[jboss-jira] [JBoss JIRA] (WFLY-3665) LdapExtLoginModule fails when role* options not specified
Jess Holle (JIRA)
issues at jboss.org
Fri Jul 25 07:37:30 EDT 2014
Jess Holle created WFLY-3665:
--------------------------------
Summary: LdapExtLoginModule fails when role* options not specified
Key: WFLY-3665
URL: https://issues.jboss.org/browse/WFLY-3665
Project: WildFly
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Security
Affects Versions: 8.0.0.Final
Reporter: Jess Holle
Assignee: Darran Lofthouse
If one does not specify role* options on this login module (i.e. does not specify rolesCtxDN, roleFilter, roleAttributeID, etc.), then this module fails.
There are 2 issues with this.
First and foremost, it is readily apparent in this case that no roles search should be performed in this case -- as no input data was provided to allow for such a search. Tomcat's JNDIRealm simply does no role search in such a case, for instance. Instead, LdapExtLoginModule stubbornly insists on doing a search which is guaranteed to fail. LdapExtLoginModule should simply not perform the search. In my case I've specified a default role and that's all I want -- I don't even want the overhead of any further role searches, much less a failure.
To add insult to injury, when this failure occurs the error messaging is horribly misleading, stating "Bad password for username xxx". The password was absolutely fine. The issue here is the role search, which clearly never even should have been attempted. In the case that the role search should have been attempted and failed, the error messaging should clearly state this -- not claim the password was incorrect when that's absolutely untrue.
--
This message was sent by Atlassian JIRA
(v6.2.6#6264)