[jboss-jira] [JBoss JIRA] (SECURITY-955) Regression in parsing username in LdapExtLoginModule
Stefan Guilhen (JIRA)
issues at jboss.org
Mon Feb 27 15:08:00 EST 2017
[ https://issues.jboss.org/browse/SECURITY-955?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Guilhen closed SECURITY-955.
-----------------------------------
Fix Version/s: PicketBox_5_0_0.Beta1
Resolution: Done
The commit that was missing in PicketBox/master was merged.
> Regression in parsing username in LdapExtLoginModule
> ----------------------------------------------------
>
> Key: SECURITY-955
> URL: https://issues.jboss.org/browse/SECURITY-955
> Project: PicketBox
> Issue Type: Bug
> Affects Versions: PicketBox_5_0_0.Alpha3
> Reporter: Ondrej Lukas
> Assignee: Ilia Vassilev
> Priority: Blocker
> Fix For: PicketBox_5_0_0.Beta1
>
>
> When customers use LdapExtLoginModule with option parseUsername=true but without option usernameBeginString (i.e. usernameBeginString=null), no user can be successfully authenticated to the application. The authentication failure is caused by a hidden internal NPE.
> It is the same issue as was reported in [1], but the fix is missing in the current EAP 7.1 version of PicketBox (5.0.0.Alpha3).
> We request blocker flag because:
> * A valid configuration which works for 7.0.x becomes invalid after migration to 7.1.0
> * No user can authenticate to the application despite a valid EAP configuration
> * Authentication failure caused by NPE is logged to the server log
> Thrown NPE:
> {code}
> java.lang.NullPointerException
> at org.jboss.security.auth.spi.LdapExtLoginModule.getUsername(LdapExtLoginModule.java:963)
> at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:342)
> at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283)
> {code}
> [1] https://issues.jboss.org/browse/JBEAP-364?focusedCommentId=13160168&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13160168
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
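
The failure mode described in the report, as an added illustration that is not PicketBox source code: an unguarded delimiter lookup next to a null-safe one. The class name, method names and sample login string are hypothetical; `usernameEndString` is assumed here as the closing-delimiter counterpart of `usernameBeginString`, and leaving the name untrimmed when a configured delimiter is absent from the input is a policy chosen for this sketch.

```java
import java.util.Objects;

/** Added illustration; hypothetical names, not the PicketBox implementation. */
public class UsernameParsingExample {

    // Unguarded form: the delimiter is dereferenced without a null check,
    // so an unset usernameBeginString raises NullPointerException and
    // every login attempt fails before the LDAP bind is even tried.
    static String parseUnguarded(String username, String begin, String end) {
        int beginIndex = username.indexOf(begin) + begin.length();
        int endIndex = username.indexOf(end, beginIndex);
        return username.substring(beginIndex, endIndex);
    }

    // Guarded form: an unset or empty delimiter means "do not trim that side".
    // Assumption of this sketch: a configured delimiter that does not occur
    // in the input also leaves that side untrimmed instead of throwing.
    static String parseGuarded(String username, String begin, String end) {
        Objects.requireNonNull(username, "username");
        int beginIndex = 0;
        if (begin != null && !begin.isEmpty()) {
            int i = username.indexOf(begin);
            if (i >= 0) {
                beginIndex = i + begin.length();
            }
        }
        int endIndex = username.length();
        if (end != null && !end.isEmpty()) {
            int j = username.indexOf(end, beginIndex);
            if (j >= 0) {
                endIndex = j;
            }
        }
        return username.substring(beginIndex, endIndex);
    }

    public static void main(String[] args) {
        String login = "uid=jduke,ou=People,dc=example,dc=org"; // constructed sample
        try {
            parseUnguarded(login, null, ",");
        } catch (NullPointerException e) {
            System.out.println("unguarded: NPE when usernameBeginString is unset");
        }
        System.out.println(parseGuarded(login, null, ","));    // begin unset
        System.out.println(parseGuarded(login, "uid=", ","));  // both set
        System.out.println(parseGuarded(login, "uid=", null)); // end unset
    }
}
```

A regression test for this class of bug should cover each delimiter being unset independently, since a configuration that omits either option is valid.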