[jboss-jira] [JBoss JIRA] (SECURITY-784) LdapExtLoginModule cannot find custom ldap socket factory
Pedro Igor (JIRA)
issues at jboss.org
Wed Jul 29 12:31:07 EDT 2015
[ https://issues.jboss.org/browse/SECURITY-784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13094024#comment-13094024 ]
Pedro Igor commented on SECURITY-784:
-------------------------------------
After investigating this issue, I've found that [1] has impacted how the classloader is configured when using the *module* attribute on the *login-module* resource.
The code introduced by this issue
{code:title=org.jboss.security.auth.spi.LdapExtLoginModule#createLdapInitContext|borderStyle=solid}
InitialLdapContext ctx = null;
// Remember the caller's thread context classloader (the one set up from the
// login-module's "module" attribute).
ClassLoader currentTCCL = SecurityActions.getContextClassLoader();
try
{
   // Clearing the TCCL here is what breaks the by-name lookup of the
   // custom socket factory during context creation.
   if (currentTCCL != null)
      SecurityActions.setContextClassLoader(null);
   ctx = constructInitialLdapContext(bindDN, bindCredential);
   ...
}
finally
{
   if (ctx != null)
      ctx.close();
   // Restore the original TCCL once the context has been created and closed.
   if (currentTCCL != null)
      SecurityActions.setContextClassLoader(currentTCCL);
}
{code}
is setting the TCCL to null and overriding the previously configured classloader which was created based on the module configured for a given login-module resource.
Removing the code above, the solution for this issue is pretty much like what [~dlofthouse] described. Except that you don't really need to have a dependency on the picketbox module inside the custom module's module.xml. Something like this should work:
{code:xml}
<module xmlns="urn:jboss:module:1.1" name="ldap-custom-socket">
    <resources>
        <resource-root path="custom-socket-factory.jar"/>
        <!-- Insert resources here -->
    </resources>
    <dependencies>
        <module name="javax.api"/>
    </dependencies>
</module>
{code}
After doing some tests I've got the following messages in my log:
{code}
13:24:07,487 INFO [stdout] (http-/127.0.0.1:8080-1) >>> org.jboss.example.CustomSocketFactory.getDefault : 42
13:24:07,490 INFO [stdout] (http-/127.0.0.1:8080-1) >>> org.jboss.example.CustomSocketFactory.<init> : 38
13:24:07,494 INFO [stdout] (http-/127.0.0.1:8080-1) >>> org.jboss.example.CustomSocketFactory.createSocket : 48
13:24:07,687 INFO [stdout] (http-/127.0.0.1:8080-1) >>> org.jboss.example.CustomSocketFactory.getDefault : 42
13:24:07,689 INFO [stdout] (http-/127.0.0.1:8080-1) >>> org.jboss.example.CustomSocketFactory.<init> : 38
13:24:07,691 INFO [stdout] (http-/127.0.0.1:8080-1) >>> org.jboss.example.CustomSocketFactory.createSocket : 48
{code}
and the user was authenticated just like expected.
I'm going to run some more tests and check with [~sguilhen] if that code can be safely removed or not. IMO, it seems that that code was added to work around some AS7-specific issue, which should not be a problem anymore in EAP 6.4.
[1] https://issues.jboss.org/browse/SECURITY-597
> LdapExtLoginModule cannot find custom ldap socket factory
> ---------------------------------------------------------
>
> Key: SECURITY-784
> URL: https://issues.jboss.org/browse/SECURITY-784
> Project: PicketBox
> Issue Type: Feature Request
> Components: PicketBox
> Affects Versions: PicketBox_4_0_19.Final
> Reporter: Derek Horton
> Assignee: Pedro Igor
> Attachments: SECURITY-784.patch
>
>
> LdapExtLoginModule cannot find custom ldap socket factory.
> Passing the "java.naming.ldap.factory.socket" property in as a
> module-option:
> <module-option name="java.naming.ldap.factory.socket" value="org.jboss.example.CustomSocketFactory"/>
> results in a ClassNotFoundException:
> Caused by: javax.naming.CommunicationException: 192.168.1.8:389 [Root exception is java.lang.ClassNotFoundException: org/jboss/example/CustomSocketFactory]
> at com.sun.jndi.ldap.Connection.<init>(Connection.java:226) [rt.jar:1.7.0_45]
> at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:136) [rt.jar:1.7.0_45]
> at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1608) [rt.jar:1.7.0_45]
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2698) [rt.jar:1.7.0_45]
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) [rt.jar:1.7.0_45]
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) [rt.jar:1.7.0_45]
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) [rt.jar:1.7.0_45]
> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) [rt.jar:1.7.0_45]
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) [rt.jar:1.7.0_45]
> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.7.0_45]
> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) [rt.jar:1.7.0_45]
> at javax.naming.InitialContext.init(InitialContext.java:242) [rt.jar:1.7.0_45]
> at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) [rt.jar:1.7.0_45]
> at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:767) [picketbox-4.0.17.SP2-redhat-2.jar:4.0.17.SP2-redhat-2]
> I tried making the custom socket factory into a jboss module and adding the module as a dependency to picketbox and
> sun.jdk. Unfortunately, that did not work. I also added the socket
> factory jar to the jre/lib/ext directory. That didn't work either.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
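The classloading mechanism behind the comment above, as an added example that is not part of the original issue, the reporter's attachment, or PicketBox itself: a by-name class lookup through the thread context classloader (the pattern the JDK's JNDI LDAP provider uses to instantiate the class named by `java.naming.ldap.factory.socket`) succeeds while the TCCL points at the application loader, fails with `ClassNotFoundException` once the TCCL has been set to null, and still finds JDK classes in that state because they sit on the bootstrap path. `ExampleSocketFactory`, `TcclLookupDemo`, `loadViaTccl` and `withTccl` are constructed names for this demonstration, not classes from the page.

```java
import java.util.concurrent.Callable;

// Added example (not PicketBox or reporter code): shows why clearing the thread
// context classloader (TCCL) makes a by-name lookup of an application class
// fail, which is the mechanism behind the ClassNotFoundException in this issue.
public class TcclLookupDemo {

    /** Constructed stand-in for a custom socket factory living in an app module. */
    public static class ExampleSocketFactory {
    }

    /** Mirrors a JNDI-style lookup: resolve a class by name through the TCCL. */
    static Class<?> loadViaTccl(String className) throws ClassNotFoundException {
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        // With a null loader, Class.forName delegates to the bootstrap loader,
        // which only sees the JDK's own classes, never application modules.
        return Class.forName(className, true, tccl);
    }

    /** Runs an action with the TCCL temporarily replaced, always restoring it. */
    static <T> T withTccl(ClassLoader replacement, Callable<T> action) throws Exception {
        Thread current = Thread.currentThread();
        ClassLoader previous = current.getContextClassLoader();
        current.setContextClassLoader(replacement);
        try {
            return action.call();
        } finally {
            // Restore unconditionally so a failure cannot leak the swapped loader.
            current.setContextClassLoader(previous);
        }
    }

    public static void main(String[] args) throws Exception {
        String name = ExampleSocketFactory.class.getName();
        ClassLoader appLoader = TcclLookupDemo.class.getClassLoader();

        // 1. TCCL is the loader that can see the factory: lookup succeeds.
        System.out.println("with app TCCL: "
                + withTccl(appLoader, () -> loadViaTccl(name)).getName());

        // 2. TCCL set to null, as the createLdapInitContext code quoted in the
        //    comment did: the same lookup now fails.
        try {
            withTccl(null, () -> loadViaTccl(name));
            System.out.println("with null TCCL: unexpectedly loaded");
        } catch (ClassNotFoundException e) {
            System.out.println("with null TCCL: " + e);
        }

        // 3. A JDK class is still found with a null TCCL because it is on the
        //    bootstrap path; only classes from custom modules are affected.
        System.out.println("JDK class with null TCCL: "
                + withTccl(null, () -> loadViaTccl("javax.net.SocketFactory")).getName());

        // 4. The finally block restored the caller's TCCL.
        System.out.println("TCCL restored: "
                + (Thread.currentThread().getContextClassLoader() == appLoader));
    }
}
```

Compile with `javac TcclLookupDemo.java` and run with `java TcclLookupDemo`; case 2 prints the `ClassNotFoundException` for the constructed factory class, which is the same failure shape as the trace in the issue, while cases 1 and 3 print the resolved class names.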