1 Reply Latest reply on Mar 31, 2010 5:45 AM by jmesnil

    NPE causing authentication failure

    jmesnil

      re https://jira.jboss.org/jira/browse/SECURITY-484

       

      While running the JMS TCK tests, tests started to fail because of an auth issue.

      The root cause seems to be a JNDI lookup failure:

      13:13:27,409 TRACE [org.jboss.security.integration.JNDIBasedSecurityManagement] Look up of JNDI for cts/mappingMgr failed with null

       

      Which then causes an NPE:

       

      13:13:27,410 TRACE [org.jboss.security.integration.JNDIBasedSecurityManagement] Exception in getting MappingManager: java.lang.NullPointerException
      at java.util.concurrent.ConcurrentHashMap.put(ConcurrentHashMap.java:881)
      at org.jboss.security.integration.JNDIBasedSecurityManagement.getMappingManager(JNDIBasedSecurityManagement.java:219)
      at org.jboss.security.plugins.JBossSecurityContext.getMappingManager(JBossSecurityContext.java:280)
      at org.jboss.security.plugins.JBossAuthorizationManager.getCurrentRoles(JBossAuthorizationManager.java:406)
      at org.jboss.security.plugins.JBossAuthorizationManager.getCurrentRoles(JBossAuthorizationManager.java:379)
      at org.jboss.security.plugins.JBossAuthorizationManager.doesUserHaveRole(JBossAuthorizationManager.java:185)
      at org.jboss.security.plugins.auth.JaasSecurityManagerBase.doesUserHaveRole(JaasSecurityManagerBase.java:434)
      at org.jboss.security.plugins.JaasSecurityManager.doesUserHaveRole(JaasSecurityManager.java:195)
      at org.hornetq.integration.jboss.security.JBossASSecurityManager.validateUserAndRole(JBossASSecurityManager.java:110)
      at org.hornetq.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:172)

       

      After that exception, all subsequent tests fail because of an auth issue.

      I need to restart the server for authentication to work again.

      I suppose we should check for a null mapping manager before putting it in the map.
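
The null check suggested in the post above, as an added example that is not part of the thread and not the JBoss security code. `DomainManagerCache` and its lookup function are hypothetical stand-ins for the `ConcurrentHashMap` that the stack trace shows being written in `getMappingManager`; the lookup results are constructed.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

// Hypothetical per-domain manager cache; not the JBoss security code.
public class DomainManagerCache<M> {
    private final Map<String, M> cache = new ConcurrentHashMap<>();
    private final Function<String, M> lookup; // may return null, like a failed JNDI lookup

    public DomainManagerCache(Function<String, M> lookup) { this.lookup = lookup; }

    // Unguarded: ConcurrentHashMap rejects null values, so a failed lookup
    // becomes a NullPointerException inside put().
    public M getUnguarded(String domain) {
        M mgr = cache.get(domain);
        if (mgr == null) {
            mgr = lookup.apply(domain);
            cache.put(domain, mgr); // NPE when mgr == null
        }
        return mgr;
    }

    // Guarded: a failed lookup is reported as empty and never cached, so the
    // next call retries. The caller decides what "empty" means.
    public Optional<M> get(String domain) {
        M mgr = cache.get(domain);
        if (mgr == null) {
            mgr = lookup.apply(domain);
            if (mgr == null) return Optional.empty();
            M raced = cache.putIfAbsent(domain, mgr); // keep the first winner
            if (raced != null) mgr = raced;
        }
        return Optional.of(mgr);
    }

    public static void main(String[] args) {
        int[] calls = {0}; // constructed lookup: fails twice, then succeeds
        DomainManagerCache<String> c = new DomainManagerCache<>(
            d -> calls[0]++ < 2 ? null : "mapping-manager:" + d);
        try {
            c.getUnguarded("cts");
        } catch (NullPointerException e) {
            System.out.println("unguarded: NPE from put()");
        }
        System.out.println("guarded, lookup fails: " + c.get("cts").isPresent());
        System.out.println("guarded, lookup works: " + c.get("cts").orElse("none"));
    }
}
```

Returning `Optional` makes the "domain not found" case explicit at the call site, so an authorization check can log it and deny rather than continue with a manager it did not ask for.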

        • 1. Re: NPE causing authentication failure
          jmesnil

          Thanks to the fix, the NPE no longer occurs.

          However, authentication still fails after some time running the TCK tests:

           

           

          11:32:58,049 TRACE [org.jboss.security.plugins.mapping.JBossMappingManager] Application Policy not found for domain=java:/jaas/cts.Mapping framework will use the default domain:other
           
          ...
           
          11:33:50,487 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] logout
          11:33:55,200 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(cts), size=15
          11:33:55,958 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(cts), authInfo=AppConfigurationEntry[]:
          [0]
          LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
          ControlFlag: LoginModuleControlFlag : required
          Options:
          name=usersProperties, value=cts-users.properties
          name=unauthenticatedIdentity, value=cts-user
          name=rolesProperties, value=cts-roles.properties
          name=password-stacking, value=useFirstPass
           
          11:34:06,984 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.cts] Login failure: javax.security.auth.login.LoginException: classe LoginModule introuvable : org.jboss.security.auth.spi.UsersRolesLoginModule
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
          at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:553)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:487)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
          at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
          at org.hornetq.integration.jboss.security.JBossASSecurityManager.validateUser(JBossASSecurityManager.java:81)
          at org.hornetq.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:128)
          

           

          Now, when the java:/jaas/cts domain is not found, we use the default domain instead of throwing the NPE. Authentication will still fail later on.

           

          Are there other traces I can add in addition to org.jboss.security to help you track why the java:/jaas/cts stops being found?