[jboss-jira] [JBoss JIRA] (SECURITY-913) NPE if use LdapExtLoginModule in j2se

Kylin Soong (JIRA) issues at jboss.org
Fri Sep 18 05:58:00 EDT 2015 

Kylin Soong created SECURITY-913:
------------------------------------

             Summary: NPE if use LdapExtLoginModule in j2se
                 Key: SECURITY-913
                 URL: https://issues.jboss.org/browse/SECURITY-913
             Project: PicketBox 
          Issue Type: Enhancement
          Components: JBossSX
    Affects Versions: PicketBox_5_0_0.Alpha1
            Reporter: Kylin Soong
            Assignee: Kylin Soong
             Fix For: PicketBox_5_0_0.Alpha1


Use LdapExtLoginModule in j2se with condifg:
{code}
<?xml version='1.0'?> 
 
<policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
         xsi:schemaLocation="urn:jboss:security-config:5.0"
         xmlns="urn:jboss:security-config:5.0"
         xmlns:jbxb="urn:jboss:security-config:5.0">
         
    <application-policy name = "Sample-Ldap"> 
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">  
              <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
              <module-option name="java.naming.provider.url">ldap://10.66.218.46:389</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="bindDN">cn=Manager,dc=example,dc=com</module-option>
              <module-option name="bindCredential">redhat</module-option>
              <module-option name="baseCtxDN">ou=Customers,dc=example,dc=com</module-option>
              <module-option name="baseFilter">(uid={0})</module-option>
              <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option>
              <module-option name="roleFilter">(uniqueMember={1})</module-option>
              <module-option name="roleAttributeID">cn</module-option>
          </login-module> 
       </authentication> 
    </application-policy>  
     
</policy> 
{code}

authentication parse section code [1]  line 123:
{code}
AuthenticationInfo authInfo = new AuthenticationInfo();
{code}
which this cause null set as AuthenticationInfo name, then cause 'jboss.security.security_domain=null' as options be passed to LdapExtLoginModule, this null value finally cause NPE in LdapExtLoginModule line around 840
{code}
Entry entry = (Entry) iter.next();
env.put(entry.getKey(), entry.getValue());
{code}

[1] https://github.com/picketbox/picketbox/blob/master/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/config/parser/ApplicationPolicyParser.java
[2] https://github.com/picketbox/picketbox/blob/master/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jboss-jira mailing list