[jboss-jira] [JBoss JIRA] (WFCORE-2258) 500 return for nonexistent user in legacy ldap security realm
Martin Choma (JIRA)
issues at jboss.org
Thu Feb 2 02:16:01 EST 2017
[ https://issues.jboss.org/browse/WFCORE-2258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Choma updated WFCORE-2258:
---------------------------------
Description:
When the management interface is secured with LDAP in a security realm and a nonexistent user is provided, WildFly answers with a {{500}} HTTP status code. This behaviour differs from WildFly 10.1, which returns {{401}}. I think HTTP status code {{401}} is proper in this situation, because it is a client fault (e.g. a typo in the username) and can be repaired on the client side.
{code:title=server.log}
10:49:18,745 TRACE [org.wildfly.security] (management task-10) Handling MechanismInformationCallback
10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling AvailableRealmsCallback: realms = [ldap-realm]
10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling RealmCallback: selected = [ldap-realm]
10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling NameCallback: authenticationName = anil
10:49:18,746 TRACE [org.wildfly.security] (management task-10) Name assigning: [anil], pre-realm rewritten: [anil], realm name: [PLAIN], post realm rewritten: [anil], realm rewritten: [anil]
10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Non caching search for 'anil'
10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Performing single level search
10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Searching for user 'anil' using filter '(uid={0})'.
10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Connecting to LDAP with properties ({java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://localhost.localdomain:10389, java.naming.security.principal=uid=admin,ou=system, java.naming.security.credentials=***, java.naming.referral=ignore})
10:49:18,749 WARN [org.apache.directory.server.core.api.interceptor.context.FilteringOperationContext] (pool-7-thread-1) Requested attribute dn does not exist in the schema, it will be ignored
10:49:18,750 TRACE [org.jboss.as.domain.management.security] (management task-10) User 'anil' not found in directory.
{code}
was:
When the management interface is secured with LDAP in a security realm and a nonexistent user is provided, EAP answers with a {{500}} HTTP status code. This behaviour differs from WildFly 10.1, which returns {{401}}. I think HTTP status code {{401}} is proper in this situation, because it is a client fault (e.g. a typo in the username) and can be repaired on the client side.
{code:title=server.log}
10:49:18,745 TRACE [org.wildfly.security] (management task-10) Handling MechanismInformationCallback
10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling AvailableRealmsCallback: realms = [ldap-realm]
10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling RealmCallback: selected = [ldap-realm]
10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling NameCallback: authenticationName = anil
10:49:18,746 TRACE [org.wildfly.security] (management task-10) Name assigning: [anil], pre-realm rewritten: [anil], realm name: [PLAIN], post realm rewritten: [anil], realm rewritten: [anil]
10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Non caching search for 'anil'
10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Performing single level search
10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Searching for user 'anil' using filter '(uid={0})'.
10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Connecting to LDAP with properties ({java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://localhost.localdomain:10389, java.naming.security.principal=uid=admin,ou=system, java.naming.security.credentials=***, java.naming.referral=ignore})
10:49:18,749 WARN [org.apache.directory.server.core.api.interceptor.context.FilteringOperationContext] (pool-7-thread-1) Requested attribute dn does not exist in the schema, it will be ignored
10:49:18,750 TRACE [org.jboss.as.domain.management.security] (management task-10) User 'anil' not found in directory.
{code}
> 500 return for nonexistent user in legacy ldap security realm
> -------------------------------------------------------------
>
> Key: WFCORE-2258
> URL: https://issues.jboss.org/browse/WFCORE-2258
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
> Labels: eap71_alpha, regression
>
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
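To turn the reporter's expectation into a repeatable regression check, here is an added Python example (not code from the WildFly project or from the report) that parses the server.log TRACE lines quoted above per worker thread, extracts the attempted user, realm and LDAP search filter, and flags any HTTP status other than 401 for a "user not found" outcome. The sample log lines are the ones from the report; the observed status values passed to the check are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# Legacy security-realm TRACE lines look like: "<time> <LEVEL> [<logger>] (<thread>) <message>"
LINE_RE = re.compile(r"^\S+ (?P<level>\w+)\s+\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
NAME_RE = re.compile(r"Handling NameCallback: authenticationName = (\S+)")
REALM_RE = re.compile(r"Handling RealmCallback: selected = \[([^\]]+)\]")
FILTER_RE = re.compile(r"Searching for user '[^']*' using filter '([^']+)'")
NOT_FOUND_RE = re.compile(r"User '[^']+' not found in directory")

@dataclass
class AuthAttempt:
    thread: str
    user: Optional[str] = None
    realm: Optional[str] = None
    ldap_filter: Optional[str] = None
    outcome: str = "unknown"  # becomes "user-not-found" when the realm reports it

def parse_attempts(lines: List[str]) -> Dict[str, AuthAttempt]:
    """Group lines by worker thread and keep the threads that ran an authentication."""
    attempts: Dict[str, AuthAttempt] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a server.log line in the expected shape
        att = attempts.setdefault(m["thread"], AuthAttempt(thread=m["thread"]))
        msg = m["msg"]
        if (n := NAME_RE.search(msg)):
            att.user = n.group(1)
        elif (r := REALM_RE.search(msg)):
            att.realm = r.group(1)
        elif (f := FILTER_RE.search(msg)):
            att.ldap_filter = f.group(1)
        elif NOT_FOUND_RE.search(msg):
            att.outcome = "user-not-found"
    return {t: a for t, a in attempts.items() if a.user is not None}

def is_regression(attempt: AuthAttempt, observed_status: int) -> bool:
    """Report's expectation: an unknown user is a client fault and must yield 401 (as WildFly
    10.1 did); any other status for a 'user-not-found' outcome is the WFCORE-2258 behaviour."""
    return attempt.outcome == "user-not-found" and observed_status != 401

# Sample input: the TRACE/WARN lines quoted in the report, trimmed to the relevant ones.
SAMPLE_LOG = [
    "10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling RealmCallback: selected = [ldap-realm]",
    "10:49:18,746 TRACE [org.wildfly.security] (management task-10) Handling NameCallback: authenticationName = anil",
    "10:49:18,746 TRACE [org.jboss.as.domain.management.security] (management task-10) Searching for user 'anil' using filter '(uid={0})'.",
    "10:49:18,749 WARN [org.apache.directory.server.core.api.interceptor.context.FilteringOperationContext] (pool-7-thread-1) Requested attribute dn does not exist in the schema, it will be ignored",
    "10:49:18,750 TRACE [org.jboss.as.domain.management.security] (management task-10) User 'anil' not found in directory.",
]
```

The unrelated `pool-7-thread-1` WARN line is parsed but dropped because no authentication name was ever seen on that thread, so only the management worker's attempt is reported.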