[jboss-jira] [JBoss JIRA] (SECURITY-944) AdvancedLdapLoginModule with rolesCtxDN=null leads to authentication failure

Darran Lofthouse (JIRA) issues at jboss.org
Wed Apr 20 05:59:00 EDT 2016


     [ https://issues.jboss.org/browse/SECURITY-944?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated SECURITY-944:
--------------------------------------
    Fix Version/s: Negotiation_3_0_3_CR1


> AdvancedLdapLoginModule with rolesCtxDN=null leads to authentication failure
> ----------------------------------------------------------------------------
>
>                 Key: SECURITY-944
>                 URL: https://issues.jboss.org/browse/SECURITY-944
>             Project: PicketBox 
>          Issue Type: Bug
>          Components: Negotiation
>    Affects Versions: Negotiation_3_0_2_Final
>            Reporter: Ondrej Lukas
>            Assignee: Tomas Hofman
>             Fix For: Negotiation_3_0_3_CR1
>
>
> When AdvancedLdapLoginModule is correctly configured for authentication but its attribute rolesCtxDN is not set (i.e. is null), authentication with a correct username and password fails. It is caused by an internal NPE when searching for roles.
> The expected behavior is that the user should be authenticated but no roles should be assigned to them.
> Internal NPE:
> {code}
> java.lang.NullPointerException: 
>     at org.jboss.as.naming.InitialContext.getURLScheme(InitialContext.java:160)
>     at org.jboss.as.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:128)
>     at javax.naming.directory.InitialDirContext.getURLOrDefaultInitDirCtx(InitialDirContext.java:106)
>     at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
>     at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
>     at org.jboss.security.negotiation.AdvancedLdapLoginModule.rolesSearch(AdvancedLdapLoginModule.java:720)
>     at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:403)
>     at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:967)
>     at org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:326)
>     sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     ...
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
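
A minimal reproduction of the failure mode in the report, as an added example (not PicketBox code and not the project's fix): stock JNDI throws a NullPointerException when a null search base reaches `DirContext.search`, and a null check before the search returns an empty role set instead. The class name, method names and filter are hypothetical.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

// Hypothetical class and method names; not PicketBox code.
public class RolesSearchGuard {

    // Unguarded: a null rolesCtxDN is passed straight to JNDI, which
    // dereferences the name while working out its URL scheme.
    static Set<String> rolesSearchUnguarded(DirContext ctx, String rolesCtxDN, String filter)
            throws NamingException {
        return collect(ctx.search(rolesCtxDN, filter, new SearchControls()));
    }

    // Guarded: an unset rolesCtxDN means no role lookup is configured,
    // so the search is skipped and the caller gets an empty role set.
    static Set<String> rolesSearchGuarded(DirContext ctx, String rolesCtxDN, String filter)
            throws NamingException {
        if (rolesCtxDN == null) {
            return Collections.emptySet();
        }
        return collect(ctx.search(rolesCtxDN, filter, new SearchControls()));
    }

    private static Set<String> collect(NamingEnumeration<SearchResult> results)
            throws NamingException {
        Set<String> names = new HashSet<>();
        try {
            while (results.hasMore()) {
                names.add(results.next().getName());
            }
        } finally {
            results.close();
        }
        return names;
    }

    public static void main(String[] args) throws NamingException {
        DirContext ctx = new InitialDirContext(); // no provider configured, no server contacted
        String filter = "(member=uid=jduke)";     // constructed sample filter
        try {
            rolesSearchUnguarded(ctx, null, filter);
        } catch (NullPointerException e) {
            System.out.println("unguarded: NullPointerException");
        }
        System.out.println("guarded: " + rolesSearchGuarded(ctx, null, filter));
    }
}
```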

