1 Reply Latest reply on May 25, 2015 1:29 AM by Bill Wang

    jbpm rest api is allowed to access by any user with password "EMPTY_STR" if using SAML2LoginModule

    Bill Wang Newbie

      jbpm rest api is protected by fileter: BasicAuthSecurityFilter.

      that will call authenticationService.login()

      which finally call SAML2LoginModule.login() which method is extended from UsernamePasswordLoginModule.

       

      so "EMPTY_STR" will pass that validation!!!!

        • 1. Re: jbpm rest api is allowed to access by any user with password "EMPTY_STR" if using SAML2LoginModule
          Bill Wang Newbie

          the calling stacktrace:

          org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284), 
          sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method), 
          sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57), 
          sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43), 
          java.lang.reflect.Method.invoke(Method.java:606), 
          javax.security.auth.login.LoginContext.invoke(LoginContext.java:762), 
          javax.security.auth.login.LoginContext.access$000(LoginContext.java:203), 
          javax.security.auth.login.LoginContext$4.run(LoginContext.java:690), 
          javax.security.auth.login.LoginContext$4.run(LoginContext.java:688), 
          java.security.AccessController.doPrivileged(Native Method), 
          javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687), 
          javax.security.auth.login.LoginContext.login(LoginContext.java:595), 
          org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408), 
          org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345), 
          org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333), 
          org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146), 
          org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:111), 
          org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:82), 
          io.undertow.security.impl.SecurityContextImpl.login(SecurityContextImpl.java:210), 
          io.undertow.servlet.spec.HttpServletRequestImpl.login(HttpServletRequestImpl.java:418), 
          org.uberfire.ext.security.server.ServletSecurityAuthenticationService.login(ServletSecurityAuthenticationService.java:65), 
          org.uberfire.ext.security.server.ServletSecurityAuthenticationService$Proxy$_$$_WeldClientProxy.login(Unknown Source), 
          org.uberfire.ext.security.server.BasicAuthSecurityFilter.authenticate(BasicAuthSecurityFilter.java:91), 
          org.uberfire.ext.security.server.BasicAuthSecurityFilter.doFilter(BasicAuthSecurityFilter.java:52),