[jboss-jira] [JBoss JIRA] (SECURITY-951) AdvancedLdapLoginModule with roleAttributeID=null and empty or unset roleFilter can lead to authentication failure
Ondrej Lukas (JIRA)
issues at jboss.org
Mon Aug 22 07:22:00 EDT 2016
[ https://issues.jboss.org/browse/SECURITY-951?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ondrej Lukas updated SECURITY-951:
----------------------------------
Affects Version/s: Negotiation_3_0_3_Final
> AdvancedLdapLoginModule with roleAttributeID=null and empty or unset roleFilter can lead to authentication failure
> ------------------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-951
> URL: https://issues.jboss.org/browse/SECURITY-951
> Project: PicketBox
> Issue Type: Bug
> Affects Versions: Negotiation_3_0_3_Final
> Reporter: Ondrej Lukas
> Assignee: Stefan Guilhen
>
> In the case where AdvancedLdapLoginModule is correctly configured for authentication, but its attribute roleAttributeID is not set (i.e. is null) and roleFilter is not set (i.e. is null) or roleFilter is an empty string, then authentication with a correct username and password fails. It is caused by an internal NPE when searching for roles.
> Expected behavior is that users should be authenticated but no roles should be assigned to them.
> Internal NPE:
> {code}
> java.lang.NullPointerException
> at javax.naming.directory.BasicAttributes.get(BasicAttributes.java:164)
> at org.jboss.security.negotiation.AdvancedLdapLoginModule.obtainRole(AdvancedLdapLoginModule.java:820)
> at org.jboss.security.negotiation.AdvancedLdapLoginModule.rolesSearch(AdvancedLdapLoginModule.java:762)
> at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:412)
> at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:981)
> at org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:331)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> {code}
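To illustrate the failure mode in the report, here is an added example (not PicketBox's own code; the method names and the guard are hypothetical) showing why a null roleAttributeID turns a successful bind into a failed login, and the no-roles outcome the report expects instead:

```java
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class RoleLookupDemo {

    // Mirrors the failing path from the stack trace: BasicAttributes.get(null) throws
    // NullPointerException, which propagates out of the login and fails authentication.
    static Set<String> obtainRoleUnguarded(Attributes attrs, String roleAttributeID) throws Exception {
        Set<String> roles = new HashSet<>();
        Attribute attr = attrs.get(roleAttributeID);   // NPE when roleAttributeID == null
        if (attr != null) {
            for (int i = 0; i < attr.size(); i++) {
                roles.add(attr.get(i).toString());
            }
        }
        return roles;
    }

    // Expected behaviour per the report: no role attribute configured means no roles,
    // not a failed login. The guard is hypothetical, not the project's fix.
    static Set<String> obtainRoleGuarded(Attributes attrs, String roleAttributeID) throws Exception {
        if (roleAttributeID == null || roleAttributeID.isEmpty()) {
            return Collections.emptySet();
        }
        return obtainRoleUnguarded(attrs, roleAttributeID);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample entry standing in for what the directory returns
        // (case-insensitive attribute IDs, as in BasicAttributes(true)).
        BasicAttributes entry = new BasicAttributes(true);
        BasicAttribute member = new BasicAttribute("memberOf");
        member.add("cn=admins,ou=groups,dc=example,dc=com");
        entry.put(member);

        System.out.println("roleAttributeID set:   " + obtainRoleGuarded(entry, "memberOf"));
        System.out.println("roleAttributeID unset: " + obtainRoleGuarded(entry, null));
        try {
            obtainRoleUnguarded(entry, null);
        } catch (NullPointerException e) {
            System.out.println("unguarded lookup with null roleAttributeID -> " + e);
        }
    }
}
```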
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)