[jboss-jira] [JBoss JIRA] (SECURITY-955) Regression in parsing username in LdapExtLoginModule
Ondrej Lukas (JIRA)
issues at jboss.org
Wed Sep 7 02:32:01 EDT 2016
Ondrej Lukas created SECURITY-955:
-------------------------------------
Summary: Regression in parsing username in LdapExtLoginModule
Key: SECURITY-955
URL: https://issues.jboss.org/browse/SECURITY-955
Project: PicketBox
Issue Type: Bug
Reporter: Ondrej Lukas
Assignee: Stefan Guilhen
Priority: Blocker
When customers use LdapExtLoginModule with option parseUsername=true but without option usernameBeginString (i.e. usernameBeginString=null), no users can be successfully authenticated into the application. The authentication failure is caused by a hidden internal NPE.
It is the same issue as was reported in [1], but the fix is missing in the current EAP 7.1 version of PicketBox (5.0.0.Alpha3).
We request the blocker flag because:
* A valid configuration which works for 7.0.x becomes invalid after migration to 7.1.0
* No users can authenticate to the application despite a valid EAP configuration
* The authentication failure caused by the NPE is logged to the server log
Thrown NPE:
{code}
java.lang.NullPointerException
at org.jboss.security.auth.spi.LdapExtLoginModule.getUsername(LdapExtLoginModule.java:963)
at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:342)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283)
{code}
[1] https://issues.jboss.org/browse/JBEAP-364?focusedCommentId=13160168&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13160168
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
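The failure mode reported above, as an added illustration that is not PicketBox's own code and not part of the original message: a username parser that dereferences an unset begin delimiter, next to a null-safe form. The class, the method names and the sample principal are hypothetical, and the real getUsername() implementation is assumed, not reproduced.

```java
public class ParseUsernameDemo {

    // Hypothetical "regressed" shape: assumes the begin delimiter is always configured.
    static String parseUnguarded(String username, String begin, String end) {
        // String.indexOf(null) throws NullPointerException when begin is unset.
        int beginIndex = username.indexOf(begin) + begin.length();
        int endIndex = username.indexOf(end, beginIndex);
        return username.substring(beginIndex, endIndex);
    }

    // Null-safe shape: an unset or empty delimiter means "do not trim on that side".
    static String parseGuarded(String username, String begin, String end) {
        int beginIndex = 0;
        if (begin != null && !begin.isEmpty()) {
            int i = username.indexOf(begin);
            if (i >= 0) {                 // delimiter absent: keep the start of the string
                beginIndex = i + begin.length();
            }
        }
        int endIndex = username.length();
        if (end != null && !end.isEmpty()) {
            int j = username.indexOf(end, beginIndex);
            if (j >= 0) {                 // delimiter absent: keep the rest of the string
                endIndex = j;
            }
        }
        return username.substring(beginIndex, endIndex);
    }

    public static void main(String[] args) {
        String principal = "uid=jduke,ou=People";   // constructed sample input

        // Both delimiters configured.
        System.out.println(parseGuarded(principal, "uid=", ","));
        // parseUsername=true with usernameBeginString unset, the case from this report.
        System.out.println(parseGuarded(principal, null, ","));

        try {
            parseUnguarded(principal, null, ",");
        } catch (NullPointerException e) {
            // In a login module this exception surfaces as a failed login for every user.
            System.out.println("unguarded parser threw NullPointerException");
        }
    }
}
```

A regression test for this class of bug should cover each delimiter option being unset, empty, and absent from the supplied username.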