[jboss-jira] [JBoss JIRA] (SECURITY-849) LdapExtLoginModule fails when role* options not specified

Darran Lofthouse (JIRA) issues at jboss.org
Fri Jul 25 07:43:30 EDT 2014


     [ https://issues.jboss.org/browse/SECURITY-849?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated SECURITY-849:
--------------------------------------

    Assignee: Stefan Guilhen  (was: Darran Lofthouse)


> LdapExtLoginModule fails when role* options not specified
> ---------------------------------------------------------
>
>                 Key: SECURITY-849
>                 URL: https://issues.jboss.org/browse/SECURITY-849
>             Project: PicketBox 
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: PicketBox
>    Affects Versions: PicketBox_4_0_19.SP5
>            Reporter: Jess Holle
>            Assignee: Stefan Guilhen
>
> If one does not specify role* options on this login module (i.e. does not specify rolesCtxDN, roleFilter, roleAttributeID, etc), then this module fails.
> There are 2 issues with this.
> First and foremost, it is readily apparent that no roles search should be performed in this case -- as no input data was provided to allow for such a search.  Tomcat's JNDIRealm simply does no role search in such a case, for instance.  Instead LdapExtLoginModule stubbornly insists on doing a search which is guaranteed to fail.  LdapExtLoginModule should simply not perform the search.  In my case I've specified a default role and that's all I want -- I don't even want the overhead of any further role searches, much less a failure.
> To add insult to injury, when this failure occurs the error messaging is horribly misleading, stating "Bad password for username xxx".  The password was absolutely fine.  The issue here is the role search, which clearly never even should have been attempted.  In the case that the role search should have been attempted and failed, the error messaging should clearly state this -- not claim the password was incorrect when that's absolutely untrue.
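The two behaviours the report asks for (skip the role search when none of the role* options is configured, and report a failed role search as a role-search failure rather than as a bad password) can be sketched in a few lines. The Python below is an added illustration of that logic, not PicketBox code and not the fix applied to SECURITY-849; the `login` function, the `FAKE_DIRECTORY` stand-in and the `fake_*` callbacks are hypothetical, and the scenario inputs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Mapping, Set

# Options whose absence means the module has no basis for a role search.
ROLE_OPTIONS = ("rolesCtxDN", "roleFilter", "roleAttributeID")


class AuthenticationFailed(Exception):
    """The bind with the supplied credentials was rejected."""


class RoleLookupFailed(Exception):
    """Credentials were accepted; the configured role search did not succeed."""


@dataclass
class LoginOutcome:
    principal: str
    roles: Set[str]


def role_search_configured(options: Mapping[str, str]) -> bool:
    """Attempt a role search only when the caller supplied inputs for one."""
    return any(options.get(key) for key in ROLE_OPTIONS)


def login(options, username, password, bind, search_roles) -> LoginOutcome:
    # Step 1: authenticate. This is the only place a "bad password" verdict is valid.
    if not bind(username, password):
        raise AuthenticationFailed(f"Bad password for username {username}")

    roles: Set[str] = set()
    # Step 2: optional role search, gated on configuration and reported separately.
    if role_search_configured(options):
        try:
            roles.update(search_roles(options, username))
        except Exception as exc:
            raise RoleLookupFailed(
                f"Role search failed for username {username}: {exc}") from exc

    default_role = options.get("defaultRole")
    if default_role:
        roles.add(default_role)
    return LoginOutcome(username, roles)


# Constructed stand-in for a directory (hypothetical, not a real LDAP server).
FAKE_DIRECTORY = {
    "alice": {"password": "s3cret", "roles": ["admin", "staff"]},
}


def fake_bind(username: str, password: str) -> bool:
    entry = FAKE_DIRECTORY.get(username)
    return entry is not None and entry["password"] == password


def fake_search_roles(options, username) -> Iterable[str]:
    # Mimics a search that cannot work without a roles context to search under.
    if not options.get("rolesCtxDN"):
        raise LookupError("no rolesCtxDN to search under")
    return FAKE_DIRECTORY[username]["roles"]


def run_scenarios() -> Dict[str, str]:
    """Exercise the cases from the report and summarise each outcome."""
    results = {}
    cases = {
        "default_role_only": ({"defaultRole": "authenticated"}, "alice", "s3cret"),
        "full_role_search": ({"rolesCtxDN": "ou=Roles,dc=example,dc=com",
                              "roleAttributeID": "cn"}, "alice", "s3cret"),
        "wrong_password": ({"defaultRole": "authenticated"}, "alice", "nope"),
        "partial_role_config": ({"roleFilter": "(member={1})"}, "alice", "s3cret"),
    }
    for name, (options, user, pw) in cases.items():
        try:
            outcome = login(options, user, pw, fake_bind, fake_search_roles)
            results[name] = "ok:" + ",".join(sorted(outcome.roles))
        except AuthenticationFailed as exc:
            results[name] = "auth:" + str(exc)
        except RoleLookupFailed as exc:
            results[name] = "roles:" + str(exc)
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The `default_role_only` case returns just the default role without touching the directory for roles, which is the behaviour the report asks for; `partial_role_config` shows the other half of the point: once any role option is present the search runs, and when it fails the caller is told the role search failed, not that the password was wrong.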



--
This message was sent by Atlassian JIRA
(v6.2.6#6264)

