[jboss-jira] [JBoss JIRA] (SECURITY-913) NPE if use LdapExtLoginModule in j2se

Kylin Soong (JIRA) issues at jboss.org
Fri Sep 18 06:18:00 EDT 2015


     [ https://issues.jboss.org/browse/SECURITY-913?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kylin Soong updated SECURITY-913:
---------------------------------
    Attachment: picketbox-j2se.zip


h2. How to reproduce
{code}
$ unzip picketbox-j2se.zip
$ cd picketbox-j2se
$ mvn clean install dependency:copy-dependencies
$ java -cp target/dependency/*:target/picketbox-loginModule-j2se.jar ReproduceMain
{code}

When run, a LoginException will be thrown.

> NPE if use LdapExtLoginModule in j2se
> -------------------------------------
>
>                 Key: SECURITY-913
>                 URL: https://issues.jboss.org/browse/SECURITY-913
>             Project: PicketBox 
>          Issue Type: Enhancement
>          Components: JBossSX
>    Affects Versions: PicketBox_5_0_0.Alpha1
>            Reporter: Kylin Soong
>            Assignee: Kylin Soong
>             Fix For: PicketBox_5_0_0.Alpha1
>
>         Attachments: picketbox-j2se.zip
>
>
> Use LdapExtLoginModule in j2se with config:
> {code}
> <?xml version='1.0'?> 
>  
> <policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
>          xsi:schemaLocation="urn:jboss:security-config:5.0"
>          xmlns="urn:jboss:security-config:5.0"
>          xmlns:jbxb="urn:jboss:security-config:5.0">
>          
>     <application-policy name = "Sample-Ldap"> 
>        <authentication>
>           <login-module code = "org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">  
>               <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
>               <module-option name="java.naming.provider.url">ldap://10.66.218.46:389</module-option>
>               <module-option name="java.naming.security.authentication">simple</module-option>
>               <module-option name="bindDN">cn=Manager,dc=example,dc=com</module-option>
>               <module-option name="bindCredential">redhat</module-option>
>               <module-option name="baseCtxDN">ou=Customers,dc=example,dc=com</module-option>
>               <module-option name="baseFilter">(uid={0})</module-option>
>               <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option>
>               <module-option name="roleFilter">(uniqueMember={1})</module-option>
>               <module-option name="roleAttributeID">cn</module-option>
>           </login-module> 
>        </authentication> 
>     </application-policy>  
>      
> </policy> 
> {code}
> The authentication parse section code [1], line 123:
> {code}
> AuthenticationInfo authInfo = new AuthenticationInfo();
> {code}
> This causes null to be set as the AuthenticationInfo name, which in turn causes 'jboss.security.security_domain=null' to be passed in the options to LdapExtLoginModule. This null value finally causes an NPE in LdapExtLoginModule at around line 840:
> {code}
> Entry entry = (Entry) iter.next();
> env.put(entry.getKey(), entry.getValue());
> {code}
> [1] https://github.com/picketbox/picketbox/blob/master/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/config/parser/ApplicationPolicyParser.java
> [2] https://github.com/picketbox/picketbox/blob/master/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
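The failure mode described in the report, as an added stand-alone example (this is not PicketBox code and not the fix that shipped): the quoted loop copies every module option into a JNDI environment backed by java.util.Hashtable (java.util.Properties extends it), and Hashtable.put rejects a null value with NullPointerException, so one unnamed AuthenticationInfo is enough to bring the whole login module down. The class name, method names and the constructed option set (including the placeholder provider URL) are assumptions made for this example; the option key 'jboss.security.security_domain' is the one the report quotes. The null-tolerant copy is one defensive variant, not the project's change.

```java
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

/**
 * Added example (not PicketBox code): reproduces why a null module option
 * value makes an options-to-JNDI-env copy throw NullPointerException, and
 * shows a null-tolerant copy beside it.
 */
public class NullOptionNpeDemo {

    // Key quoted in the report; the J2SE parse path passes its value as null
    // because the parser builds AuthenticationInfo without a name.
    static final String SECURITY_DOMAIN_OPT = "jboss.security.security_domain";

    /** Mirrors the quoted loop: copies every option into a Hashtable-based env. */
    static Hashtable<String, Object> copyAllOptions(Map<String, Object> options) {
        Hashtable<String, Object> env = new Hashtable<>();
        for (Map.Entry<String, Object> entry : options.entrySet()) {
            // Hashtable.put throws NullPointerException on a null key or value
            env.put(entry.getKey(), entry.getValue());
        }
        return env;
    }

    /** Defensive variant (an assumption for this example): skip null entries. */
    static Hashtable<String, Object> copyNonNullOptions(Map<String, Object> options) {
        Hashtable<String, Object> env = new Hashtable<>();
        for (Map.Entry<String, Object> entry : options.entrySet()) {
            if (entry.getKey() == null || entry.getValue() == null) {
                continue; // e.g. security_domain=null when the domain name was never set
            }
            env.put(entry.getKey(), entry.getValue());
        }
        return env;
    }

    /** Constructed option set resembling the report's config, with the domain name missing. */
    static Map<String, Object> optionsWithNullDomain() {
        Map<String, Object> options = new HashMap<>(); // HashMap tolerates null values
        options.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        options.put("java.naming.provider.url", "ldap://127.0.0.1:389"); // placeholder, constructed
        options.put("baseCtxDN", "ou=Customers,dc=example,dc=com");
        options.put("baseFilter", "(uid={0})");
        options.put(SECURITY_DOMAIN_OPT, null); // AuthenticationInfo name never set
        return options;
    }

    public static void main(String[] args) {
        Map<String, Object> options = optionsWithNullDomain();
        try {
            copyAllOptions(options);
            System.out.println("unexpected: no NPE");
        } catch (NullPointerException e) {
            System.out.println("NPE as reported: " + e);
        }
        Hashtable<String, Object> env = copyNonNullOptions(options);
        System.out.println("null-tolerant copy kept " + env.size()
                + " options; domain key present=" + env.containsKey(SECURITY_DOMAIN_OPT));
    }
}
```

The guard on the copy side only keeps the login module from crashing; per the report the root cause is the parser building AuthenticationInfo without a name, so the name still has to be set there for the security domain option to carry a real value.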