-realm plug-in in PLAIN mode throws Exception and blocks gui

Phenix Phenix (JIRA) issues at jboss.org
Mon Jul 7 17:12:24 EDT 2014


Phenix Phenix created WFLY-3593:
-----------------------------------

             Summary: Empty username login attempt with custom security-realm plug-in in PLAIN mode throws Exception and blocks gui
                 Key: WFLY-3593
                 URL: https://issues.jboss.org/browse/WFLY-3593
             Project: WildFly
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Domain Management, Web (Undertow)
    Affects Versions: 8.1.0.Final, 8.1.0.CR2
         Environment: JDK 1.8
Chrome 35

            Reporter: Phenix Phenix
            Assignee: Brian Stansberry


I exchanged the security realm 'ManagementRealm' for the management-interfaces with a custom one (which I wrote) like this:

{code:xml}
<management-interfaces>
    <http-interface security-realm="SaltAndPepperRealm" http-upgrade-enabled="true">
        <socket-binding http="management-http"/>
    </http-interface>
</management-interfaces>
{code}

My custom security realm is using the "PLAIN" mechanism, because I need the ValidatePasswordCredential interface.

It is all working fine as long as you do not try to log into the wildfly management (http://localhost:9990/console/App.html) with an empty username.

Here is the stacktrace, which an empty username login attempt creates:

{noformat}
22:20:34,722 ERROR [io.undertow.request] (XNIO-1 task-9) Blocking request failed HttpServerExchange{ POST /management}: java.lang.IllegalArgumentException
	at javax.security.auth.callback.NameCallback.<init>(NameCallback.java:90) [rt.jar:1.8.0]
	at org.jboss.as.domain.http.server.security.RealmIdentityManager.verify(RealmIdentityManager.java:137) [wildfly-domain-http-interface-8.1.0.Final.jar:8.1.0.Final]
	at org.jboss.as.domain.http.server.security.RealmIdentityManager.verify(RealmIdentityManager.java:120) [wildfly-domain-http-interface-8.1.0.Final.jar:8.1.0.Final]
	at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:110) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
	at org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper.authenticate(AuthenticationMechanismWrapper.java:57) [wildfly-domain-http-interface-8.1.0.Final.jar:8.1.0.Final]
	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
	at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
	at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
	at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
	at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0]
	at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0]
{noformat}


I then debugged the WildFly and Undertow code and found out that in BasicAuthenticationMechanism.java at line 102 the variable 'plainChallenge' had the value ":" (just a colon) and the if-condition is nevertheless fulfilled. Maybe this is correct behavior (I do not know), but then in RealmIdentityManager.java at line 137 the above exception gets thrown.

The problem is that the user does not get any feedback in his browser and just stares at the "Loading ..." text and gif. Reloading the page or opening it again in a new tab still shows the loading message. One needs to restart the browser, clear the cache or use a private tab to get it to work.
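The failure mode described in the report, shown as an added example that is not WildFly or Undertow code. A Basic Authorization header whose payload decodes to ":" yields an empty username; passing that string as the default name of javax.security.auth.callback.NameCallback throws IllegalArgumentException (the constructor rejects a null or empty prompt or default name), which is what the stack trace shows. The assumption that RealmIdentityManager builds a NameCallback from the decoded username is mine; the hardened parse beside it rejects such a header before any callback is created, so the server answers with a normal 401 challenge and the console is not left hanging. The header values and the "alice:s3cret" credentials are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.security.auth.callback.NameCallback;

/**
 * Added illustration, not project code: naive versus validating handling of
 * an "Authorization: Basic ..." header that carries an empty username.
 */
public final class BasicHeaderParsing {

    /** Username/password pair recovered from a well-formed Basic header. */
    public static final class Credentials {
        public final String username;
        public final String password;

        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    /** Base64-decodes the part after "Basic "; throws on malformed input. */
    private static String decodePayload(String headerValue) {
        byte[] raw = Base64.getDecoder().decode(headerValue.substring("Basic ".length()).trim());
        return new String(raw, StandardCharsets.UTF_8);
    }

    /**
     * Naive path, assumed to mirror the behaviour in the report: split at the
     * first colon and hand the name straight to NameCallback. For a payload of
     * ":" the username is "", and NameCallback(prompt, defaultName) throws
     * IllegalArgumentException for an empty defaultName.
     */
    public static NameCallback naiveNameCallback(String headerValue) {
        String plainChallenge = decodePayload(headerValue);
        int colon = plainChallenge.indexOf(':');
        String user = plainChallenge.substring(0, colon);
        return new NameCallback("Username", user);
    }

    /**
     * Validating path: returns null for any header that cannot carry a usable
     * identity (wrong scheme, bad Base64, no colon, empty username), so the
     * caller can send a WWW-Authenticate challenge instead of failing with 500.
     */
    public static Credentials parse(String headerValue) {
        if (headerValue == null || !headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            decoded = decodePayload(headerValue);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 1) {
            return null; // no separator, or an empty username before it
        }
        return new Credentials(decoded.substring(0, colon), decoded.substring(colon + 1));
    }

    private static String basic(String payload) {
        return "Basic " + Base64.getEncoder().encodeToString(payload.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String emptyUser = basic(":");            // constructed: empty username and password
        String valid = basic("alice:s3cret");     // constructed: ordinary credentials

        try {
            naiveNameCallback(emptyUser);
            System.out.println("naive path: unexpectedly succeeded");
        } catch (IllegalArgumentException e) {
            System.out.println("naive path: " + e);
        }

        System.out.println("validating path, empty user -> " + parse(emptyUser)); // null: send 401 challenge
        Credentials c = parse(valid);
        System.out.println("validating path, valid header -> user=" + c.username);
    }
}
```

The point for a defender is the failure mode, not the parsing detail: an unhandled exception inside an authentication mechanism turns a routine bad login into a server error and, as the report shows, a wedged console, whereas rejecting the malformed credential early keeps the response on the ordinary 401 path that the browser and the admin console already know how to handle.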



--
This message was sent by Atlassian JIRA
(v6.2.6#6264)

