2 Replies Latest reply on Oct 30, 2015 8:02 AM by jaysensharma

    Login Module is messed up when one of the module-option is empty

    jprasanna

      Environment:

       

      CentOS Linux release 7.1.1503 (Core)

      /usr/java/jdk1.8.0_45/

      WildFly 8.2.0

       

      Description:

       

      When one of the module-options is given as empty, the whole login-module is messed up. But in real time there will be cases where the module-option can be empty. For example, while configuring org.jboss.security.auth.spi.LdapLoginModule, the principalDNPrefix can be empty.

      Command with principalDNPrefix empty

      /subsystem=security/security-domain=SourceForge/authentication=classic/login-module=org.jboss.security.auth.spi.LdapLoginModule33:add(code=org.jboss.security.auth.spi.LdapLoginModule, flag=sufficient, module-options=[ "java.naming.provider.url" => "ldap://ldaphost.jboss.org:1", "java.naming.security.authentication" => "simple", "principalDNPrefix" => "", "principalDNSuffix" => ",ou=People,o=jboss.org", "allowEmptyPasswords" => "false", "java.naming.factory.initial" => "com.sun.jndi.ldap.LdapCtxFactory", "throwValidateError" => "true" ]){allow-resource-service-restart=true}

       

      Output in standalone-full.xml

       

      Wrong value is stored as principalDNPrefix

       

      <login-module name="org.jboss.security.auth.spi.LdapLoginModule33" code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
      <module-option name="java.naming.provider.url" value="ldap://ldaphost.jboss.org:1"/>
      <module-option name="java.naming.security.authentication" value="simple"/>
      <module-option name="principalDNPrefix" value="principalDNSuffix"/>
      <module-option name="allowEmptyPasswords" value="false"/>
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
      <module-option name="throwValidateError" value="true"/>
      </login-module>

       

       

      Command with principalDNPrefix with some value

       

      /subsystem=security/security-domain=SourceForge/authentication=classic/login-module=org.jboss.security.auth.spi.LdapLoginModule44:add(code=org.jboss.security.auth.spi.LdapLoginModule, flag=sufficient, module-options=[ "java.naming.provider.url" => "ldap://ldaphost.jboss.org:1", "java.naming.security.authentication" => "simple", "principalDNPrefix" => "test", "principalDNSuffix" => ",ou=People,o=jboss.org", "allowEmptyPasswords" => "false", "java.naming.factory.initial" => "com.sun.jndi.ldap.LdapCtxFactory", "throwValidateError" => "true" ]){allow-resource-service-restart=true}


      Output in standalone-full.xml

       

      Values are stored correctly.

      <login-module name="org.jboss.security.auth.spi.LdapLoginModule44" code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
      <module-option name="java.naming.provider.url" value="ldap://ldaphost.jboss.org:1"/>
      <module-option name="java.naming.security.authentication" value="simple"/>
      <module-option name="principalDNPrefix" value="test"/>
      <module-option name="principalDNSuffix" value=",ou=People,o=jboss.org"/>
      <module-option name="allowEmptyPasswords" value="false"/>
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
      <module-option name="throwValidateError" value="true"/>
      </login-module>

        • 1. Re: Login Module is messed up when one of the module-option is empty
          jprasanna

          Any solution is much appreciated.

          Please let us know.

          • 2. Re: Login Module is messed up when one of the module-option is empty
            jaysensharma

            Hello Prasanna,

             

                Looks like your syntax is not right. I tried the following in WildFly 8.2; can you test the same at your end?

             

            [standalone@localhost:9990 /] batch
            
            [standalone@localhost:9990 / #] /subsystem=security/security-domain=SourceForge:add(cache-type=default)
            
            [standalone@localhost:9990 / #] /subsystem=security/security-domain=SourceForge/authentication=classic:add()
            
            [standalone@localhost:9990 / #] /subsystem=security/security-domain=SourceForge/authentication=classic/login-module=org.jboss.security.auth.spi.LdapLoginModule33:add(code="org.jboss.security.auth.spi.LdapLoginModule", flag="sufficient", module-options={"java.naming.provider.url" => "ldap://ldaphost.jboss.org:1", "java.naming.security.authentication" => "simple", "principalDNPrefix" => "", "principalDNSuffix" => ",ou=People,o=jboss.org", "allowEmptyPasswords" => "false", "java.naming.factory.initial" => "com.sun.jndi.ldap.LdapCtxFactory", "throwValidateError" => "true" })
            
            [standalone@localhost:9990 / #] run-batch
            

             

            After running the above CLI command I get the following XML snippet:

             

                            <security-domain name="SourceForge" cache-type="default">
                                <authentication>
                                    <login-module name="org.jboss.security.auth.spi.LdapLoginModule33" code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
                                        <module-option name="java.naming.provider.url" value="ldap://ldaphost.jboss.org:1"/>
                                        <module-option name="java.naming.security.authentication" value="simple"/>
                                        <module-option name="principalDNPrefix" value=""/>
                                        <module-option name="principalDNSuffix" value=",ou=People,o=jboss.org"/>
                                        <module-option name="allowEmptyPasswords" value="false"/>
                                        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                                        <module-option name="throwValidateError" value="true"/>
                                    </login-module>
                                </authentication>
                            </security-domain>
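
A check for the failure described in this thread, as an added example that is not part of the original posts: it compares the module-options intended in the CLI command with what was actually persisted in the configuration file, and flags options that went missing or whose stored value is really another option's name. The function name `audit_login_module` and the finding labels are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Options the administrator intended to set (from the CLI command in the thread).
EXPECTED = {
    "java.naming.provider.url": "ldap://ldaphost.jboss.org:1",
    "java.naming.security.authentication": "simple",
    "principalDNPrefix": "",
    "principalDNSuffix": ",ou=People,o=jboss.org",
    "allowEmptyPasswords": "false",
    "java.naming.factory.initial": "com.sun.jndi.ldap.LdapCtxFactory",
    "throwValidateError": "true",
}

# Persisted result quoted in the first post (list syntax, empty principalDNPrefix).
BROKEN_XML = """<login-module name="org.jboss.security.auth.spi.LdapLoginModule33" code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
<module-option name="java.naming.provider.url" value="ldap://ldaphost.jboss.org:1"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="principalDNPrefix" value="principalDNSuffix"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="throwValidateError" value="true"/>
</login-module>"""

def local(tag):
    # Drop an XML namespace prefix such as "{urn:...}login-module".
    return tag.rsplit("}", 1)[-1]

def audit_login_module(xml_text, module_name, expected):
    """Return (kind, option) findings for one login-module; [] means it matches."""
    findings = []
    for lm in ET.fromstring(xml_text).iter():
        if local(lm.tag) != "login-module" or lm.get("name") != module_name:
            continue
        stored = {o.get("name"): o.get("value", "")
                  for o in lm if local(o.tag) == "module-option"}
        for name, want in expected.items():
            if name not in stored:
                findings.append(("missing", name))
            elif stored[name] != want:
                # A value equal to another option's name is the symptom in the thread.
                kind = "shifted" if stored[name] in expected else "mismatch"
                findings.append((kind, name))
        for name in sorted(stored.keys() - expected.keys()):
            findings.append(("unexpected", name))
        return findings
    return [("module-not-found", module_name)]

if __name__ == "__main__":
    print(audit_login_module(BROKEN_XML, "org.jboss.security.auth.spi.LdapLoginModule33", EXPECTED))
```

Run against the XML from the first post, it reports `principalDNPrefix` as shifted and `principalDNSuffix` as missing; against the XML from the reply it reports nothing.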