[jboss-jira] [JBoss JIRA] (WFCORE-1281) NPE in principal-to-group group searching
Ondrej Lukas (JIRA)
issues at jboss.org
Mon Jan 18 00:38:00 EST 2016
[ https://issues.jboss.org/browse/WFCORE-1281?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ondrej Lukas updated WFCORE-1281:
---------------------------------
Steps to Reproduce:
1) Use the following security realm:
{code:xml}
<security-realm name="ldap-security-realm">
    <authentication>
        <ldap connection="ldap_connection" base-dn="dc=jboss,dc=org" recursive="true">
            <username-filter attribute="uid"/>
        </ldap>
    </authentication>
    <authorization>
        <ldap connection="ldap_connection">
            <group-search group-name="SIMPLE" iterative="false" group-dn-attribute="dn" group-name-attribute="description">
                <principal-to-group group-attribute="sn"/>
            </group-search>
        </ldap>
    </authorization>
</security-realm>
{code}
...
{code:xml}
<outbound-connections>
    <ldap name="ldap_connection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
</outbound-connections>
{code}
2) Use this security domain for RBAC access to the management console:
{code:xml}
<management-interfaces>
    <native-interface security-realm="ManagementRealm">
        <socket-binding native="management-native"/>
    </native-interface>
    <http-interface security-realm="ldap-security-realm">
        <socket-binding http="management-http"/>
    </http-interface>
</management-interfaces>
<access-control provider="rbac">
    <role-mapping>
        <role name="SuperUser">
            <include>
                <user name="$local"/>
                <group name="JBossAdmin"/>
            </include>
        </role>
    </role-mapping>
</access-control>
{code}
3) Use an LDAP server with the attached LDIF.
4) Try to access the management console with jduke/Password - it will fail.
5) Uncomment the line 'description: Monitor' in the LDIF and try to access the management console again - it will succeed.
was:
1) Use the following security domain:
{code:xml}
<security-realm name="ldap-security-realm">
    <authentication>
        <ldap connection="ldap_connection" base-dn="dc=jboss,dc=org" recursive="true">
            <username-filter attribute="uid"/>
        </ldap>
    </authentication>
    <authorization>
        <ldap connection="ldap_connection">
            <group-search group-name="SIMPLE" iterative="false" group-dn-attribute="dn" group-name-attribute="description">
                <principal-to-group group-attribute="sn"/>
            </group-search>
        </ldap>
    </authorization>
</security-realm>
{code}
...
{code:xml}
<outbound-connections>
    <ldap name="ldap_connection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
</outbound-connections>
{code}
2) Use this security domain for RBAC access to the management console:
{code:xml}
<management-interfaces>
    <native-interface security-realm="ManagementRealm">
        <socket-binding native="management-native"/>
    </native-interface>
    <http-interface security-realm="ldap-security-realm">
        <socket-binding http="management-http"/>
    </http-interface>
</management-interfaces>
<access-control provider="rbac">
    <role-mapping>
        <role name="SuperUser">
            <include>
                <user name="$local"/>
                <group name="JBossAdmin"/>
            </include>
        </role>
    </role-mapping>
</access-control>
{code}
3) Use an LDAP server with the attached LDIF.
4) Try to access the management console with jduke/Password - it will fail.
5) Uncomment the line 'description: Monitor' in the LDIF and try to access the management console again - it will succeed.
> NPE in principal-to-group group searching
> -----------------------------------------
>
> Key: WFCORE-1281
> URL: https://issues.jboss.org/browse/WFCORE-1281
> Project: WildFly Core
> Issue Type: Bug
> Components: Domain Management, Security
> Affects Versions: 2.0.5.Final
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Attachments: groupsearch.ldif
>
>
> When LDAP authorization with principal-to-group group searching is used in a security realm and the LDAP entry found by the value of 'group-attribute' does not include the attribute named in 'group-name-attribute', authentication fails. It is caused by a missing null check for groupNameAttr and a hidden NPE thrown from [1].
> [1] https://github.com/wildfly/wildfly-core/blob/18393273a1c9e464fb0cc959795118fd5a453904/domain-management/src/main/java/org/jboss/as/domain/management/security/LdapGroupSearcherFactory.java#L301
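The failure mode described in the ticket, as an added example that is not WildFly's own code: a group entry is located through the principal's `group-attribute` value, but the `group-name-attribute` (here `description`) is absent from that entry. Looking the attribute up on a `javax.naming.directory.Attributes` object returns null, and calling `.get()` on it is the hidden NPE; the checked variant treats a missing naming attribute as "no group name" and skips the entry, so the user simply gets no group from it rather than a failed login. Class and method names are hypothetical, and the sample entries are constructed to mirror the LDIF scenario (one entry with `description: Monitor`, one with that line commented out).

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import java.util.ArrayList;
import java.util.List;

// Hypothetical stand-in for the group-name lookup performed during
// principal-to-group searching; not WildFly Core's own implementation.
public class GroupNameLookupDemo {

    // Before: assumes the attribute named by group-name-attribute is always
    // present on the group entry. When it is absent, attrs.get(groupNameAttr)
    // returns null and the following .get() throws a NullPointerException,
    // which surfaces to the caller as a generic authentication failure.
    static String groupNameUnchecked(Attributes attrs, String groupNameAttr) throws NamingException {
        Attribute attr = attrs.get(groupNameAttr);
        return (String) attr.get();   // NPE when the attribute is missing
    }

    // After: null check. A group entry without the naming attribute yields
    // no group name, so it is skipped instead of aborting the whole search.
    static String groupNameChecked(Attributes attrs, String groupNameAttr) throws NamingException {
        Attribute attr = attrs.get(groupNameAttr);
        if (attr == null) {
            return null;
        }
        Object value = attr.get();
        return value == null ? null : value.toString();
    }

    // Collect group names from the candidate group entries, dropping entries
    // that carry no group-name-attribute; the RBAC role mapping then sees only
    // real group names (e.g. a group named "JBossAdmin" maps to SuperUser).
    static List<String> resolveGroups(List<Attributes> groupEntries, String groupNameAttr) throws NamingException {
        List<String> names = new ArrayList<>();
        for (Attributes entry : groupEntries) {
            String name = groupNameChecked(entry, groupNameAttr);
            if (name != null) {
                names.add(name);
            }
        }
        return names;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample entries: the realm uses group-name-attribute="description";
        // the first entry carries it, the second does not (the 'description: Monitor'
        // line commented out in the attached LDIF).
        Attributes withDescription = new BasicAttributes(true);
        withDescription.put("cn", "Monitor");
        withDescription.put("description", "Monitor");

        Attributes withoutDescription = new BasicAttributes(true);
        withoutDescription.put("cn", "Monitor");

        List<Attributes> entries = List.of(withDescription, withoutDescription);

        // Checked lookup: the entry lacking 'description' is skipped, login proceeds.
        System.out.println("checked lookup resolved groups: " + resolveGroups(entries, "description"));

        // Unchecked lookup: the same entry triggers the NPE the ticket describes.
        try {
            groupNameUnchecked(withoutDescription, "description");
        } catch (NullPointerException e) {
            System.out.println("unchecked lookup: NullPointerException on entry without 'description'");
        }
    }
}
```

Run with `javac GroupNameLookupDemo.java && java GroupNameLookupDemo`. The operational point for a defender is that the unchecked path turns a directory data inconsistency (a group entry missing its naming attribute) into a blanket authentication failure with no useful log message; the checked path degrades to "fewer groups" and leaves the realm's configured `group-name-attribute` as the only thing to audit when a user is unexpectedly denied a role.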
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)