-
1. Re: jbpm rest api is allowed to access by any user with password "EMPTY_STR" if using SAML2LoginModule
the calling stacktrace:
org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284), sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method), sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57), sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43), java.lang.reflect.Method.invoke(Method.java:606), javax.security.auth.login.LoginContext.invoke(LoginContext.java:762), javax.security.auth.login.LoginContext.access$000(LoginContext.java:203), javax.security.auth.login.LoginContext$4.run(LoginContext.java:690), javax.security.auth.login.LoginContext$4.run(LoginContext.java:688), java.security.AccessController.doPrivileged(Native Method), javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687), javax.security.auth.login.LoginContext.login(LoginContext.java:595), org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408), org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345), org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333), org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146), org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:111), org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:82), io.undertow.security.impl.SecurityContextImpl.login(SecurityContextImpl.java:210), io.undertow.servlet.spec.HttpServletRequestImpl.login(HttpServletRequestImpl.java:418), org.uberfire.ext.security.server.ServletSecurityAuthenticationService.login(ServletSecurityAuthenticationService.java:65), org.uberfire.ext.security.server.ServletSecurityAuthenticationService$Proxy$_$$_WeldClientProxy.login(Unknown Source), org.uberfire.ext.security.server.BasicAuthSecurityFilter.authenticate(BasicAuthSecurityFilter.java:91), org.uberfire.ext.security.server.BasicAuthSecurityFilter.doFilter(BasicAuthSecurityFilter.java:52),