[jboss-jira] [JBoss JIRA] (SECURITY-955) Regression in parsing username in LdapExtLoginModule
Ondrej Lukas (JIRA)
issues at jboss.org
Wed Sep 7 02:33:00 EDT 2016
[ https://issues.jboss.org/browse/SECURITY-955?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ondrej Lukas updated SECURITY-955:
----------------------------------
Affects Version/s: PicketBox_5_0_0.Alpha3
> Regression in parsing username in LdapExtLoginModule
> ----------------------------------------------------
>
> Key: SECURITY-955
> URL: https://issues.jboss.org/browse/SECURITY-955
> Project: PicketBox
> Issue Type: Bug
> Affects Versions: PicketBox_5_0_0.Alpha3
> Reporter: Ondrej Lukas
> Assignee: Stefan Guilhen
> Priority: Blocker
>
> When customers use LdapExtLoginModule with the option parseUsername=true but without the option usernameBeginString (i.e. usernameBeginString=null), all users cannot be successfully authenticated into the application. The authentication failure is caused by a hidden internal NPE.
> It is the same issue as was reported in [1], but the fix is missing in the current EAP 7.1 version of PicketBox (5.0.0.Alpha3).
> We request the blocker flag because:
> * A valid configuration which works for 7.0.x becomes invalid after migration to 7.1.0
> * All users cannot authenticate to the application despite a valid EAP configuration
> * The authentication failure caused by the NPE is logged to the server log
> Thrown NPE:
> {code}
> java.lang.NullPointerException
> at org.jboss.security.auth.spi.LdapExtLoginModule.getUsername(LdapExtLoginModule.java:963)
> at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:342)
> at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283)
> {code}
> [1] https://issues.jboss.org/browse/JBEAP-364?focusedCommentId=13160168&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13160168
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
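
The failure mode reported above, as an added illustration that is not PicketBox source and not part of the original message: an unguarded delimiter lookup throws when `usernameBeginString` is unset, while a null-safe version treats an unset delimiter as "do not trim on that side". The class and method names are hypothetical, the sample principals are constructed, and the end delimiter parameter stands in for the module's companion `usernameEndString` option.

```java
// Added illustration; NOT the PicketBox implementation. All names are hypothetical.
public class ParseUsernameDemo {

    // Unguarded form: String.indexOf(null) throws NullPointerException,
    // so every login fails when the begin delimiter is not configured.
    static String parseUnguarded(String username, String begin, String end) {
        int from = username.indexOf(begin) + begin.length();
        int to = username.indexOf(end, from);
        return to < 0 ? username.substring(from) : username.substring(from, to);
    }

    // Null-safe form: an unset or absent delimiter leaves that side untouched.
    static String parseGuarded(String username, String begin, String end) {
        if (username == null) {
            return null;
        }
        int from = 0;
        if (begin != null && !begin.isEmpty()) {
            int i = username.indexOf(begin);
            if (i >= 0) {
                from = i + begin.length();
            }
        }
        int to = username.length();
        if (end != null && !end.isEmpty()) {
            int j = username.indexOf(end, from);
            if (j >= 0) {
                to = j;
            }
        }
        return username.substring(from, to);
    }

    public static void main(String[] args) {
        // Constructed sample input: only the end delimiter is configured.
        String principal = "jduke@EXAMPLE.ORG";
        try {
            parseUnguarded(principal, null, "@");
        } catch (NullPointerException e) {
            System.out.println("unguarded: NPE, authentication would fail for every user");
        }
        System.out.println("guarded:   " + parseGuarded(principal, null, "@"));
        System.out.println("guarded:   " + parseGuarded("CORP\\jduke@EXAMPLE.ORG", "CORP\\", "@"));
    }
}
```

A regression test for this class of bug should exercise every combination of set and unset delimiters, since a configuration with only one of them is valid.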