[jboss-jira] [JBoss JIRA] (WFLY-8261) ldap role should ignore javax.naming.PartialResultException when referrals=ignore

Tue Feb 28 09:06:00 EST 2017

Peter Palaga created WFLY-8261:
----------------------------------

             Summary: ldap role should ignore javax.naming.PartialResultException when referrals=ignore
                 Key: WFLY-8261
                 URL: https://issues.jboss.org/browse/WFLY-8261
             Project: WildFly
          Issue Type: Task
          Components: Security
            Reporter: Peter Palaga
            Assignee: Peter Palaga

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1418685 

ldap role should ignore javax.naming.PartialResultException when referrals=ignore.

In this case, the customer has a role which is causing a referral.  They have referrals=ignore which causes a PartialResultException to be logged.  This ends up causing a 500 error.
{code}
15:10:04,355 TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 7) Group found with distinguishedName=CN=AGENTS-REGISTERED-DS 7431,OU=Automated,OU=Groups,DC=AGENTS,DC=AMFAM,DC=NET
15:10:04,357 TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 7) Failure supplementing Subject: javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100742, data 0, 1 access points
	ref 1: 'AGENTS.AMFAM.NET'
\00]; remaining name 'CN=AGENTS-REGISTERED-DS 7431,OU=Automated,OU=Groups,DC=AGENTS,DC=AMFAM,DC=NET'
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971) [rt.jar:1.8.0_66]
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888) [rt.jar:1.8.0_66]
	at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1329) [rt.jar:1.8.0_66]
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235) [rt.jar:1.8.0_66]
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141) [rt.jar:1.8.0_66]
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129) [rt.jar:1.8.0_66]
	at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142) [rt.jar:1.8.0_66]
	at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142) [rt.jar:1.8.0_66]
	at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.search(LdapGroupSearcherFactory.java:297) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.search(LdapGroupSearcherFactory.java:215) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.as.domain.management.security.LdapCacheService$NoCacheCache.search(LdapCacheService.java:225) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.loadGroupEntries(LdapSubjectSupplementalService.java:218) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.loadGroups(LdapSubjectSupplementalService.java:195) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.loadGroups(LdapSubjectSupplementalService.java:188) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.supplementSubject(LdapSubjectSupplementalService.java:163) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.as.domain.management.security.SecurityRealmService$1.createSubjectUserInfo(SecurityRealmService.java:223) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.as.domain.http.server.security.BasicAuthenticator._authenticate(BasicAuthenticator.java:120) [jboss-as-domain-http-interface-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.as.domain.http.server.security.BasicAuthenticator.authenticate(BasicAuthenticator.java:85) [jboss-as-domain-http-interface-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:64)
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
	at org.jboss.sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:710)
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:78)
	at org.jboss.as.domain.http.server.XFrameHeaderFilter.doFilter(XFrameHeaderFilter.java:45) [jboss-as-domain-http-interface-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
	at org.jboss.as.domain.http.server.RealmReadinessFilter.doFilter(RealmReadinessFilter.java:48) [jboss-as-domain-http-interface-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.as.domain.http.server.DmrFailureReadinessFilter.doFilter(DmrFailureReadinessFilter.java:45) [jboss-as-domain-http-interface-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
	at org.jboss.sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:680)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_66]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_66]
	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_66]
	at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
{code}

Setting referrals=follows worked around the issue in this case.

Steps to reproduce: https://bugzilla.redhat.com/show_bug.cgi?id=1417272

--
This message was sent by Atlassian JIRA
(v7.2.3#72005)